
feat(core): support passing Trusted Types around sanitization pipeline#39217

Closed
bjarkler wants to merge 2 commits into angular:master from bjarkler:trusted-types-sanitization

Conversation

@bjarkler

Contributor

Angular's sanitization pipeline is an application's last line of defence against XSS vulnerabilities. However, it currently outputs plain strings that are then passed to the DOM, where they may cause Trusted Types violations. As a step towards fixing that, make it possible to return Trusted Types from the sanitization pipeline.

This is based on #39207. See the individual commits for more details.

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • angular.io application / infrastructure changes
  • Other... Please describe:

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

This is part of an ongoing effort to add support for Trusted Types to Angular.

@google-cla google-cla Bot added the cla: yes label Oct 10, 2020
@bjarkler bjarkler force-pushed the trusted-types-sanitization branch 6 times, most recently from 1b0b057 to e73ea66 (October 11, 2020 18:31)
Comment thread packages/core/src/sanitization/bypass.ts Outdated
@bjarkler bjarkler force-pushed the trusted-types-sanitization branch 3 times, most recently from 9a8d7bb to 765f91d (October 13, 2020 21:15)
@atscott atscott added the area: core Issues related to the framework runtime label Oct 13, 2020
@ngbot ngbot Bot added this to the needsTriage milestone Oct 13, 2020
@bjarkler bjarkler force-pushed the trusted-types-sanitization branch 2 times, most recently from f14b66d to 0480af1 (October 14, 2020 23:21)
Sanitizers in Angular currently return strings, which will then eventually make their way down to the DOM, e.g. as the value of an attribute or property. This may cause a Trusted Types violation. As a step towards fixing that, make it possible to return Trusted Types from the SanitizerFn interface, which represents the internal sanitization pipeline. DOM renderer interfaces are also updated to reflect the fact that setAttribute and setAttributeNS must be able to accept Trusted Types.

Make Angular's HTML sanitizer return a TrustedHTML, as its output is trusted not to cause XSS vulnerabilities when used in a context where a browser may parse and evaluate HTML. Also update tests to reflect the new behaviour.
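The pipeline change that the PR description and the two commit messages above describe, modelled as an added example in JavaScript (this is not Angular's code; the functions `sanitizeToString`, `sanitizeHtml`, `sanitizeHtmlLegacy`, `setInnerHtml`, `renderBothWays`, the policy name `example-sanitizer` and the toy allow-list are this example's own). It shows the "before" shape, where the sanitizer returns a plain string that an enforcing DOM sink rejects, next to the "after" shape, where the sanitizer mints a TrustedHTML through a single policy so the same value is accepted. Outside a browser there is no `window.trustedTypes`, so the block falls back to a small stand-in that mirrors only the `createPolicy()` and `isHTML()` calls it uses:

```javascript
// Added example, not Angular's code: a sanitization pipeline whose output is a
// TrustedHTML object rather than a plain string, so that it can reach a DOM
// sink without a Trusted Types violation. All names below are this example's own.

// Outside a browser there is no window.trustedTypes, so fall back to a minimal
// stand-in that mirrors the two calls used here: createPolicy() and isHTML().
// In a real browser the stand-in is skipped and the native objects are used.
const trustedTypes = globalThis.trustedTypes ?? (() => {
  class TrustedHTML {
    #value;
    constructor(value) { this.#value = value; }
    toString() { return this.#value; }
  }
  return {
    createPolicy(name, rules) {
      return { name, createHTML: (input) => new TrustedHTML(rules.createHTML(String(input))) };
    },
    isHTML: (value) => value instanceof TrustedHTML,
  };
})();

// Toy allow-list sanitizer (constructed for this example; far simpler than
// Angular's real one). It keeps a few formatting tags with every attribute
// stripped and drops all other tags, leaving their text content in place.
const SAFE_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function sanitizeToString(unsafeHtml) {
  return unsafeHtml.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g, (_match, slash, name) => {
    const tag = name.toLowerCase();
    return SAFE_TAGS.has(tag) ? `<${slash}${tag}>` : '';
  });
}

// The only policy allowed to mint TrustedHTML in this module. Its rule is the
// identity because the string it receives has already been sanitized; the
// policy's job is to assert that fact to the browser, not to sanitize again.
const sanitizerPolicy = trustedTypes.createPolicy('example-sanitizer', {
  createHTML: (alreadySanitized) => alreadySanitized,
});

// Before the change: the sanitizer returns a string.
function sanitizeHtmlLegacy(unsafeHtml) {
  return sanitizeToString(unsafeHtml);
}

// After the change: the sanitizer returns TrustedHTML, so the value can flow
// through the renderer to innerHTML or setAttribute under enforcement.
function sanitizeHtml(unsafeHtml) {
  return sanitizerPolicy.createHTML(sanitizeToString(unsafeHtml));
}

// Stand-in for an innerHTML sink in a page whose CSP carries
// `require-trusted-types-for 'script'`: a plain string is rejected with a
// TypeError, as the browser would do, and only TrustedHTML is accepted.
function setInnerHtml(element, value) {
  if (!trustedTypes.isHTML(value)) {
    throw new TypeError('innerHTML requires TrustedHTML under Trusted Types enforcement');
  }
  element.innerHTML = String(value);
  return element;
}

// Runs one untrusted fragment through both pipeline shapes and reports what
// happened at the sink: the legacy string is refused, the TrustedHTML lands.
function renderBothWays(unsafeHtml) {
  let legacyError = null;
  try {
    setInnerHtml({ innerHTML: '' }, sanitizeHtmlLegacy(unsafeHtml));
  } catch (err) {
    legacyError = err.name;
  }
  const modern = setInnerHtml({ innerHTML: '' }, sanitizeHtml(unsafeHtml));
  return { legacyError, rendered: modern.innerHTML };
}

// Constructed sample input: an inline handler, a formatting tag and an event-
// handler-bearing <img>, i.e. the kind of fragment the sanitizer exists for.
console.log(renderBothWays('<p onclick="steal()">Hi <b>there</b><img src=x onerror=alert(1)></p>'));
```

The policy is created once and is the only way TrustedHTML is produced in this module; that is what makes the returned object meaningful to the browser, because it proves the value passed through the sanitizer rather than being any string the application happened to hold. The commit message's note about `setAttribute` and `setAttributeNS` follows the same logic: a renderer that stringifies or type-checks its attribute values has to accept the Trusted Type object, not just a string, or the sanitized value is downgraded before it reaches the DOM.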
@bjarkler bjarkler force-pushed the trusted-types-sanitization branch from 0480af1 to e51f402 (October 15, 2020 17:44)
@bjarkler

Contributor Author

presubmit

@IgorMinar IgorMinar left a comment

Contributor


I believe that this PR can be closed because the relevant changes were already included in the #39218 PR which is already in the merge queue.

@pullapprove pullapprove Bot requested a review from IgorMinar October 16, 2020 00:26

@IgorMinar IgorMinar left a comment

Contributor


Reviewed-for: fw-security

@bjarkler

Contributor Author

You're right, closing in favor of #39218.

@bjarkler bjarkler closed this Oct 16, 2020
@angular-automatic-lock-bot


This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot Bot locked and limited conversation to collaborators Nov 17, 2020