Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(core): hardening attribute and property binding rules for <iframe…
…> elements This commit updates the logic related to the attribute and property binding rules for <iframe> elements. There is a set of <iframe> attributes that may affect the behavior of an iframe and this change enforces that these attributes are only applied as static attributes, making sure that they are taken into account while creating an <iframe>. If Angular detects that some of the security-sensitive attributes are applied as an attribute or property binding, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an iframe is located. BREAKING CHANGE: Existing iframe usages may have security-sensitive attributes applied as an attribute or property binding in a template or via host bindings in a directive. Such usages would require an update to ensure compliance with the new stricter rules around iframe bindings.
- Loading branch information
1 parent
3b91101
commit 61575df
Showing
14 changed files
with
965 additions
and
6 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
/** | ||
* @license | ||
* Copyright Google LLC All Rights Reserved. | ||
* | ||
* Use of this source code is governed by an MIT-style license that can be | ||
* found in the LICENSE file at https://angular.io/license | ||
*/ | ||
|
||
import {IFRAME_SECURITY_SENSITIVE_ATTRS, SECURITY_SCHEMA} from '../src/schema/dom_security_schema'; | ||
|
||
|
||
describe('security-related tests', () => { | ||
it('should have no overlap between `IFRAME_SECURITY_SENSITIVE_ATTRS` and `SECURITY_SCHEMA`', | ||
() => { | ||
// The `IFRAME_SECURITY_SENSITIVE_ATTRS` and `SECURITY_SCHEMA` tokens configure sanitization | ||
// and validation rules and used to pick the right sanitizer function. | ||
// This test verifies that there is no overlap between two sets of rules to flag | ||
// a situation when 2 sanitizer functions may be needed at the same time (in which | ||
// case, compiler logic should be extended to support that). | ||
const schema = new Set(); | ||
Object.keys(SECURITY_SCHEMA()).forEach((key: string) => schema.add(key.toLowerCase())); | ||
let hasOverlap = false; | ||
IFRAME_SECURITY_SENSITIVE_ATTRS.forEach(attr => { | ||
if (schema.has('*|' + attr) || schema.has('iframe|' + attr)) { | ||
hasOverlap = true; | ||
} | ||
}); | ||
expect(hasOverlap).toBeFalse(); | ||
}); | ||
}); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
51 changes: 51 additions & 0 deletions
51
packages/core/src/render3/instructions/element_validation.ts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
/** | ||
* @license | ||
* Copyright Google LLC All Rights Reserved. | ||
* | ||
* Use of this source code is governed by an MIT-style license that can be | ||
* found in the LICENSE file at https://angular.io/license | ||
*/ | ||
|
||
import {throwError} from '../../util/assert'; | ||
import {getComponentDef} from '../definition'; | ||
import {ComponentDef} from '../interfaces/definition'; | ||
import {CONTEXT, DECLARATION_COMPONENT_VIEW, LView} from '../interfaces/view'; | ||
|
||
/** | ||
* WARNING: this is a **dev-mode only** function (thus should always be guarded by the `ngDevMode`) | ||
* and must **not** be used in production bundles. The function makes megamorphic reads, which might | ||
* be too slow for production mode and also it relies on the constructor function being available. | ||
* | ||
* Gets a reference to the host component def (where a current component is declared). | ||
* | ||
* @param lView An `LView` that represents a current component that is being rendered. | ||
*/ | ||
function getDeclarationComponentDef(lView: LView): ComponentDef<unknown>|null { | ||
!ngDevMode && throwError('Must never be called in production mode'); | ||
|
||
const declarationLView = lView[DECLARATION_COMPONENT_VIEW] as LView; | ||
const context = declarationLView[CONTEXT]; | ||
|
||
// Unable to obtain a context. | ||
if (!context) return null; | ||
|
||
return context.constructor ? getComponentDef(context.constructor) : null; | ||
} | ||
|
||
/** | ||
* WARNING: this is a **dev-mode only** function (thus should always be guarded by the `ngDevMode`) | ||
* and must **not** be used in production bundles. The function makes megamorphic reads, which might | ||
* be too slow for production mode. | ||
* | ||
* Constructs a string describing the location of the host component template. The function is used | ||
* in dev mode to produce error messages. | ||
* | ||
* @param lView An `LView` that represents a current component that is being rendered. | ||
*/ | ||
export function getTemplateLocationDetails(lView: LView): string { | ||
!ngDevMode && throwError('Must never be called in production mode'); | ||
|
||
const hostComponentDef = getDeclarationComponentDef(lView); | ||
const componentClassName = hostComponentDef?.type?.name; | ||
return componentClassName ? ` (used in the '${componentClassName}' component template)` : ''; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.