如何防止 Angular 5 中的 html 注入
[英]How to prevent html injection in Angular 5
问题描述
I want to prevent users to enter html injection to textbox.
我想阻止用户向文本框输入 html 注入。 I have researched some example but they are generally about allowing html tags through pipes and saying angular automatically sanitizes html tags .我研究了一些例子,但它们通常是关于允许 html 标签通过管道并说angular 自动清理 html 标签。 But in my example when I enter <script>alert('blabla')</script> to text box, it is accepted and registered to db like this..但是在我的示例中,当我在文本框中输入<script>alert('blabla')</script> ,它被接受并注册到 db 像这样..
How can I prevent it ?我该如何预防?
My template code is:我的模板代码是:
<div fxLayout="row">
<mat-form-field fxFlex="20">
<input matInput name="label" [(ngModel)]="product.label" placeholder="Label"
required>
</mat-form-field>
</div>
and my ts file is:我的 ts 文件是:
import { Product } from '../../../';
@Component({
selector: '....',
templateUrl: '....',
styleUrls: ['....']
})
export class ProductEditComponent implements OnInit {
product: Product = <Product>{};
constructor(some services etc.) {
}
ngOnInit() {
//some code
}
Note again: I want to prevent entering html script injection, not allowing it with bypass or pipe...再次注意:我想防止进入 html 脚本注入,不允许它绕过或管道......
1 个解决方案
解决方案1
1 已采纳 2019-04-25 11:34:52
you could use DomSanitizer for that你可以使用 DomSanitizer
import { DomSanitizer } from "@angular/platform-browser"
import { SecurityContext } from "@angular/core";
constructor(private sanit:DomSanitizer){
var dom = this.sanitizer.sanitize(SecurityContext.HTML, "<script> alert('HELLO'); </script>");
console.log(dom);
}
if it returns null, then it was an issue with html,else it returns passed html如果它返回null,那么它是html的问题,否则它返回传递的html
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.