Angular DomSanitizer - SecurityContext.NONE - McMap

About

Angular DomSanitizer - SecurityContext.NONE

Asked 4/6, 2017 at 13:29 Answered 4/6, 2017 at 13:43

Solved angular dom sanitization html-sanitizing angular-dom-sanitizer

C

1

9

Official Angular Security Guide speaks about 4 security contexts: HTML, Url, Style and Resource Url.
Each one is responsible for sanitizing corresponding type of resource.
In addition, there are 5 methods (per resource type) in DomSanitizer service

 - bypassSecurityTrustHtml 
 - bypassSecurityTrustScript
 - bypassSecurityTrustStyle 
 - bypassSecurityTrustUrl
 - bypassSecurityTrustResourceUrl

However, I didn't find any mention of SecurityContext.NONE in official documentation. And it's does exist in the code.

I would assume that it aggregates all the resource types, meaning the resource being sanitized can be HTML, which contains styling and scripts.

Is that the case? Any official source?

Corfu answered 4/6, 2017 at 13:29 Comment(0)

C

15

Apparently, if we use domSanitizer.sanitize with SecurityContext.NONE, it won't perform any sanitation and will return the value as is.

Thus, this will allow HTML with embedded URLs, styling and scripts.

Therefore it is highly recommended not to use this in your code.

Corfu answered 4/6, 2017 at 13:43 Comment(2)

They really could enhance their documentation... Terrible to not have this documented after all this time... – Titanomachy 11/2, 2020 at 18:3

That's... extremely scary. I'd assumed that "None" meant "Completely Untrusted", and it turns out it meant "Completely Trustworthy". – Patriarchate 21/1, 2021 at 12:39

Recommended topics

#Godot #Unity #Godot 4.X #Mongodb

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

© 2022 - 2024 — McMap. All rights reserved.