Wednesday, 5 June 2019

Sanitizing scripts with bypassSecurityTrustStyle in Angular

I need to strip any script tags from a string, but keep the style.

If I sanitize the style of this string:

getSanitized(s: string) {
    const safeStyle: any = this.sanitizer.bypassSecurityTrustStyle(s);
    return safeStyle.changingThisBreaksApplicationSecurity;
}

const s = '<span style="font-size:18px;color:blue">This is a title</span>';
console.log(this.getSanitized(s));

I get the same string, as it only contains styles, and that seems to work fine.

But if the string contains a script, such as

const s = `<script>alert(1);</script>
           <span onclick="javascript:alert(2);"
                 style="font-size:18px;color:blue">This is a title</span>`;
console.log(this.getSanitized(s));

The script tag and the onclick attribute are not eliminated from the string. Why are they not eliminated if I'm sanitizing at the style level?
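An added example, not part of the question and not Angular's code, that puts the two things side by side. First, a stand-in for what getSanitized() above actually does: Angular's bypassSecurityTrust*() methods only wrap the value in a "trusted" marker object and perform no sanitization, so unwrapping changingThisBreaksApplicationSecurity returns the input unchanged, script and onclick included. Second, a small allowlist sanitizer for the HTML context that removes <script> elements and on* handlers but keeps a conservatively validated inline style attribute, which is the behaviour the question asks for. Angular's own HTML-context sanitizer (what DomSanitizer.sanitize(SecurityContext.HTML, ...) and [innerHTML] apply) strips inline style attributes as well, which is why this is a separate illustrative tokenizer; the helper names, the allowlists and the sample input are assumptions of this example, and production code should use a maintained library such as DOMPurify rather than a hand-rolled parser.

```javascript
'use strict';

// Constructed sample: the question's input, on one line.
const SAMPLE =
  '<script>alert(1);</script>' +
  '<span onclick="javascript:alert(2);" style="font-size:18px;color:blue">This is a title</span>';

// Hypothetical helper mirroring the question's getSanitized(); not Angular's SafeStyle class.
// "Trusting" a value is a no-op on its content, so the result equals the input.
function bypassLikeTheQuestion(s) {
  const safeStyle = { changingThisBreaksApplicationSecurity: s };
  return safeStyle.changingThisBreaksApplicationSecurity;
}

// Assumed allowlist of elements whose tags survive; anything else keeps only its text.
const ALLOWED_TAGS = new Set(['span', 'div', 'p', 'b', 'i', 'em', 'strong', 'br']);
// Elements removed together with their content.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
// Conservative style value: no quotes, parentheses, slashes or angle brackets, so
// url(...), expression(...) and attribute break-outs cannot pass.
const SAFE_STYLE = /^[a-zA-Z0-9\s:;#%.,-]*$/;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Index of the '>' that closes the tag opening at html[start], honouring quoted
// attribute values; -1 if the tag never closes.
function findTagEnd(html, start) {
  let quote = null;
  for (let j = start + 1; j < html.length; j++) {
    const c = html[j];
    if (quote) { if (c === quote) quote = null; }
    else if (c === '"' || c === "'") quote = c;
    else if (c === '>') return j;
  }
  return -1;
}

// Illustrative HTML-context sanitizer: drops <script> blocks and every attribute
// except a validated style="", re-serialising allowed tags from scratch.
function sanitizeHtmlKeepStyle(html) {
  let out = '';
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) { out += html.slice(i); break; }
    out += html.slice(i, lt);                         // plain text passes through
    const end = findTagEnd(html, lt);
    if (end === -1) { out += '&lt;'; i = lt + 1; continue; }  // stray '<' is escaped
    const m = /^(\/?)\s*([a-zA-Z][a-zA-Z0-9-]*)([\s\S]*)$/.exec(html.slice(lt + 1, end));
    i = end + 1;
    if (!m) continue;                                 // comments, doctype, garbage: dropped
    const closing = m[1] === '/';
    const tag = m[2].toLowerCase();
    if (DROP_WITH_CONTENT.has(tag)) {
      if (!closing) {                                 // skip up to and including the closing tag
        const close = html.toLowerCase().indexOf('</' + tag, i);
        const gt = close === -1 ? -1 : html.indexOf('>', close);
        i = gt === -1 ? html.length : gt + 1;
      }
      continue;
    }
    if (!ALLOWED_TAGS.has(tag)) continue;             // unknown element: tag dropped, text kept
    if (closing) { out += '</' + tag + '>'; continue; }
    let style = null;
    for (const a of m[3].matchAll(ATTR_RE)) {         // on*, href, src, ... are all discarded
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (name === 'style' && SAFE_STYLE.test(value)) style = value;
    }
    out += style === null ? '<' + tag + '>' : '<' + tag + ' style="' + style + '">';
  }
  return out;
}

console.log(bypassLikeTheQuestion(SAMPLE));   // unchanged: script and onclick still present
console.log(sanitizeHtmlKeepStyle(SAMPLE));   // <span style="font-size:18px;color:blue">This is a title</span>
```

The bypass call is the line to watch in code review: a method whose name starts with bypassSecurityTrust never cleans anything, it tells Angular to stop cleaning. Sanitizing means passing the value through the HTML context (the sanitizer for the context the value will be rendered in), and a style value that fails the conservative allowlist above is dropped rather than repaired, because a permissive CSS filter is where historic style-based injections lived.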
