
fix: security issue with sanitizer #5

Merged
merged 1 commit into from
May 26, 2018
Conversation

jeremyben
Contributor

Hi,
First, thank you for your library as it helped me to quickly ship an app while I was still learning Angular.

Now, you don't want to use the bypassSecurityTrustHtml method to bind some HTML (especially since it's just for <br> tags), as you bypass the built-in Angular sanitizer, and add an avoidable vulnerability to XSS attacks.

You should use the sanitize method with the right security context. Here are the API references:
https://angular.io/api/platform-browser/DomSanitizer#sanitize
https://angular.io/api/core/SecurityContext

Better than that, thanks to Angular, binding HTML with the [innerHtml] property automatically sanitizes the HTML for you with the right security context. So you don't even need to sanitize beforehand.

I still kept the sanitization as an optional parameter, if you want to use the transform method elsewhere.

In the end, I strongly recommend you and the users of your library to patch this security issue. 👍
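The vulnerable pattern and the fix described in this PR, as an added example that is not the library's code or the merged diff: it is written against a minimal structural stand-in for Angular's DomSanitizer (the `SecurityContext` enum, the `HtmlSanitizer` interface and the `demoSanitizer` stub are constructed here so the snippet runs offline; in a real Angular pipe you inject `DomSanitizer` and pass `SecurityContext.HTML`).

```typescript
// Constructed stand-ins mirroring the shape of Angular's DomSanitizer.sanitize()
// and SecurityContext.HTML; they are not Angular's implementation.
enum SecurityContext { NONE = 0, HTML = 1 }

interface HtmlSanitizer {
  sanitize(context: SecurityContext, value: string): string | null;
}

// Demo sanitizer: keeps <br> / <br/> tags, escapes every other tag so it
// renders as text instead of markup. Angular's real sanitizer is far richer.
const demoSanitizer: HtmlSanitizer = {
  sanitize(_context: SecurityContext, value: string): string {
    return value.replace(/<(?!br\s*\/?>)[^>]*>/gi, (tag) =>
      tag.replace(/</g, '&lt;').replace(/>/g, '&gt;'));
  },
};

// Vulnerable shape: newline-to-<br>, after which the original library marked
// the result trusted via bypassSecurityTrustHtml. Any tag in `text` reaches
// the DOM untouched, so attacker-controlled text becomes live markup.
function nl2brUnsafe(text: string): string {
  return text.replace(/\r?\n/g, '<br>');
}

// Fixed shape: same transform, but the HTML passes through sanitize() with
// the HTML security context. Sanitizing is optional (as in the PR) because
// binding the result with [innerHtml] makes Angular sanitize it anyway.
class Nl2brPipe {
  constructor(private sanitizer: HtmlSanitizer) {}

  transform(text: string, sanitize: boolean = true): string {
    const html = text.replace(/\r?\n/g, '<br>');
    if (!sanitize) {
      return html;
    }
    return this.sanitizer.sanitize(SecurityContext.HTML, html) ?? '';
  }
}

// Constructed sample input: user text carrying a script element.
const sampleInput = 'line one\n<script>steal()</script>\nline two';
```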

@tvicpe tvicpe merged commit 3b60c7a into tvicpe:master May 26, 2018