This repository was archived by the owner on Apr 12, 2024. It is now read-only.

avoid bypassing xss protection #7464

Closed
wants to merge 1 commit into from

Conversation

danieljsinclair

Request Type: docs

How to reproduce: If binding database data to a contentEditable that contains raw HTML the example in these docs binds it directly. Shouldn't it use the $sce service?

Component(s): misc core

Impact: small

Complexity: small

This issue is related to: security

Detailed Description:

element.html() sets the raw value directly in the dom which seems to bypass the built-in $sce protection one would normally get with a built-in directive. This seems dangerous to promote as an example. element.html() seems inherently dangerous to use in a directive. Could it alternatively be overridden to only accept safe strings? Perhaps with a safeHtml() alternative.

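As an added example (not code from this PR or from AngularJS itself): the contenteditable directive's `$render` step in the raw form the issue objects to, beside a version that routes the model value through `$sce.getTrustedHtml`. The `$sce` and element objects are constructed stand-ins so the block runs in plain Node; they model SCE enabled without ngSanitize, where `getTrustedHtml` unwraps only values the application explicitly marked trusted and throws on any other string.

```javascript
// Constructed stand-in for a jqLite element: .html(v) records what would be
// written into the DOM, .html() reads it back.
function fakeElement() {
  let inner = '';
  return {
    html(v) {
      if (v === undefined) return inner;
      inner = String(v);
      return this;
    },
  };
}

// Constructed stand-in for $sce (SCE enabled, no ngSanitize loaded): only a
// value wrapped by trustAsHtml is unwrapped, any other non-empty value throws.
const TRUSTED = Symbol('trustedHtml');
const $sce = {
  trustAsHtml(s) { return { [TRUSTED]: String(s) }; },
  getTrustedHtml(v) {
    if (v === null || v === undefined || v === '') return v;
    if (v[TRUSTED] !== undefined) return v[TRUSTED];
    throw new Error('[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
  },
};

// The render step as the docs example wrote it: whatever sits in the model
// goes straight into the DOM, so stored markup becomes live markup.
function renderRaw(element, ngModel) {
  element.html(ngModel.$viewValue || '');
}

// The render step routed through $sce: a plain string read from the database
// is refused; only a value the application deliberately trusted gets written.
function renderTrusted(element, ngModel) {
  element.html($sce.getTrustedHtml(ngModel.$viewValue || ''));
}

// Run one render step against a fresh element and report the resulting DOM
// contents, or the $sce error if the value was refused.
function runRender(render, value) {
  const el = fakeElement();
  try {
    render(el, { $viewValue: value });
    return { ok: true, html: el.html() };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample of untrusted data, e.g. a comment read back from a DB.
const UNTRUSTED = '<b onmouseover="alert(1)">hello</b>';

console.log(runRender(renderRaw, UNTRUSTED));      // markup lands in the DOM verbatim
console.log(runRender(renderTrusted, UNTRUSTED));  // refused with $sce:unsafe
console.log(runRender(renderTrusted, $sce.trustAsHtml('<b>hello</b>')));
```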
@mary-poppins

Thanks for the PR! Please check the items below to help us merge this faster. See the contributing docs for more information.

  • Uses the issue template (#7464)

If you need to make changes to your pull request, you can update the commit with git commit --amend.
Then, update the pull request with git push -f.

Thanks again for your help!

@mary-poppins

I'm sorry, but I wasn't able to verify your Contributor License Agreement (CLA) signature. CLA signature is required for any code contributions to AngularJS.

Please sign our CLA and ensure that the CLA signature email address and the email address in this PR's commits match.

If you signed the CLA as a corporation, please let us know the company's name.

Thanks a bunch!

PS: If you signed the CLA in the past then most likely the email addresses don't match. Please sign the CLA again or update the email address in the commit of this PR.
PS2: If you are a Googler, please sign the CLA as well to simplify the CLA verification process.

@tbosch tbosch self-assigned this May 21, 2014
@tbosch tbosch closed this in d606e66 May 21, 2014
@tbosch tbosch removed their assignment May 21, 2014
tbosch added a commit that referenced this pull request May 21, 2014
RichardLitt pushed a commit to RichardLitt/angular.js that referenced this pull request May 24, 2014