mirror of
https://github.com/angular/angular
synced 2026-05-24 09:28:37 +00:00
b35fa73968
In modern browsers, the 'javascript:' URL scheme is the only scheme that can execute JavaScript when passed in a navigation URL context (e.g. `a.href` value). Validate URL shemes to only contain characters allowed in the URL specification ([a-zA-Z-+.]), and that are not javascript (case insensitive). This is not a breaking change. The URL sanitization is loosen. PR Close #49659 |
||
|---|---|---|
| .. | ||
| bypass.ts | ||
| html_sanitizer.ts | ||
| iframe_attrs_validation.ts | ||
| inert_body.ts | ||
| readme.md | ||
| sanitization.ts | ||
| sanitizer.ts | ||
| security.ts | ||
| url_sanitizer.ts | ||
Sanitization
This folder contains sanitization related code.
History
It used to be that sanitization related code used to be in @angular/platform-browser since it is platform related. While this is true, in practice the compiler schema is permanently tied to the DOM and hence the fact that sanitizer could in theory be replaced is not used in practice.
In order to better support tree shaking we need to be able to refer to the sanitization functions from the Ivy code. For this reason the code has been moved into the @angular/core.