Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

template is sanitized by Angular #2039

Closed
its-dibo opened this issue Jan 18, 2020 · 10 comments · Fixed by #2090
Closed

template is sanitized by Angular #2039

its-dibo opened this issue Jan 18, 2020 · 10 comments · Fixed by #2090
Labels
enhancement

Comments

@its-dibo
Copy link 

{
      key: "test",
      template: `test: <input>`,
      templateOptions: {
        label: "test"
      }
    }

WARNING: sanitizing HTML stripped some content, see http://g.co/ng/security#xss

this causes that not being rendered.
@its-dibo its-dibo added the bug label Jan 18, 2020
@aitboudad
Copy link
Member

use sanitizer service:

import { DomSanitizer } from '@angular/platform-browser';
...

fields: = [{
  key: "test",
  template: this.sanitizer.bypassSecurityTrustHtml(`test: <input>`),
  templateOptions: {
    label: "test"
  }
}];

constructor(private sanitizer: DomSanitizer) {}

@its-dibo
Copy link
Author

I know about sanitizer service, but I mean that formly should do bypassSecurityTrustHtml() for template value by default

@aitboudad aitboudad added enhancement and removed bug labels Jan 18, 2020
@aitboudad
Copy link
Member

ok, I'll mark this as a feature, adding an extra option to mark it safe but not by default:

fields: = [{
  key: "test",
  template: `test: <input>`,
  templateOptions: {
+    safeHtml: true
  }
}];

@aitboudad aitboudad reopened this Jan 18, 2020
@its-dibo
Copy link
Author

its-dibo commented Jan 18, 2020
edited

I'm voting up for this feature, but what is the problem with making it safe by default, the template value is not dynamically created *i.e via an API call).

just to know your opinion.

@aitboudad
Copy link
Member

with the problem with making it safe by default?

  1. Breaking change
  2. Consistency with angular HTML binding behavior
  3. Devs should be aware of enabling this feature (in case the template is controlled by end-users/dynamically created).

@its-dibo
Copy link
Author

its-dibo commented Feb 9, 2020
edited

use sanitizer service:

import { DomSanitizer } from '@angular/platform-browser';
...

fields: = [{
  key: "test",
  template: this.sanitizer.bypassSecurityTrustHtml(`test: <input>`),
  templateOptions: {
    label: "test"
  }
}];

constructor(private sanitizer: DomSanitizer) {}

keep in mined that this method will cause error TS2322: Type 'SafeHtml' is not assignable to type 'string'.

we may use

  template: this.sanitizer.bypassSecurityTrustHtml(`test: <input>`)[
            "changingThisBreaksApplicationSecurity"
          ]

which is not recommended

@aitboudad aitboudad mentioned this issue Feb 11, 2020
Merged
aitboudad added a commit that referenced this issue Feb 11, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
600e9e6 
fix #2039
aitboudad added a commit that referenced this issue Feb 12, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
46c5f9a 
fix #2039
aitboudad added a commit that referenced this issue Feb 20, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
50013bc 
fix #2039
aitboudad added a commit that referenced this issue Mar 6, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
3860669 
fix #2039
aitboudad added a commit that referenced this issue Mar 14, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
0642497 
fix #2039
aitboudad added a commit that referenced this issue Mar 17, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
d8eb124 
fix #2039
aitboudad added a commit that referenced this issue Mar 17, 2020
@aitboudad
feat(core): add safeHtml opt to bypass sanitizing template HTML… (#2090)
bbd7009 
fix #2039
@aitboudad
Copy link
Member

This issue has been fixed and released as part of v5.6.0 release.

Please let us know, in case you are still encountering a similar issue/problem.
Thank you!

@its-dibo
Copy link
Author

wow, great news. ❤
I will give a try and give you a feedback.

@its-dibo
Copy link
Author

did'nt work
https://stackblitz.com/edit/formly-dynamic-checkboxes?file=src%2Fapp%2Fapp.component.ts

also please check this issue

I updated formly to the latest version.

@aitboudad
Copy link
Member 

  fields: [{
    key:"categories",
    template:'<input type="checkbox" name="test" value="ok"/> test<br />',
-    safeHtml: true
+    templateOptions: {
+      safeHtml: true
+    }
  }],

@aorlowski-g aorlowski-g mentioned this issue Jul 21, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(core): add safeHtml opt to bypass sanitizing template HTML content
2 participants
@aitboudad @its-dibo