This repository was archived by the owner on Apr 12, 2024. It is now read-only.

feat($compile): add support for arbitrary property and event bindings #16614

Merged
merged 2 commits into from
Aug 2, 2018
13 changes: 13 additions & 0 deletions docs/content/error/$compile/ctxoverride.ngdoc
@@ -0,0 +1,13 @@
@ngdoc error
@name $compile:ctxoverride
@fullName DOM Property Security Context Override
@description

This error occurs when the security context for a property is defined via {@link ng.$compileProvider#addPropertySecurityContext addPropertySecurityContext()} multiple times under different security contexts.

For example:

```js
$compileProvider.addPropertySecurityContext("my-element", "src", $sce.MEDIA_URL);
$compileProvider.addPropertySecurityContext("my-element", "src", $sce.RESOURCE_URL); //throws
```
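Review bot: the description says when the error fires but not how to resolve it; add a sentence after the example stating that each element/property pair should be registered once, with the single `$sce` context it is meant to be sanitized under, and that the fix is to remove the conflicting `addPropertySecurityContext()` call. It would also help to say explicitly whether re-registering the same pair with the same context is allowed, since the text only rules out "different security contexts". The `//throws` comment could name the error (`$compile:ctxoverride`) so readers searching by error code land on this page.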
10 changes: 5 additions & 5 deletions docs/content/error/$compile/nodomevents.ngdoc
@@ -1,12 +1,12 @@
@ngdoc error
@name $compile:nodomevents
@fullName Interpolated Event Attributes
@fullName Event Attribute/Property Binding
@description

This error occurs when one tries to create a binding for event handler attributes like `onclick`, `onload`, `onsubmit`, etc.
This error occurs when one tries to create a binding for event handler attributes or properties like `onclick`, `onload`, `onsubmit`, etc.

There is no practical value in binding to these attributes and doing so only exposes your application to security vulnerabilities like XSS.
For these reasons binding to event handler attributes (all attributes that start with `on` and `formaction` attribute) is not supported.
There is no practical value in binding to these attributes/properties and doing so only exposes your application to security vulnerabilities like XSS.
For these reasons binding to event handler attributes and properties (`formaction` and all starting with `on`) is not supported.


An example code that would allow XSS vulnerability by evaluating user input in the window context could look like this:
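Review bot: the rewritten parenthetical on the last changed line, `(`formaction` and all starting with `on`)`, is harder to parse than the text it replaces and can be read as `formaction` plus only the properties that start with `on`; suggest "(`formaction` and every attribute or property whose name starts with `on`)". The context line "An example code that would allow XSS vulnerability" is also ungrammatical and could be fixed in the same hunk: "Example code that would expose an XSS vulnerability by evaluating user input in the window context could look like this:".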
@@ -17,4 +17,4 @@ An example code that would allow XSS vulnerability by evaluating user input in t

Since the `onclick` evaluates the value as JavaScript code in the window context, setting the `username` model to a value like `javascript:alert('PWND')` would result in script injection when the `div` is clicked.


Please use the `ng-*` or `ng-on-*` versions instead (such as `ng-click` or `ng-on-click` rather than `onclick`).
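Review bot: the new recommendation to use `ng-on-*` gives the reader no reason why it is safe where `onclick` is not. Since the context line above explains that `onclick` evaluates its value as JavaScript in the window context, add one clause stating that `ng-click` and `ng-on-*` bind an Angular expression that is evaluated against the scope, so a model value such as `javascript:alert('PWND')` is treated as data rather than executed. That contrast is the whole point of the page and currently has to be inferred.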
6 changes: 6 additions & 0 deletions src/.eslintrc.json
@@ -171,9 +171,15 @@
/* ng/q.js */
"markQExceptionHandled": false,

/* sce.js */
"SCE_CONTEXTS": false,

/* ng/directive/directives.js */
"ngDirective": false,

/* ng/directive/ngEventDirs.js */
"createEventDirective": false,

/* ng/directive/input.js */
"VALID_CLASS": false,
"INVALID_CLASS": false,
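Review bot: the new `/* sce.js */` section header breaks the path convention of the neighbouring entries (`/* ng/q.js */`, `/* ng/directive/directives.js */`, `/* ng/directive/ngEventDirs.js */`); use `/* ng/sce.js */`. The `false` values are right: in an ESLint `globals` map `false` declares the identifier read-only, which is what a shared constant table like `SCE_CONTEXTS` wants so that no module can silently reassign a security context.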