堆栈内存溢出
  简体   繁体   English

DOM 清理 function 不是 escaping 用户输入的文本

[英]DOM sanitize function is not escaping the text that user entered

 原文  2022-09-06 11:38:52       javascript/ angular

问题描述

Was trying to use Angular Sanitize API with the user input entered by the user inside angular form.试图使用 Angular 清理 API 与用户在 angular 表单中输入的用户输入。 But the Angular's Sanitize() is not escaping the input entered.但是 Angular 的Sanitize()不是 escaping 输入的输入。

.ts .ts

export class AppComponent {
  userName = 'Angular';

  constructor(private domSanitizer: DomSanitizer) {}

  onSave(): void {
    console.log('save clicked api call');
    this.sanitizeUserName();
  }

  sanitizeUserName(): string {
    const domSanitize = this.domSanitizer.sanitize(1, this.userName);
    console.log('sanitized text/html', domSanitize);
    return domSanitize;
  }
}

.html .html

<form #userForm="ngForm">
  <label>Username: </label>
  <input type="text" [(ngModel)]="userName" name="username" />

  <div>
    <span>View : </span>
    <div [innerHTML]="userName"></div>
  </div>

  <br />
  <br />
  <button type="button" (click)="onSave()">Save</button>
</form>

Please find the live example here .请在此处找到实时示例。 In component.ts I have added few examples to verify if the input sanitization.component.ts中,我添加了一些示例来验证输入是否经过清理。

If someone can help me out.如果有人可以帮助我。

1 个解决方案

解决方案1
 0  2022-09-06 11:58:41

sanitize method models is:清理方法模型是:

 sanitize(context: SecurityContext, value: SafeValue | string | null): string | null;

and the SecurityContext model is:和 SecurityContext model 是:

enum SecurityContext {
    NONE = 0,
    HTML = 1,
    STYLE = 2,
    SCRIPT = 3,
    URL = 4,
    RESOURCE_URL = 5
}

So it seems that you should use the number one for SecurityContext所以看来你应该为 SecurityContext 使用第一名

  sanitizeUserName(): string {
    const domSanitize = this.domSanitizer.sanitize(1, this.userName);
    console.log('sanitized text/html', domSanitize);
    return domSanitize;
  }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 DOM 清理 function 不是 escaping 用户输入的文本 - DOM sanitize function is not escaping the text that user entered 在 function 中显示用户在文本字段中输入的链接 - Display links in function of what the user entered in a text field 如何在JS函数和循环中使用文本框用户输入的数据 - How to use text box user entered data in a JS Function and loop 用户输入的值将变量转换为文本 - user entered value to variable to text 在用户输入的屏幕上分隔文本 - Separating text on the screen entered by the user 如何清除用户输入的文本,以便可以在Javascript / JSON中使用它? - How to sanitize user input text so that it can be used in Javascript/JSON? 如何获取值用户输入的html文本表单字段传递给javascript函数? - How to get value user entered into html text form field passed to javascript function? 在DOM模型/ JavaScript中,文本框和输入到其中的值之间是否有区别? - In the DOM model/JavaScript , Is there a difference between a a text box and the value entered into it? 使用createTextNode方法附加用户输入的文本 - appending User entered text using createTextNode method 在单独的文本区域中添加用户输入的值 - adding values entered by user in a separate text area
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM