@rjamet

LGTM. Maybe more tests for bad data: types, data:,something, other encodings ?

Good point, done.

Could we also add data:text/plain into the whitelist?

@agpreynolds what's the use case? I can't quite find a CSS property where plain text would be useful? If you want plain text as a background image, I think you'll need to use SVG or a style rule with a content property (where you can just bind text directly).

@mprobst The use case is as a link, such as for allowing users to download a file as a .txt e.g.

<a href="data:text/plain;charset=utf-8,{{encodeCsrFile()}}" download="{{certificate.reference}}.req">Download</a>

I had observed the same behaviour of the url being prepended with 'unsafe:' in RC1. Is it that this is a separate issue to the one you are fixing here?

@agpreynolds I'll defer to @koto and @rjamet, but it seems reasonable to me to require blessing a download with sanitizer.bypassSecurityTrustAsUrl. We're still working on the docs for this (sorry!), in a nutshell you inject DomSanitizationService into your controller, and then call sanitizer.bypassSecurityTrustAsUrl(myValue) to mark the value as "safe to use in a URL context".

It's probably safeish, but there are some reasons to be unsure:

• According to https://msdn.microsoft.com/en-us/library/ms775147(v=vs.85).aspx, very ancient IEs sniff types when presented with text/plain, so hypothetically you could get it rendered as HTML. It's likely to not be the case for a vast majority of users. (see next comment)
• And https://www.w3.org/TR/html5/links.html#following-hyperlinks-0 4.8.3 says <a href="data:..." should render the content as same-origin (though I think only Firefox does so).

Since it's a really edge case, I'd keep it blacklisted, but mostly out of paranoia.

data: uris are only supported since IE 8, and not for documents too, so text/plain upgrade to text/html wouldn't matter here.

Second point still stands. Data: uris are same origin (though some browsers break the spec - actually almost all of them break the spec) and they support scripting.

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_{This action has been performed automatically by a bot.}