securityContext method

@override
TemplateSecurityContext securityContext(
  String tagName,
  String propName
)

securityContext returns the security context for the given property on the given DOM tag.

Tag and property names are statically known and cannot change at runtime, i.e. it is not possible to bind a value into a changing attribute or tag name.

The filtering is allow-list based. All attributes in the schema above are assumed to have the 'NONE' security context, i.e. they are treated as safe, inert string values. Only specific, well-known attack vectors are assigned their appropriate context.

Implementation

@override
TemplateSecurityContext securityContext(String tagName, String propName) {
  if (_SECURITY_SCHEMA.isEmpty) {
    _initializeSecuritySchema();
  }
  var key = '$tagName|$propName';
  return _SECURITY_SCHEMA[key] ??
      _SECURITY_SCHEMA['*|$propName'] ??
      TemplateSecurityContext.none;
}
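
The lookup order above (exact 'tag|prop' key, then the '*|prop' wildcard, then none) can be checked with a small regression audit. This is an added example, not AngularDart's own code: `Ctx`, `schema`, `lookup` and `audit` are hypothetical stand-ins, and the schema entries are constructed samples rather than the contents of `_SECURITY_SCHEMA`.

```dart
// Stand-in for TemplateSecurityContext (hypothetical, for this example only).
enum Ctx { none, html, style, script, url, resourceUrl }

// Constructed sample entries in the 'tag|prop' key format used by the method.
const schema = <String, Ctx>{
  '*|innerHTML': Ctx.html,
  '*|style': Ctx.style,
  'a|href': Ctx.url,
  'img|src': Ctx.url,
  'iframe|src': Ctx.resourceUrl,
};

// Same resolution order as securityContext: exact key, wildcard tag, then none.
Ctx lookup(String tagName, String propName) =>
    schema['$tagName|$propName'] ?? schema['*|$propName'] ?? Ctx.none;

// Returns one message per binding whose resolved context differs from the
// expected one, so a schema change that drops an entry is caught in review.
List<String> audit(Map<String, Ctx> expected) {
  final failures = <String>[];
  expected.forEach((key, want) {
    final parts = key.split('|');
    final got = lookup(parts[0], parts[1]);
    if (got != want) failures.add('$key: expected $want, got $got');
  });
  return failures;
}

void main() {
  final failures = audit({
    'iframe|src': Ctx.resourceUrl, // exact entry
    'img|src': Ctx.url, // exact entry; this sample has no '*|src' wildcard
    'div|innerHTML': Ctx.html, // no 'div|innerHTML' key, uses '*|innerHTML'
    'div|title': Ctx.none, // unlisted property is treated as inert
    'A|HREF': Ctx.none, // key is built from the arguments unchanged, so
    // names must be passed in the same case as the schema keys
  });
  failures.forEach(print);
  if (failures.isNotEmpty) throw StateError('unexpected security context');
  print('all bindings resolved as expected');
}
```

Because any unlisted property resolves to none, an audit like this is most useful when it lists every binding that must keep a non-none context.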