0

I use angular 2.1.2, and I want to use sanitize method to prevent XSS/CSRF attacks.

I implemented: this.sanitizer.sanitize(SecurityContext.HTML, this.content)

The html file have html, style, javascript. So this method will unwrap the style and javascript.

But I just only want unwrap for javascript and skip html and style. So, any solution for me to implement this issue.

HTML before sanitation

<html>
  <head><style>h2 {color: #FFFF7C}</style>
    <script>alert("hi")</script>
    </head>
  <body>
    <h2>HTML Content</h2>
  </body>
</html>

Result after sanitation: 

//HTML content: "&#10; h2 {color: #FFFF7C}&#10; alert(&#34;hi&#34;)&#10; &#10; &#10; <h2>HTML Content</h2>&#10; &#10;"

//HTML content view:
h2 {color: #FFFF7C} alert("hi")
HTML Content

Result expect:

alert("hi")
HTML Content //I expect this line will be applied the color: #FFFF7C
ThuyNguyen
  • 1,127
  • 3
  • 14
  • 24

0 Answers0