Angular、DomSanitizer、绕过安全脚本
Angular, DomSanitizer, bypassSecurity script
我正在玩 Angular 的 bypassSecurityTrust* 函数。目标是让 script 标签在页面上执行。但它要么继续使用消息
进行消毒
WARNING: sanitizing HTML stripped some content
或者我在控制台看到一个
SafeHtmlImpl {changingThisBreaksApplicationSecurity: "<script>alert(1)</script>.
目标是让它发挥作用。
我目前使用和尝试过的:
@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform {
constructor(private sanitized: DomSanitizer) {}
transform(value: string): string {
console.log(this.sanitized.sanitize(SecurityContext.NONE, value))
return this.sanitized.sanitize(SecurityContext.NONE, value);
}
}
@Component({
selector: 'app-demo',
templateUrl: './demo.component.html',
styleUrls: ['./demo.component.css']
})
export class DemoComponent implements OnInit {
name: string;
html: string;
constructor(private sanitizer: DomSanitizer) {
this.name = 'Angular2';
this.html = "<script> alert(8) </script>";
}
ngOnInit() {
}
}
和模板 html:
<div [innerHtml]="html | safeHtml"></div>
我尝试了 sanitize 和 SecurityContext.NONE,看看 code and bypassSecurityTrustHtml(value). The above code was inspired by this .
应该可以
关于如何执行 JavaScript 的任何想法?
所以是的,innerHtml 不能插入脚本标签,但它并不能阻止它从许多其他注入方式之一中注入 JavaScript。
工作示例:
import { Component, Pipe, PipeTransform, SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser'
@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform {
constructor(private sanitized: DomSanitizer) {}
transform(value: string) {
console.log(this.sanitized.bypassSecurityTrustHtml(value));
return this.sanitized.bypassSecurityTrustHtml(value);
}
}
@Component({
selector: 'app-demo',
template: `
<div [innerHtml]="html | safeHtml">
</div>
`
})
export class DemoComponent {
html: string;
h_html: string;
constructor(private sanitizer: DomSanitizer) {
this.html = "<svg onload=\"alert(1)\"> blah </svg>"
this.h_html = sanitizer.sanitize(SecurityContext.HTML, "<svg onload=\"alert(2)\"> blah </svg>');
}
}
没用的是
return this.sanitized.sanitize(SecurityContext.HTML, value);
或使用
<div [innerHtml]="h_tmpl"></div>
不知道为什么。应该表现得一样。
我正在玩 Angular 的 bypassSecurityTrust* 函数。目标是让 script 标签在页面上执行。但它要么继续使用消息
WARNING: sanitizing HTML stripped some content
或者我在控制台看到一个
SafeHtmlImpl {changingThisBreaksApplicationSecurity: "<script>alert(1)</script>.
目标是让它发挥作用。
我目前使用和尝试过的:
@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform {
constructor(private sanitized: DomSanitizer) {}
transform(value: string): string {
console.log(this.sanitized.sanitize(SecurityContext.NONE, value))
return this.sanitized.sanitize(SecurityContext.NONE, value);
}
}
@Component({
selector: 'app-demo',
templateUrl: './demo.component.html',
styleUrls: ['./demo.component.css']
})
export class DemoComponent implements OnInit {
name: string;
html: string;
constructor(private sanitizer: DomSanitizer) {
this.name = 'Angular2';
this.html = "<script> alert(8) </script>";
}
ngOnInit() {
}
}
和模板 html:
<div [innerHtml]="html | safeHtml"></div>
我尝试了 sanitize 和 SecurityContext.NONE,看看 code and bypassSecurityTrustHtml(value). The above code was inspired by this
关于如何执行 JavaScript 的任何想法?
所以是的,innerHtml 不能插入脚本标签,但它并不能阻止它从许多其他注入方式之一中注入 JavaScript。
工作示例:
import { Component, Pipe, PipeTransform, SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser'
@Pipe({ name: 'safeHtml'})
export class SafeHtmlPipe implements PipeTransform {
constructor(private sanitized: DomSanitizer) {}
transform(value: string) {
console.log(this.sanitized.bypassSecurityTrustHtml(value));
return this.sanitized.bypassSecurityTrustHtml(value);
}
}
@Component({
selector: 'app-demo',
template: `
<div [innerHtml]="html | safeHtml">
</div>
`
})
export class DemoComponent {
html: string;
h_html: string;
constructor(private sanitizer: DomSanitizer) {
this.html = "<svg onload=\"alert(1)\"> blah </svg>"
this.h_html = sanitizer.sanitize(SecurityContext.HTML, "<svg onload=\"alert(2)\"> blah </svg>');
}
}
没用的是
return this.sanitized.sanitize(SecurityContext.HTML, value);
或使用
<div [innerHtml]="h_tmpl"></div>
不知道为什么。应该表现得一样。