In RC.1 some styles can’t be added using binding syntax

by

update (2.0.0 final)

import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

@Pipe({name: 'safeHtml'})
export class SafeHtml implements PipeTransform {
  constructor(private sanitizer:DomSanitizer){}

  transform(html) {
    return this.sanitizer.bypassSecurityTrustStyle(html);
    // return this.sanitizer.bypassSecurityTrustHtml(html);
    // return this.sanitizer.bypassSecurityTrustScript(html);
    // return this.sanitizer.bypassSecurityTrustUrl(html);
    // return this.sanitizer.bypassSecurityTrustResourceUrl(html);
  }
}

See also https://angular.io/api/platform-browser/DomSanitizer

<div [innerHTML]="someHtml | safeHtml"

update

DomSanitizationService is going to be renamed to DomSanitizer in RC.6

original

This should be fixed in RC.2

See also Angular2 Developer Guide – Security

Angular2 intruduced sanitization of CSS values and property binding like [innerHTML]=... and [src]="..." in RC.1

See also https://github.com/angular/angular/issues/8491#issuecomment-217467582

The values can be marked as trusted by using DomSanitizer.bypassSecurityTrustStyle(...) 

import {DomSanitizer} from '@angular/platform-browser';
...
constructor(sanitizer: DomSanitizationService) {
  this.backgroundImageStyle = sanitizer.bypassSecurityTrustStyle('url(' + this.image + ')');
  // for HTML
  // this.backgroundImageStyle = sanitizer.bypassSecurityTrustHtml(...);

}

and binding to this value instead the untrusted plain string.

This can also be wrapped in a pipe like

@Pipe({name: 'safeStyle'})
export class Safe {
  constructor(private sanitizer:Sanitizer){}

  transform(style) {
    return this.sanitizer.bypassSecurityTrustStyle(style);
    // return this.sanitizer.bypassSecurityTrustHtml(style);
    // return this.sanitizer.bypassSecurityTrustScript(value);
    // return this.sanitizer.bypassSecurityTrustUrl(value);
    // return this.sanitizer.bypassSecurityTrustResourceUrl(value);
  }
}

<div [ngStyle]="someStyle | safeStyle"></div>

with

someHtml = `<a href="#" onClick="alert(document.cookie);">click to see the awesome</a>`;

is still working though :-[ (it’s work in progress)

Plunker example (Angular 2.0.0-rc-1)

See also Angular 2 Security Tracking Issue

and https://angular.io/docs/ts/latest/api/platform-browser/index/DomSanitizer-class.html

Hint about {{...}}

Sanitized content can’t be bound using prop="{{sanitizedContent}}" because {{}} stringyfies the value before it is assigned which breaks sanitization.

More Related Contents:

  1. How to style child components from parent component’s CSS file?
  2. How and where to use ::ng-deep?
  3. Angular-cli from css to scss
  4. angular 2 ngIf and CSS transition/animation
  5. How to overwrite angular 2 material styles?
  6. Dynamic styleUrls in angular 2?
  7. The use of /deep/ and >>> in Angular 2
  8. Styling mat-select in Angular Material
  9. Angular dynamic background images
  10. Angular 2: How to style host element of the component?
  11. CSS file blocked: MIME type mismatch (X-Content-Type-Options: nosniff)
  12. Change style of pseudo elements in angular2
  13. Changing border color in mat-form-field
  14. Grid Styling – Overwrite style of ag-grid
  15. Dynamically updating css in Angular 2
  16. How to create a pure css slideshow? [closed]
  17. Is there a “previous sibling” selector?
  18. Align inline-block DIVs to top of container element
  19. How to use JSF generated HTML element ID with colon “:” in CSS selectors?
  20. What does an asterisk (*) do in a CSS selector?
  21. What is the default padding and/or margin for a p element (reset css)?
  22. Which CSS properties create a stacking context?
  23. How to use template literals in tailwindcss to change classes dynamically?
  24. How to put an image in div with CSS?
  25. IE7 relative/absolute positioning bug with dynamically modified page content
  26. Non-Standard fonts in web?
  27. How do you style a external svg with css
  28. How do I make text bold in HTML?
  29. How to use variable in CSS? [duplicate]
  30. Latest on CSS parent selector [duplicate]

Leave a Comment