Why does Angular2 sanitize script tags in components?


Question

I totally understand that for security reasons and to prevent XSS attacks, user input must be sanitized: Sanitizing input from a text field or an input field.

However, I struggle to understand why Angular removes script elements from a component's template.

Like it's written in the official doc:

HTML, attributes, and binding expressions (but not the values bound) in templates are trusted to be safe

So if they are trusted to be safe why are script tags automatically removed when compiled?

I'm probably missing a security issue here, but even after reading the docs about XSS I do not understand how a script tag within an Angular component's template that gets compiled by the Angular compiler can compromise security.

Does anyone here have an answer?

Recommended answer

Think about it this way: When you write an Angular template, the Angular compiler reads that template and creates an optimized javascript representation of what that template is doing and feeds that optimized javascript to the browser.

So, at the point when the browser gets a hold of your template, it's actually no longer HTML anymore - it's just javascript. So there's no support for dynamically loading external, unknown and potentially unsafe javascript from somewhere else at that point.
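The distinction the answer and the quoted docs rely on, as an added illustration rather than Angular's own code: a toy "template compiler" that drops `<script>` elements from the static template at compile time and turns each `{{name}}` interpolation into code that escapes the runtime value, so the template's own HTML is trusted as written while bound values never become markup. The `{{name}}` syntax, the single-regex script stripping and the string-based renderer are simplifications assumed for this model.

```typescript
// Toy model of "template HTML is trusted, bound values are not" (not Angular's implementation).
type Render = (ctx: Record<string, unknown>) => string;

// Escape text so a bound value can never be interpreted as markup.
export function escapeHtml(s: string): string {
  const map: Record<string, string> = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return s.replace(/[&<>"']/g, (c) => map[c] ?? c);
}

// Compile-time step: the static template is parsed once. <script> elements are
// removed here (modelling the behaviour the question describes), and every
// {{name}} interpolation becomes a slot whose runtime value is escaped.
export function compileTemplate(template: string): Render {
  const stripped = template.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, "");
  const parts: Array<string | { bind: string }> = [];
  const re = /\{\{\s*(\w+)\s*\}\}/g;
  let last = 0;
  let m: RegExpExecArray | null;
  while ((m = re.exec(stripped)) !== null) {
    parts.push(stripped.slice(last, m.index)); // trusted template HTML, kept verbatim
    parts.push({ bind: m[1] });                // untrusted value, escaped at render time
    last = re.lastIndex;
  }
  parts.push(stripped.slice(last));
  return (ctx) =>
    parts
      .map((p) => (typeof p === "string" ? p : escapeHtml(String(ctx[p.bind] ?? ""))))
      .join("");
}

// Constructed sample: the template's <h1> survives, its <script> does not,
// and the bound value is rendered as text.
const render = compileTemplate("<h1>Hello {{name}}</h1><script>alert(1)</script>");
console.log(render({ name: "<b>Bob</b>" })); // <h1>Hello &lt;b&gt;Bob&lt;/b&gt;</h1>
```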
