DomSanitizer
DomSanitizer helps preventing Cross Site Scripting Security bugs (XSS) by sanitizing values to be safe to use in the different DOM contexts.
Security risk
Calling any of the bypassSecurityTrust...
APIs disables Angular's built-in
sanitization for the value passed in. Carefully check and audit all values and code paths going
into this call. Make sure any user data is appropriately escaped for this security context.
For more detail, see the Security Guide.
abstract class DomSanitizer implements Sanitizer {
abstract sanitize(context: SecurityContext, value: string | SafeValue): string | null
abstract bypassSecurityTrustHtml(value: string): SafeHtml
abstract bypassSecurityTrustStyle(value: string): SafeStyle
abstract bypassSecurityTrustScript(value: string): SafeScript
abstract bypassSecurityTrustUrl(value: string): SafeUrl
abstract bypassSecurityTrustResourceUrl(value: string): SafeResourceUrl
}
Provided in
-
'root'
Description
For example, when binding a URL in an <a [href]="someValue">
hyperlink, someValue
will be
sanitized so that an attacker cannot inject e.g. a javascript:
URL that would execute code on
the website.
In specific situations, it might be necessary to disable sanitization, for example if the
application genuinely needs to produce a javascript:
style link with a dynamic value in it.
Users can bypass security by constructing a value with one of the bypassSecurityTrust...
methods, and then binding to that value from the template.
These situations should be very rare, and extraordinary care must be taken to avoid creating a Cross Site Scripting (XSS) security bug!
When using bypassSecurityTrust...
, make sure to call the method as early as possible and as
close as possible to the source of the value, to make it easy to verify no security bug is
created by its use.
It is not required (and not recommended) to bypass security if the value is safe, e.g. a URL that does not start with a suspicious protocol, or an HTML snippet that does not contain dangerous code. The sanitizer leaves safe values intact.
Methods
sanitize() | ||||||
---|---|---|---|---|---|---|
Gets a safe value from either a known safe value or a value with unknown safety. |
||||||
Parameters
Returns
|
||||||
If the given value is already a |
bypassSecurityTrustHtml() |
---|
Bypass security and trust the given value to be safe HTML. Only use this when the bound HTML
is unsafe (e.g. contains |
WARNING: calling this method with untrusted user data exposes your application to XSS security risks! |
bypassSecurityTrustStyle() |
---|
Bypass security and trust the given value to be safe style value (CSS). |
WARNING: calling this method with untrusted user data exposes your application to XSS security risks! |
bypassSecurityTrustScript() |
---|
Bypass security and trust the given value to be safe JavaScript. |
WARNING: calling this method with untrusted user data exposes your application to XSS security risks! |
bypassSecurityTrustUrl() |
---|
Bypass security and trust the given value to be a safe style URL, i.e. a value that can be used
in hyperlinks or |
WARNING: calling this method with untrusted user data exposes your application to XSS security risks! |
bypassSecurityTrustResourceUrl() | |||
---|---|---|---|
Bypass security and trust the given value to be a safe resource URL, i.e. a location that may
be used to load executable code from, like |
|||
Parameters
Returns |
|||
WARNING: calling this method with untrusted user data exposes your application to XSS security risks! |