
More liberal style sanitization #8514

Closed
2 tasks done
mprobst opened this issue May 6, 2016 · 2 comments

Comments

@mprobst
Contributor

mprobst commented May 6, 2016

Angular's current style sanitizer is very restrictive, effectively only allowing immediate primitive values and rgb()/hsl() pseudo calls. Angular should support additional common pseudo calls, such as the various animation properties rotate, translate, etc. (common in dynamic bindings).

  • support common animation functions (spec)
  • support url() by sanitizing its URL value (spec)
@mprobst
Contributor Author

mprobst commented May 6, 2016

@QuentinFchx @Spittal FYI.

mprobst added a commit to mprobst/angular that referenced this issue May 13, 2016
mprobst added a commit to mprobst/angular that referenced this issue May 14, 2016
mprobst added a commit to mprobst/angular that referenced this issue May 15, 2016
Allows sanitized URLs for CSS properties. These can be abused for information
leakage, but only if the CSS rules are already set up to allow for it. That is,
an attacker cannot cause information leakage without controlling the style rules
present, or a very particular setup.

Fixes angular#8514.
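The sanitizer the issue description asks for, together with the url() caveat from the commit message above, as an added example (my own code, not Angular's style sanitizer and not part of this issue): a style-value sanitizer that accepts primitive values, rgb()/hsl(), common transform functions, and url() only when the embedded URL passes a separate URL check. The `allowedOrigins` parameter is my own addition, assumed here as one way to narrow the information-leak channel the commit message mentions; every name and regex below is illustrative rather than Angular's.

```javascript
// Added example, not Angular's implementation. All names and patterns are my own.

// Bare values: numbers, units, keywords, hex colours, quoted words. The class
// deliberately omits ( ) ; \ < > so expression(), nested calls and escapes fail.
const PRIMITIVE = /^[-,."'%_!#a-zA-Z0-9]+$/;
// Function calls with a flat argument list (digits, units, commas, percentages).
const FN_ARGS = '\\([-0-9.%, a-zA-Z]+\\)';
const COLOR_FN = new RegExp(`^(?:rgb|hsl)a?${FN_ARGS}$`, 'i');
const TRANSFORM_FN = new RegExp(
  `^(?:matrix|translate|scale|rotate|skew|perspective)(?:X|Y|Z|3d)?${FN_ARGS}$`);
// url(...) with an optionally quoted argument; quotes, backslashes and ')' are
// not allowed inside, so the argument can never close the call early.
const URL_FN = /^url\(\s*(?:"([^"'\\)]*)"|'([^"'\\)]*)'|([^)"'\s\\]*))\s*\)$/i;
// URLs accepted inside url(): absolute http(s), relative (no scheme), or base64 images.
const SAFE_URL = /^(?:https?:|[^&:/?#]*(?:[/?#]|$))/i;
const DATA_IMAGE_URL = /^data:image\/(?:gif|jpe?g|png|webp);base64,[a-z0-9+/]+=*$/i;

// Split a value into whitespace-separated tokens, keeping each name(...) call
// together. Returns null on unbalanced or nested parentheses, or on text glued
// directly onto a closing parenthesis (e.g. "rgb(0,0,0)x").
function tokenize(value) {
  const s = value.trim();
  const tokens = [];
  let i = 0;
  while (i < s.length) {
    if (/\s/.test(s[i])) { i++; continue; }
    let j = i;
    while (j < s.length && !/[\s(]/.test(s[j])) j++;
    if (s[j] !== '(') { tokens.push(s.slice(i, j)); i = j; continue; }
    const close = s.indexOf(')', j);
    if (close === -1) return null;                                    // unbalanced
    if (s.slice(j + 1, close).includes('(')) return null;              // nested call
    if (close + 1 < s.length && !/\s/.test(s[close + 1])) return null; // "fn(..)x"
    tokens.push(s.slice(i, close + 1));
    i = close + 1;
  }
  return tokens;
}

// Returns the URL if the browser may fetch it from a style, else null. With
// allowedOrigins set (assumed option, my addition), absolute URLs must also come
// from one of those origins, which limits where a url() can send a request.
function sanitizeCssUrl(url, allowedOrigins) {
  const u = url.trim();
  if (DATA_IMAGE_URL.test(u)) return u;
  if (!SAFE_URL.test(u)) return null;          // javascript:, vbscript:, data:text/html, ...
  if (allowedOrigins && /^https?:/i.test(u)) {
    let origin;
    try { origin = new URL(u).origin; } catch (e) { return null; }
    if (!allowedOrigins.includes(origin)) return null;
  }
  return u;
}

// Sanitize a whole CSS property value. Returns a normalised safe value, or the
// literal string 'unsafe' so a rejected binding renders as a harmless token.
function sanitizeStyle(value, allowedOrigins) {
  const tokens = tokenize(String(value));
  if (tokens === null) return 'unsafe';
  const out = [];
  for (const t of tokens) {
    if (PRIMITIVE.test(t) || COLOR_FN.test(t) || TRANSFORM_FN.test(t)) { out.push(t); continue; }
    const m = URL_FN.exec(t);
    if (!m) return 'unsafe';
    const url = sanitizeCssUrl(m[1] ?? m[2] ?? m[3] ?? '', allowedOrigins);
    if (url === null) return 'unsafe';
    out.push(`url("${url}")`);   // re-quote: the captured URL contains no quote or ')'
  }
  return out.join(' ');
}

// Constructed sample bindings, as a reader might pass them through [style.x] bindings.
console.log(sanitizeStyle('rotate(45deg) translate(10px, 20px)'));
console.log(sanitizeStyle('url(/img/bg.png) no-repeat'));
console.log(sanitizeStyle("url('javascript:alert%281%29')"));
console.log(sanitizeStyle('url(https://evil.example/leak)', ['https://cdn.example']));
```

Run it with node. Values are validated token by token, so `url(/img/bg.png) no-repeat` and chained transforms pass, while anything with nested parentheses, a stray `;`, or a url() scheme other than http(s)/relative/data:image is rejected outright. Note that without `allowedOrigins` an absolute http(s) URL to any host is accepted, which is exactly the request-based leak the commit message describes as depending on the surrounding style rules.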
mprobst added a commit to mprobst/angular that referenced this issue May 17, 2016
@angular-automatic-lock-bot

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019