-
-
Notifications
You must be signed in to change notification settings - Fork 181
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is sanitation actually working? Component does not work when content-security-policy is enforced #401
Comments
Hi @MatthiasvB, Could you provide a reproduction example? Thank you! |
Not really, I think. The issue depends on the server configuration. Only if the server sets the header mentioned above will the problem occur. But then always when you use the I doubt I can reproduce this on stackblitz |
But here a hint how it may be fixable: this.element.nativeElement.innerHTML = compiled; I believe if this was replaced with someting like this.element.nativeElement.innerHTML = sanitizer.sanitize(compiled); it may work. I'm not deeply into how the sanitizer works, though |
I am not familiar with the header you mention. If have a solution to fix it please feel free to open a PR otherwise I am not sure how to reproduce the problem 😕 |
But this is done already in the MarkdownService ngx-markdown/lib/src/markdown.service.ts Line 168 in 7e7cfe7
|
It's a fairly now header devised by Google and only implemented by Chromium browsers. However, it's usage is bound to increase, and thus the severity of this issue. Here is some info regarding it https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types |
And the string is final at this point? Not changing afterwards in any way? Then it would be interesting how "marking the string as sanitized" actually works, and whether this can be done right there. At least it's good to know that sanitation does occur, what's missing is just marking it as sanitized |
In an effort to make experiments myself I have cloned the repository. |
I have checkout out the project and tried to fix it. It's not easy, as the problem extends into dependencies. What "works" per instance is to use the package DOMPurify, and to do: // replace
someElement.innerHTML = someHtmlString;
//with
someElement.innerHTML = DOMPurify.sanitize(someHtmlString, { RETURN_TRUSTED_TYPE: true }) as unknown as string; however, DOMPurify is not exactly up to date, requires "allowSyntheticDefaultImports": true in the tsconfig.json and returns some weird type which does not play well with the innerHTML. Given the depth to which this problem permeates, I will not attempt to fix this. @jfcere you probably have way better overview over this project. Do you think it would be possible to refactor this to make sanitation occur automatically by always and only using Angular's Here's a guide to reproduce the issue:
|
Did anyone identify a solution or how the library should be in the future improved to support this? trusted-types are actually a very interesting addition to browser security and recently firefox have confirmed that next version will be supporting it as well. |
Hello @jfcere @MatthiasvB i think i've identified how a user can simply solve this problem so that this ticket could be closed. If a user want to enable trusted types and get ngx-markdown to work can simply define a 'default' trusted policy with the following code. The default policy will be triggered automatically when ngx-markdown or other libraries uses innerHTML without passing already a trusted type. import * as DOMPurify from 'dompurify';
window.trustedTypes.createPolicy('default', {
createHTML: (input: string) => {
// Sanitize the input using DOMPurify or any other sanitizer library
return (DOMPurify as any).default.sanitize(input, {RETURN_TRUSTED_TYPE: true});
},
createScript: (input: string) => {
throw new Error('Scripts are not allowed by this policy.');
},
createScriptURL: (input: string) => {
throw new Error('Script URLs are not allowed by this policy.');
}
}); We are using this implementation in GlobaLeaks: globaleaks/globaleaks-whistleblowing-software@48bfe85 |
@evilaliv3 thanks for the code snippet. If I look at the source (https://github.com/cure53/DOMPurify/blob/ad0fe79863f24d9a6e6583a350e2efb791f77bc9/src/purify.ts) then the code would just run the html string twice through a createHtml policy. The DOMPurify policy actually allows scriptUrls btw! Creating the policy and just using sanitize would be sufficient and also would be the proper expected return type by import { Injectable } from '@angular/core';
import DOMPurify from 'dompurify';
@Injectable({
providedIn: 'root',
})
export class TrustedTypesService {
constructor() {
// https://developer.mozilla.org/en-US/docs/Web/API/TrustedTypePolicyFactory/createPolicy
if (!window.trustedTypes?.createPolicy) {
return; // browser doesn't support it
}
window.trustedTypes.createPolicy('default', {
createHTML: (input: string) => DOMPurify.sanitize(input),
});
}
} (so technically ngx-markdown should just allow us to define a policy / use a default one to handle this if the developer wants it) |
I'm working on an app that is served with header
This should not be an issue if angular's dom sanitizer was used correctly. However, the application breaks (in Chromium browsers) claiming
After hours of debugging and trying to find the right headers to make this work, I've realized that ngx-markdown simply either does not sanitize the generated HTML, or at least not in a fashion that marks this as a trusted type.
The solution is simple: Don't use the component, but the pipe! Since Angular will automatically sanitize the HTML, when I assign it to
[innerHTML]
, it really does't matter what kind of sanitation this library does or does not do. Suddenly, the app is back to working.Please fix this, as not being able to use the other methods for anchoring HTML in the template will break many applications and lead to hours of debugging time, as more and more people will start using this security mechanism
The text was updated successfully, but these errors were encountered: