/** * @license * Copyright Google LLC All Rights Reserved. * * Use of this source code is governed by an MIT-style license that can be * found in the LICENSE file at https://angular.io/license */ import { XSS_SECURITY_URL } from '../error_details_base_url'; import { RuntimeError } from '../errors'; import { getDocument } from '../render3/interfaces/document'; import { ENVIRONMENT } from '../render3/interfaces/view'; import { getLView } from '../render3/state'; import { renderStringify } from '../render3/util/stringify_utils'; import { trustedHTMLFromString, trustedScriptURLFromString } from '../util/security/trusted_types'; import { trustedHTMLFromStringBypass, trustedScriptFromStringBypass, trustedScriptURLFromStringBypass } from '../util/security/trusted_types_bypass'; import { allowSanitizationBypassAndThrow, unwrapSafeValue } from './bypass'; import { _sanitizeHtml as _sanitizeHtml } from './html_sanitizer'; import { SecurityContext } from './security'; import { _sanitizeUrl as _sanitizeUrl } from './url_sanitizer'; /** * An `html` sanitizer which converts untrusted `html` **string** into trusted string by removing * dangerous content. * * This method parses the `html` and locates potentially dangerous content (such as urls and * javascript) and removes it. * * It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustHtml}. * * @param unsafeHtml untrusted `html`, typically from the user. * @returns `html` string which is safe to display to user, because all of the dangerous javascript * and urls have been removed. * * @codeGenApi */ export function ɵɵsanitizeHtml(unsafeHtml) { const sanitizer = getSanitizer(); if (sanitizer) { return trustedHTMLFromStringBypass(sanitizer.sanitize(SecurityContext.HTML, unsafeHtml) || ''); } if (allowSanitizationBypassAndThrow(unsafeHtml, "HTML" /* BypassType.Html */)) { return trustedHTMLFromStringBypass(unwrapSafeValue(unsafeHtml)); } return _sanitizeHtml(getDocument(), renderStringify(unsafeHtml)); } /** * A `style` sanitizer which converts untrusted `style` **string** into trusted string by removing * dangerous content. * * It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustStyle}. * * @param unsafeStyle untrusted `style`, typically from the user. * @returns `style` string which is safe to bind to the `style` properties. * * @codeGenApi */ export function ɵɵsanitizeStyle(unsafeStyle) { const sanitizer = getSanitizer(); if (sanitizer) { return sanitizer.sanitize(SecurityContext.STYLE, unsafeStyle) || ''; } if (allowSanitizationBypassAndThrow(unsafeStyle, "Style" /* BypassType.Style */)) { return unwrapSafeValue(unsafeStyle); } return renderStringify(unsafeStyle); } /** * A `url` sanitizer which converts untrusted `url` **string** into trusted string by removing * dangerous * content. * * This method parses the `url` and locates potentially dangerous content (such as javascript) and * removes it. * * It is possible to mark a string as trusted by calling {@link bypassSanitizationTrustUrl}. * * @param unsafeUrl untrusted `url`, typically from the user. * @returns `url` string which is safe to bind to the `src` properties such as ``, because * all of the dangerous javascript has been removed. * * @codeGenApi */ export function ɵɵsanitizeUrl(unsafeUrl) { const sanitizer = getSanitizer(); if (sanitizer) { return sanitizer.sanitize(SecurityContext.URL, unsafeUrl) || ''; } if (allowSanitizationBypassAndThrow(unsafeUrl, "URL" /* BypassType.Url */)) { return unwrapSafeValue(unsafeUrl); } return _sanitizeUrl(renderStringify(unsafeUrl)); } /** * A `url` sanitizer which only lets trusted `url`s through. * * This passes only `url`s marked trusted by calling {@link bypassSanitizationTrustResourceUrl}. * * @param unsafeResourceUrl untrusted `url`, typically from the user. * @returns `url` string which is safe to bind to the `src` properties such as ``, because * only trusted `url`s have been allowed to pass. * * @codeGenApi */ export function ɵɵsanitizeResourceUrl(unsafeResourceUrl) { const sanitizer = getSanitizer(); if (sanitizer) { return trustedScriptURLFromStringBypass(sanitizer.sanitize(SecurityContext.RESOURCE_URL, unsafeResourceUrl) || ''); } if (allowSanitizationBypassAndThrow(unsafeResourceUrl, "ResourceURL" /* BypassType.ResourceUrl */)) { return trustedScriptURLFromStringBypass(unwrapSafeValue(unsafeResourceUrl)); } throw new RuntimeError(904 /* RuntimeErrorCode.UNSAFE_VALUE_IN_RESOURCE_URL */, ngDevMode && `unsafe value used in a resource URL context (see ${XSS_SECURITY_URL})`); } /** * A `script` sanitizer which only lets trusted javascript through. * * This passes only `script`s marked trusted by calling {@link * bypassSanitizationTrustScript}. * * @param unsafeScript untrusted `script`, typically from the user. * @returns `url` string which is safe to bind to the `