X Tutup
The Wayback Machine - https://web.archive.org/web/20250519201612/https://github.com/angular/angular/pull/45274
Skip to content

html_sanitizer: add id and style html attrs as allowed to avoid dropping of them by sanitizer #45274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

html_sanitizer: add id and style html attrs as allowed to avoid dropping of them by sanitizer #45274

wants to merge 1 commit into from

Conversation

amaestr0
Copy link

@amaestr0 amaestr0 commented Mar 5, 2022
edited
Loading

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.io application / infrastructure changes
  • Other... Please describe:

What is the current behavior?

Issue Number: 45270

#45270

What is the new behavior?

style and id attrs should be kept in html security context but sanitized inside.

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

@google-cla
Copy link

google-cla bot commented Mar 5, 2022

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

For more information, open the CLA check for this pull request.

@amaestr0 amaestr0 marked this pull request as ready for review March 5, 2022 03:35
@amaestr0 amaestr0 force-pushed the master branch 8 times, most recently from 8bd1aa6 to f2a7fe9 Compare March 5, 2022 14:50
@amaestr0 amaestr0 force-pushed the master branch 2 times, most recently from 2252c52 to b10cf47 Compare March 22, 2022 08:20
@amaestr0
fix(platform-browser): add style html attrs as allowed to avoid dropp…
f223fcd 
…ing of them by sanitizer

The provided change is for leaving html attributes style and id if they don't contain potentially dangerous code which could be executed to make some xss attacks, so as the result - a valid html content will be received with styling when a string has been sanitized
@dylhunn dylhunn added area: core Issues related to the framework runtime core: sanitization labels Mar 24, 2022
@ngbot ngbot bot added this to the Backlog milestone Mar 24, 2022
@amaestr0
Copy link
Author

@AndrewKushnir , does smb plan to pick it up for review?

@pkozlowski-opensource
Copy link
Member

@amaestr0 it is not clear to me what is the motivation for this change. What is the problem that you are trying to address?

@pkozlowski-opensource pkozlowski-opensource added the needs: clarification This issue needs additional clarification from the reporter before the team can investigate. label Jun 17, 2022
@amaestr0
Copy link
Author

@amaestr0 it is not clear to me what is the motivation for this change. What is the problem that you are trying to address?

@pkozlowski-opensource have you read the related issue an it's description?

@pkozlowski-opensource
Copy link
Member

have you read the related issue an it's description?

@amaestr0 sure, I'm assuming that you are referring to #45270. But this is where the confusion starts. The #45270 mentions the id and style attributes, so does your PR title. But it doesn't match what is going on in the code:

  • it doesn't deal with the id (good, but the PR title and the communication should be updated);
  • it introduces export const UNSAFE_SPEC_ATTRS_VALUES: string[] = ['expression', 'javascript', 'script']; (and the processing of it) which I find unrelated to what it discussed in the issue / PR communication.

I'm fine if we focus on the style attribute - in fact we might no longer need to sanitize it at all, given changes done in #35621.

I'm going to close this PR for now as there is lots of noise going on here already. If we are to do changes to the style attribute sanitization we should do so in a dedicated, focused PR. But before opening a PR we should discuss if the style attribute sanitization is needed at all.

Moving the discussion back to #45270

@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Jul 22, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@alxhub alxhub Awaiting requested review from alxhub

@AndrewKushnir AndrewKushnir Awaiting requested review from AndrewKushnir

@jelbourn jelbourn Awaiting requested review from jelbourn

@josephperrott josephperrott Awaiting requested review from josephperrott

@pkozlowski-opensource pkozlowski-opensource Awaiting requested review from pkozlowski-opensource

Assignees
No one assigned
Labels
area: core Issues related to the framework runtime core: sanitization needs: clarification This issue needs additional clarification from the reporter before the team can investigate.
Projects
None yet
Milestone
Backlog
Development

Successfully merging this pull request may close these issues.
3 participants
@amaestr0 @pkozlowski-opensource @dylhunn
X Tutup