2

What I am trying to achieve is a dynamically generated html with some static links in it.

So, in a component, I have an array of objects:

 let list = [{
     type: 'container',
     title: 'SIMPLE LIST'
     description: '<ul>
       <li>
         <a href='/some/link#A'>A</a> // or [href] or routerLink+fragment
       </li>
       <li>
         <a href='/some/link#B'>B</a> 
       </li>
       <li>
         <a href='/some/link#C'>C</a>
       </li>
     </ul>'
   }, {
     type: 'container',
     title: 'SIMPLE ICON'
     description: '<mat-icon class="material-icons">launch</mat-icon>'
   }]

Then I pass it to a service which sanitize the description key via bypassSecurityTrustHtml() (from DomSanitzer):

   export class myDynamicBuilder {

     content: Array<object>;         

     constructor(content, sanitizer) {
       content.forEach(each => {
         if (item.hasOwnProperty('description') && typeof item['description'] === 'string') {
           item['description'] = sanitizer.bypassSecurityTrustHtml(item['description'])
         }
       this.content = content
       })
     }
   }

Then in template:

<table *ngIf="(items?.content | filterContentBy: 'container').length">  
  <ng-template ngFor let-item [ngForOf]="(items?.content | filterContentBy:'container')">                   
    <tr>
      <td> 
        <b>{{item?.title}}</b>                                                                                 
      </td>
    </tr>                                                                                                      

    <tr>                                                                                                       
      <td colspan="2" class="second-row">                                                                      

        <p *ngIf="item.description" [innerHTML]="item.description"</p>
      </td>
    </tr>
  </ng-template>
</table>

Links in description field do not work as expected.:

  • if href is used as attribute a complete reload of the app is triggered (which is very bad)

  • if the routerLink directive is used the link doesn't work

  • if [href] is used I get the usual XSS security warning. So, I went back to the docs and I've found the convenient bypassSecurityTrustUrl function. I modified the above mentioned service to replace strings after [href] with the output of the bypassSecurityTrustUrl and then throw the result in the bypassSecurityTrustHtml function. Got a very nicely rendered HTML but with a non functional link.

How should I handle this scenario? I am thinking of building some pipes as shown in this question but not sure if this is the right way to do it. Another idea could be to let my service handle a new key (maybe links) of the input object, sanitize via bypassSecurityTrustUrl and then inject safe links in the sanitized HTML. Is there any defined way to do this? Thanks.

ftabaro
  • 136
  • 11
  • 1
    `[href]="..."` or `routerLink` will be completely ignored by Angular for HTML added using `[innerHTML]="..."`. It will be just added to the DOM as is. Using `...TrustUrl` is therefore bogus. Perhaps you want something like https://stackoverflow.com/questions/38888008/how-can-i-use-create-dynamic-template-to-compile-dynamic-component-with-angular – Günter Zöchbauer Nov 13 '17 at 17:54
  • I forgot to mention that if hardcoding `href` or `routerLink` outside the dynamic portion everything works as expected... – ftabaro Nov 13 '17 at 17:56
  • 2
    Right. I forgot to add "or HTML added using `[innerHTML]="..."`" – Günter Zöchbauer Nov 13 '17 at 17:57

0 Answers0