[英]How to prevent html injection in Angular 5
I want to prevent users to enter html injection to textbox.我想阻止用户向文本框输入 html 注入。 I have researched some example but they are generally about allowing html tags through pipes and saying angular automatically sanitizes html tags .
我研究了一些例子,但它们通常是关于允许 html 标签通过管道并说angular 自动清理 html 标签。 But in my example when I enter
<script>alert('blabla')</script>
to text box, it is accepted and registered to db like this..但是在我的示例中,当我在文本框中输入
<script>alert('blabla')</script>
,它被接受并注册到 db 像这样..
How can I prevent it ?我该如何预防?
My template code is:我的模板代码是:
<div fxLayout="row">
<mat-form-field fxFlex="20">
<input matInput name="label" [(ngModel)]="product.label" placeholder="Label"
required>
</mat-form-field>
</div>
and my ts file is:我的 ts 文件是:
import { Product } from '../../../';
@Component({
selector: '....',
templateUrl: '....',
styleUrls: ['....']
})
export class ProductEditComponent implements OnInit {
product: Product = <Product>{};
constructor(some services etc.) {
}
ngOnInit() {
//some code
}
Note again: I want to prevent entering html script injection, not allowing it with bypass or pipe...再次注意:我想防止进入 html 脚本注入,不允许它绕过或管道......
you could use DomSanitizer for that你可以使用 DomSanitizer
import { DomSanitizer } from "@angular/platform-browser"
import { SecurityContext } from "@angular/core";
constructor(private sanit:DomSanitizer){
var dom = this.sanitizer.sanitize(SecurityContext.HTML, "<script> alert('HELLO'); </script>");
console.log(dom);
}
if it returns null, then it was an issue with html,else it returns passed html如果它返回null,那么它是html的问题,否则它返回传递的html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.