DomSanitizationService class
DomSanitizationService helps prevent Cross-Site Scripting (XSS) security bugs by sanitizing values so that they are safe to use in the different DOM contexts.
For example, when binding a URL in an <a [href]="someUrl"> hyperlink, someUrl will be sanitized so that an attacker cannot inject a javascript: URL that would execute code on the website.
In specific situations, it might be necessary to disable sanitization, for example if the application genuinely needs to produce a javascript: style link with a dynamic value in it.
Users can bypass security by constructing a value with one of the bypassSecurityTrust... methods, and then binding to that value from the template.
These situations should be very rare, and extraordinary care must be taken to avoid creating a Cross Site Scripting (XSS) security bug!
When using bypassSecurityTrust..., make sure to call the method as early as possible and as close as possible to the source of the value, to make it easy to verify that no security bug is created by its use.
It is not required (and not recommended) to bypass security if the value is safe, for example, a URL that does not start with a suspicious protocol, or an HTML snippet that does not contain dangerous code. The sanitizer leaves safe values intact.
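As an added example (not code from the AngularDart documentation or from the framework itself), the following component applies the guidance above: the bypass is made exactly once, where the value originates, from a constant the application controls, while a user-supplied URL is bound as a plain String so the sanitizer keeps working on it. The component name, selector, template, the global launchDesktopApp function, the trustIfAllowlisted helper and its scheme allowlist are all assumed for illustration; package:angular/security.dart is assumed to be the import that exports DomSanitizationService and SafeUrl.

```dart
import 'package:angular/angular.dart';
import 'package:angular/security.dart';

/// Hypothetical component (added illustration, not from the AngularDart
/// docs). The bypassSecurityTrust... call sits at the single point where the
/// trusted value is produced, not spread across template or view logic.
@Component(
  selector: 'launch-link',
  template: '''
    <a [href]="launchUrl">Open in desktop app</a>
    <a [href]="profileUrl">Profile</a>
  ''',
)
class LaunchLinkComponent {
  final DomSanitizationService _sanitizer;

  /// Built once from a constant the application controls. This is the only
  /// place that marks a javascript: URL as trusted, so auditing the bypass
  /// means reviewing this one initializer.
  final SafeUrl launchUrl;

  /// User-controlled and bound as a plain String, so the URL sanitizer stays
  /// in effect for it: a value such as 'javascript:alert(1)' is rejected by
  /// the binding instead of being rendered as an executable link.
  @Input()
  String? profileUrl;

  LaunchLinkComponent(this._sanitizer)
      // launchDesktopApp() is an assumed page-global function.
      : launchUrl = _sanitizer
            .bypassSecurityTrustUrl('javascript:launchDesktopApp()');
}

/// Assumed allowlist of custom schemes the sanitizer would otherwise reject.
const Set<String> _trustedSchemes = {'myapp:', 'otherapp:'};

/// Hypothetical helper for the case where the dynamic value is not a constant:
/// bypass only for values whose scheme is on an explicit allowlist, and return
/// everything else unchanged as a String so the template binding sanitizes it
/// exactly as it would an unbypassed value.
Object trustIfAllowlisted(DomSanitizationService sanitizer, String url) {
  final normalized = url.trimLeft().toLowerCase();
  for (final scheme in _trustedSchemes) {
    if (normalized.startsWith(scheme)) {
      return sanitizer.bypassSecurityTrustUrl(url);
    }
  }
  // Not allowlisted: the raw String goes back to the binding, where the
  // sanitizer leaves a safe value such as 'https://example.com/' intact and
  // rejects a javascript: URL.
  return url;
}
```

The allowlist check lowercases and trims the value before comparing, because browsers treat the scheme case-insensitively and ignore leading whitespace; a check against the raw string would let "JavaScript:" or " myapp:..." slip past the comparison the developer intended.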
Annotations
- @Injectable()
Constructors
- DomSanitizationService() (factory)
Properties
- hashCode → int
  The hash code for this object. No setter; inherited.
- runtimeType → Type
  A representation of the runtime type of the object. No setter; inherited.
Methods
- bypassSecurityTrustHtml(String? value) → SafeHtml
  Bypass security and trust the given value to be safe HTML.
- bypassSecurityTrustResourceUrl(String? value) → SafeResourceUrl
  Bypass security and trust the given value to be a safe resource URL, i.e. a location that may be used to load executable code from, like
- bypassSecurityTrustStyle(String? value) → SafeStyle
  Bypass security and trust the given value to be a safe style value (CSS).
- bypassSecurityTrustUrl(String? value) → SafeUrl
  Bypass security and trust the given value to be a safe URL, i.e. a value that can be used in hyperlinks or <iframe src>.
- noSuchMethod(Invocation invocation) → dynamic
  Invoked when a nonexistent method or property is accessed. Inherited.
- sanitizeHtml(dynamic value) → String?
- sanitizeResourceUrl(dynamic value) → String?
- sanitizeStyle(dynamic value) → String?
- sanitizeUrl(dynamic value) → String?
- toString() → String
  A string representation of this object. Inherited.
Operators
- operator ==(Object other) → bool
  The equality operator. Inherited.