fix(core): allow css custom variables/properties in the style sanitizer #33841

Closed
wants to merge 2 commits into from

Conversation

IgorMinar (Member) commented Nov 15, 2019

best reviewed commit-by-commit

@IgorMinar IgorMinar requested review from angular/fw-core as code owners Nov 15, 2019
@googlebot googlebot added the cla: yes label Nov 15, 2019
IgorMinar added 2 commits Nov 15, 2019
This change enables "var(--my-var)" to pass through the style sanitizer.

After consultation with our security team, allowing these doesn't create
new attack vectors, so the sanitizer doesn't need to strip them.

Fixes the parts of #23485 related to the sanitizer; the other use cases discussed
there, related to binding, have been addressed via other changes to the
class and style handling in the runtime.

Closes #23485
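As an added example (this is not Angular's sanitizer; the regex fragments, the `sanitizeStyle`, `hasBalancedQuotes` and `sanitizeAll` names, and the sample values are all constructed here), the TypeScript below shows the allow-list approach the commit message refers to and why letting `var(--my-var)` through is a narrow change: `var` joins the set of function names whose single, flat argument list is accepted, so a custom-property reference passes while `expression(...)`, a nested `var(--x, url(javascript:...))` and a `javascript:` URL still fail the pattern.

```typescript
// Added example, not Angular's own sanitizer: a small allow-list style-value
// sanitizer in the same style as the one this PR changes. A value that matches
// the allow-list is returned unchanged; anything else becomes 'unsafe'.
// Hypothetical names: sanitizeStyle, hasBalancedQuotes, sanitizeAll, SAMPLE_VALUES.

// Plain values: keywords, lengths, colours, font lists ("Arial, sans-serif").
const VALUES = '[-,."\'%_!# a-zA-Z0-9]+';
// Function names whose arguments are checked by FN_ARGS below.
const TRANSFORMATION_FNS = '(?:matrix|translate|scale|rotate|skew|perspective)(?:X|Y|Z|3d)?';
const COLOR_FNS = '(?:rgb|hsl)a?';
const GRADIENTS = '(?:repeating-)?(?:linear|radial)-gradient';
// var() is the function this PR lets through, next to attr() and calc().
const CSS3_FNS = '(?:attr|calc|var)';
// One flat argument list: no nested parentheses, so var(--x, url(...)) and
// expression(alert(1)) cannot match.
const FN_ARGS = '\\([-0-9.%, #a-zA-Z]+\\)';

const SAFE_STYLE_VALUE = new RegExp(
  `^(${VALUES}|(?:${TRANSFORMATION_FNS}|${COLOR_FNS}|${GRADIENTS}|${CSS3_FNS})${FN_ARGS})$`);

// url(...) is handled separately: the inner URL must use an allow-listed scheme
// or be a relative reference (simplified compared with a full URL sanitizer).
const URL_RE = /^url\(([^)]+)\)$/;
const SAFE_URL_RE = /^(?:(?:https?|mailto|ftp|tel|file|sms):|[^&:/?#]*(?:[/?#]|$))/i;

// VALUES admits quote characters, so require them to be paired; an unbalanced
// quote could otherwise swallow a following declaration when values are joined.
function hasBalancedQuotes(value: string): boolean {
  let outsideSingle = true;
  let outsideDouble = true;
  for (let i = 0; i < value.length; i++) {
    const c = value[i];
    if (c === '\'' && outsideDouble) outsideSingle = !outsideSingle;
    else if (c === '"' && outsideSingle) outsideDouble = !outsideDouble;
  }
  return outsideSingle && outsideDouble;
}

function sanitizeStyle(value: string): string {
  value = value.trim();
  if (!value) return '';
  const urlMatch = value.match(URL_RE);
  if (urlMatch) {
    return SAFE_URL_RE.test(urlMatch[1]) ? value : 'unsafe';
  }
  return SAFE_STYLE_VALUE.test(value) && hasBalancedQuotes(value) ? value : 'unsafe';
}

// Constructed sample inputs: the first five should pass, the rest be rejected.
const SAMPLE_VALUES: string[] = [
  'var(--my-var)',
  'var(--brand-color, #336699)',
  'calc(100% - 2em)',
  '1px solid #fff',
  'url(https://example.com/a.png)',
  'expression(alert(1))',
  'var(--x, url(javascript:alert(1)))',
  'url(javascript:alert)',
  '\'unbalanced',
];

function sanitizeAll(values: string[]): Record<string, string> {
  const out: Record<string, string> = {};
  for (const v of values) out[v] = sanitizeStyle(v);
  return out;
}

const results = sanitizeAll(SAMPLE_VALUES);
for (const v of SAMPLE_VALUES) console.log(`${v} -> ${results[v]}`);
```

The point to keep in mind when extending such an allow-list is that `var(--name)` only refers to a custom property declared elsewhere; what the sanitizer still has to enforce is that the argument list stays flat, so the new function name cannot be used to smuggle a disallowed function or URL past the pattern.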
@IgorMinar IgorMinar force-pushed the IgorMinar:core/style-sanitizer-var branch from b046dba to a8e79f6 Nov 15, 2019
originalLog = console.warn; // Monkey patch DOM.log.
console.warn = (msg: any) => logMsgs.push(msg);
});
describe('Style sanitizer', () => {
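Review bot: the comment on the first line, `// Monkey patch DOM.log.`, no longer describes the line; it saves and replaces `console.warn`, so `// Monkey patch console.warn.` would be accurate. Since `originalLog` is saved here, the `describe('Style sanitizer', ...)` block should also restore `console.warn = originalLog` in an `afterEach`, so the patch does not leak into other suites; that teardown is not visible in this excerpt.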

IgorMinar (Author, Member) Nov 15, 2019

no content changes here, just reformatting and stripping of t.

mary-poppins commented Nov 15, 2019 (comment minimized)

IgorMinar (Member, Author) commented Nov 15, 2019

g3 failures are unrelated

@ngbot ngbot bot added this to the needsTriage milestone Nov 20, 2019
alxhub added a commit that referenced this pull request Nov 20, 2019
…er (#33841)

This change enables "var(--my-var)" to pass through the style sanitizer.

After consultation with our security team, allowing these doesn't create
new attack vectors, so the sanitizer doesn't need to strip them.

Fixes the parts of #23485 related to the sanitizer; the other use cases discussed
there, related to binding, have been addressed via other changes to the
class and style handling in the runtime.

Closes #23485

PR Close #33841
@alxhub alxhub closed this in 6a5475f Nov 20, 2019