1. 首頁
  2. 問答
  3. Angular2 - 預期安全值必須使用[property] = binding

Angular2 - 預期安全值必須使用[property] = binding

2017-07-26 104 views
2

我正在爲SafePipe編寫測試。該方法使用bypassSecurityTrustResourceUrl()。我搜索了可用的解決方案並嘗試了它們,但不幸的是,它並沒有幫助我。錯誤是Angular2 - 預期安全值必須使用[property] = binding

預期的SafeValue必須使用[property] = binding:Cross(見http://g.co/ng/security#xss)爲'跨站點請求'。

我在這裏做什麼?

import {Pipe, PipeTransform} from "@angular/core"; 
import {DomSanitizer} from "@angular/platform-browser"; 

@Pipe({name: 'safe'}) 
export class SafePipe implements PipeTransform { 
    constructor(private sanitizer: DomSanitizer) { 
} 

public transform(url: string): any { 
    return this.sanitizer.bypassSecurityTrustResourceUrl(url); 
} 
}

測試是:

import {SafePipe} from './safe.pipe'; 
import {DomSanitizer} from "@angular/platform-browser"; 
import {DomSanitizerImpl} from "@angular/platform-browse/src/security/dom_sanitization_service"; 

fdescribe('SafePipe',() => { 
    let pipe: SafePipe; 
    let sanitizer: DomSanitizer = new DomSanitizerImpl(); 
    beforeEach(() => { 
    pipe = new SafePipe(sanitizer); 
    }); 

    it('should transform',() => { 
    expect(pipe.transform("Cross <script>alert('Hello')</script>")).toBe("Cross alert('Hello')"); 
    }); 
});

來源

2017-07-26 user3520629

回答

6

sanitizer.bypassSecurityTrustResourceUrl方法返回SafeResourceUrlImpl類,你不能將它轉換爲字符串(茉莉正試圖在內部轉換)。

abstract class SafeValueImpl implements SafeValue { 
    constructor(public changingThisBreaksApplicationSecurity: string) { 
    // empty 
    } 

    abstract getTypeName(): string; 

    toString() { 
    return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}` + 
     ` (see http://g.co/ng/security#xss)`; 
    } 
}

您應該使用DomSanitizer.sanitize方法,而不是(像時適用[url]="value | safe"財產角度使用它)

it('should transform',() => { 
    const safeResourceUrl = pipe.transform("Cross <script>alert('Hello')</script>"); 
    const sanitizedValue = sanitizer.sanitize(SecurityContext.RESOURCE_URL, safeResourceUrl); 

    expect(sanitizedValue).toBe("Cross <script>alert('Hello')</script>"); 
});

PS。這裏我假設你在toBe聲明中有錯字,並且你期望字符串將保存script標記。

完整的例子,你可以找到在Plunker

來源

2017-07-26 07:39:46 yurzui

+0

它的工作原理,謝謝。但它應該從文本中移除'script'標籤。 [看到這裏 - Angular2安全](https://angular.io/guide/security#sanitization-example) – user3520629

+1

'Angular認爲這個值是不安全的,並自動清理它,這就消除了

相關問題

 相關問題