Sanitize `innerHTML` with pipe

16cbf261 · jojohoch · 781ded38 · 16cbf261 · 16cbf261 · 16cbf261
Commit 16cbf261 authored 3 years ago by jojohoch
--- a/projects/common/app.module.ts
+++ b/projects/common/app.module.ts
@@ -34,6 +34,7 @@ import { AudioComponent } from './element-components/audio.component';
 import { SafeResourceUrlPipe } from './element-components/pipes/safe-resource-url.pipe';
 import { InputBackgroundColorDirective } from './element-components/directives/input-background-color.directive';
 import { ErrorTransformPipe } from './element-components/pipes/error-transform.pipe';
+import { SafeResourceHTMLPipe } from './element-components/pipes/safe-resource-html.pipe';
 @NgModule({
  imports: [
@@ -64,7 +65,8 @@ import { ErrorTransformPipe } from './element-components/pipes/error-transform.p
    DropdownComponent,
    SafeResourceUrlPipe,
    InputBackgroundColorDirective,
-    ErrorTransformPipe
+    ErrorTransformPipe,
+    SafeResourceHTMLPipe
  ],
  exports: [
    CommonModule,
@@ -97,7 +99,8 @@ import { ErrorTransformPipe } from './element-components/pipes/error-transform.p
    MatSnackBarModule,
    MatTooltipModule,
    MatDialogModule,
-    TranslateModule
+    TranslateModule,
+    SafeResourceHTMLPipe
  ]
 })
 export class SharedModule { }
--- a/projects/common/element-components/pipes/safe-resource-html.pipe.ts
+++ b/projects/common/element-components/pipes/safe-resource-html.pipe.ts
+import { Pipe, PipeTransform } from '@angular/core';
+import { DomSanitizer, SafeResourceUrl } from '@angular/platform-browser';
+@Pipe({
+  name: 'safeResourceHTML'
+})
+export class SafeResourceHTMLPipe implements PipeTransform {
+  constructor(private sanitizer: DomSanitizer) {}
+  transform(resourceUrl: string): SafeResourceUrl {
+    return this.sanitizer.bypassSecurityTrustHtml(resourceUrl);
+  }
+}
--- a/projects/common/element-components/text.component.ts
+++ b/projects/common/element-components/text.component.ts
@@ -34,7 +34,7 @@ import { ElementComponent } from '../element-component.directive';
           [style.font-weight]="elementModel.bold ? 'bold' : ''"
           [style.font-style]="elementModel.italic ? 'italic' : ''"
           [style.text-decoration]="elementModel.underline ? 'underline' : ''"
-           [innerHTML]="sanitizer.bypassSecurityTrustHtml(elementModel.text)"
+           [innerHTML]="elementModel.text | safeResourceHTML"
           #container>
      </div>
    </div>

--- a/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html
+++ b/projects/editor/src/app/components/unit-view/page-view/properties/element-properties.component.html
@@ -20,7 +20,7 @@
        <ng-container *ngIf="combinedProperties.text">
          Text
-          <div class="text-text" [innerHTML]="sanitizer.bypassSecurityTrustHtml($any(combinedProperties.text))"
+          <div class="text-text" [innerHTML]="combinedProperties.text | safeResourceHTML"
               (click)="unitService.showDefaultEditDialog(selectedElements[0])">
          </div>
        </ng-container>