doc($sce): Overhaul the $sce service's documentation. #15735
Conversation
A big docs update around the $sce: there's a lot of content in there that's often misunderstood, and some of the documentation starts to get really old too.
src/ng/sce.js
Outdated
| * attribute interpolation, any dom event binding attribute interpolation | ||
| * such as for onclick, etc.) that uses the provided value. | ||
| * See {@link ng.$sce $sce} for enabling strict contextual escaping. | ||
| * Marks the parameter as trusted for the specified context, and returns the |
There was a problem hiding this comment.
This is misleading - this doesn't change the parameter at all, but the language suggests it: "marks the parameter...". Maybe "Returns a version of the parameter that is trusted for the specified context..." or so?
There was a problem hiding this comment.
Yup, right, my formulation might imply that there's a global list of trusted stuff somewhere. Changed to "Returns a trusted representation of the parameter for the specified context. "
src/ng/sce.js
Outdated
| * such as for onclick, etc.) that uses the provided value. | ||
| * See {@link ng.$sce $sce} for enabling strict contextual escaping. | ||
| * Marks the parameter as trusted for the specified context, and returns the | ||
| * trusted representation of it. This trusted object should later on be |
src/ng/sce.js
Outdated
| * See {@link ng.$sce $sce} for enabling strict contextual escaping. | ||
| * Marks the parameter as trusted for the specified context, and returns the | ||
| * trusted representation of it. This trusted object should later on be | ||
| * used as-is, without any security check, by sinks that use this context. |
There was a problem hiding this comment.
I'm not sure users will undestand what sinks are in this context. Maybe just say "Angular", or Angular's templating engine, or so? It's less precise, but much closer to the mental model most users have.
There was a problem hiding this comment.
I've replaced it by "used as is without any security checks by bindings or directives that require this security context."
(I'd like to keep the notion that it's not automagical and that modules are on the hook for their contexts)
src/ng/sce.js
Outdated
| * For instance, marking a string as trusted for the $sce.HTML context will | ||
| * entirely bypass the potential $sanitize call in corresponding $sce.HTML | ||
| * sinks, such as an ng-bind-html directive, while using the same value | ||
| * passed as a string will cause it to be sanitized. |
There was a problem hiding this comment.
It might be worth calling out that calling this method does not need to be called for most use cases where HTML is interpolated, as sanitization is fine?
There was a problem hiding this comment.
Added "Note that in most cases you won't need to call trustAsHtml: if you have the sanitizer loaded, passing the value itself will render all HTML that does not pose a security risk."
src/ng/sce.js
Outdated
| * for general documentation about strict contextual escaping. | ||
| * | ||
| * @param {string} type The kind of context in which this value is safe | ||
| * for use. e.g. url, resourceUrl, html, js and css. |
There was a problem hiding this comment.
Should I do that for the whole file, while I'm at it? Do you have a style guide for doc?
There was a problem hiding this comment.
Please do. I don't think we have a style guide in Angular, but +4 matches Google JS style and what you generally do in other languages.
There was a problem hiding this comment.
Ok, I'll do that. 80 or 100 cols, btw? (edit: CONTRIBUTING.md says 100, I'll go with that)
src/ng/sce.js
Outdated
| * Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting | ||
| * (XSS) vulnerability in your application. | ||
| * </div> | ||
| * In practice, there's several cases. When given a string, then this should |
There was a problem hiding this comment.
s/should/will/, or just this runs checks and sanitization....
src/ng/sce.js
Outdated
| * bindings. (HTML is just one example of a context where rendering user controlled input creates | ||
| * security vulnerabilities.) | ||
| * disabled, this application allows the user to render arbitrary HTML into the DIV, which would | ||
| * be an XSS bug. In a more realistic example, one may be rendering user comments, blog articles, |
There was a problem hiding this comment.
maybe XSS security bug or XSS security hole in your application? Users might not know what this means, being explicit might make them look it up.
src/ng/sce.js
Outdated
| * return value of {@link ng.$sce#trustAs $sce.trustAs}.) | ||
| * @param {*} value The value to mark as trusted for URL context. | ||
| * @returns {*} A wrapped version of value that can be used as a trusted variant | ||
| * of your `value` in URL context (currently unused.) |
There was a problem hiding this comment.
(currently untrusted) is a bit misleading, maybe used as a trusted variant of your previously untrusted value?
There was a problem hiding this comment.
it's unused, not untrusted. Fixed by saying more explicitly that the context is unused so the corresponding trustAs has no reason to be called.
|
Some more formatting fixes after your comments:
|
|
LGTM. |
src/ng/sce.js
Outdated
| * | ||
| * @return {Array} the currently set whitelist array. | ||
| * | ||
| * The **default value** when no whitelist has been explicitly set is `['self']` allowing only | ||
| * same origin resource requests. | ||
| * | ||
| * <div class="alert alert-warning"> | ||
| * **Note:** the default whitelist of 'self' is not recommanded if your app shares its origin |
There was a problem hiding this comment.
While you are at it, can you indent the preceeding paragraph as well for consistency?
| * @param {*} value The value that that should be considered trusted/safe. | ||
| * @returns {*} A value that can be used to stand in for the provided `value` in places | ||
| * where AngularJS expects a $sce.trustAs() return value. | ||
| * @param {*} value The value that that should be considered trusted. |
src/ng/sce.js
Outdated
| * Disabling auto-escaping is extremely dangerous, it usually creates a Cross Site Scripting | ||
| * (XSS) vulnerability in your application. | ||
| * </div> | ||
| * In practice, there's several cases. When given a string, this run checks and sanitization to |
There was a problem hiding this comment.
there's --> there are
this run --> it runs
src/ng/sce.js
Outdated
| * </div> | ||
| * In practice, there's several cases. When given a string, this run checks and sanitization to | ||
| * make it safe without prior assumptions. When given the result of a {@link | ||
| * ng.$sceDelegate#trustAs `$sceDelegate.trustAs`} call, this returns the originally supplied |
There was a problem hiding this comment.
this --> it (we generally try to avoid "this" as it can be confusing)
There was a problem hiding this comment.
done (plus another this above clarified in this function)
src/ng/sce.js
Outdated
| * @returns {*} The value the was originally provided to {@link ng.$sceDelegate#trustAs | ||
| * `$sceDelegate.trustAs`} if valid in this context. Otherwise, throws an exception. | ||
| * `$sceDelegate.trustAs`} call, or anything else (which will not be considered trusted.) | ||
| * @return {*} A version of value that's safe to use in the given context, or throws an |
src/ng/sce.js
Outdated
| * context. That trust is formalized with a function call. This means that as a developer, you | ||
| * can assume all untrusted bindings are safe. Then, to audit your code for binding security issues, | ||
| * you just need to ensure the values you mark as trusted indeed are safe - because they were | ||
| * received from your server, sanitized by your library, etc.. You can organize your codebase to |
src/ng/sce.js
Outdated
| * through {@link ng.$sce#getTrusted $sce.getTrusted}. SCE doesn't play a role here. | ||
| * call `$sce.trustAs` on them (e.g. | ||
| * `<div ng-bind-html="'<b>implicitly trusted</b>'"></div>`) just works. The `$sceDelegate` will | ||
| * also use the `$sanitize` injectable if it is available when binding untrusted values to |
There was a problem hiding this comment.
injectable --> service (It would be clearer to the reader, as this is the term we use throughout the docs.)
src/ng/sce.js
Outdated
| * | ||
| * @param {*} value The value to mark as trusted for `$sce.CSS` context. | ||
| * @return {*} A wrapped version of value that can be used as a trusted variant | ||
| * of your `value` in CSS context. This context is currently unused, so there are almost no |
There was a problem hiding this comment.
I missed that one. Fixed.
src/ng/sce.js
Outdated
| * takes any input, and either returns a value that's safe to use in the specified context, | ||
| * or throws an exception. This function is aware of trusted values created by the `trustAs` | ||
| * function and its shorthands, and when contexts are appropriate, returns the unwrapped value | ||
| * as-is. Finally, this function can also throw when there is no way to turn maybeTrusted in a |
There was a problem hiding this comment.
maybeTrusted --> `maybeTrusted`
src/ng/sce.js
Outdated
| * Otherwise, throws an exception. | ||
| * @param {string} type The context in which this value is to be used. | ||
| * @param {*} maybeTrusted The result of a prior {@link ng.$sce#trustAs `$sce.trustAs`} call. | ||
| * @return {*} The value the was originally provided to {@link ng.$sce#trustAs `$sce.trustAs`} |
|
BTW, regarding the 4-space indentation on |
|
I don't know how to render these so far, so everything is blind edits... I'll look into dgeni. |
|
My only concern is whether the 4-space indentations make some blocks incorrectly rendered as code blocks. Other than that it LGTM. @rjamet, you can see the rendered output with the folloing commands: The open http://localhost:8000/build/docs/. (After you have run |
|
Your fears are justified, that parses paragraphs in param/return blocks as code blocks if there's an empty line. I'm tempted to keep the +4 indentation, and work around this by either two spaces + simple line break (= I spotted a few unrelated issues otherwise, I'll bundle them as part of the next fix. |
|
Either way works for me, as long as the output looks the way it should. |
Some capitalization was wrong, formatting fixes for +4 indentation on @param tags, and uniformize some params descriptions on the same functions (scedelegate / sce).
|
Ok, fixed:
I checked all the $sce doc output, it's all sensible at least. I kept paragraphs where they made sense. |
|
Oops, sorry, I missed it. Fixed. |
A big docs update around `$sce`: There is a lot of content in there that is often misunderstood, and some of the documentation starts to get really old too. Also fixed capitalization, formatting, indentation and uniformized `@param` descriptions. Closes #15735
A big docs update around the $sce: there's a lot of content in there that's often misunderstood, and some of the documentation starts to get really old too. Plus some minor falsehoods in there... Overall, this isn't a major refactoring, but there's a lot of smaller changes.
cc @mprobst for another set of eyes on the contents.
Does this PR introduce a breaking change?
Nope, it's a doc-only CL.
Other information: