Javascript Angular2:使用指令使iframe src安全
我试图将一个经过消毒的src属性直接应用到iframe,它工作得很好,但当把它全部放在属性指令中时,它拒绝玩球。这是指令代码和出现的错误消息Javascript Angular2:使用指令使iframe src安全,javascript,angular,xss,Javascript,Angular,Xss,我试图将一个经过消毒的src属性直接应用到iframe,它工作得很好,但当把它全部放在属性指令中时,它拒绝玩球。这是指令代码和出现的错误消息 import { OnInit, Directive, ElementRef, Input, Renderer } from '@angular/core'; import { DomSanitizer, SafeResourceUrl} from '@angular/platform-browser'; @Directive({ selec
import { OnInit, Directive, ElementRef, Input, Renderer } from '@angular/core';
import { DomSanitizer, SafeResourceUrl} from '@angular/platform-browser';
@Directive({
selector: '[resume]'
})
export class ResumeDirective implements OnInit {
@Input('resume') inputLink: string;
constructor(private _sanitizer: DomSanitizer, private el: ElementRef, private render: Renderer) {
}
ngOnInit(): void {
let _url: string = this.inputLink + '#zoom=100';
let resumeUrl: SafeResourceUrl = this._sanitizer.bypassSecurityTrustResourceUrl(_url);
// this.el.nativeElement.src = resumeUrl.toString(); // same result
this.render.setElementProperty(this.el.nativeElement, 'src', _url);
// using 'srcdoc' or setElementAttribute brings same results
}
}
我发现错误:
SafeValue必须使用[property]=binding:/theurl/x.pdf#zoom=100(请参见http://g.co/ng/security#xss)
您可以尝试@HostBinding()
-但不确定这是否有效
@Directive({
selector: '[resume]'
})
export class ResumeDirective implements OnInit {
@Input('resume') inputLink: string;
constructor(private _sanitizer: DomSanitizer, private el: ElementRef, private render: Renderer) {
}
@HostBinding('src')
resumeUrl:any;
ngOnInit(): void {
let _url: string = this.inputLink + '#zoom=100';
this.resumeUrl = this._sanitizer.bypassSecurityTrustResourceUrl(_url);
}
}
this.render.setElementProperty
不关心经过清理的值,它只调用DOM API并按原样传递经过清理的值。是的,我得到的实际工作的更快的答案:)谢谢