1

我正在玩bypassSecurityTrust*Angular的功能。目标是让script标签在页面上执行。但它要么不断用消息进行消毒

WARNING: sanitizing HTML stripped some content

或者我在控制台中看到

SafeHtmlImpl {changingThisBreaksApplicationSecurity: "<script>alert(1)</script>.

目标是让这个工作。

我目前使用和尝试过的:

@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform  {
  constructor(private sanitized: DomSanitizer) {}
  transform(value: string): string {
    console.log(this.sanitized.sanitize(SecurityContext.NONE, value))
    return this.sanitized.sanitize(SecurityContext.NONE, value);
  }
}
@Component({
  selector: 'app-demo',
  templateUrl: './demo.component.html',
  styleUrls: ['./demo.component.css']
})
export class DemoComponent implements OnInit {

  name: string;
  html: string;
  constructor(private sanitizer: DomSanitizer) {
    this.name = 'Angular2';
    this.html = "<script> alert(8) </script>";
  }
  ngOnInit() {
  }
}

和模板html:

<div [innerHtml]="html | safeHtml"></div>

我尝试了两者都sanitize应该SecurityContext.NONE可以查看代码bypassSecurityTrustHtml(value). 上面的代码受到这个答案的启发。

关于如何执行该 JavaScript 的任何想法?

4

1 回答 1

2

所以是的,innerHtml 不能插入脚本标签,但它并不能阻止它使用许多其他注入 JavaScript 的方法之一。

工作示例:

import { Component, Pipe, PipeTransform, SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser'

@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform  {
  constructor(private sanitized: DomSanitizer) {}
  transform(value: string) {
    console.log(this.sanitized.bypassSecurityTrustHtml(value));
    return this.sanitized.bypassSecurityTrustHtml(value);
  }
}

@Component({
  selector: 'app-demo',
  template: `
    <div [innerHtml]="html | safeHtml">
    </div>
  `
})

export class DemoComponent {

  html: string;
  h_html: string;
  constructor(private sanitizer: DomSanitizer) {
    this.html = "<svg onload=\"alert(1)\"> blah </svg>"
    this.h_html = sanitizer.sanitize(SecurityContext.HTML, "<svg onload=\"alert(2)\"> blah </svg>');
  }
}

什么不工作是

return this.sanitized.sanitize(SecurityContext.HTML, value);

或使用

<div [innerHtml]="h_tmpl"></div>

不知道为什么。应该表现相同的 afaiu。

于 2018-05-23T08:50:07.450 回答