نمایش HTML در برنامههای Angular
نویسنده: وحید نصیری
تاریخ: ۱۳۹۶/۰۷/۱۳ ۱۱:۵۰
آدرس: www.dntips.ir
| مطالب | ۳۶۹۴ |
| نویسندگان | ۲۷۶ |
| گروههای مطالب | ۱۰۲۴ |
| نقشههای راه | ۱۱۹ |
| دورهها | ۱۴ |
| اشتراکها | ۱۷۹۱۴ |
export class ShowHtmlComponent {
htmlContent = "Template <script>alert(\"Hello!\")</script> <b>Syntax</b>";
} <h3>Binding innerHTML</h3>
<p>Bound value:</p>
<p>{{htmlContent}}</p>
WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).
<p>Result of binding to innerHTML:</p> <p [innerHTML]="htmlContent"></p>
<p #dataContainer></p>
export class ShowHtmlComponent implements OnInit {
@ViewChild("dataContainer") dataContainer: ElementRef;
ngOnInit() {
this.dataContainer.nativeElement.innerHTML = "nativeElement <script>alert(\"Hello!\")</script> <b>Syntax</b>";
}
}
HTML Attributes – <div [innerHTML]="UNTRUSTED"></div> OR <input value="UNTRUSTED"> Style— <div [style]="height:UNTRUSTED"></div> URL — <a [href]="UNTRUSTED-URL"></a> OR <script [src]="UNTRUSTED-URL"></script> OR <iframe src="UNTRUSTED-URL" /> GET Parameter – <a href="/user?id=UNTRUSTED">link</a> JavaScript Variable – <script> var value='UNTRUSTED';</script>
export class ShowHtmlComponent implements OnInit {
sanitizedHtml: string;
constructor(private sanitizer: DomSanitizer) { }
ngOnInit() {
this.sanitizedHtml = this.sanitizer.sanitize(SecurityContext.HTML, "<b>Sanitize</b><script>attackerCode()</script>");
}
}
SecurityContext.NONE SecurityContext.HTML SecurityContext.STYLE SecurityContext.SCRIPT SecurityContext.URL SecurityContext.RESOURCE_URL
export enum SecurityContext { NONE, HTML, STYLE, SCRIPT, URL, RESOURCE_URL }
export abstract class DomSanitizer implements Sanitizer {
abstract sanitize(context: SecurityContext, value: SafeValue|string|null): string|null;
abstract bypassSecurityTrustHtml(value: string): SafeHtml;
abstract bypassSecurityTrustStyle(value: string): SafeStyle;
abstract bypassSecurityTrustScript(value: string): SafeScript;
abstract bypassSecurityTrustUrl(value: string): SafeUrl;
abstract bypassSecurityTrustResourceUrl(value: string): SafeResourceUrl;
} import { Pipe, PipeTransform } from "@angular/core";
import { DomSanitizer, SafeHtml, SafeResourceUrl, SafeScript, SafeStyle, SafeUrl } from "@angular/platform-browser";
@Pipe({
name: "safe"
})
export class SafePipe implements PipeTransform {
constructor(protected sanitizer: DomSanitizer) { }
public transform(value: any, type: string): SafeHtml | SafeStyle | SafeScript | SafeUrl | SafeResourceUrl {
switch (type) {
case "html":
return this.sanitizer.bypassSecurityTrustHtml(value);
case "style":
return this.sanitizer.bypassSecurityTrustStyle(value);
case "script":
return this.sanitizer.bypassSecurityTrustScript(value);
case "url":
return this.sanitizer.bypassSecurityTrustUrl(value);
case "resourceUrl":
return this.sanitizer.bypassSecurityTrustResourceUrl(value);
default:
throw new Error(`Invalid safe type specified: ${type}`);
}
}
} @NgModule({
imports: [
// ...
],
declarations: [ SafePipe]
}) <p [innerHTML]="htmlContent | safe: 'html'"></p>