手动清理字符串
Manually sanitize a string
我有一个 textarea 用户将在其中键入一些文本。文本不能是 JavaScript 或 HTML 等。我想手动清理数据并将其保存到字符串中。
我不知道如何使用 DomSanitizationService 手动清理我的数据。
如果我在页面上执行 {{ textare_text }},则数据已正确清理。
如何手动对我有的 string 执行此操作?
您可以按如下方式清理 HTML:
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `
<div [innerHTML]="_htmlProperty"></div>
`
})
export class AppComponent {
_htmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get htmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty);
}
}
根据您的评论,您实际上想要转义而不是清理。
为此,check this plunker, where we have both escaping and sanitization.
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `Original, using interpolation (double curly braces):<b>
<div>{{ _originalHtmlProperty }}</div>
</b><hr>Sanitized, used as innerHTML:<b>
<div [innerHTML]="sanitizedHtmlProperty"></div>
</b><hr>Escaped, used as innerHTML:<b>
<div [innerHTML]="escapedHtmlProperty"></div>
</b><hr>Escaped AND sanitized used as innerHTML:<b>
<div [innerHTML]="escapedAndSanitizedHtmlProperty"></div>
</b>`
})
export class AppComponent {
_originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get sanitizedHtmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty);
}
public get escapedHtmlProperty() : string {
return this.escapeHtml(this._originalHtmlProperty);
}
public get escapedAndSanitizedHtmlProperty() : string {
return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty));
}
escapeHtml(unsafe) {
return unsafe.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">")
.replace(/"/g, """).replace(/'/g, "'");
}
}
HTML escaping function used above escapes the same chars as angular code does(可惜他们的转义函数不是public,所以没法用)
在 Angular final 你可以这样使用:
首先从 angular 平台浏览器导入 "DomSanitizer":
import { DomSanitizer } from '@angular/platform-browser';
import { SecurityContext } from '@angular/core';
然后在构造函数中:
constructor(private _sanitizer: DomSanitizer){}
然后在您的 class 中使用:
var title = "<script> alert('Hello')</script>"
title = this._sanitizer.sanitize(SecurityContext.HTML, title);
在angular^2.3.1
使用 bootstrap4 进度条 进行查看。看到在示例中我们需要 style.width.
的值
<!-- View HTML-->
<div class="progress">
<div class="progress-bar" role="progressbar" [style.width]="getProgress('style')" aria-valuenow="getProgress()" aria-valuemin="0" aria-valuemax="100"></div>
</div>
我们需要清理此 style.width 值。我们需要使用 DomSanitizer 来 sanitize 值和 SecurityContext 来指定上下文。在此示例中,上下文是 style.
// note that we need to use SecurityContext and DomSanitizer
// SecurityContext.STYLE
import { Component, OnInit, Input } from '@angular/core';
import { SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';
@Component({
selector: 'app-challenge-progress',
templateUrl: './challenge-progress.component.html',
styleUrls: ['./challenge-progress.component.sass']
})
export class ChallengeProgressComponent implements OnInit {
@Input() data: any;
constructor(private _sanitizer: DomSanitizer) { }
ngOnInit() {
}
getProgress(type: string): any {
if(type === 'style') {
// here is the line you are looking for
return this._sanitizer.sanitize(SecurityContext.STYLE,this._getProgress()+'%');
}
return this._getProgress();
}
private _getProgress():number {
if(this.data) {
return this.data.goal_total_current/this.data.goal*100;
}
return 0;
}
}
我有一个 textarea 用户将在其中键入一些文本。文本不能是 JavaScript 或 HTML 等。我想手动清理数据并将其保存到字符串中。
我不知道如何使用 DomSanitizationService 手动清理我的数据。
如果我在页面上执行 {{ textare_text }},则数据已正确清理。
如何手动对我有的 string 执行此操作?
您可以按如下方式清理 HTML:
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `
<div [innerHTML]="_htmlProperty"></div>
`
})
export class AppComponent {
_htmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get htmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty);
}
}
根据您的评论,您实际上想要转义而不是清理。
为此,check this plunker, where we have both escaping and sanitization.
import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Component({
selector: 'my-app',
template: `Original, using interpolation (double curly braces):<b>
<div>{{ _originalHtmlProperty }}</div>
</b><hr>Sanitized, used as innerHTML:<b>
<div [innerHTML]="sanitizedHtmlProperty"></div>
</b><hr>Escaped, used as innerHTML:<b>
<div [innerHTML]="escapedHtmlProperty"></div>
</b><hr>Escaped AND sanitized used as innerHTML:<b>
<div [innerHTML]="escapedAndSanitizedHtmlProperty"></div>
</b>`
})
export class AppComponent {
_originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB';
constructor(private _sanitizer: DomSanitizer){ }
public get sanitizedHtmlProperty() : SafeHtml {
return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty);
}
public get escapedHtmlProperty() : string {
return this.escapeHtml(this._originalHtmlProperty);
}
public get escapedAndSanitizedHtmlProperty() : string {
return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty));
}
escapeHtml(unsafe) {
return unsafe.replace(/&/g, "&").replace(/</g, "<").replace(/>/g, ">")
.replace(/"/g, """).replace(/'/g, "'");
}
}
HTML escaping function used above escapes the same chars as angular code does(可惜他们的转义函数不是public,所以没法用)
在 Angular final 你可以这样使用:
首先从 angular 平台浏览器导入 "DomSanitizer":
import { DomSanitizer } from '@angular/platform-browser'; import { SecurityContext } from '@angular/core';然后在构造函数中:
constructor(private _sanitizer: DomSanitizer){}然后在您的 class 中使用:
var title = "<script> alert('Hello')</script>" title = this._sanitizer.sanitize(SecurityContext.HTML, title);
在angular^2.3.1
使用 bootstrap4 进度条 进行查看。看到在示例中我们需要 style.width.
的值<!-- View HTML-->
<div class="progress">
<div class="progress-bar" role="progressbar" [style.width]="getProgress('style')" aria-valuenow="getProgress()" aria-valuemin="0" aria-valuemax="100"></div>
</div>
我们需要清理此 style.width 值。我们需要使用 DomSanitizer 来 sanitize 值和 SecurityContext 来指定上下文。在此示例中,上下文是 style.
// note that we need to use SecurityContext and DomSanitizer
// SecurityContext.STYLE
import { Component, OnInit, Input } from '@angular/core';
import { SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';
@Component({
selector: 'app-challenge-progress',
templateUrl: './challenge-progress.component.html',
styleUrls: ['./challenge-progress.component.sass']
})
export class ChallengeProgressComponent implements OnInit {
@Input() data: any;
constructor(private _sanitizer: DomSanitizer) { }
ngOnInit() {
}
getProgress(type: string): any {
if(type === 'style') {
// here is the line you are looking for
return this._sanitizer.sanitize(SecurityContext.STYLE,this._getProgress()+'%');
}
return this._getProgress();
}
private _getProgress():number {
if(this.data) {
return this.data.goal_total_current/this.data.goal*100;
}
return 0;
}
}