I have an textarea
where the user will type in some text. The text cannot be JavaScript or HTML etc. I want to manually sanitize the data and save it to a string.
I cannot figure out how to use DomSanitizationService
to manually sanitize my data.
If I do {{ textare_text }}
on the page then the data is correctly sanitized.
How do I do that manually to a string
I have?
Use the sanitize() Method to Sanitize String in JavaScript The sanitize() method of the Sanitizer interface sanitizes a tree of DOM nodes, removing unwanted elements or attributes. It should be used when the data is already available as DOM nodes, such as when sanitizing a Document instance in a frame.
Input sanitization is a cybersecurity measure of checking, cleaning, and filtering data inputs from users, APIs, and web services of any unwanted characters and strings to prevent the injection of harmful codes into the system.
Sanitization is the inspection of an untrusted value, turning it into a value that's safe to insert into the DOM. In many cases, sanitization doesn't change a value at all. Sanitization depends on context: A value that's harmless in CSS is potentially dangerous in a URL.
You can sanitize the HTML as follows:
import { Component, SecurityContext } from '@angular/core'; import { DomSanitizer, SafeHtml } from '@angular/platform-browser'; @Component({ selector: 'my-app', template: ` <div [innerHTML]="_htmlProperty"></div> ` }) export class AppComponent { _htmlProperty: string = 'AAA<input type="text" name="name">BBB'; constructor(private _sanitizer: DomSanitizer){ } public get htmlProperty() : SafeHtml { return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty); } }
Demo plunker here.
From your comments, you actually want escaping not sanitization.
For this, check this plunker, where we have both escaping and sanitization.
import { Component, SecurityContext } from '@angular/core'; import { DomSanitizer, SafeHtml } from '@angular/platform-browser'; @Component({ selector: 'my-app', template: `Original, using interpolation (double curly braces):<b> <div>{{ _originalHtmlProperty }}</div> </b><hr>Sanitized, used as innerHTML:<b> <div [innerHTML]="sanitizedHtmlProperty"></div> </b><hr>Escaped, used as innerHTML:<b> <div [innerHTML]="escapedHtmlProperty"></div> </b><hr>Escaped AND sanitized used as innerHTML:<b> <div [innerHTML]="escapedAndSanitizedHtmlProperty"></div> </b>` }) export class AppComponent { _originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB'; constructor(private _sanitizer: DomSanitizer){ } public get sanitizedHtmlProperty() : SafeHtml { return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty); } public get escapedHtmlProperty() : string { return this.escapeHtml(this._originalHtmlProperty); } public get escapedAndSanitizedHtmlProperty() : string { return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty)); } escapeHtml(unsafe) { return unsafe.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">") .replace(/"/g, """).replace(/'/g, "'"); } }
The HTML escaping function used above escapes the same chars as angular code does (unfortunately, their escaping function is not public, so we can't use it).
In Angular final you can use like this:
First import "DomSanitizer" from angular platform-browser:
import { DomSanitizer } from '@angular/platform-browser'; import { SecurityContext } from '@angular/core';
Then in constructor :
constructor(private _sanitizer: DomSanitizer){}
Then use in your class like :
var title = "<script> alert('Hello')</script>" title = this._sanitizer.sanitize(SecurityContext.HTML, title);
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With