Sanitizing HTML warning for Cyrillic symbols

[firov]

I'm submitting a bug report (check one with "x")

[x] bug report
[ ] feature request
[ ] support request => Please do not submit support request here, instead see https://github.com/angular/angular/blob/master/CONTRIBUTING.md#question

Current behavior

Angular html binding with Cyrillic symbols generates warning:
WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).

Expected/desired behavior
No error

Reproduction of the problem
http://plnkr.co/edit/smQk5PksQGtKLeezdvEr

Please tell us about your environment:

• Angular version: 2.0.0-rc.4
• Browser: [Chrome 51 ]
• Language: [all]

[vicb]

/cc @mprobst

[mprobst]

@rjamet do you remember/know why our HTML sanitizer turns everything non-ASCII into entity references (ü --> ü)? It seems overkill to me, and is causing these somewhat annoying spurious error messages.

Are we aware of any browser we want to support (> IE9) that would have issues with misinterpreting properly serialized UTF-16 when assigning into innerHtml? It seems to me that we could just as well only escape the usual XML/HTML special characters (< --> &lt;, & --> &).

[mprobst]

@firov btw the warning is harmless, this is just because cycling through sanitization changes your cyrillic characters from the proper encoded representation into decimal entities. It's annoying, but shouldn't cause any actual issues.

[firov]

@mprobst yeah i understand that, so this is not vital but if you have fully localized application with some 3d party library that uses html binding, that can cause a lot of spam. So may be some opportunity to silent this warnings?

[mprobst]

@firov ack, we should do something about this, you're not the first person to run into it.

I think our best bet is to simply not escape the unicode characters, which should hopefully cover most use cases. I'm reluctant to make it a setting or something like that, as that just increases conceptual overhead (and then every developer has to enable the setting). I'm deferring the decision on whether that is safe to our friendly neighborhood security reviewer @rjamet though.

[rjamet]

(+@koto)

This is done to prevent encoding-related bugs, and general mXSS concerns. That canonicalization is useful security-wise, so I'd rather keep it in place. Just to make sure: that step isn't a concern for your use, @firov?

It's probably the warning that needs fixing, but I'm not sure we can untangle safely the encoding from the sanitization. That would probably mean a second pass on the content, since the encoding appears to be done on the DOM serialization step :/

Alternatively, the sanitizer could keep a flag around during sanitization that turns to true only on content removal / sanitization, and let that trigger the warning. This might not warn on everything (like the mXSS checks at the beginning), but it would be faster and less likely to affect security. Sounds like the best solution here.

Relevant file: https://github.com/angular/angular/blob/master/modules/%40angular/platform-browser/src/security/html_sanitizer.ts

[firov]

@rjamet Yes, only warning itself is a problem even if it is visible only in developer mode.

[angular-automatic-lock-bot]

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}