
Utilize DomSanitizer in Renderer2 #51208

@ToneyPK


Which @angular/* package(s) are relevant/related to the feature request?

core

Description

As stated in: https://angular.io/api/core/ElementRef#properties

Alternatively you can take a look at Renderer2 which provides an API that can be safely used.

A lot of the community (including myself until I checked the source code) is led to believe that using Renderer2 takes care of all security problems while accessing DOM elements. It only wraps the DOM API methods with Angular methods from what I have seen in the code. I'm not an expert in XSS attacks but I think that is an improvement but not total protection. Correct me if I'm wrong.

Since probably a lot of people use it, can we make it actually solve some security problems so we can benefit from the current situation?

Proposed solution

My proposal is to use the DomSanitizer's sanitize() method when using Renderer2 methods like:

This way the usage of the Renderer2 would make more sense, if, of course, it is not planned to be deprecated.

If this sounds like a good idea, I would also gladly implement the feature.

Alternatives considered

Implement some sort of a feature that would be a norm for direct DOM accessing in some other code segment.
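To make the proposal concrete, here is an added sketch (not code from the issue author or from Angular) of a wrapper that routes Renderer2 writes through DomSanitizer.sanitize() with the security context chosen from the property name. The Renderer2 and DomSanitizer shapes are declared locally as an assumption so the snippet runs without @angular/core; the property-to-context table is illustrative, not Angular's full one.

```typescript
// Minimal shapes of Angular's Renderer2 and DomSanitizer, declared here (an
// assumption) so the block runs without @angular/core; the enum values match
// @angular/core's SecurityContext.
enum SecurityContext { NONE = 0, HTML = 1, STYLE = 2, SCRIPT = 3, URL = 4, RESOURCE_URL = 5 }
interface RendererLike {
  setProperty(el: any, name: string, value: any): void;
  setAttribute(el: any, name: string, value: string): void;
}
interface SanitizerLike {
  sanitize(ctx: SecurityContext, value: unknown): string | null;
}
// Property/attribute names that carry a security context; anything else
// (textContent, id, title, ...) is plain text and is written through unchanged.
const PROPERTY_CONTEXT: Record<string, SecurityContext> = {
  innerHTML: SecurityContext.HTML,
  srcdoc: SecurityContext.HTML,
  style: SecurityContext.STYLE,
  href: SecurityContext.URL,
  src: SecurityContext.URL,
};
function contextFor(tagName: string, name: string): SecurityContext {
  // <iframe src> loads a document, not an image: a resource URL, which cannot be sanitized.
  if (name === 'src' && tagName.toLowerCase() === 'iframe') return SecurityContext.RESOURCE_URL;
  return PROPERTY_CONTEXT[name] ?? SecurityContext.NONE;
}

// Wraps a Renderer2 so that values for dangerous properties go through
// DomSanitizer.sanitize() before they reach the DOM.
class SanitizingRenderer {
  constructor(private readonly renderer: RendererLike, private readonly sanitizer: SanitizerLike) {}

  private clean(el: any, name: string, value: unknown): unknown {
    const ctx = contextFor(String(el?.tagName ?? ''), name);
    if (ctx === SecurityContext.NONE) return value;
    if (ctx === SecurityContext.SCRIPT || ctx === SecurityContext.RESOURCE_URL) {
      // DomSanitizer.sanitize() throws here unless the value came from
      // bypassSecurityTrust*(): there is no sanitizer for these contexts, so refuse.
      throw new Error(`${name} on <${el?.tagName}> requires an explicitly trusted value`);
    }
    return this.sanitizer.sanitize(ctx, value);
  }

  setProperty(el: any, name: string, value: unknown): void {
    this.renderer.setProperty(el, name, this.clean(el, name, value));
  }
  setAttribute(el: any, name: string, value: string): void {
    this.renderer.setAttribute(el, name, String(this.clean(el, name, value) ?? ''));
  }
}
```

In a real application the wrapper would be constructed from the injected Renderer2 and DomSanitizer; the point it illustrates is that plain Renderer2.setProperty(el, 'innerHTML', value) performs no sanitization on its own.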

Labels: P3 (An issue that is relevant to core functions, but does not impede progress. Important, but not urgent); area: docs (Related to the documentation)