From 16cbf2615634b4ccf670743435dbfc4adc6c6415 Mon Sep 17 00:00:00 2001
From: jojohoch <joachim.hoch@iqb.hu-berlin.de>
Date: Wed, 13 Oct 2021 12:08:06 +0200
Subject: [PATCH] Sanitize `innerHTML` with pipe
---
projects/common/app.module.ts | 7 +++++--
.../pipes/safe-resource-html.pipe.ts | 13 +++++++++++++
.../common/element-components/text.component.ts | 2 +-
.../properties/element-properties.component.html | 2 +-
4 files changed, 20 insertions(+), 4 deletions(-)
create mode 100644 projects/common/element-components/pipes/safe-resource-html.pipe.ts
diff --git a/projects/common/app.module.ts b/projects/common/app.module.ts
index 904e02173..355b7de05 100644
--- a/projects/common/app.module.ts
+++ b/projects/common/app.module.ts
@@ -34,6 +34,7 @@ import { AudioComponent } from './element-components/audio.component';
import { SafeResourceUrlPipe } from './element-components/pipes/safe-resource-url.pipe';
import { InputBackgroundColorDirective } from './element-components/directives/input-background-color.directive';
import { ErrorTransformPipe } from './element-components/pipes/error-transform.pipe';
+import { SafeResourceHTMLPipe } from './element-components/pipes/safe-resource-html.pipe';
@NgModule({
imports: [
@@ -64,7 +65,8 @@ import { ErrorTransformPipe } from './element-components/pipes/error-transform.p
DropdownComponent,
SafeResourceUrlPipe,
InputBackgroundColorDirective,
- ErrorTransformPipe
+ ErrorTransformPipe,
+ SafeResourceHTMLPipe
],
exports: [
CommonModule,
@@ -97,7 +99,8 @@ import { ErrorTransformPipe } from './element-components/pipes/error-transform.p
MatSnackBarModule,
MatTooltipModule,
MatDialogModule,
- TranslateModule
+ TranslateModule,
+ SafeResourceHTMLPipe
]
})
export class SharedModule { }
diff --git a/projects/common/element-components/pipes/safe-resource-html.pipe.ts b/projects/common/element-components/pipes/safe-resource-html.pipe.ts
new file mode 100644
index 000000000..f7e63e0fb
--- /dev/null
+++ b/projects/common/element-components/pipes/safe-resource-html.pipe.ts
@@ -0,0 +1,13 @@
+import { Pipe, PipeTransform } from '@angular/core';
+import { DomSanitizer, SafeResourceUrl } from '@angular/platform-browser';
+
+@Pipe({
+ name: 'safeResourceHTML'
+})
+export class SafeResourceHTMLPipe implements PipeTransform {
+ constructor(private sanitizer: DomSanitizer) {}
+
+ transform(resourceUrl: string): SafeResourceUrl {
+ return this.sanitizer.bypassSecurityTrustHtml(resourceUrl);
+ }
+}
diff --git a/projects/common/element-components/text.component.ts b/projects/common/element-components/text.component.ts
index 829676bcf..42a88a8db 100644
--- a/projects/common/element-components/text.component.ts
+++ b/projects/common/element-components/text.component.ts
@@ -34,7 +34,7 @@ import { ElementComponent } from '../element-component.directive';
[style.font-weight]="elementModel.bold ? 'bold' : ''"
[style.font-style]="elementModel.italic ? 'italic' : ''"
[style.text-decoration]="elementModel.underline ? 'underline' : ''"
- [innerHTML]="sanitizer.bypassSecurityTrustHtml(elementModel.text)"
+ [innerHTML]="elementModel.text | safeResourceHTML"
#container>
</div>
</div>
diff --git a/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html b/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html
index 52c15c332..448d95922 100644
--- a/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html
+++ b/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html
@@ -20,7 +20,7 @@
<ng-container *ngIf="combinedProperties.text">
Text
- <div class="text-text" [innerHTML]="sanitizer.bypassSecurityTrustHtml($any(combinedProperties.text))"
+ <div class="text-text" [innerHTML]="combinedProperties.text | safeResourceHTML"
(click)="unitService.showDefaultEditDialog(selectedElements[0])">
</div>
</ng-container>
--
GitLab