9

The official Angular Security Guide speaks about 4 security contexts: HTML, Url, Style and Resource Url.
Each one is responsible for sanitizing the corresponding type of resource.
In addition, there are 5 methods (per resource type) in the DomSanitizer service:

 - bypassSecurityTrustHtml 
 - bypassSecurityTrustScript
 - bypassSecurityTrustStyle 
 - bypassSecurityTrustUrl
 - bypassSecurityTrustResourceUrl

However, I didn't find any mention of SecurityContext.NONE in the official documentation, and it does exist in the code.

I would assume that it aggregates all the resource types, meaning the resource being sanitized can be HTML, which contains styling and scripts.

Is that the case? Any official source?

JeB

1 Answer

14

Apparently, if we use domSanitizer.sanitize with SecurityContext.NONE, it won't perform any sanitization and will return the value as is.

Thus, this will allow HTML with embedded URLs, styling and scripts.

Therefore it is highly recommended not to use this in your code.

JeB
    They really could enhance their documentation... Terrible to not have this documented after all this time... – mikegross Feb 11 '20 at 18:03
  • That's... extremely scary. I'd assumed that "None" meant "Completely Untrusted", and it turns out it meant "Completely Trustworthy". – Eliezer Berlin Jan 21 '21 at 12:39
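As an added example (not part of the question or the answer above), a small TypeScript source audit that flags both `SecurityContext.NONE` and the five `bypassSecurityTrust*` methods so they surface in code review; it has no Angular dependency, and the sample component source and its file name are constructed for the run.

```typescript
// Audit helper: report every line where Angular's sanitizer is switched off,
// either via sanitize(SecurityContext.NONE, ...) or a bypassSecurityTrust* call.

export interface Finding {
  file: string;
  line: number;     // 1-based line number in `source`
  kind: 'SecurityContext.NONE' | 'bypassSecurityTrust';
  snippet: string;  // the offending line, trimmed
}

// Whole-word matches for the five bypass methods and the NONE context.
const BYPASS_RE = /\bbypassSecurityTrust(Html|Script|Style|Url|ResourceUrl)\s*\(/;
const NONE_RE = /\bSecurityContext\.NONE\b/;

// Drop a trailing `// ...` comment so commented-out code is not reported.
// Deliberately naive: a `//` inside a string literal is also cut off.
function stripLineComment(line: string): string {
  const idx = line.indexOf('//');
  return idx === -1 ? line : line.slice(0, idx);
}

export function findUnsafeSanitizerUsage(file: string, source: string): Finding[] {
  const findings: Finding[] = [];
  source.split(/\r?\n/).forEach((raw, i) => {
    const code = stripLineComment(raw);
    if (NONE_RE.test(code)) {
      findings.push({ file, line: i + 1, kind: 'SecurityContext.NONE', snippet: raw.trim() });
    }
    if (BYPASS_RE.test(code)) {
      findings.push({ file, line: i + 1, kind: 'bypassSecurityTrust', snippet: raw.trim() });
    }
  });
  return findings;
}

// Constructed sample component source (hypothetical file) for a stand-alone run.
export const SAMPLE_SOURCE = `
import { SecurityContext } from '@angular/core';
import { DomSanitizer } from '@angular/platform-browser';

export class Preview {
  constructor(private s: DomSanitizer) {}
  safe(v: string) { return this.s.sanitize(SecurityContext.HTML, v); }
  raw(v: string)  { return this.s.sanitize(SecurityContext.NONE, v); }  // returns v unchanged
  // const old = this.s.bypassSecurityTrustHtml(v);
  url(v: string)  { return this.s.bypassSecurityTrustResourceUrl(v); }
}
`;

export const SAMPLE_FINDINGS = findUnsafeSanitizerUsage('preview.ts', SAMPLE_SOURCE);
```

Running it over the constructed source reports the `SecurityContext.NONE` call and the `bypassSecurityTrustResourceUrl` call but not the commented-out `bypassSecurityTrustHtml` line.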