Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How can I display a SafeUrl or a SafeResourceUrl?

Tags:

angular

I'm loading a trusted URL into an iframe which works fine. I also want to display that URL as a string on the page. I've tried <div>{{url}}</div> but it displays:

SafeValue must use [property]=binding: /my/resource/path.html (see http://g.co/ng/security#xss)

I also tried using <div [ngModel]="url"></div>, but got

Error: No value accessor for form control with unspecified name attribute

How can I display it?

like image 492
adamdport Avatar asked May 02 '17 14:05

adamdport

People also ask

What is SafeResourceUrl in angular?

SafeResourceUrllink Marker interface for a value that's safe to use as a URL to load executable code from.

What is SafeUrl?

A SafeUrl is a string-like object that carries the security type contract that its value as a string will not cause untrusted script execution when evaluated as a hyperlink URL in a browser.

Which method can you use to bypass security and to trust that the given value is a safe resource URL?

bypassSecurityTrustResourceUrl()link Bypass security and trust the given value to be a safe resource URL, i.e. a location that may be used to load executable code from, like <script src> , or <iframe src> .

1 Answers

  1. The error says use [property] binding - it means [innerHTML] for html

  2. You want to display this value as html (not url or resource) - use bypassSecurityTrustHtml

     @Component({
  selector: 'my-app',
  template: `
    <div [innerHTML]="url"><div>
  `
 })
export class App {

  dangerousVideoUrl = "href='&#x3000;javascript:alert(1)'";

  constructor(private sanitizer: DomSanitizer) {
    this.url =
    this.sanitizer.bypassSecurityTrustHtml(this.dangerousVideoUrl);
 }
}
like image 88
Julia Passynkova Avatar answered Nov 15 '22 06:11

Julia Passynkova
Sign in to Comment

Related questions

md-input-container must contain an mdInput directive?
Trouble injecting service into another service (singleton), Angular2
How to Refresh Browsers after new deploy of Angular2 application
Can't get ag-grid on Angular 2 to work, any recent tutorial?
Ionic 2: How to make a sliding menu from the bottom
Angular 2 keep input form value in bind with the model using getter and setter
Best practice to handle 'handleError ` and `extractData` private methods
splice can't remove the first element in javascript
Angular 2 turn on compatibility mode
How to use types/select2 in a Angular 2 project?
TypeError: index_1.X is not a constructor - Karma - Jasmine - Webpack
Angular 4 - Converting events to observable streams
Angular 2, Cant able to access a variable in one Component from another Component
Best the best way to compare dates using ngIf in angular 2?
Warning: SafeValue must use [property]=binding
Do I need to install Node.js on Production Server to host Angular 2?
Angular 2 : Access play and pause of html5 video tag inside component
How to wait that ngAfterViewInit() runs while creating instance of a component from a directive?
Upgrading AngularJS app to an hybrid Angular-1.6 / Angular-4 kills the perf
How to trigger a change event manually - angular2

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!