Reputation: 12123
Angular DomSanitizer - SecurityContext.NONE
Official Angular Security Guide speaks about 4 security contexts: HTML, Url, Style and Resource Url.
Each one is responsible for sanitizing corresponding type of resource.
In addition, there are 5 methods (per resource type) in DomSanitizer service
- bypassSecurityTrustHtml
- bypassSecurityTrustScript
- bypassSecurityTrustStyle
- bypassSecurityTrustUrl
- bypassSecurityTrustResourceUrl
However, I didn't find any mention of SecurityContext.NONE in official documentation. And it's does exist in the code.
I would assume that it aggregates all the resource types, meaning the resource being sanitized can be HTML, which contains styling and scripts.
Is that the case? Any official source?
Upvotes: 9
Views: 8256
Answers (1)
Reputation: 12123
Apparently, if we use domSanitizer.sanitize with SecurityContext.NONE, it won't perform any sanitation and will return the value as is.
Thus, this will allow HTML with embedded URLs, styling and scripts.
Therefore it is highly recommended not to use this in your code.
Upvotes: 15
Related Questions
- Angular 2, DomSanitizer, bypassSecurityTrustHtml, SVG
- Angular bypassSecurityTrustResourceUrl not working as expected
- Angular 8 DomSanitizer whitelist?
- Unable to bypass angular sanitize security
- Angular dom sanitize not working correctly
- Angular, DomSanitizer, bypassSecurity script
- Angular 5 bypassSecurityTrustUrl is not working
- Sanitizing CSS with Angular's DomSanitizer
- bypasssecuritytrust from DomSanitizer not working (Angular 2)
- angular 2 missing domsanitizer when try to start