New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(core): traverse and sanitize content of unsafe elements #28804
Conversation
I marked this as |
d52e3fd
to
37b6644
Compare
// Typically, `<invalid>Some content</invalid>` would traverse (and in this case preserve) | ||
// `Some content`, but strip `invalid-element` opening/closing tags. For some elements, though, we | ||
// don't want to preserve the content, if the elements themselves are going to be removed. | ||
const SKIP_TRAVERSING_CONTENT_IF_INVALID_ELEMENTS = tagSet('script,style'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should template
be included here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🤷♂️
Probably, I guess 😁 Added.
37b6644
to
d787173
Compare
// Typically, `<invalid>Some content</invalid>` would traverse (and in this case preserve) | ||
// `Some content`, but strip `invalid-element` opening/closing tags. For some elements, though, we | ||
// don't want to preserve the content, if the elements themselves are going to be removed. | ||
const SKIP_TRAVERSING_CONTENT_IF_INVALID_ELEMENTS = tagSet('script,style,template'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I know you didn't do tagSet
, but why not pass an array of elements directly instead of splitting. Surely it would reduce overhead and maybe even help with minification
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was trying to remain consistent with the rest of the file 🤔
c3635bf
to
b66a95e
Compare
In the past, the sanitizer would remove unsafe elements, but still traverse and sanitize (and potentially preserve) their content. This was problematic in the case of `<style></style>` tags, whose content would be converted to HTML text nodes. In order to fix this, the sanitizer's behavior was changed in angular#25879 to ignore the content of _all_ unsafe elements. While this fixed the problem with `<style></style>` tags, it unnecessarily removed the contents for _any_ unsafe element. This was an unneeded breaking change. This commit partially restores the old sanitizer behavior (namely traversing content of unsafe elements), but introduces a list of elements whose content should not be traversed if the elements themselves are considered unsafe. Currently, this list contains `style`, `script` and `template`. Related to angular#25879 and angular#26007. Fixes angular#28427
b66a95e
to
9068876
Compare
In the past, the sanitizer would remove unsafe elements, but still traverse and sanitize (and potentially preserve) their content. This was problematic in the case of `<style></style>` tags, whose content would be converted to HTML text nodes. In order to fix this, the sanitizer's behavior was changed in #25879 to ignore the content of _all_ unsafe elements. While this fixed the problem with `<style></style>` tags, it unnecessarily removed the contents for _any_ unsafe element. This was an unneeded breaking change. This commit partially restores the old sanitizer behavior (namely traversing content of unsafe elements), but introduces a list of elements whose content should not be traversed if the elements themselves are considered unsafe. Currently, this list contains `style`, `script` and `template`. Related to #25879 and #26007. Fixes #28427 PR Close #28804
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
PR Checklist
Docs have been added / updated (for bug fixes / features)PR Type
What is the current behavior?
In the past, the sanitizer would remove unsafe elements, but still traverse and sanitize (and potentially preserve) their content. This was problematic in the case of
<style></style>
tags, whose content would be converted to HTML text nodes.In order to fix this, the sanitizer's behavior was changed in #25879 to ignore the content of all unsafe elements. While this fixed the problem with
<style </style>
tags, it unnecessarily removed the contents for any unsafe element. This was an unneeded breaking change.Issue Number: #28427
What is the new behavior?
This commit partially restores the old sanitizer behavior (namely traversing content of unsafe elements), but introduces a list of elements whose content should not be traversed if the elements themselves are considered unsafe. Currently, this list contains
style
andscript
.Does this PR introduce a breaking change?
...this PR does introduce a change in behavior, but only to fix a previous change in behavior that was a regression.
Other information
Related to #25879 and #26007.
Fixes #28427.