$sanitizeProvider

provider in module ngSanitize (configures the $sanitize service)

Overview

Creates and configures the $sanitize service instance.

Methods

  • enableSvg([flag]);

    Enables a subset of SVG elements to pass through the sanitizer instead of being stripped.

    By enabling this setting without taking other precautions, you might expose your application to clickjacking (click-hijacking) attacks. In these attacks, sanitized SVG elements could be positioned outside of their containing element and rendered over other elements on the page (e.g. a login link); such behaviour can then lead to phishing incidents.

    To protect against this, explicitly set up an overflow: hidden CSS rule for all potential svg tags within the sanitized content:


      .rootOfTheIncludedContent svg {
        overflow: hidden !important;
      }
      

    Parameters

    Param            Type     Details
    flag (optional)  boolean  Enable or disable SVG support in the sanitizer.

    Returns

    boolean | $sanitizeProvider

    Returns the currently configured value if called without an argument or self for chaining otherwise.

  • addValidElements(elements);

    Extends the built-in lists of valid HTML/SVG elements, i.e. elements that are considered safe and are not stripped out during sanitization. You can extend the following lists of elements:

    • htmlElements: A list of elements (tag names) to extend the current list of safe HTML elements. HTML elements considered safe will not be removed during sanitization. All other elements will be stripped out.

    • htmlVoidElements: This is similar to htmlElements, but marks the added elements as void elements (like the HTML void elements br or img): they have no end tag and cannot have content.

    • svgElements: This is similar to htmlElements, but for SVG elements. This list is only taken into account if SVG is enabled for $sanitize (see enableSvg).

    This method must be called during the config phase. Once the $sanitize service has been instantiated, this method has no effect.
    Keep in mind that extending the built-in lists of elements may expose your app to XSS or other vulnerabilities. Be very mindful of the elements you add.

    Parameters

    Param     Type                     Details
    elements  Array.<String> | Object  A list of valid HTML elements, or an object with one or more of the following properties:

    • htmlElements - {Array<String>} - A list of elements to extend the current list of HTML elements.
    • htmlVoidElements - {Array<String>} - A list of elements to extend the current list of void HTML elements; i.e. elements that do not have an end tag.
    • svgElements - {Array<String>} - A list of elements to extend the current list of SVG elements. The list of SVG elements is only taken into account if SVG is enabled for $sanitize.

    Passing an array ([...]) is equivalent to passing {htmlElements: [...]}.

    Returns

    $sanitizeProvider

    Returns self for chaining.

  • addValidAttrs(attrs);

    Extends the built-in list of valid attributes, i.e. attributes that are considered safe and are not stripped off during sanitization.

    Note: The new attributes will not be treated as URI attributes, which means their values will not be sanitized as URIs using $compileProvider's aHrefSanitizationTrustedUrlList and imgSrcSanitizationTrustedUrlList. In practice, if you add an attribute whose value is a URL, that value is passed through as-is, whatever its scheme, so do not add URL-valued attributes unless you validate their values yourself.

    This method must be called during the config phase. Once the $sanitize service has been instantiated, this method has no effect.
    Keep in mind that extending the built-in list of attributes may expose your app to XSS or other vulnerabilities. Be very mindful of the attributes you add.

    Parameters

    Param  Type            Details
    attrs  Array.<String>  A list of valid attributes.

    Returns

    $sanitizeProvider

    Returns self for chaining.
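The following is an added example, not code from the AngularJS project or this page. It covers both addValidElements and addValidAttrs (and enableSvg, which svgElements depends on). The first function is the config-phase block an app would register against the real $sanitizeProvider, using only the methods documented above. Because that block cannot run outside an AngularJS injector, the rest of the example is a constructed stand-in provider with the same three methods plus $get(): its seed allow-lists and its sanitize() are a small model of allow-list stripping, not ngSanitize's real tables or a port of $sanitize, and the element and attribute names used (video, source, symbol, poster, controls) are illustrative choices. The model exists to make the two caveats above concrete: additions after instantiation are ignored, and attributes added with addValidAttrs are never URI-checked.

```javascript
// Added example, not code from the AngularJS project. Part 1 is the config-phase
// block an app registers against the real $sanitizeProvider (the documented
// methods, chained). Part 2 is a constructed stand-in provider with the same
// methods plus $get(), so the effect of each call and the caveats (config phase
// only; added attrs are not URI-checked) run in plain Node without AngularJS.
// The names video/source/symbol/poster/controls are illustrative choices.
function configureSanitizer($sanitizeProvider) {
  // In an app: angular.module('app', ['ngSanitize']).config(['$sanitizeProvider', configureSanitizer]);
  $sanitizeProvider
    .enableSvg(true)
    .addValidElements({
      htmlElements: ['video'],        // ordinary element, has an end tag
      htmlVoidElements: ['source'],   // void element, no end tag
      svgElements: ['symbol'],        // only honoured because SVG is enabled
    })
    .addValidAttrs(['poster', 'controls']);   // NOT URI-checked, see demo()
}
// Stand-in provider. Seed lists are constructed and tiny, not ngSanitize's real
// tables; sanitize() models allow-list stripping and is not a port of $sanitize.
function makeModelSanitizerProvider() {
  const html = new Set(['p', 'a', 'b', 'img', 'br']);
  const voidEls = new Set(['img', 'br']);
  const svg = new Set(['svg', 'circle']);
  const attrs = new Set(['title', 'class']);
  const uriAttrs = new Set(['href', 'src']);     // value must match trustedUrl
  const trustedUrl = /^\s*(https?|mailto):/i;     // stands in for the trusted-URL lists
  let svgEnabled = false, instantiated = false;
  const provider = {
    enableSvg(flag) {
      if (arguments.length === 0) return svgEnabled;   // getter form
      svgEnabled = !!flag;
      return provider;                                 // chainable
    },
    addValidElements(elements) {
      if (instantiated) return provider;               // config phase only
      const spec = Array.isArray(elements) ? { htmlElements: elements } : elements;
      for (const e of spec.htmlElements || []) html.add(e);
      for (const e of spec.htmlVoidElements || []) { html.add(e); voidEls.add(e); }
      for (const e of spec.svgElements || []) svg.add(e);
      return provider;
    },
    addValidAttrs(list) {
      if (instantiated) return provider;               // config phase only
      for (const a of list) attrs.add(a);              // never added to uriAttrs
      return provider;
    },
    $get() {                                           // instantiates the service
      instantiated = true;
      return sanitize;
    },
  };
  // Tokenizer for a small well-formed subset (tags with double-quoted attributes,
  // and text). Unknown elements are dropped; their text content is kept.
  function sanitize(input) {
    const out = [];
    const tokenRe = /<(\/?)([a-zA-Z][\w-]*)((?:\s+[\w-]+="[^"]*")*)\s*\/?>|([^<]+)/g;
    let m;
    while ((m = tokenRe.exec(input)) !== null) {
      if (m[4] !== undefined) { out.push(m[4]); continue; }          // text node
      const closing = m[1] === '/', tag = m[2].toLowerCase();
      if (!(html.has(tag) || (svgEnabled && svg.has(tag)))) continue;
      if (closing) { if (!voidEls.has(tag)) out.push(`</${tag}>`); continue; }
      const kept = [], attrRe = /([\w-]+)="([^"]*)"/g;
      let a;
      while ((a = attrRe.exec(m[3])) !== null) {
        const name = a[1].toLowerCase(), value = a[2];
        if (uriAttrs.has(name)) {
          if (trustedUrl.test(value)) kept.push(`${name}="${value}"`); // bad scheme: dropped
        } else if (attrs.has(name)) {
          kept.push(`${name}="${value}"`);   // allow-listed attr: value passed through untouched
        }
      }
      out.push(`<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`);
    }
    return out.join('');
  }
  return provider;
}
function demo() {
  const provider = makeModelSanitizerProvider();
  configureSanitizer(provider);                       // config phase
  const $sanitize = provider.$get();                  // service instantiated here
  provider.addValidElements(['script']);              // too late: ignored
  provider.addValidAttrs(['onclick']);                // too late: ignored
  const plain = makeModelSanitizerProvider().$get();  // defaults, SVG off
  return {
    svgOn: provider.enableSvg(),
    hrefChecked: $sanitize('<a href="javascript:alert(1)" title="x">hi</a>'),
    posterPassedThrough: $sanitize(
      '<video poster="javascript:alert(1)" controls=""><source src="javascript:alert(1)"></video>'),
    svgKept: $sanitize('<svg><circle></circle></svg><symbol></symbol>'),
    svgOffStripped: plain('<p><svg><circle></circle></svg>text</p>'),
    lateAddIgnored: $sanitize('<script onclick="x">y</script>'),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Run with node. The contrast to look at is hrefChecked against posterPassedThrough: href is a URI attribute, so the javascript: value is rejected and the attribute dropped, while poster was added with addValidAttrs and its identical value is kept verbatim. lateAddIgnored shows that script and onclick, added after $get(), never reach the allow-lists, and svgOffStripped shows the svg subtree disappearing when enableSvg was never called.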

© 2010–2020 Google, Inc.
Licensed under the Creative Commons Attribution License 3.0.
https://code.angularjs.org/1.8.2/docs/api/ngSanitize/provider/$sanitizeProvider