Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ElementRef security risk angular 2

Tags:

angular

Why ElementRef is not secure to use if so, what we can use instead?

I'm been using this ElementRef to see or watch a specific html tag and then to send as specific width after is initialize, but if this open a security risk I will not use it, and to be honest I don't understand why angular 2 teams allow this kind security flaws in their framework.

What is the secure and best technique to use? My test component below:

        import { Component, OnInit } from '@angular/core';

        @Component({
          selector: 'app-standard',
          template: ` <button type="button" #buttonW></button>`,

        })
        export class standardComponent implements OnInit {

          name: string = 'app-standard';
          viewWidthButton: any;

          @ViewChild( 'buttonW' ) elButtonW: ElementRef; 


          constructor() { 

            this.viewWidthButton = this.elButtonW.nativeElement.offsetWidth;
            console.log ('button width: ' + this.viewWidthButton);
          }

          ngOnInit() {
          }

        }

Angular 2 page reference:

https://angular.io/docs/ts/latest/api/core/index/ElementRef-class.html

like image 787
jcdsr Avatar asked Mar 16 '17 12:03

jcdsr

1 Answers

Using ElementRef doesn't directly make your site less secure. The Angular team is just saying "Hey, you may use this, just be careful with it".

If you are only using an ElementRef to get information, like in your example a certain width, there is no security risk involved at all. It's a different story when you use an ElementRef to modify the DOM. There, potential threats can arise. Such an example could be:

@ViewChild('myIdentifier')
myIdentifier: ElementRef

ngAfterViewInit() {
  this.myIdentifier.nativeElement.onclick = someFunctionDefinedBySomeUser;
}

The problem with this is that it gets inserted directly into the DOM, skipping the Angular sanitisation mechanisms. What are sanitisation mechanisms? Usually, if something in the DOM is changed via Angular, Angular makes sure it's nothing dangerous. However, when using ElementRef to insert something into the DOM, Angular can't guarantee this. So it becomes your responsibility that nothing bad enters the DOM when using ElementRef. An important keyword here is XSS (Cross-Site Scripting).

To summarise: If you poll the DOM for information, you are safe. If you modify the DOM using ElementRef, make sure the modifications don't possibly contain malicious code.

like image 93
bersling Avatar answered Sep 27 '22 18:09

bersling
Sign in to Comment

Related questions

NGINX, proxy_pass and SPA routing in HTML5 mode
How to pass data modal Component to parent Component using ng-bootstrap in angular 4
Angular :host <selector> is not working
Accessing a checkbox value on click in angular 2
@import styles in angular component's styles with ::ng-deep
Angular Universal Firebase: no provider for InjectionToken MODULE_MAP
Writing unit test for subscription inside onInit() in Angular
Deploying multiple versions of Angular app to Azure App Service
Building Angular for production without installing devDependencies
What is the point of import { DOCUMENT } from '@angular/common'; if I can already access the document
What does Angular Ivy specifically allow us to do in regards to manual change detection?
Angular Tree Shaking: How exactly does it work?
How to split HTML Page in A4 size in Angular 9
Change fixture response in cypress for the same url with intercept
angular2 can't import ng2-bootstrap
Get current value of Subject.asObservable() inside Angular service
NG2: angular2-webpack-starter - what is the purpose of HMR?
Feature module not exporting component
Ionic2/Angular2 - Read a custom config file
Search for a string in all properties of an object in Angular 2

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!