我正在玩bypassSecurityTrust*
Angular的功能。目标是让script
标签在页面上执行。但它要么不断用消息进行消毒
WARNING: sanitizing HTML stripped some content
或者我在控制台中看到
SafeHtmlImpl {changingThisBreaksApplicationSecurity: "<script>alert(1)</script>
.
目标是让这个工作。
我目前使用和尝试过的:
@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform {
constructor(private sanitized: DomSanitizer) {}
transform(value: string): string {
console.log(this.sanitized.sanitize(SecurityContext.NONE, value))
return this.sanitized.sanitize(SecurityContext.NONE, value);
}
}
@Component({
selector: 'app-demo',
templateUrl: './demo.component.html',
styleUrls: ['./demo.component.css']
})
export class DemoComponent implements OnInit {
name: string;
html: string;
constructor(private sanitizer: DomSanitizer) {
this.name = 'Angular2';
this.html = "<script> alert(8) </script>";
}
ngOnInit() {
}
}
和模板html:
<div [innerHtml]="html | safeHtml"></div>
我尝试了两者都sanitize
应该SecurityContext.NONE
可以查看代码和bypassSecurityTrustHtml(value)
. 上面的代码受到这个答案的启发。
关于如何执行该 JavaScript 的任何想法?