Monday, December 11, 2023
Homepage · html
 Popular · Latest · Hot · Upcoming
61
rated 0 times [  66] [ 5]  / answers: 1 / hits: 10201  / 6 Years ago, thu, april 19, 2018, 12:00:00

I'm playing with bypassSecurityTrust* functions of Angular. Goal is to get a script tag to execute on the page. But it either keeps sanitizing with the message



WARNING: sanitizing HTML stripped some content



or I see in the console a



SafeHtmlImpl {changingThisBreaksApplicationSecurity: <script>alert(1)</script>.



Goal is to get this working.



What I currently use and tried:



@Pipe({ name: 'safeHtml'})

export class SafeHtmlPipe implements PipeTransform  {

  constructor(private sanitized: DomSanitizer) {}

  transform(value: string): string {

    console.log(this.sanitized.sanitize(SecurityContext.NONE, value))

    return this.sanitized.sanitize(SecurityContext.NONE, value);

  }

}

@Component({

  selector: 'app-demo',

  templateUrl: './demo.component.html',

  styleUrls: ['./demo.component.css']

})

export class DemoComponent implements OnInit {



  name: string;

  html: string;

  constructor(private sanitizer: DomSanitizer) {

    this.name = 'Angular2';

    this.html = <script> alert(8) </script>;

  }

  ngOnInit() {

  }

}


and the template html:



<div [innerHtml]=html | safeHtml></div>


I tried both sanitize with SecurityContext.NONE which should work looking at the code and bypassSecurityTrustHtml(value). The above code was inspired by this answer.



Any ideas on how to execute that JavaScript?


More From » html
 Answers
4

So yes, innerHtml can't insert script tags, but it doesn't stop it from one of the many other ways to inject JavaScript.



Working example:



import { Component, Pipe, PipeTransform, SecurityContext} from '@angular/core';

import { DomSanitizer } from '@angular/platform-browser'



@Pipe({ name: 'safeHtml'})

export class SafeHtmlPipe implements PipeTransform  {

  constructor(private sanitized: DomSanitizer) {}

  transform(value: string) {

    console.log(this.sanitized.bypassSecurityTrustHtml(value));

    return this.sanitized.bypassSecurityTrustHtml(value);

  }

}



@Component({

  selector: 'app-demo',

  template: `

    <div [innerHtml]=html | safeHtml>

    </div>

  `

})



export class DemoComponent {



  html: string;

  h_html: string;

  constructor(private sanitizer: DomSanitizer) {

    this.html = <svg onload=alert(1)> blah </svg>

    this.h_html = sanitizer.sanitize(SecurityContext.HTML, <svg onload=alert(2)> blah </svg>');

  }

}


What doesn't work is



return this.sanitized.sanitize(SecurityContext.HTML, value);


or using



<div [innerHtml]=h_tmpl></div>


Not sure why. Should behave the same afaiu.


[#13933] Wednesday, April 18, 2018, 6 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
reedmustafam
Add To Favorites
Follow
Total Points: 211
Total Questions: 83
Total Answers: 105
Location: Vanuatu
Member since Wed, Oct 14, 2020
3 Years ago
;