
feat(security): Add an HTML sanitizer#8453

Merged: mprobst merged 4 commits into angular:master from mprobst:html-sanitizer on May 9, 2016

Conversation


@mprobst mprobst commented May 4, 2016

No description provided.

@mprobst mprobst force-pushed the html-sanitizer branch 2 times, most recently from 4b96dd8 to d873286 Compare May 4, 2016 01:59
@mprobst mprobst added the action: review The PR is still awaiting reviews from at least one requested reviewer label May 4, 2016
Contributor


There are many more tests at https://github.com/angular/angular.js/blob/master/test/ngSanitize/sanitizeSpec.js. Did you intentionally port only a few?

Contributor Author


This is intentional.

Most of the tests in the sanitize spec assert that the parser behaves in a particular way, but this code doesn't actually implement a parser. Effectively we're testing the DOM parser. I presume this was done because ngSanitize at some point implemented its own parser, but it doesn't apply to this code.

@mprobst mprobst force-pushed the html-sanitizer branch 2 times, most recently from 7f2d5aa to 1849927 Compare May 4, 2016 17:55
@mprobst mprobst mentioned this pull request May 6, 2016
@mprobst mprobst force-pushed the html-sanitizer branch 3 times, most recently from d65ad8c to c37debd Compare May 9, 2016 13:44

mprobst commented May 9, 2016

LGTM in https://reviews.angular.io/D108 from @koto.

@mprobst mprobst added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels May 9, 2016
mprobst added 4 commits May 9, 2016 16:00
This is based on Angular 1's implementation, parsing an HTML document
into an inert DOM Document implementation, and then serializing only
specifically whitelisted elements.

It currently does not support SVG sanitization; all SVG elements are
rejected.

If available, the sanitizer uses the `<template>` HTML element as an
inert container.

Sanitization works client and server-side.

Reviewers: rjamet, tbosch, molnarg, koto

Differential Revision: https://reviews.angular.io/D108
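The parse-then-serialize approach the commit message describes, as an added example in JavaScript that is not Angular's code: the markup is parsed into an inert `<template>` fragment, then the tree is walked and only whitelisted elements and attributes are re-emitted, with `href` checked against a safe-URL pattern. The whitelists, the simplified `SAFE_URL` regex, and the constructed stand-in tree used to run the serializer outside a browser are all assumptions of this example.

```javascript
// Added illustration, not Angular's code: serialize a parsed inert DOM tree, keeping only whitelisted markup.
const VALID_ELEMENTS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'span', 'ul', 'ol', 'li']);  // assumed short list
const VALID_ATTRS = new Set(['href', 'title', 'class']);
// href must be http(s)/mailto or relative (simplified from Angular's SAFE_URL_PATTERN).
const SAFE_URL = /^(?:(?:https?|mailto):|[^&:/?#]*(?:[/?#]|$))/i;
const escapeText = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
  .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
// Walks any DOM-compatible tree; returns safe markup plus whether anything was dropped (so callers can warn).
function sanitizeTree(root) {
  let out = '', sanitizedSomething = false;
  const visit = (node) => {
    if (node.nodeType === 3) { out += escapeText(node.nodeValue); return; }  // text node
    if (node.nodeType !== 1) { sanitizedSomething = true; return; }          // comments etc.
    const tag = node.nodeName.toLowerCase();
    if (!VALID_ELEMENTS.has(tag)) {  // drop the element, keep its text; script/style bodies go too
      sanitizedSomething = true;
      if (tag !== 'script' && tag !== 'style') node.childNodes.forEach(visit);
      return;
    }
    out += '<' + tag;
    for (const { name, value } of node.attributes) {
      const attr = name.toLowerCase();
      if (!VALID_ATTRS.has(attr) || (attr === 'href' && !SAFE_URL.test(value))) {
        sanitizedSomething = true;  // unknown attribute (e.g. an event handler) or unsafe URL
        continue;
      }
      out += ' ' + attr + '="' + escapeText(value) + '"';
    }
    out += '>';
    node.childNodes.forEach(visit);
    out += '</' + tag + '>';
  };
  root.childNodes.forEach(visit);
  return { html: out, sanitizedSomething };
}
// Browser entry point: <template>.content is an inert DocumentFragment (no scripts run, nothing loads).
function sanitizeHtml(html) {
  const tpl = document.createElement('template');
  tpl.innerHTML = html;
  return sanitizeTree(tpl.content);
}
// Constructed stand-in for a parsed tree, so the serializer runs without a DOM.
const el = (name, attrs, ...children) => ({ nodeType: 1, nodeName: name,
  attributes: attrs.map(([n, v]) => ({ name: n, value: v })), childNodes: children });
const text = (v) => ({ nodeType: 3, nodeValue: v });
const SAMPLE_TREE = { childNodes: [
  el('p', [['onclick', 'run()']], text('Hi <b>'), el('b', [], text('bold'))),
  el('a', [['href', 'javascript:run()'], ['title', 'x']], text('link')),
  el('script', [], text('run()')) ] };
```

In a browser, `sanitizeHtml(untrusted)` does the real work; `sanitizeTree(SAMPLE_TREE)` shows the same serializer keeping the text and `<b>` while discarding the handler attribute, the unsafe `href`, and the script body.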
@mprobst mprobst merged commit 7a524e3 into angular:master May 9, 2016
@mprobst mprobst deleted the html-sanitizer branch May 26, 2016 16:47

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019