Commit Graph

112 Commits

Author SHA1 Message Date
Martin Probst f86edae9f3 feat(security): add an HTML sanitizer.
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization; all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch, molnarg, koto

Differential Revision: https://reviews.angular.io/D108
2016-05-09 16:00:24 +02:00
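Added illustration, in TypeScript, of the approach this commit message describes (it is not Angular's sanitizer and not code from the commit): untrusted markup is parsed into an inert container (`<template>`, falling back to a detached document from `createHTMLDocument`), and the resulting tree is re-serialised so that only allowlisted elements and attributes survive, with every text node and attribute value escaped on the way out. The allowlists, the URL check for `href`, and the set of elements whose content is dropped together with the tag (`script`, `style`, `svg`, ...) are assumptions chosen for the example. `sanitizeTree` reads only the DOM `Node` fields it needs, so the serialisation step can be exercised on a hand-built tree without a browser.

```typescript
// Added example, not Angular's code. Allowlists below are assumptions for illustration.
const ALLOWED_ELEMENTS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'ol', 'li', 'span', 'code', 'pre', 'blockquote']);
const VOID_ELEMENTS = new Set(['br']);
const ALLOWED_ATTRIBUTES = new Set(['href', 'title', 'class']);
const URL_ATTRIBUTES = new Set(['href']);
// Elements whose content is dropped along with the tag; for any other disallowed element the
// tag is stripped but its (sanitised) children are kept. SVG is rejected wholesale here.
const DROP_CONTENT = new Set(['script', 'style', 'template', 'svg', 'math']);
// http(s)/mailto schemes or scheme-less (relative) URLs only; javascript:/data: fail both branches.
const SAFE_URL = /^(?:(?:https?|mailto):|[^&:/?#]*(?:[/?#]|$))/i;

// The slice of the DOM Node interface the serialiser reads; real browser nodes satisfy it.
interface InertNode {
  nodeType: number;
  nodeName: string;
  nodeValue: string | null;
  childNodes: ArrayLike<InertNode>;
  attributes?: ArrayLike<{ name: string; value: string }>;
}
const ELEMENT_NODE = 1;
const TEXT_NODE = 3;

function escapeText(s: string): string {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function escapeAttr(s: string): string {
  return escapeText(s).replace(/"/g, '&quot;');
}

function serializeNode(node: InertNode, out: string[]): void {
  if (node.nodeType === TEXT_NODE) { out.push(escapeText(node.nodeValue ?? '')); return; }
  if (node.nodeType !== ELEMENT_NODE) return;  // comments, doctype, processing instructions: dropped
  const tag = node.nodeName.toLowerCase();
  if (!ALLOWED_ELEMENTS.has(tag)) {
    if (!DROP_CONTENT.has(tag)) serializeChildren(node, out);  // strip the tag, keep its content
    return;
  }
  out.push('<' + tag);
  const attrs = node.attributes ?? [];
  for (let i = 0; i < attrs.length; i++) {
    const { name, value } = attrs[i];
    const lname = name.toLowerCase();
    if (!ALLOWED_ATTRIBUTES.has(lname)) continue;                       // drops on*, style, srcdoc, ...
    if (URL_ATTRIBUTES.has(lname) && !SAFE_URL.test(value)) continue;   // drops javascript:/data: hrefs
    out.push(' ' + lname + '="' + escapeAttr(value) + '"');
  }
  out.push('>');
  if (VOID_ELEMENTS.has(tag)) return;
  serializeChildren(node, out);
  out.push('</' + tag + '>');
}

function serializeChildren(node: InertNode, out: string[]): void {
  const kids = node.childNodes;
  for (let i = 0; i < kids.length; i++) serializeNode(kids[i], out);
}

// Serialise the children of an already-parsed (inert) tree into sanitised markup.
function sanitizeTree(root: InertNode): string {
  const out: string[] = [];
  serializeChildren(root, out);
  return out.join('');
}

// Structural view of the parts of `document` used below, so this compiles without DOM typings.
interface TemplateLike { content?: InertNode; innerHTML: string; }
interface DocumentLike {
  createElement(tag: string): TemplateLike;
  implementation: { createHTMLDocument(title: string): { body: TemplateLike & InertNode } };
}

// Browser entry point: parse into an inert container first, so nothing in the untrusted
// markup executes or loads while the tree is walked.
function sanitizeHtml(doc: DocumentLike, untrusted: string): string {
  const template = doc.createElement('template');
  const fragment = template.content;
  if (fragment) {                       // <template> parses into an inert DocumentFragment
    template.innerHTML = untrusted;
    return sanitizeTree(fragment);
  }
  // Fallback: a detached document has no browsing context, so scripts in it do not run either.
  const inert = doc.implementation.createHTMLDocument('sanitization');
  inert.body.innerHTML = untrusted;
  return sanitizeTree(inert.body);
}
```

In a browser, `sanitizeHtml(document, untrusted)` is the entry point. Two details matter more than the allowlists themselves: the serialiser re-emits every attribute value through its own escaper rather than copying the parser's output, and an `href` that fails the URL check is dropped rather than rewritten, so the output never carries a value the check did not pass.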
Igor Minar 905f38acb8 build: fix source map paths for npm packages
the bundles have source maps disabled for now because when we downlevel
the esm bundle to es5 tsc doesn't consider the original source map so
we end up with a source map pointing to the esm bundle instead which is
not useful.
2016-05-03 13:36:33 -06:00
Martin Probst 908a102a87 feat: security implementation in Angular 2.
Summary:
This adds basic security hooks to Angular 2.

* `SecurityContext` is a private API between core, compiler, and
  platform-browser. `SecurityContext` communicates what context a value is used
  in across template parser, compiler, and sanitization at runtime.
* `SanitizationService` is the bare bones interface to sanitize values for a
  particular context.
* `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)`
  determines the security context for an attribute or property (it turns out
  attributes and properties match for the purposes of sanitization).

Based on these hooks:

* `DomSchemaElementRegistry` decides what sanitization applies in a particular
  context.
* `DomSanitizationService` implements `SanitizationService` and adds *Safe
  Value*s, i.e. the ability to mark a value as safe and not requiring further
  sanitization.
* `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively
  (surprise!).

`DomSanitizationService` is the default implementation bound for browser
applications, in the three contexts (browser rendering, web worker rendering,
server side rendering).

BREAKING CHANGES:
*** SECURITY WARNING ***
Angular 2 Release Candidates do not implement proper contextual escaping yet.
Make sure to correctly escape all values that go into the DOM.
*** SECURITY WARNING ***

Reviewers: IgorMinar

Differential Revision: https://reviews.angular.io/D103
2016-05-03 09:21:43 -07:00
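Added example, in TypeScript, sketching how the hooks listed in this commit message fit together (it is not Angular's code from D103): a `SecurityContext` enum, a `securityContext(tagName, attributeOrPropertyName)` lookup, a `SanitizationService` whose `DomSanitizationService` implementation sanitizes URLs and styles and honours Safe Values, and `bypassSecurityTrust*` methods that mint them. The context table, the URL and style allowlist regexes, the `unsafe:` / `unsafe` replacement strings, and the decision to refuse untrusted values outright in the `HTML` and `RESOURCE_URL` contexts (rather than ship an HTML sanitizer in the example) are all assumptions of this example.

```typescript
// Added example, not Angular's code. Tables and regexes are assumptions for illustration.
enum SecurityContext { NONE, HTML, STYLE, URL, RESOURCE_URL }

// Which context a binding target lands in, keyed "tag|attribute"; '*' matches any tag.
// Assumed table; a real registry covers many more properties.
const SECURITY_CONTEXTS: Record<string, SecurityContext> = {
  '*|innerhtml': SecurityContext.HTML,
  '*|style': SecurityContext.STYLE,
  'a|href': SecurityContext.URL,
  'img|src': SecurityContext.URL,
  'iframe|src': SecurityContext.RESOURCE_URL,
  'script|src': SecurityContext.RESOURCE_URL,
  'object|data': SecurityContext.RESOURCE_URL,
};

// Stand-in for SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName):
// attributes and properties share one lookup, as the commit notes.
function securityContext(tagName: string, attrOrPropName: string): SecurityContext {
  const attr = attrOrPropName.toLowerCase();
  return SECURITY_CONTEXTS[`${tagName.toLowerCase()}|${attr}`]
      ?? SECURITY_CONTEXTS[`*|${attr}`]
      ?? SecurityContext.NONE;
}

// A Safe Value: a value the application has vouched for, for exactly one context.
// Only the sanitization service mints these, so ordinary strings can never pass as one.
class SafeValue {
  constructor(readonly value: string, readonly context: SecurityContext) {}
}

interface SanitizationService {
  sanitize(context: SecurityContext, value: string | SafeValue | null): string | null;
}

// Assumed URL allowlist: http(s)/mailto/tel schemes, or scheme-less (relative) URLs.
const SAFE_URL = /^(?:(?:https?|mailto|tel):|[^&:/?#]*(?:[/?#]|$))/i;
// Assumed style-value allowlist: keywords, lengths, colours, rgb()/hsl(); no url(), expression(), etc.
const SAFE_STYLE = /^(?:[-\w\s,.%#!]+|(?:rgba?|hsla?)\([\d\s,.%]+\))$/;

function sanitizeUrl(url: string): string {
  // Control characters are rejected outright: browsers strip them, so "java\nscript:" would
  // otherwise get past a scheme check (assumed hardening, not something the commit describes).
  if (/[\u0000-\u001f\u007f]/.test(url) || !SAFE_URL.test(url)) return 'unsafe:' + url;
  return url;
}

function sanitizeStyle(style: string): string {
  return SAFE_STYLE.test(style) ? style : 'unsafe';
}

class DomSanitizationService implements SanitizationService {
  sanitize(context: SecurityContext, value: string | SafeValue | null): string | null {
    if (value == null) return null;
    if (value instanceof SafeValue) {
      // Trust is per context: a value safe as a URL is not thereby safe as a resource URL.
      if (value.context !== context) {
        throw new Error(`value trusted for ${SecurityContext[value.context]} used in ${SecurityContext[context]} context`);
      }
      return value.value;
    }
    switch (context) {
      case SecurityContext.NONE: return value;
      case SecurityContext.URL: return sanitizeUrl(value);
      case SecurityContext.STYLE: return sanitizeStyle(value);
      case SecurityContext.HTML:
      case SecurityContext.RESOURCE_URL:
        // No sanitizer for these in this example, so fail closed: only a trusted value passes.
        throw new Error(`unsafe value used in a ${SecurityContext[context]} context; mark it trusted first`);
      default:
        throw new Error(`unknown security context ${context}`);
    }
  }
  bypassSecurityTrustHtml(value: string): SafeValue { return new SafeValue(value, SecurityContext.HTML); }
  bypassSecurityTrustStyle(value: string): SafeValue { return new SafeValue(value, SecurityContext.STYLE); }
  bypassSecurityTrustUrl(value: string): SafeValue { return new SafeValue(value, SecurityContext.URL); }
  bypassSecurityTrustResourceUrl(value: string): SafeValue { return new SafeValue(value, SecurityContext.RESOURCE_URL); }
}
```

Two behaviours are worth checking in any implementation of this shape: a value trusted for one context must be rejected in another (a URL trusted with `bypassSecurityTrustUrl` bound to `<iframe src>` should throw, because a resource URL loads code rather than navigating), and a context that has no sanitizer must fail closed instead of passing the raw value through.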
Tobias Bosch 43527172ed chore: don’t shadow `tsconfig.json` used for editors by build specific tsconfig.json 2016-05-02 15:06:46 -07:00
Misko Hevery 107016ec12 chore: router move import changes 2016-05-02 13:27:03 -07:00
Alex Eagle 3ae856ab8b build(tsc): Use angular2-template-compiler in place of tsc
This lets us down-level Decorators with tsickle and produce .metadata.json
files for users to reference when offline-compiling their app.
2016-05-01 23:40:59 -07:00
Misko Hevery 3e17c99f4e chore: clang-reformat 2016-05-01 22:59:41 -07:00
Misko Hevery cd52318f48 fix: parse browser detection lazily 2016-05-01 22:27:55 -07:00
Alex Eagle c4be30d2e8 Revert "build(tsc): Use angular2-template-compiler in place of tsc"
This reverts commit 3d25294f706e0fd6224b20372be1e961959c0af8.
2016-05-01 20:51:00 -07:00
Alex Eagle 57240c85a5 build(tsc): Use angular2-template-compiler in place of tsc
This gives us tsickle pre-processing of Decorators, and produces
.metadata.json files for users to consume in their offline compilation.
2016-05-01 20:51:00 -07:00
Igor Minar a66cdb469f repackaging: all the repackaging changes squashed 2016-05-01 20:51:00 -07:00
Igor Minar 505da6c0a8 repackaging: all the file moves 2016-05-01 20:51:00 -07:00