Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Angular sanitizing url to be used in an iframe's src [duplicate]

Tags:

angular

iframe

sanitize

angular-dom-sanitizer

I'm trying to construct an url to pass it inside the src attributes of an iframe. But I always get the exception unsafe value used in a resource URL context and I'm struggling to understand how to correctly sanitize the url.

I could make it work with domSanitizer.bypassSecurityTrustResourceUrl(myCustomUrlAsString) but from what I understand, by doing so, I'm just disabling the security. Even tho it could be acceptable as the url is not constructed with any user input, I want to understand how the sanitization work.

My ng component code:

export class MyAngularComponent implements OnInit {
   public url: SafeResourceUrl | null;
   
   constructor(private domSanitizer: DomSanitizer) {}

   ngOnInit() {
       const url = new URL('https://example.org?param1=foo');
       this.url = this.domSanitizer.sanitize(SecurityContext.URL, url.toString());
   }
}

My template: <iframe [src]="url" width="100%" height="100%"></iframe>

When checking the sanitized value, it's just a string or that same url. But the template rendering triggers the exception. Shouldn't the sanitize function return a Safe Url to avoid this exception? Or should I had the bypassSecurityTrustResourceUrl in any case after the sanitize?

Tx for the help

like image 431
ylerjen Avatar asked Sep 18 '25 07:09

ylerjen

1 Answers

Let say we are passing invalid URL to bypassSecurityTrustResourceUrl directly, It will assume we are passing valid url and return SafeResourceUrl object without throwing any error.

Example

const invalidURL = `javascript:alert('Moar XSS!')`;
const url = this.domSanitizer.sanitize(SecurityContext.URL,invalidURL);
//It will skip validing URL and will not throw any error.

sanitize method will add additional check to make the url safe to use.

const invalidURL = `javascript:alert('Moar XSS!')`;
const url = this.domSanitizer.sanitize(SecurityContext.URL, url.toString());
//This additional check will ensure the above string is invalid string.
this.domSanitizer.bypassSecurityTrustResourceUrl(url);

It is better practice to use the sanitize URL before passing it to the bypassSecurityTrustResourceUrl method to make the url safe.

const url = this.domSanitizer.sanitize(SecurityContext.URL, url.toString());
this.url = this.domSanitizer.bypassSecurityTrustResourceUrl(url);
like image 113
Chellappan வ Avatar answered Sep 19 '25 21:09

Chellappan வ
Sign in to Comment

Related questions

Dockerfile for angular-cli application returns ng: command not found
How to enable noData with highcharts and angular
ngRouterOutlet and component lifecycle - problem with rendering custom template
Can't use SASS variables in Angular from global file, despite other styles working
Detect bottom scroll
How to watch service variable in Angular 6
Why does a link load so much slower when using href instead of routerLink with angular 2+?
Odd behavior rendering dynamically type of input type checkbox Angular 2+
How to set two way binding without using ngModel in Angular Material
Check in template if variable is an array, string, number
Adding simple upload adapter to ckeditor in Angular
Docker build fails and exit with error code 139
Angular 13 + jest + Angular library not working
AWS Lambda@Edge append querystring to response
Angular 9 - parse each parameter for a given url
How to spy on methods of service when the service is provided in the root of Component
Angular: how to inject multiple instance of abstract service
rxjs, recursively call api until all items are fetched
Deployed my Angular app on GitHub pages but errors coming on website in console

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!