closes #16211 Table: breaks after one call to updateStyleElement() #16212
Conversation
…ement() closes primefaces#16211 use domSanitizer to bypass code generated Trusted Types.
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎ 1 Skipped Deployment
|
| @@ -3573,8 +3575,7 @@ export class Calendar implements OnInit, OnDestroy, ControlValueAccessor { | |||
| `; | |||
| } | |||
| } | |||
|
|
|||
| (<HTMLStyleElement>this.responsiveStyleElement).innerHTML = innerHTML; | |||
| this.responsiveStyleElement.innerHTML = this.domSanitizer.bypassSecurityTrustStyle(innerHTML) as string; | |||
There was a problem hiding this comment.
If the original PR with textContent was not working because the assignment value contained markup that wasn’t just the CSS code, how can we be sure that we can trust this assignment value as a style?
There was a problem hiding this comment.
bypassSecurityTrustStyle will Bypass security and trust the given value to be safe style value (CSS).
abstract bypassSecurityTrustStyle(value: string): SafeStyle
since the type is assigned to responsiveStyleElement we cannot set innerHTML as SafeStyle.
so the suggestion here is to make the responsiveStyleElement as any and then we do not need the as string cast.
I already merged this suggestion into this pull request.
On the other hand, these styles are created internally by primeng, so they are trusted and there is no need for sanitization.
Moreover, all the inputs from user are SANITIZED then bypassed by SafeHtml pipe.
constructor(@Inject(PLATFORM_ID) private readonly platformId: any, private readonly domSanitizer: DomSanitizer) { }
public transform(value: string): SafeHtml {
if (!value || !isPlatformBrowser(this.platformId)) {
return value;
}
+ const sanitizedValue = this.domSanitizer.sanitize(SecurityContext.HTML ,value);
+ return this.domSanitizer.bypassSecurityTrustHtml(sanitizedValue);
}
|
I took a quick cursory look at the proposed changes and a few comments:
Note: I would recommend modifying the text in issue #16211 and remove the following (since you took a different approach in the PR): It's good that this PR doesn't add new OSS dependency to PrimeNG. |
|
@rosenthalj, to response your first question, I have NOT tested all changes, I will really appreciate it if @aaronshim do this on my behalf and see if they are safe as explained in #16153. For the second question, I have merged the needed changes, thanks for the review. Finally, I read angular documentation and saw their standard approach for this so implemented as suggested. PR #16210 has nothing to do with this PR. |
You are correct, in my previous comment I incorrectly referenced issue #16210 instead of issue #16211. I saw that you acted on my note and updated the the text in issue #16211. I'm sorry for any confusion based on my incorrect reference. I have also updated my previous comment in this PR to point to issue #16211 |
|
Hi, Thanks for all the effort guys, you're awesome! since 20 files have been changed, it'll take time to review this PR. During this time, we'll fix the issue for the table beforehand. |
cetincakiroglu
added
the
Status: Pending Review
|
Also, could you please remove table fix (we've just fixed that), and create a separate issue for the rest of the components so that we can include it in next week's milestone? |
@cetincakiroglu I really appreciate if you bear with me up to 29th of August that I test all the changes exhaustively and then make the aforementioned corrections. |
|
@cetincakiroglu merged with changes from table.ts |
|
Hi @ymg2006, Thanks a lot for the effort and support! Could you please resolve the conflicts and test again, files are updated and it might resolved already, if not, please tag me after the conflict fix, so I can merge it safely. |
closes #16211 Table: breaks after one call to updateStyleElement()
Added security bypass and html sanitizer for user inputs without breaking components!
This will stop injections to happen with angular built-in DomSanitizer.