Sanitize input in Angular2 [duplicate]

by

To insert normal HTML into your angular2 app, you can use the [innerHtml] directive.

<div [innerHtml]="htmlProperty"></div>

This is not going to work with HTML which has its own components and directives, at least not in the way you’d expect it.

If however you do get an unsafe html warning you should trust the HTML first before injecting it. You have to use the DomSanitizer for such a thing. For instance, an <h3> element is considered safe. An <input> element is not.

export class AppComponent  {

    private _htmlProperty: string = '<input type="text" name="name">';

    public get htmlProperty() : SafeHtml {
       return this.sr.bypassSecurityTrustHtml(this._htmlProperty);
    }

    constructor(private sr: DomSanitizer){}
}

And have your template stay the same as this:

<div [innerHtml]="htmlProperty"></div>

A little heads-up though:

WARNING: calling this method with untrusted user data exposes your application to XSS security risks!

If you plan on using this technique more, you can try to write a @Pipe to fulfill this task.

import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Pipe({
    name: 'trustHtml'
})
export class TrustHtmlPipe implements PipeTransform  {    
   constructor(readonly sr: DomSanitizer){}  

   transform(html: string) : SafeHtml {
      return this.sr.bypassSecurityTrustHtml(html); 
   } 
}

If you have a pipe like this, your AppComponent will change to this. Don’t forget to add the pipe to your declarations array of your NgModule:

@Component({
   selector: 'app',
   template: `<div [innerHtml]="htmlProperty | trustHtml"></div>`
})
export class AppComponent{

    public htmlProperty: string = '<input type="text" name="name">';

}

Or you can write a @Directive to do the same:

@Directive({
   selector: '[trustHtml]'
})
export class SanitizeHtmlDirective {

    @Input()
    public set trustHtml(trustHtml: string) {
      if (this._trustHtml !== trustHtml) {
        this._trustHtml = trustHtml;
        this.innerHtml = this.sr.bypassSecurityTrustHtml(this.trustHtml);
      }
    }

    @HostBinding('innerHtml')
    innerHtml?: SafeHtml;

    private _trustHtml: string;

    constructor(readonly sr: DomSanitizer){}
}

If you have a directive like this, your AppComponent will change to this. Don’t forget to add the directive to your declarations array of your NgModule:

@Component({
   selector: 'app',
   template: `<div [trustHtml]="htmlProperty"></div>`
})
export class AppComponent{

    public htmlProperty: string = '<input type="text" name="name">';

}

More Related Contents:

  1. How can I select an element in a component template?
  2. Equivalent of $compile in Angular 2
  3. Read response headers from API response – Angular 5 + TypeScript
  4. How to dynamically add a directive?
  5. How to get query parameters from URL in Angular 5?
  6. angular 2 sort and filter
  7. In Angular, What is ‘pathmatch: full’ and what effect does it have?
  8. Angular2 – FormControl Validation on blur
  9. Angular4 Exception: Can’t bind to ‘ngClass’ since it isn’t a known property of ‘input’
  10. No provider for AngularFireDatabase, AngularFireAuth
  11. Multiple canActivate guards all run when first fails
  12. TS2531: Object is possibly ‘null’
  13. Custom ExceptionHandler change detection lag
  14. Trigger update of component view from service – No Provider for ChangeDetectorRef
  15. TypeError: You provided an invalid object where a stream was expected. You can provide an Observable, Promise, Array, or Iterable
  16. Pass parameter into route guard
  17. Typescript dependency injection public vs private
  18. Rxjs Retry with Delay function
  19. What is the meaning of question mark in expressions in Angular 2?
  20. Merging http observables using forkjoin
  21. Subscribing to a nested Observable
  22. Angular 2 translation change language in application
  23. Enabling CORS on Azure Active Directory
  24. How to declare a pipe globally to use in different modules?
  25. How to return value inside subscribe Angular 4
  26. Angular 2 / 4 / 5 – Ahead-of-time compilation how to
  27. Why is ES7/array polyfill needed despite the tsconfig target is set to ES5
  28. Angular Material Tab : Prevent tab change of mat-tab-group if the form in current tab is dirty
  29. Angular 2 ngOnInit not called
  30. Firestore how to get the collection value from another collection document id is referenced

Leave a Comment