Hi Sander, Hi all, Some parts of my app are edtable by the user with a wysiwyg editor (quilljs). This editior is customized to add the possibility to insert dynamically within the html, some Angular components : button, Card, Collapse, etc.
The defintions of these components are stored in a dedicated data-attribute of an img tag which represents the component during the edition process. The result of all of this is then processed to generate the view dynamically. You helped me for that few months ago! ;-) I had to disable the sanitizer of the editor so I would like to keep the angular one for everything except the data-attribute and I wonder if there is a better way than what I did. Regards, Arnaud. Le samedi 13 janvier 2018 20:40:28 UTC+1, Arnaud Deman a écrit : > > Hi, > is it possible to keep a specific data attribute with the DomSanitizer ? > > For the moment I am doing these steps : > > 1. Extract the data-attribute with a regex from the html string, > 2. Call the DomSanitizer on the html string, > 3. Reinject the data-attribute in the sanitized html. > 4. call DomSanitizer.bypassSecurityTrustHtml on the result of the > previous step to obtain a SafeHtml instance. > 5. Inject the result with: <div [innerHTML]="mySafeHtml"></div> > > It is working but I find this a little bit tricky so I would be interested > by a more conventional solution. > > Subsidary question: what are the risks of an XSS attack with a data > attribute (quoted and html encoded) ? > > Regards, > Arnaud. > -- You received this message because you are subscribed to the Google Groups "Angular and AngularJS discussion" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/angular. For more options, visit https://groups.google.com/d/optout.
