Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Aria attributes should not be stripped by html sanitizer #26815

Closed
MartinMa opened this issue Oct 29, 2018 · 0 comments

Comments

Projects
None yet
3 participants
@MartinMa
Copy link
Contributor

commented Oct 29, 2018

I'm submitting a...

  • Bug report

Current behavior

Aria attributes like aria-label are being stripped by the html sanitizer as unsafe html.

Expected behavior

Aria attributes should be treated as safe html and not be stripped, when used within [innerHTML].

For a list of supported attributes see https://www.w3.org/TR/html-aria/

Minimal reproduction of the problem with instructions

See https://stackblitz.com/edit/angular-wbkoxx

What is the motivation / use case for changing the behavior?

I'm loading translation strings from a json file (using @ngx-translate/core, since the built-in i18n support is missing important features). Some of them are pulled in via [innerHTML] to keep html tags and attributes intact. Sadly, aria attributes are being stripped altogether.

Is this on purpose? I could not find any hints in the docs or in the source.
Relevant line of code:
https://github.com/angular/angular/blob/master/packages/core/src/sanitization/html_sanitizer.ts#L69

Environment

Angular version: 7.0.1

Browser:
Any

@ngbot ngbot bot added this to the needsTriage milestone Oct 30, 2018

@ngbot ngbot bot modified the milestones: needsTriage, Backlog Nov 29, 2018

MartinMa added a commit to MartinMa/angular that referenced this issue Apr 3, 2019

feat(core): add missing ARIA attributes to html sanitizer
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

MartinMa added a commit to MartinMa/angular that referenced this issue Apr 3, 2019

feat(core): add missing ARIA attributes to html sanitizer
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

MartinMa added a commit to MartinMa/angular that referenced this issue Apr 23, 2019

feat(core): add missing ARIA attributes to html sanitizer
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

IgorMinar added a commit to MartinMa/angular that referenced this issue Apr 25, 2019

feat(core): add missing ARIA attributes to html sanitizer
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

BioPhoton added a commit to BioPhoton/angular that referenced this issue May 21, 2019

feat(core): add missing ARIA attributes to html sanitizer (angular#29685
)

Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

PR Close angular#29685
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.