SafeInnerHtmlDirective class
Sets Element.innerHtml without sanitizing the HTML output.
Requires use of a SafeHtml wrapper created by DomSanitizationService:

    var safeHtml = domSanitizationService.bypassSecurityTrustHtml('...');

(This allows security reviews to easily search for and catch exceptions.)

All elements are allowed, including <script> tags or other elements that could cause cross-site scripting, unsafe URLs, and more. Only trusted data sources should be used when using [safeInnerHtml].
Example use:
    @Component(
      selector: 'my-component',
      directives: const [SafeInnerHtmlDirective],
      template: '''
        <div [safeInnerHtml]="trustedHtml"></div>
      ''',
    )
    class MyComponent {
      /// WARNING: This will be embedded directly into the HTML.
      final SafeHtml trustedHtml;

      MyComponent(DomSanitizationService domSanitizationService)
          : trustedHtml = domSanitizationService.bypassSecurityTrustHtml(
                'I solemnly swear that this <script></script> is OK!');
    }
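The review search mentioned above, as an added example that is not part of the original documentation: a Python script that lists every `bypassSecurityTrustHtml` call and `[safeInnerHtml]` binding in Dart source and marks the calls whose argument is not a single constant string literal. The sample source is constructed, and the constant/dynamic split and the function names are assumptions of this example.

```python
import re

# The opt-out call named on the page, and the template binding that consumes it.
BYPASS_CALL = re.compile(r"\bbypassSecurityTrustHtml\s*\(")
BINDING = re.compile(r"\[safeInnerHtml\]\s*=")
# Heuristic of this example: one Dart string literal, no $ interpolation.
CONST_LITERAL = re.compile(r"""\s*r?(?:'[^'$\\]*'|"[^"$\\]*")\s*,?\s*""")

# Constructed sample: the page's constant call plus one interpolated call.
SAMPLE = """\
const template = '<div [safeInnerHtml]="trustedHtml"></div>';
class MyComponent {
  final SafeHtml trustedHtml;
  MyComponent(DomSanitizationService s)
      : trustedHtml = s.bypassSecurityTrustHtml(
            'I solemnly swear that this <script></script> is OK!');
  SafeHtml greet(DomSanitizationService s, String userName) =>
      s.bypassSecurityTrustHtml('<b>$userName</b>');
}
"""

def call_argument(src, open_idx):
    """Return the text between the '(' at open_idx and its matching ')'."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:                      # inside a string: parentheses don't count
            if ch == "\\":
                i += 1                 # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
            if depth == 0:
                return src[open_idx + 1:i]
        i += 1
    return src[open_idx + 1:]          # unbalanced: hand the rest to the reviewer

def audit(src, path="<memory>"):
    """List (path, line, kind) for every bypass call and safeInnerHtml binding."""
    found = [(path, src.count("\n", 0, m.start()) + 1, "binding")
             for m in BINDING.finditer(src)]
    for m in BYPASS_CALL.finditer(src):
        arg = call_argument(src, m.end() - 1)
        kind = "constant" if CONST_LITERAL.fullmatch(arg) else "dynamic"
        found.append((path, src.count("\n", 0, m.start()) + 1, "bypass-" + kind))
    return sorted(found)
```

A `bypass-dynamic` finding means the trusted wrapper was built from something other than a fixed literal, so a reviewer has to trace where that value comes from.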
Annotations
- @Directive(selector: '[safeInnerHtml]')

Constructors
- SafeInnerHtmlDirective(Element _element)

Properties
- hashCode → int
  The hash code for this object. (no setter, inherited)
- runtimeType → Type
  A representation of the runtime type of the object. (no setter, inherited)
- safeInnerHtml ← dynamic
  (no getter)

Methods
- noSuchMethod(Invocation invocation) → dynamic
  Invoked when a nonexistent method or property is accessed. (inherited)
- toString() → String
  A string representation of this object. (inherited)

Operators
- operator ==(Object other) → bool
  The equality operator. (inherited)