Bjarki f245c6bb15 fix(core): remove closing body tag from inert DOM builder (#38454)
Fix a bug in the HTML sanitizer where an unclosed iframe tag would
result in an escaped closing body tag as the output:

_sanitizeHtml(document, '<iframe>') => '&lt;/body&gt;'

This closing body tag comes from the DOMParserHelper where the HTML to be
sanitized is wrapped with surrounding body tags. When an opening iframe
tag is parsed by DOMParser, which DOMParserHelper uses, everything up
until its matching closing tag is consumed as a text node. In the above
example this includes the appended closing body tag.

By removing the explicit closing body tag from the DOMParserHelper and
relying on the body tag being closed implicitly at the end, the above
example is sanitized as expected:

_sanitizeHtml(document, '<iframe>') => ''

PR Close #38454
2020-08-19 14:18:44 -07:00
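
The parsing behaviour described in the commit message above, as an added example that is not Angular's code. It is a simplified model of raw-text handling for `<iframe>`, not a real HTML parser. The names `textNodes`, `escapeText` and `sanitizedText` are hypothetical, and only the text part of the sanitizer output is modelled:

```javascript
// Added illustration: a simplified model, NOT Angular's code or a real HTML parser.
// It implements only the rule the commit message describes: after an opening
// <iframe> tag, everything up to the matching </iframe> (or end of input) is
// consumed as one text node, so tags inside it are not recognised.
const RAW_TEXT = new Set(['iframe']);

// Hypothetical helper: returns the text nodes found, in document order.
function textNodes(html) {
  const out = [];
  const lower = html.toLowerCase();
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    const gt = lt === -1 ? -1 : html.indexOf('>', lt);
    if (gt === -1) { out.push(html.slice(i)); break; }  // no further complete tag
    if (lt > i) out.push(html.slice(i, lt));             // text before the tag
    const name = lower.slice(lt + 1, gt).trim().split(/\s/)[0];
    i = gt + 1;
    if (!RAW_TEXT.has(name)) continue;                   // ordinary tag: no text
    const close = lower.indexOf('</' + name, i);         // matching closing tag
    const end = close === -1 ? html.length : close;
    if (end > i) out.push(html.slice(i, end));           // swallowed as text
    const closeGt = close === -1 ? -1 : html.indexOf('>', close);
    i = closeGt === -1 ? html.length : closeGt + 1;
  }
  return out;
}

// Simplified entity escaping (assumption: only &, < and > are handled here).
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Models the text part of the sanitizer output: tags are dropped, text is escaped.
// explicitClose = true is the wrapper before the fix, false is the wrapper after it.
function sanitizedText(html, explicitClose) {
  const wrapped = '<body>' + html + (explicitClose ? '</body>' : '');
  return textNodes(wrapped).map(escapeText).join('');
}

console.log(JSON.stringify(sanitizedText('<iframe>', true)));   // wrapper leaks
console.log(JSON.stringify(sanitizedText('<iframe>', false)));  // nothing to leak
```

A properly closed iframe is unaffected by either wrapper; only the unclosed tag reaches past the input and into the appended wrapper text.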

Sanitization

This folder contains sanitization-related code.

History

Sanitization-related code used to live in @angular/platform-browser, since it is platform related. While this is true, in practice the compiler schema is permanently tied to the DOM, so the theoretical ability to replace the sanitizer is not used in practice.

To better support tree shaking, we need to be able to refer to the sanitization functions from the Ivy code. For this reason the code has been moved into @angular/core.