I have an textarea where the user will type in some text. The text cannot be JavaScript or HTML etc. I want to manually sanitize the data and save it to a string.
I cannot figure out how to use DomSanitizationService to manually sanitize my data.
If I do {{ textare_text }} on the page then the data is correctly sanitized.
How do I do that manually to a string I have?
You can sanitize the HTML as follows:
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `
<div [innerHTML]="_htmlProperty"></div>
`
})
export class AppComponent {
_htmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get htmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty);
}
}
Demo plunker here.
From your comments, you actually want escaping not sanitization.
For this, check this plunker, where we have both escaping and sanitization.
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `Original, using interpolation (double curly braces):<b>
<div>{{ _originalHtmlProperty }}</div>
</b><hr>Sanitized, used as innerHTML:<b>
<div [innerHTML]="sanitizedHtmlProperty"></div>
</b><hr>Escaped, used as innerHTML:<b>
<div [innerHTML]="escapedHtmlProperty"></div>
</b><hr>Escaped AND sanitized used as innerHTML:<b>
<div [innerHTML]="escapedAndSanitizedHtmlProperty"></div>
</b>`
})
export class AppComponent {
_originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get sanitizedHtmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty);
}
public get escapedHtmlProperty() : string {
return this.escapeHtml(this._originalHtmlProperty);
}
public get escapedAndSanitizedHtmlProperty() : string {
return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty));
}
escapeHtml(unsafe) {
return unsafe.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">")
.replace(/"/g, """).replace(/'/g, "'");
}
}
The HTML escaping function used above escapes the same chars as angular code does (unfortunately, their escaping function is not public, so we can't use it).
In Angular final you can use like this:
First import "DomSanitizer" from angular platform-browser:
import { DomSanitizer } from '@angular/platform-browser';
import { SecurityContext } from '@angular/core';
Then in constructor :
constructor(private _sanitizer: DomSanitizer){}
Then use in your class like :
var title = "<script> alert('Hello')</script>"
title = this._sanitizer.sanitize(SecurityContext.HTML, title);
In angular ^2.3.1
Having a view using a bootstrap4 progressbar. See that in the example we need a value for style.width.
<!-- View HTML-->
<div class="progress">
<div class="progress-bar" role="progressbar" [style.width]="getProgress('style')" aria-valuenow="getProgress()" aria-valuemin="0" aria-valuemax="100"></div>
</div>
We need to sanitize this style.width value. We need to use DomSanitizer to sanitize the value and SecurityContext to specify the context. In this example the context is style.
// note that we need to use SecurityContext and DomSanitizer
// SecurityContext.STYLE
import { Component, OnInit, Input } from '@angular/core';
import { SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';
@Component({
selector: 'app-challenge-progress',
templateUrl: './challenge-progress.component.html',
styleUrls: ['./challenge-progress.component.sass']
})
export class ChallengeProgressComponent implements OnInit {
@Input() data: any;
constructor(private _sanitizer: DomSanitizer) { }
ngOnInit() {
}
getProgress(type: string): any {
if(type === 'style') {
// here is the line you are looking for
return this._sanitizer.sanitize(SecurityContext.STYLE,this._getProgress()+'%');
}
return this._getProgress();
}
private _getProgress():number {
if(this.data) {
return this.data.goal_total_current/this.data.goal*100;
}
return 0;
}
}
