How does Angular's bypassSecurityTrustHtml pipe work under the hood?












0















I've used variations of SafeHtml pipe, but I'm wondering how it actually works under the hood. How does Angular know that the text being applied to the DOM has been passed through a pipe and is safe? Is it simply done at the compilation stage or is it a run-time check?



The documentation says:




Calling any of the bypassSecurityTrust... APIs disables Angular's
built-in sanitization for the value passed in




Common implementation of a safe HTML pipe:



import { Pipe, PipeTransform } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Pipe({name: 'sanitizeHtml'})
export class SanitizeHtmlPipe implements PipeTransform {
constructor(private _sanitizer:DomSanitizer) {
}
transform(v:string):SafeHtml {
return this._sanitizer.bypassSecurityTrustHtml(v);
}
}


Update: Figured it out from the dom_sanitization_service.ts source. The bypassSecurityTrustHtml function returns a new SafeHtmlImpl(value); instance. During the sanitize process, there is a check: if (value instanceof SafeHtmlImpl), and if so, the sanitization process is skipped










share|improve this question





























    0















    I've used variations of SafeHtml pipe, but I'm wondering how it actually works under the hood. How does Angular know that the text being applied to the DOM has been passed through a pipe and is safe? Is it simply done at the compilation stage or is it a run-time check?



    The documentation says:




    Calling any of the bypassSecurityTrust... APIs disables Angular's
    built-in sanitization for the value passed in




    Common implementation of a safe HTML pipe:



    import { Pipe, PipeTransform } from '@angular/core';
    import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

    @Pipe({name: 'sanitizeHtml'})
    export class SanitizeHtmlPipe implements PipeTransform {
    constructor(private _sanitizer:DomSanitizer) {
    }
    transform(v:string):SafeHtml {
    return this._sanitizer.bypassSecurityTrustHtml(v);
    }
    }


    Update: Figured it out from the dom_sanitization_service.ts source. The bypassSecurityTrustHtml function returns a new SafeHtmlImpl(value); instance. During the sanitize process, there is a check: if (value instanceof SafeHtmlImpl), and if so, the sanitization process is skipped










    share|improve this question



























      0












      0








      0








      I've used variations of SafeHtml pipe, but I'm wondering how it actually works under the hood. How does Angular know that the text being applied to the DOM has been passed through a pipe and is safe? Is it simply done at the compilation stage or is it a run-time check?



      The documentation says:




      Calling any of the bypassSecurityTrust... APIs disables Angular's
      built-in sanitization for the value passed in




      Common implementation of a safe HTML pipe:



      import { Pipe, PipeTransform } from '@angular/core';
      import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

      @Pipe({name: 'sanitizeHtml'})
      export class SanitizeHtmlPipe implements PipeTransform {
      constructor(private _sanitizer:DomSanitizer) {
      }
      transform(v:string):SafeHtml {
      return this._sanitizer.bypassSecurityTrustHtml(v);
      }
      }


      Update: Figured it out from the dom_sanitization_service.ts source. The bypassSecurityTrustHtml function returns a new SafeHtmlImpl(value); instance. During the sanitize process, there is a check: if (value instanceof SafeHtmlImpl), and if so, the sanitization process is skipped










      share|improve this question
















      I've used variations of SafeHtml pipe, but I'm wondering how it actually works under the hood. How does Angular know that the text being applied to the DOM has been passed through a pipe and is safe? Is it simply done at the compilation stage or is it a run-time check?



      The documentation says:




      Calling any of the bypassSecurityTrust... APIs disables Angular's
      built-in sanitization for the value passed in




      Common implementation of a safe HTML pipe:



      import { Pipe, PipeTransform } from '@angular/core';
      import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

      @Pipe({name: 'sanitizeHtml'})
      export class SanitizeHtmlPipe implements PipeTransform {
      constructor(private _sanitizer:DomSanitizer) {
      }
      transform(v:string):SafeHtml {
      return this._sanitizer.bypassSecurityTrustHtml(v);
      }
      }


      Update: Figured it out from the dom_sanitization_service.ts source. The bypassSecurityTrustHtml function returns a new SafeHtmlImpl(value); instance. During the sanitize process, there is a check: if (value instanceof SafeHtmlImpl), and if so, the sanitization process is skipped







      angular






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 18 '18 at 23:38







      Drenai

















      asked Nov 18 '18 at 22:11









      DrenaiDrenai

      3,44043153




      3,44043153
























          1 Answer
          1






          active

          oldest

          votes


















          1














          I think you're misunderstanding the point of the function.
          It doesn't actually sanitize, it doesn't even check the HTML.
          All it does is create an object which has a flag set so the Angular security won't block it. If the string has unsafe HTML, it won't be blocked.



          The developer is still supposed to write some function themselves or use some other tool to make sure that the HTML is safe.






          share|improve this answer
























          • I know it doesn't sanitize. You might have misunderstood the question

            – Drenai
            Nov 18 '18 at 23:28













          • Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

            – Simon K
            Nov 18 '18 at 23:38











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














          draft saved

          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53365975%2fhow-does-angulars-bypasssecuritytrusthtml-pipe-work-under-the-hood%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1














          I think you're misunderstanding the point of the function.
          It doesn't actually sanitize, it doesn't even check the HTML.
          All it does is create an object which has a flag set so the Angular security won't block it. If the string has unsafe HTML, it won't be blocked.



          The developer is still supposed to write some function themselves or use some other tool to make sure that the HTML is safe.






          share|improve this answer
























          • I know it doesn't sanitize. You might have misunderstood the question

            – Drenai
            Nov 18 '18 at 23:28













          • Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

            – Simon K
            Nov 18 '18 at 23:38
















          1














          I think you're misunderstanding the point of the function.
          It doesn't actually sanitize, it doesn't even check the HTML.
          All it does is create an object which has a flag set so the Angular security won't block it. If the string has unsafe HTML, it won't be blocked.



          The developer is still supposed to write some function themselves or use some other tool to make sure that the HTML is safe.






          share|improve this answer
























          • I know it doesn't sanitize. You might have misunderstood the question

            – Drenai
            Nov 18 '18 at 23:28













          • Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

            – Simon K
            Nov 18 '18 at 23:38














          1












          1








          1







          I think you're misunderstanding the point of the function.
          It doesn't actually sanitize, it doesn't even check the HTML.
          All it does is create an object which has a flag set so the Angular security won't block it. If the string has unsafe HTML, it won't be blocked.



          The developer is still supposed to write some function themselves or use some other tool to make sure that the HTML is safe.






          share|improve this answer













          I think you're misunderstanding the point of the function.
          It doesn't actually sanitize, it doesn't even check the HTML.
          All it does is create an object which has a flag set so the Angular security won't block it. If the string has unsafe HTML, it won't be blocked.



          The developer is still supposed to write some function themselves or use some other tool to make sure that the HTML is safe.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Nov 18 '18 at 22:21









          Simon KSimon K

          1,6831414




          1,6831414













          • I know it doesn't sanitize. You might have misunderstood the question

            – Drenai
            Nov 18 '18 at 23:28













          • Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

            – Simon K
            Nov 18 '18 at 23:38



















          • I know it doesn't sanitize. You might have misunderstood the question

            – Drenai
            Nov 18 '18 at 23:28













          • Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

            – Simon K
            Nov 18 '18 at 23:38

















          I know it doesn't sanitize. You might have misunderstood the question

          – Drenai
          Nov 18 '18 at 23:28







          I know it doesn't sanitize. You might have misunderstood the question

          – Drenai
          Nov 18 '18 at 23:28















          Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

          – Simon K
          Nov 18 '18 at 23:38





          Didn't mean any offense by it, yeah it's possible I didn't get what you were asking. I did still answer you by saying that Angular wraps the string in an object (SafeHtml).

          – Simon K
          Nov 18 '18 at 23:38


















          draft saved

          draft discarded




















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid



          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.


          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53365975%2fhow-does-angulars-bypasssecuritytrusthtml-pipe-work-under-the-hood%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Guess what letter conforming each word

          Port of Spain

          Run scheduled task as local user group (not BUILTIN)