908a102a87
Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds *Safe Value*s, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: *** SECURITY WARNING *** Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. *** SECURITY WARNING *** Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103
33 lines
1.6 KiB
TypeScript
33 lines
1.6 KiB
TypeScript
/**
|
|
* A pattern that recognizes a commonly useful subset of URLs that are safe.
|
|
*
|
|
* This regular expression matches a subset of URLs that will not cause script
|
|
* execution if used in URL context within a HTML document. Specifically, this
|
|
* regular expression matches if (comment from here on and regex copied from
|
|
* Soy's EscapingConventions):
|
|
* (1) Either a protocol in a whitelist (http, https, mailto or ftp).
|
|
* (2) or no protocol. A protocol must be followed by a colon. The below
|
|
* allows that by allowing colons only after one of the characters [/?#].
|
|
* A colon after a hash (#) must be in the fragment.
|
|
* Otherwise, a colon after a (?) must be in a query.
|
|
* Otherwise, a colon after a single solidus (/) must be in a path.
|
|
* Otherwise, a colon after a double solidus (//) must be in the authority
|
|
* (before port).
|
|
*
|
|
* The pattern disallows &, used in HTML entity declarations before
|
|
* one of the characters in [/?#]. This disallows HTML entities used in the
|
|
* protocol name, which should never happen, e.g. "http" for "http".
|
|
* It also disallows HTML entities in the first path part of a relative path,
|
|
* e.g. "foo<bar/baz". Our existing escaping functions should not produce
|
|
* that. More importantly, it disallows masking of a colon,
|
|
* e.g. "javascript:...".
|
|
*
|
|
* This regular expression was taken from the Closure sanitization library.
|
|
*/
|
|
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;
|
|
|
|
export function sanitizeUrl(url: string): string {
|
|
if (String(url).match(SAFE_URL_PATTERN)) return url;
|
|
return 'unsafe:' + url;
|
|
}
|