Menu
I'm loading a trusted URL into an iframe which works fine. I also want to display that URL as a string on the page. I've tried <div>{{url}}</div> but it displays:
SafeValue must use [property]=binding: /my/resource/path.html (see http://g.co/ng/security#xss)
I also tried using <div [ngModel]="url"></div>, but got
Error: No value accessor for form control with unspecified name attribute
How can I display it?
492
SafeResourceUrllink Marker interface for a value that's safe to use as a URL to load executable code from.
A SafeUrl is a string-like object that carries the security type contract that its value as a string will not cause untrusted script execution when evaluated as a hyperlink URL in a browser.
bypassSecurityTrustResourceUrl()link Bypass security and trust the given value to be a safe resource URL, i.e. a location that may be used to load executable code from, like <script src> , or <iframe src> .
You want to display this value as html (not url or resource) - use bypassSecurityTrustHtml
@Component({
selector: 'my-app',
template: `
<div [innerHTML]="url"><div>
`
})
export class App {
dangerousVideoUrl = "href=' javascript:alert(1)'";
constructor(private sanitizer: DomSanitizer) {
this.url =
this.sanitizer.bypassSecurityTrustHtml(this.dangerousVideoUrl);
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
