angularxssinnerhtmlhtml-sanitizinghtml-sanitizer-api

HTML Sanitizer API - Angular (mXSS)


I have a question regarding the HTML Sanitizer API and Angular. As I can read from the source code from Angular, they have their own method of protection against mXSS.

Recently I read about the HTML Sanitizer API which is letting the browser do the sanitizing, because the browsers knows best what it is going to execute.

I could not find a sign that Angular uses this API anywhere in their source code and also did not figure out how to use it in an Angular project.

I tried constructing a sanitizer with the new Sanitzer() constructor, but it says that it could only find the Sanitizer in "@angular/core" which is not using the HTML Sanitizer API.

Is the HTML Sanitizer API not available in TypeScript or is it not available because it is not standard in all browsers?


Solution

  • The documentation you linked is a draft. This means that the API is subject to change, so no sane developer will start using it for purposes other than testing the API - the next version of the browser might come with an updated API, and you have no control over that.

    Usually developers will use those things once API was finalized, and the finalized API has been implemented in all major browsers. Note that you sill need to use a fallback / polyfills in case it's not available (i.e. user uses older browser version).

    Likewise, it will probably not be available in current types files in your IDE, and might throw on compilation. If you're set on using it, you can probably go around it something like new (window as any).Sanitsizer() and it should compile and work within supported browsers.