警告:清理不安全的样式值 url [英] WARNING: sanitizing unsafe style value url

查看:25
本文介绍了警告:清理不安全的样式值 url的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我想在我的 Angular 2 应用程序的组件模板中设置 DIV 的背景图像.但是,我的控制台中不断收到以下警告,但没有得到预期的效果...我不确定动态 CSS 背景图像是否由于 Angular2 中的安全限制或我的 HTML 模板损坏而被阻止.

这是我在控制台中看到的警告(我已将 img url 更改为 /img/path/is/correct.png:

<块引用>

警告:清理不安全的样式值 url(SafeValue 必须使用 [property]=binding:/img/path/is/correct.png(参见 http://g.co/ng/security#xss))(参见 http://g.co/ng/security#xss).

问题是我确实使用 Angular2 中的 DomSanitizationService 清理注入到我的模板中的内容.这是我的模板中的 HTML:

<div><div 类=标题"*ngIf="图像"[style.background-image]="'url(' + image + ')'">
<div class="zone"><div><div><h1 [innerHTML]="header"></h1>

<div class="zone__content"><p*ngFor="let contentSegment of content"[innerHTML]="contentSegment"></p>

这是组件...

导入{DomSanitizationService,安全HTML,安全网址,安全风格来自'@angular/platform-b​​rowser';@成分({选择器:'示例',templateUrl: 'src/content/example.component.html'})导出类 CardComponent 实现 OnChanges {公共头文件:SafeHtml;公开内容:SafeHtml[];公众形象:SafeStyle;公共 isActive:boolean;public isExtended:boolean;构造函数(私有消毒:DomSanitizationService){}ngOnChanges():void {地图(这个.元素,这个);功能映射(元素:卡片,实例:卡片组件):无效{如果(元素){instance.header = instance.sanitization.bypassSecurityTrustHtml(element.header);instance.content = _.map(instance.element.content, (input:string):SafeHtml => {返回 instance.sanitization.bypassSecurityTrustHtml(input);});如果(元素.图像){/* 这里是问题...我也使用了 bypassSecurityTrustUrl */instance.image = instance.sanitization.bypassSecurityTrustStyle(element.image);} 别的 {instance.image = null;}}}}}

请注意,当我刚刚使用 [src]="image" 绑定到模板时,例如:

<img [src]="图像">

image 是使用 bypassSecurityTrustUrl 传递的,一切似乎都运行良好......谁能看到我做错了什么?

解决方案

您必须将整个 url 语句包装在 bypassSecurityTrustStyle 中:

<div class="header" *ngIf="image" [style.background-image]="image"></div>

还有

this.image = this.sanitization.bypassSecurityTrustStyle(`url(${element.image})`);

否则它不被视为有效的样式属性

I want to set the background image of a DIV in a Component Template in my Angular 2 app. However I keep getting the following warning in my console and I don't get the desired effect... I am unsure if the dynamic CSS background image is being blocked due to security restrictions in Angular2 or if my HTML template is broken.

This is the warning I see in my console (I have changed my img url to /img/path/is/correct.png:

WARNING: sanitizing unsafe style value url(SafeValue must use [property]=binding: /img/path/is/correct.png (see http://g.co/ng/security#xss)) (see http://g.co/ng/security#xss).

The thing is I do sanitize what is injected into my template using the DomSanitizationService in Angular2. Here is my HTML that I have in my template:

<div>
    <div>
        <div class="header"
             *ngIf="image"
             [style.background-image]="'url(' + image + ')'">
        </div>

        <div class="zone">
            <div>
                <div>
                    <h1 [innerHTML]="header"></h1>
                </div>
                <div class="zone__content">
                    <p
                       *ngFor="let contentSegment of content"
                       [innerHTML]="contentSegment"></p>
                </div>
            </div>
        </div>
    </div>
</div>

Here is the component...

Import {
    DomSanitizationService,
    SafeHtml,
    SafeUrl,
    SafeStyle
} from '@angular/platform-browser';

@Component({
               selector: 'example',
               templateUrl: 'src/content/example.component.html'
           })
export class CardComponent implements OnChanges {

    public header:SafeHtml;
    public content:SafeHtml[];
    public image:SafeStyle;
    public isActive:boolean;
    public isExtended:boolean;

    constructor(private sanitization:DomSanitizationService) {
    }

    ngOnChanges():void {
        map(this.element, this);

        function map(element:Card, instance:CardComponent):void {
            if (element) {
                instance.header = instance.sanitization.bypassSecurityTrustHtml(element.header);

                instance.content = _.map(instance.element.content, (input:string):SafeHtml => {
                    return instance.sanitization.bypassSecurityTrustHtml(input);
                });

                if (element.image) {
                    /* Here is the problem... I have also used bypassSecurityTrustUrl */ 
                    instance.image = instance.sanitization.bypassSecurityTrustStyle(element.image);
                } else {
                    instance.image = null;
                }

            }
        }
    }
}

Please note that when I just bound to the template using [src]="image", for example: 

<div *ngIf="image">
    <img [src]="image">
</div>

and image was passed using bypassSecurityTrustUrl everything seemed to work well... can anyone see what I am doing wrong?

解决方案

You have to wrap the entire url statement in the bypassSecurityTrustStyle:

<div class="header" *ngIf="image" [style.background-image]="image"></div>

And have 

this.image = this.sanitization.bypassSecurityTrustStyle(`url(${element.image})`);

Otherwise it is not seen as a valid style property

这篇关于警告:清理不安全的样式值 url的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
相关文章
其他开发最新文章
热门教程
热门工具
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆