search

NG-ZORRO / ng-zorro-antd

Angular UI Component Library based on Ant Design
https://ng.ant.design
MIT License
8.8k stars 3.85k forks source link

confirm未对显示内容过滤防止xss攻击 #8532

Open x412773090 opened 2 months ago

x412773090 commented 2 months ago

Reproduction link

https://ng-zorro-antd-ivy-cjm9xv.stackblitz.io

Steps to reproduce


import { Component } from '@angular/core';
import { NzModalService } from 'ng-zorro-antd/modal';

@Component({
  selector: 'my-app',
  template: `
    <input nz-input [(ngModel)]="input">

    <button 
      (click)="openConfirm()"
      nz-button
      type="button">confirm</button>
  `,
})
export class AppComponent {
  input = 'delete [<a href="https://bing.com">link</a>] ?';

  constructor(private nzModalService: NzModalService) {}

  openConfirm(): void {
    this.nzModalService.confirm({
      nzTitle: this.input,
    });
  }
}

What is expected?

链接不可被点击

What is actually happening?

点击链接可跳转到外部网站

Environment Info
ng-zorro-antd 17.4.0
Browser chrome
zorro-bot[bot] commented 2 months ago

Translation of this issue:

Confirm does not use the display content filtering to prevent XSS attacks

REPRODUCTION LINK

https://ng-zorro-mtd-ivy-cjm9xv.stackblitz.io

STEPS To Reproduce


Import {component} from '@angular/core';
import {nzmodalService} from 'ng-zorro -NTD/MODAL';

@Component ({{
  Selector: 'My-APP',
  template: `
    <input nz-input [(ngmodel)] = "input">

    <Button
      (click) = "OpenConfirm ()" "
      nz-button
      Type = "Button"> Confirm </Button>
  `,
})
export class appcomponent {
  input = 'delete [<a href="https://bing.com"> link </a>]?';

  Constructionor (Private NzmodalService: NZMODALSERVICE) {}

  OpenConfirm (): void {
    this.nzmodalService.confirm ({
      nztitle: this.input,
    });
  }
}

What is exfected?

The link cannot be clicked

What is actually happy?

Click the link to jump to the external website

ENVIRONMENT Info
NG-Zorro-ATD 17.4.0
Browser Chrome
Laffery commented 5 days ago

hi @x412773090.

The nzTitle accepts string | TemplateRef, and ng-zorro will render the string type in [innerHTML] (see angular official doc Sanitization and security contexts), which will sanitize the string and make sure the security

If you wanna just render the original string content, you can pass with a TemplateRef type

I hope these information help you well.