With all due respect this is simply stupid

this.safeStyleValue = sanitizer.bypassSecurityTrustStyle('rotate(90deg)')

Angular2 should have an internal list of dangerous styles and pass them through that ugly function without the user knowing about, this way sanitization can even be optional `provide(Sanitization, {useValue: true/false`` (or whatever)

PLEASE don't make the dom handling the new router, PLEASE

@ericmartinezr we should improve our CSS sanitization whitelist, stuff like rotate(7deg) should be reasonable to detect. We'll have an issue on that.

That being said, you cannot build security by detecting dangerous patterns. There's always some odd browser or some crazy escaping hack that would break app security, so having a list of dangerous patterns won't work. See e.g. OWASP's resources on XSS prevention for more documentation.

you cannot detect all dangerous patterns

In that case angular2 shouldn't do anything about it, or you provide full security or you provide none. Let the user handle the security of his/her own application, and in that case (again), Sanitization optional would be a solution/workaround. If I know angular2 can't provide full security, I turn sanitization off and I do it myself, if I know it will provide little security (and I'm ok with that) I turn it on and I fill the gaps ng2 can't (use that ugly function above, or any other).

Yes, please let this be opt-in or at least able to be turned off.

If your styles are 100% app code generated or you properly sanitize content then it's not required.

I filed #8511 for a general tracking bug on this, let's move the discussion there (this PR is only about documenting it).

@ericmartinezr the whitelist implementation is fully secure, by only allowing known to be safe values. I'm just explaining why we cannot have a blacklist based implementation as you suggested.

lgtm

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}