iframe src中使用的角度消毒URL
我正在尝试构建一个URL,以将其传递到IFRAME的SRC属性中。但是我总是会得到异常在资源URL上下文中使用的不安全值,我正在努力理解如何正确消毒URL。
我可以使其与domsanitizer.bypasssecuritytrustresourceurl(mycustomurlasstring)一起使用,但是据我了解,这样做,我只是禁用了安全性。即使是由于没有使用任何用户输入来构建URL,我也可以接受它,我想了解消毒的工作原理。
我的ng组件代码:
export class MyAngularComponent implements OnInit {
public url: SafeResourceUrl | null;
constructor(private domSanitizer: DomSanitizer) {}
ngOnInit() {
const url = new URL('https://example.org?param1=foo');
this.url = this.domSanitizer.sanitize(SecurityContext.URL, url.toString());
}
}
我的模板:< iframe [src] =“ url” width =“ 100%” height =“ 100%”></iframe>
在检查消毒值时,它只是一个字符串或相同的URL。但是模板渲染触发了例外。消毒功能不应该返回安全的URL以避免此例外吗?还是在sanitize之后,我应该拥有bypasssecuritytrustresourceurl吗?
TX寻求帮助
I'm trying to construct an url to pass it inside the src attributes of an iframe. But I always get the exception unsafe value used in a resource URL context and I'm struggling to understand how to correctly sanitize the url.
I could make it work with domSanitizer.bypassSecurityTrustResourceUrl(myCustomUrlAsString) but from what I understand, by doing so, I'm just disabling the security. Even tho it could be acceptable as the url is not constructed with any user input, I want to understand how the sanitization work.
My ng component code:
export class MyAngularComponent implements OnInit {
public url: SafeResourceUrl | null;
constructor(private domSanitizer: DomSanitizer) {}
ngOnInit() {
const url = new URL('https://example.org?param1=foo');
this.url = this.domSanitizer.sanitize(SecurityContext.URL, url.toString());
}
}
My template: <iframe [src]="url" width="100%" height="100%"></iframe>
When checking the sanitized value, it's just a string or that same url. But the template rendering triggers the exception. Shouldn't the sanitize function return a Safe Url to avoid this exception? Or should I had the bypassSecurityTrustResourceUrl in any case after the sanitize?
Tx for the help
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
假设我们将无效的URL传递到直接绕过SecurityTrustResourceurl,它将假定我们通过有效的URL并返回Saferesourceurl对象而不会丢弃任何错误。
示例
消毒方法将添加额外的支票以使URL安全使用。
在将其传递给旁路苏联troustresourceurl方法之前,最好使用Sanitize URL来确保URL安全。
Let say we are passing invalid URL to bypassSecurityTrustResourceUrl directly, It will assume we are passing valid url and return SafeResourceUrl object without throwing any error.
Example
sanitize method will add additional check to make the url safe to use.
It is better practice to use the sanitize URL before passing it to the bypassSecurityTrustResourceUrl method to make the url safe.
这正是您需要做的。您将URL标记为信任,我认为这是因为它不是用户输入。您可以像这样包裹消毒剂:
确保在那里没有疯狂的东西,但是在这种情况下,将其标记为信任不是不好的做法。
至于这一点,我期望与您相同,但认为它可能不会或无法检查URL是否安全或不检查,所以除非您绕过它,否则它总是会抛出该异常。
That's exactly what you need to do. You're marking the URL as trusted which I assume it is because it's not user input. You could wrap the sanitizer like so:
to make sure nothing crazy is in there but it's not bad practice in this case to mark it as trusted.
As for this, I expected the same as you but figured that it probably doesn't or can't check wether the URL is safe or not so it just always throws that exception unless you bypass it.