search

SamirHodzic / ngx-embed-video

Get embed code for embedding youtube/vimeo/dailymotion/* video in websites from URL or ID in Angular 6+.
MIT License
56 stars 41 forks source link

"WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss)." #1

Closed oztek22 closed 6 years ago

oztek22 commented 7 years ago

getting this error while using it in Angular4 with innerHTML

SamirHodzic commented 7 years ago

Don't have time to play with it soon. That wasn't case with Angular2 as I remember, but probably you will need some kind of workaround for it. Feel free to make a pull request if you figure it out.

dkeulen commented 7 years ago

Don't know if you have encounter this before, but in ng2 its needed to sanitize url's, raw html, etc when injecting it into the dom from a returned value.

This should be part of this component already if it isn't. Angular does not like you inserting DOM elements or url's with javascript because it could be a potential attack.

Looking at the code i'd say angular isn't happy when you return the complete iframe and try to inject it into the dom. the iframe code should be sanitized.

Put the iframe it returns into a variable and return it like so:

return this.sanitizer.bypassSecurityTrustHtml(iframeVariable); (typescript) this.sanitizer is from import { DomSanitizer } from 'angular/platform-browser';

This should get rid of the security messages.

https://angular.io/api/platform-browser/DomSanitizer https://angular.io/guide/security

Hope this helps.

SamirHodzic commented 7 years ago

@dkeulen if you have time to improve it and test if it gets rid of security messages, feel free to make a pull request.

SamirHodzic commented 6 years ago

Closing, 0b4bbad7c39e81d0b2f5a8618bcad7964b46e3d0.