For example, is this code dangerous?
<div [innerHTML]="post.body"></div>
Solution
The Angular security guide says:
Interpolated content is always escaped: the HTML isn't interpreted and the browser displays angle brackets in the element's text content.
For the HTML to be interpreted, bind it to an HTML property such as innerHTML. But binding a value that an attacker might control into innerHTML normally causes an XSS vulnerability. For example, the code contained in a <script> tag is executed:

export class InnerHtmlBindingComponent {
  // For example, a user/attacker-controlled value from a URL.
  htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';
}

Angular recognizes the value as unsafe and automatically sanitizes it, which removes the <script> tag but keeps safe content such as the text content of the <script> tag and the <b> element.
So I think, yes, it is safe.
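The two rendering paths quoted above, as an added example that is not part of the original post and not Angular's own code: a small TypeScript model of what interpolation ({{ htmlSnippet }}) and a sanitized [innerHTML] binding each do to the page's htmlSnippet. The allowlist sanitizer here is a toy that only mirrors the behaviour the guide describes; the names renderInterpolated, renderInnerHtmlSanitized, containsScriptElement and ALLOWED_TAGS are my own.

```typescript
// Model of the two Angular rendering paths described above (added example,
// not Angular's implementation). Angular's real sanitizer is far more thorough;
// this toy only reproduces the outcome the guide describes for this snippet.

// The user/attacker-controlled value from the page.
const htmlSnippet = 'Template <script>alert("0wned")</script> <b>Syntax</b>';

// Path 1: interpolation {{ htmlSnippet }}. Markup characters are escaped,
// so the browser shows the angle brackets literally and nothing executes.
function renderInterpolated(value: string): string {
  return value
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Path 2: [innerHTML]="htmlSnippet". Angular sanitizes before the markup is
// interpreted: the <script> tag is dropped, its text content and <b> survive.
// Toy model: keep only tags on a small allowlist, with their attributes
// stripped; text between tags is always kept.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br']);

function renderInnerHtmlSanitized(value: string): string {
  return value.replace(/<(\/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g, (_tag, slash: string, name: string) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? `<${slash}${name.toLowerCase()}>` : '');
}

// Path 3 (what the guide calls the normal XSS case): assigning the raw value
// to element.innerHTML with no sanitization leaves the <script> element in place.
function renderInnerHtmlRaw(value: string): string {
  return value;
}

// Check used by the tests: does the rendered markup still carry a script element?
function containsScriptElement(rendered: string): boolean {
  return /<script\b/i.test(rendered);
}
```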