angulardart-community / angular

feat(ngdart): bring back ngsecurity & configurable sanitization #42

Closed GZGavinZhao closed 1 year ago

GZGavinZhao commented 1 year ago

Currently the only problem is that the sanitizer will kill every value coming in through interpolation, because interpolate0 will convert anything to a string. I guess I could add an exception to interpolate0, but generally I'd like to avoid hard-coding edge cases as much as possible. Perhaps I can figure something out tomorrow.

```dart
@override
void detectChangesInternal() {
  final _ctx = this.ctx;
  bool firstCheck = this.firstCheck;
  if (firstCheck) {
    import7.setProperty(this._el_4, 'innerHTML', import9.sanitizeHtml(import15.interpolate0(_ctx.trustedHtml))) /* REF:asset:_tests/test/security/safe_inner_html_test.dart:4309:4336 */;
  }
}
```

GZGavinZhao commented 1 year ago

I think the way to go is to first sanitize the value and then pass it to the interpolation, which itself should be a separate issue/PR.
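An added illustration of the ordering problem discussed in this thread, not code from the PR or from ngdart. `TrustedHtml` is a hypothetical wrapper type, and `interpolate0` and `sanitizeHtml` here are simplified stand-ins that only model the behaviour described above (escaping stands in for a real HTML sanitizer).

```dart
// Simplified model, not ngdart's code. TrustedHtml is hypothetical;
// interpolate0 and sanitizeHtml are stand-ins for the functions named above.

/// Hypothetical wrapper marking HTML the application has explicitly trusted.
class TrustedHtml {
  final String html;
  const TrustedHtml(this.html);

  @override
  String toString() => html;
}

/// Stand-in for interpolate0: converts anything to a string,
/// which discards the TrustedHtml type information.
String interpolate0(Object? value) => value?.toString() ?? '';

/// Stand-in sanitizer: a trusted wrapper passes through unchanged,
/// anything else is neutralized. Escaping is a placeholder for real
/// HTML sanitization.
String sanitizeHtml(Object? value) {
  if (value is TrustedHtml) return value.html;
  return (value?.toString() ?? '')
      .replaceAll('&', '&amp;')
      .replaceAll('<', '&lt;')
      .replaceAll('>', '&gt;');
}

/// Order in the generated code above: the sanitizer only ever sees a String.
String interpolateThenSanitize(Object? v) => sanitizeHtml(interpolate0(v));

/// Order proposed in the thread: the sanitizer sees the original value
/// and can still tell whether it was marked as trusted.
String sanitizeThenInterpolate(Object? v) => interpolate0(sanitizeHtml(v));

void main() {
  const trusted = TrustedHtml('<b>bold</b>'); // constructed sample
  const untrusted = '<i onclick="x()">hi</i>'; // constructed sample

  // Trusted markup is neutralized when interpolation runs first.
  print('trusted, interpolate first:   ${interpolateThenSanitize(trusted)}');
  // Trusted markup survives when the sanitizer runs first.
  print('trusted, sanitize first:      ${sanitizeThenInterpolate(trusted)}');
  // Untrusted input is neutralized in both orders.
  print('untrusted, interpolate first: ${interpolateThenSanitize(untrusted)}');
  print('untrusted, sanitize first:    ${sanitizeThenInterpolate(untrusted)}');
}
```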