
Angular DomSanitizer - SecurityContext.NONE

The official Angular Security Guide speaks about 4 security contexts: HTML, Url, Style and Resource Url.
Each one is responsible for sanitizing the corresponding type of resource.
In addition, there are 5 methods (per resource type) in the DomSanitizer service:

 - bypassSecurityTrustHtml 
 - bypassSecurityTrustScript
 - bypassSecurityTrustStyle 
 - bypassSecurityTrustUrl
 - bypassSecurityTrustResourceUrl

However, I didn't find any mention of SecurityContext.NONE in the official documentation. And it does exist in the code.

I would assume that it aggregates all the resource types, meaning the resource being sanitized can be HTML, which contains styling and scripts.

Is that the case? Any official source?

JeB asked Jun 04 '17 13:06




1 Answer

Apparently, if we use domSanitizer.sanitize with SecurityContext.NONE, it won't perform any sanitization and will return the value as is.

Thus, this will allow HTML with embedded URLs, styling and scripts.

Therefore it is highly recommended not to use this in your code.

JeB answered Oct 03 '22 10:10
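To make the answer concrete without an Angular app, here is an added stand-alone TypeScript model of how `sanitize(context, value)` dispatches on `SecurityContext` (example code, not Angular's own implementation). The `SecurityContext` enum mirrors Angular's public values; `TrustedValue`, `toyHtmlSanitize` and `toyUrlSanitize` are simplified stand-ins written for this illustration, not Angular's algorithms. It shows the difference the question is about: a `bypassSecurityTrust*` wrapper marks one value as trusted for one specific context, whereas `SecurityContext.NONE` skips sanitization entirely and returns whatever it is given, script elements and event handlers included.

```typescript
// Added example (not Angular's own code): a small model of
// DomSanitizer.sanitize(context, value), built so that the effect of
// SecurityContext.NONE can be observed in isolation.

// Mirrors the values of Angular's public SecurityContext enum.
export enum SecurityContext {
  NONE = 0,
  HTML = 1,
  STYLE = 2,
  SCRIPT = 3,
  URL = 4,
  RESOURCE_URL = 5,
}

// Stand-in for the SafeValue wrappers that bypassSecurityTrust* return:
// the value is trusted only for the context it was marked for.
export class TrustedValue {
  constructor(readonly context: SecurityContext, readonly value: string) {}
}

export function bypassSecurityTrustHtml(value: string): TrustedValue {
  return new TrustedValue(SecurityContext.HTML, value);
}

// Toy HTML sanitizer (assumption for this example: Angular parses the DOM and
// applies an allow-list; this regex version only drops <script> blocks and
// inline on* event handlers, enough to show the contrast with NONE).
export function toyHtmlSanitize(html: string): string {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '')
    .replace(/\s+on[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Toy URL sanitizer: scheme-less (relative) URLs and a short scheme allow-list
// pass; anything else is neutralised with an "unsafe:" prefix.
export function toyUrlSanitize(url: string): string {
  const trimmed = url.trim();
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  const allowed = ['http', 'https', 'mailto', 'tel'];
  if (!scheme || allowed.indexOf(scheme[1].toLowerCase()) !== -1) {
    return trimmed;
  }
  return 'unsafe:' + trimmed;
}

export function sanitize(
  ctx: SecurityContext,
  value: string | TrustedValue | null,
): string | null {
  if (value === null) return null;

  // A value marked trusted for exactly this context passes through untouched;
  // a value trusted for some other context is an error, not a silent pass.
  if (value instanceof TrustedValue) {
    if (value.context === ctx) return value.value;
    throw new Error(
      `Required a safe ${SecurityContext[ctx]} value, got one trusted for ${SecurityContext[value.context]}`,
    );
  }

  switch (ctx) {
    case SecurityContext.NONE:
      return value; // no sanitization at all: the value is returned as is
    case SecurityContext.HTML:
      return toyHtmlSanitize(value);
    case SecurityContext.STYLE:
      return value; // assumption for this example: styles are passed through
    case SecurityContext.URL:
      return toyUrlSanitize(value);
    case SecurityContext.SCRIPT:
    case SecurityContext.RESOURCE_URL:
      // These contexts cannot be sanitized; only an explicitly trusted value is accepted.
      throw new Error(`unsafe value used in a ${SecurityContext[ctx]} context`);
    default:
      throw new Error('unknown SecurityContext');
  }
}

// Constructed sample input: benign markup with an embedded script and handler.
export const SAMPLE_HTML =
  '<b>hi</b><script>evil()</script><img src=x onerror="evil()">';

// Same input through the HTML context and through NONE, side by side.
export function compareContexts(): { html: string | null; none: string | null } {
  return {
    html: sanitize(SecurityContext.HTML, SAMPLE_HTML),
    none: sanitize(SecurityContext.NONE, SAMPLE_HTML),
  };
}
```

`compareContexts()` returns `<b>hi</b><img src=x>` for the HTML context and the untouched sample for NONE, which is exactly why the answer advises against NONE: it provides no protection in any context, while a `bypassSecurityTrust*` wrapper at least limits the trust to one context and fails loudly if used elsewhere.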