Comments (5)
Really? I remember looking at this stuff too much and that is why I never let real angular be executed within toasts. Shouldn't trustAsHtml discard any XSS?
from angular-toastr.
No, it asserts that the passed string comes from a trusted source and doesn't need any sanitizing ...
Or as the docs put it:
To be secure by default, AngularJS makes sure bindings go through that sanitization, or any similar validation process, unless there's a good reason to trust the given value in this context. That trust is formalized with a function call. This means that as a developer, you can assume all untrusted bindings are safe. Then, to audit your code for binding security issues, you just need to ensure the values you mark as trusted indeed are safe - because they were received from your server, sanitized by your library, etc. You can organize your codebase to help with this - perhaps allowing only the files in a specific directory to do this. Ensuring that the internal API exposed by that code doesn't markup arbitrary values as safe then becomes a more manageable task.
In the case of AngularJS' SCE service, one uses $sce.trustAs (and shorthand methods such as $sce.trustAsHtml, etc.) to build the trusted versions of your values.
You can also check the implementation. Note that the parameter to trustAs is called trustedValue.
I see. I always assumed that the toasts were generated by a trusted source and never by the user and I think that is the right idea.
Please document such assumptions.
that is the right idea
Well, we used it to display an error message received from the server ... which happened to quote invalid user input ...
Can't you just remove the $sce.trustAsHtml calls? This should cause angular to automatically sanitize the HTML, removing dangerous tags, but leaving harmless tags as they are ...
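The distinction this thread turns on (marking the string as trusted so Angular inserts it verbatim, versus leaving it untrusted so ngSanitize filters it) as an added example in plain JavaScript; this is not code from angular-toastr or AngularJS. The TrustedHtml wrapper stands in for $sce.trustAsHtml, the allowlist sanitizer is a small stand-in for $sanitize (assumed behaviour, not Angular's implementation), and the user input and server error message are constructed.

```javascript
// Added example (not angular-toastr's code): how a toast body ends up in the DOM
// when the message is wrapped as trusted HTML versus passed through an
// allowlist sanitizer. The sanitizer is a simplified stand-in for ngSanitize.

const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'br', 'p', 'span', 'ul', 'li', 'code']);
const ALLOWED_ATTRS = new Set(['class', 'title']); // deliberately no URL attributes (href, src)
const DROP_CONTENT = new Set(['script', 'style']);  // element and its text are both removed

function escapeText(s) {
  // Entity-escape so the string can only render as text, never as markup.
  // (Already-escaped entities get double-escaped; that is the safe direction.)
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

function sanitizeAttrs(raw) {
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let out = '', m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase();
    // Allowlist only; the on* check is belt-and-braces against handler attributes.
    if (!ALLOWED_ATTRS.has(name) || name.startsWith('on')) continue;
    const value = (m[2] || '').replace(/^["']|["']$/g, '');
    out += ' ' + name + '="' + escapeText(value) + '"';
  }
  return out;
}

function sanitizeHtml(html) {
  // Tag-by-tag walk; text outside tags is escaped. Not a full HTML parser:
  // a '>' inside a quoted attribute value splits the tag early, which only
  // turns the remainder into escaped text (fails safe).
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '', last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0].charAt(1) === '/';
    if (!closing && DROP_CONTENT.has(name)) {
      // Skip up to and including the matching close tag (or to end of input).
      const closeIdx = html.toLowerCase().indexOf('</' + name, last);
      let skipTo = html.length;
      if (closeIdx !== -1) {
        const gt = html.indexOf('>', closeIdx);
        skipTo = gt === -1 ? html.length : gt + 1;
      }
      last = skipTo;
      tagRe.lastIndex = skipTo;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag dropped; its inner text survives as text
    out += closing ? '</' + name + '>' : '<' + name + sanitizeAttrs(m[2]) + '>';
  }
  return out + escapeText(html.slice(last));
}

// Stand-in for $sce.trustAsHtml: asserts the value is safe, performs no sanitizing.
class TrustedHtml { constructor(html) { this.html = html; } }
function trustAsHtml(html) { return new TrustedHtml(String(html)); }

// Models what the toast's HTML binding inserts into the page.
function renderToastBody(value) {
  if (value instanceof TrustedHtml) return value.html; // trusted: raw markup lands in the DOM
  return sanitizeHtml(String(value));                  // untrusted: allowlist-filtered
}

// Constructed sample: the server's error message quotes the user's input verbatim.
const USER_INPUT = '<img src=x onerror="evil()">bob';
const SERVER_ERROR = 'Invalid username <b>' + USER_INPUT + '</b>';

function demo() {
  return {
    trusted: renderToastBody(trustAsHtml(SERVER_ERROR)), // handler attribute survives
    sanitized: renderToastBody(SERVER_ERROR),            // 'Invalid username <b>bob</b>'
  };
}

console.log(demo());
```

The point to audit for is the one the quoted docs make: every place a value is wrapped as trusted must be one where the value genuinely comes from a source you control. A server error that echoes request data is not such a place, so the toast body should reach the binding untrusted and let the sanitizer decide what markup survives.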