33

I have an textarea where the user will type in some text. The text cannot be JavaScript or HTML etc. I want to manually sanitize the data and save it to a string.

I cannot figure out how to use DomSanitizationService to manually sanitize my data.

If I do {{ textare_text }} on the page then the data is correctly sanitized.

How do I do that manually to a string I have?

Alexander Abakumov
  • 13,617
  • 16
  • 88
  • 129
lfmunoz
  • 822
  • 1
  • 9
  • 16

3 Answers3

52

You can sanitize the HTML as follows:

import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Component({
  selector: 'my-app',
  template: `
  <div [innerHTML]="_htmlProperty"></div>
  `
})
export class AppComponent {

  _htmlProperty: string = 'AAA<input type="text" name="name">BBB';

  constructor(private _sanitizer: DomSanitizer){ }

  public get htmlProperty() : SafeHtml {
     return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty);
  }

}

Demo plunker here.

From your comments, you actually want escaping not sanitization.

For this, check this plunker, where we have both escaping and sanitization.

import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Component({
  selector: 'my-app',
  template: `Original, using interpolation (double curly braces):<b>
        <div>{{ _originalHtmlProperty }}</div> 
  </b><hr>Sanitized, used as innerHTML:<b>
        <div [innerHTML]="sanitizedHtmlProperty"></div>
  </b><hr>Escaped, used as innerHTML:<b>
      <div [innerHTML]="escapedHtmlProperty"></div>
  </b><hr>Escaped AND sanitized used as innerHTML:<b>
      <div [innerHTML]="escapedAndSanitizedHtmlProperty"></div>
  </b>`
})
export class AppComponent {
  _originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB';
  constructor(private _sanitizer: DomSanitizer){ }

  public get sanitizedHtmlProperty() : SafeHtml {
     return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty);
  }

  public get escapedHtmlProperty() : string {
     return this.escapeHtml(this._originalHtmlProperty);
  }

  public get escapedAndSanitizedHtmlProperty() : string {
     return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty));
  }

  escapeHtml(unsafe) {
    return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
                 .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
  }
}

The HTML escaping function used above escapes the same chars as angular code does (unfortunately, their escaping function is not public, so we can't use it).

Community
  • 1
  • 1
acdcjunior
  • 132,397
  • 37
  • 331
  • 304
  • If you change the code to the following you see there is a difference. I want to keep the tags but not have them evaluated . Do you know how to do that? template: `
    {{_htmlProperty}} ` ( http://plnkr.co/edit/5vb1o2b9SX6F74U9g6F6?p=preview)     – lfmunoz Jul 26 '16 at 22:57
  • So, what you want is not really sanitize. What you want is escaping. -- I'll edit the answer. – acdcjunior Jul 26 '16 at 23:20
  • I added escaping. check the answer. There is a new plunker. – acdcjunior Jul 26 '16 at 23:34
  • @BeatriceThalo What do you mean? You are getting that error? If so, what line? – acdcjunior Dec 14 '17 at 20:41
9

In Angular final you can use like this:

  1. First import "DomSanitizer" from angular platform-browser:

    import { DomSanitizer } from '@angular/platform-browser';
import { SecurityContext } from '@angular/core';

  2. Then in constructor : 

    constructor(private _sanitizer: DomSanitizer){}

  3. Then use in your class like :

    var title = "<script> alert('Hello')</script>"
title = this._sanitizer.sanitize(SecurityContext.HTML, title);
Himanshu Teotia
  • 2,126
  • 1
  • 27
  • 38
0

In angular ^2.3.1

Having a view using a bootstrap4 progressbar. See that in the example we need a value for style.width.

<!-- View HTML-->
<div class="progress">
    <div class="progress-bar" role="progressbar" [style.width]="getProgress('style')" aria-valuenow="getProgress()" aria-valuemin="0" aria-valuemax="100"></div>
</div>

We need to sanitize this style.width value. We need to use DomSanitizer to sanitize the value and SecurityContext to specify the context. In this example the context is style.

// note that we need to use SecurityContext and DomSanitizer
// SecurityContext.STYLE
import { Component, OnInit, Input } from '@angular/core';
import { SecurityContext} from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';


@Component({
  selector: 'app-challenge-progress',
  templateUrl: './challenge-progress.component.html',
  styleUrls: ['./challenge-progress.component.sass']
})
export class ChallengeProgressComponent implements OnInit {

  @Input() data: any;

  constructor(private _sanitizer: DomSanitizer) { }

  ngOnInit() {
  }

  getProgress(type: string): any {
    if(type === 'style') {
      // here is the line you are looking for
      return this._sanitizer.sanitize(SecurityContext.STYLE,this._getProgress()+'%');
    }
    return this._getProgress();
  }

  private _getProgress():number {
    if(this.data) {
      return this.data.goal_total_current/this.data.goal*100;
    }
    return 0;
  }
}
pearpages
  • 18,703
  • 1
  • 26
  • 27