![]()
:
Since upgrading to the latest Angular 2 release candidate, my img tags:
-
Angular treats all values as untrusted by default. When a value is inserted into the DOM from a template, via property, attribute, style, class binding, or interpolation, Angular sanitizes and escapes untrusted values.
So if you are manipulating DOM directly and inserting content it, you need to sanitize it otherwise Angular will through errors.
I have created the pipe SanitizeUrlPipe for this
import { PipeTransform, Pipe } from "@angular/core"; import { DomSanitizer, SafeHtml } from "@angular/platform-browser"; @Pipe({ name: "sanitizeUrl" }) export class SanitizeUrlPipe implements PipeTransform { constructor(private _sanitizer: DomSanitizer) { } transform(v: string): SafeHtml { return this._sanitizer.bypassSecurityTrustResourceUrl(v); } }and this is how you can use
<iframe [src]="url | sanitizeUrl" width="100%" height="500px"></iframe>If you want to add HTML, then SanitizeHtmlPipe can help
import { PipeTransform, Pipe } from "@angular/core"; import { DomSanitizer, SafeHtml } from "@angular/platform-browser"; @Pipe({ name: "sanitizeHtml" }) export class SanitizeHtmlPipe implements PipeTransform { constructor(private _sanitizer: DomSanitizer) { } transform(v: string): SafeHtml { return this._sanitizer.bypassSecurityTrustHtml(v); } }Read more about angular security here.
讨论(0) -
Pipe
// Angular import { Pipe, PipeTransform } from '@angular/core'; import { DomSanitizer, SafeHtml, SafeStyle, SafeScript, SafeUrl, SafeResourceUrl } from '@angular/platform-browser'; /** * Sanitize HTML */ @Pipe({ name: 'safe' }) export class SafePipe implements PipeTransform { /** * Pipe Constructor * * @param _sanitizer: DomSanitezer */ // tslint:disable-next-line constructor(protected _sanitizer: DomSanitizer) { } /** * Transform * * @param value: string * @param type: string */ transform(value: string, type: string): SafeHtml | SafeStyle | SafeScript | SafeUrl | SafeResourceUrl { switch (type) { case 'html': return this._sanitizer.bypassSecurityTrustHtml(value); case 'style': return this._sanitizer.bypassSecurityTrustStyle(value); case 'script': return this._sanitizer.bypassSecurityTrustScript(value); case 'url': return this._sanitizer.bypassSecurityTrustUrl(value); case 'resourceUrl': return this._sanitizer.bypassSecurityTrustResourceUrl(value); default: return this._sanitizer.bypassSecurityTrustHtml(value); } } }Template
{{ data.url | safe:'url' }}That's it!
Note: You shouldn't need it but here is the component use of the pipe// Public properties itsSafe: SafeHtml; // Private properties private safePipe: SafePipe = new SafePipe(this.domSanitizer); /** * Component constructor * * @param safePipe: SafeHtml * @param domSanitizer: DomSanitizer */ constructor(private safePipe: SafePipe, private domSanitizer: DomSanitizer) { } /** * On init */ ngOnInit(): void { this.itsSafe = this.safePipe.transform('<h1>Hi</h1>', 'html'); }讨论(0) -
I usually add separate
safe pipereusable component as following# Add Safe Pipe import { Pipe, PipeTransform } from '@angular/core'; import { DomSanitizer } from '@angular/platform-browser'; @Pipe({name: 'mySafe'}) export class SafePipe implements PipeTransform { constructor(private sanitizer: DomSanitizer) { } public transform(url) { return this.sanitizer.bypassSecurityTrustResourceUrl(url); } }# then create shared pipe module as following import { NgModule } from '@angular/core'; import { SafePipe } from './safe.pipe'; @NgModule({ declarations: [ SafePipe ], exports: [ SafePipe ] }) export class SharedPipesModule { }# import shared pipe module in your native module @NgModule({ declarations: [], imports: [ SharedPipesModule, ], }) export class SupportModule { }<!------------------- call your url (`trustedUrl` for me) and add `mySafe` as defined in Safe Pipe ----------------> <div class="container-fluid" *ngIf="trustedUrl"> <iframe [src]="trustedUrl | mySafe" align="middle" width="100%" height="800" frameborder="0"></iframe> </div>讨论(0)
加载中...
- 热议问题