Reputation: 4386
I'm using Angular (8) in my web page and would like to display several iframes as innerHTML.
By default the Angular DomSanitizer removes risky elements. I know I can disable this by using the bypassSecurityTrustHtml functions and the like (https://angular.io/api/platform-browser/DomSanitizer).
Since the content will be user-generated, however, I cannot simply bypass the DomSanitizer, as it is too risky. However, I wonder if it's possible to allow certain domains that are known, like my own domain for example. So I would need to give the sanitizer some kind of whitelist with secure domains. Google did not return anything useful so far, so I wonder: is that possible, and if yes, how would I do that?
Upvotes: 1
Views: 1787
Reputation: 342
I think it is hard to do this in Angular unless you implement your own DomSanitizer. Based on the source code here, the iframe is not in the whitelist. The filtering rule does not seem possible to extend. I suggest you do the filtering here yourself, or use some third-party lib like js-xss, which allows you to define the whitelist.
Upvotes: 2
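Added example (not part of the question or the answer above): one way to do the domain check yourself is to validate each user-supplied iframe URL against a host allowlist before it is ever trusted, so that only a URL that passes would be handed to something like DomSanitizer's bypassSecurityTrustResourceUrl. The function name and the hosts in the list are assumptions chosen for illustration.

```javascript
// Placeholder hosts (assumption): replace with the domains you actually trust.
// Subdomains are NOT implied; list each trusted host explicitly.
const ALLOWED_IFRAME_HOSTS = ["example.com", "player.example.org"];

// Hypothetical helper: returns the normalized URL if `raw` may be used as an
// iframe src, otherwise null.
function allowedIframeSrc(raw, allowedHosts = ALLOWED_IFRAME_HOSTS) {
  if (typeof raw !== "string") return null;

  let url;
  try {
    // No base URL is given, so relative and protocol-relative inputs
    // ("/x", "//host/x") fail to parse and are rejected.
    url = new URL(raw.trim());
  } catch {
    return null;
  }

  // https only: this also rejects javascript:, data:, blob: and http: URLs.
  if (url.protocol !== "https:") return null;

  // "https://example.com@other.test/" has host other.test; reject any
  // URL carrying credentials instead of trying to interpret it.
  if (url.username !== "" || url.password !== "") return null;

  // Only the default port (the parser reports it as an empty string).
  if (url.port !== "") return null;

  // The parser has already lowercased the hostname. Compare the whole
  // hostname: substring or prefix checks would accept
  // "example.com.other.test".
  if (!allowedHosts.includes(url.hostname)) return null;

  // Return the parsed form so the string that was checked is the string
  // that ends up in the src attribute.
  return url.href;
}

// Constructed sample input, split into accepted and rejected URLs.
function partitionEmbeds(rawUrls) {
  const accepted = [];
  const rejected = [];
  for (const raw of rawUrls) {
    const ok = allowedIframeSrc(raw);
    if (ok) accepted.push(ok); else rejected.push(raw);
  }
  return { accepted, rejected };
}
```

Build the iframe element in your own template from the returned URL rather than accepting user-written iframe markup, so the user controls only the src value.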