Manually sanitize a string

angular angular2-forms
lfmunoz picture lfmunoz · Jul 25, 2016 · Viewed 33.7k times · Source

I have an textarea where the user will type in some text. The text cannot be JavaScript or HTML etc. I want to manually sanitize the data and save it to a string.

I cannot figure out how to use DomSanitizationService to manually sanitize my data.

If I do {{ textare_text }} on the page then the data is correctly sanitized.

How do I do that manually to a string I have?

Answer

acdcjunior picture acdcjunior · Jul 26, 2016

You can sanitize the HTML as follows:

import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Component({
  selector: 'my-app',
  template: `
  <div [innerHTML]="_htmlProperty"></div>
  `
})
export class AppComponent {

  _htmlProperty: string = 'AAA<input type="text" name="name">BBB';

  constructor(private _sanitizer: DomSanitizer){ }

  public get htmlProperty() : SafeHtml {
     return this._sanitizer.sanitize(SecurityContext.HTML, this._htmlProperty);
  }

}

Demo plunker here.

From your comments, you actually want escaping not sanitization.

For this, check this plunker, where we have both escaping and sanitization.

import { Component, SecurityContext } from '@angular/core';
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

@Component({
  selector: 'my-app',
  template: `Original, using interpolation (double curly braces):<b>
        <div>{{ _originalHtmlProperty }}</div> 
  </b><hr>Sanitized, used as innerHTML:<b>
        <div [innerHTML]="sanitizedHtmlProperty"></div>
  </b><hr>Escaped, used as innerHTML:<b>
      <div [innerHTML]="escapedHtmlProperty"></div>
  </b><hr>Escaped AND sanitized used as innerHTML:<b>
      <div [innerHTML]="escapedAndSanitizedHtmlProperty"></div>
  </b>`
})
export class AppComponent {
  _originalHtmlProperty: string = 'AAA<input type="text" name="name">BBB';
  constructor(private _sanitizer: DomSanitizer){ }

  public get sanitizedHtmlProperty() : SafeHtml {
     return this._sanitizer.sanitize(SecurityContext.HTML, this._originalHtmlProperty);
  }

  public get escapedHtmlProperty() : string {
     return this.escapeHtml(this._originalHtmlProperty);
  }

  public get escapedAndSanitizedHtmlProperty() : string {
     return this._sanitizer.sanitize(SecurityContext.HTML, this.escapeHtml(this._originalHtmlProperty));
  }

  escapeHtml(unsafe) {
    return unsafe.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
                 .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
  }
}

The HTML escaping function used above escapes the same chars as angular code does (unfortunately, their escaping function is not public, so we can't use it).

Related questions

Can't bind to 'formGroup' since it isn't a known property of 'form'

THE SITUATION: Please help! I am trying to make what should be a very simple form in my Angular2 app but no matter what it never works. ANGULAR VERSION: Angular 2.0.0 Rc5 THE ERROR: Can't bind to 'formGroup' since it isn't …

Read More
Angular 2 - Setting selected value on dropdown list

I have run into an issue in pre-selecting values on a dropdown list in Angular 2. I set an array of colours in the component which I bind successfully to the dropdown list. The issue I'm experiencing is with pre-selecting a …

Read More
How can I manually set an Angular form field as invalid?

I am working on a login form and if the user enters invalid credentials we want to mark both the email and password fields as invalid and display a message that says the login failed. How do I go about …

Read More