
flex-layout module breaks style sanitization when style value includes colon #935

Closed
meelkor opened this issue Dec 18, 2018 · 2 comments · Fixed by #938
Comments


meelkor commented Dec 18, 2018

Bug Report

What is the expected behavior?

The sanitization should work the same as without flex-layout module

What is the current behavior?

`:` is being split in the style value and may result in an invalid (unsafe) style when sanitizing, warning: `sanitizing unsafe style value url(https (see http://g.co/ng/security#xss).` The style is then applied correctly, just the warning shouldn't be there.

What are the steps to reproduce?

Open console in:
https://stackblitz.com/edit/angular-flex-layout-seed-ubokny

Which versions of Angular, Material, OS, TypeScript, browsers are affected?

Angular@7.1.3 + flex-layout@7.0.0-beta.21
(maybe those two aren't supposed to work together? if so then please disregard this issue)

Is there anything else we should know?

I guess `stringToKeyValue` is at fault as it assumes there is no other colon in the string:
https://github.com/angular/flex-layout/blob/master/src/lib/extended/style/style-transforms.ts#L81
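As an added illustration (not the flex-layout project's own code), a TypeScript reconstruction of the splitting bug described in this report: a key/value splitter built on `split(':')` truncates a `url(https://...)` value to `url(https`, which is exactly the fragment the sanitizer warning quotes, while splitting on the first colon only keeps the value intact. The function names, the sample style string and the `isTruncatedUrl` check are assumptions made for this example.

```typescript
// Added example (not flex-layout's own code): reconstruction of the colon
// splitting bug from this issue, with a buggy and a fixed splitter side by side.

interface StyleKeyValue { key: string; value: string; }

// Buggy shape (assumed): split(':') keeps only the first segment after the
// key, so "background-image: url(https://h/a.png)" yields the value "url(https".
function stringToKeyValueBuggy(input: string): StyleKeyValue {
  const parts = input.split(':');
  return { key: parts[0].trim(), value: (parts[1] ?? '').trim() };
}

// Fixed: split on the first colon only; everything after it is the value.
function stringToKeyValueFixed(input: string): StyleKeyValue {
  const idx = input.indexOf(':');
  if (idx < 0) return { key: input.trim(), value: '' };
  return { key: input.slice(0, idx).trim(), value: input.slice(idx + 1).trim() };
}

// Parse an inline style string "a: b; c: d" into pairs using the given splitter.
// (Semicolons inside url(), e.g. data URIs, are out of scope for this example.)
function parseStyle(style: string, split: (s: string) => StyleKeyValue): StyleKeyValue[] {
  return style.split(';').map(s => s.trim()).filter(s => s.length > 0).map(split);
}

// Illustrative stand-in for the sanitizer's reaction, not Angular's real rules:
// a url(...) value whose parenthesis never closes is treated as truncated/unsafe.
function isTruncatedUrl(value: string): boolean {
  return /^url\(/i.test(value) && !/^url\([^()]*\)$/i.test(value);
}

// Constructed sample input mirroring the report (hypothetical host name).
const SAMPLE_STYLE = 'background-image: url(https://example.test/a.png); color: red';

// Run both splitters over the sample so the difference can be inspected.
function demo(): { buggy: StyleKeyValue[]; fixed: StyleKeyValue[] } {
  return {
    buggy: parseStyle(SAMPLE_STYLE, stringToKeyValueBuggy),
    fixed: parseStyle(SAMPLE_STYLE, stringToKeyValueFixed),
  };
}
```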

@meelkor meelkor changed the title from "flex-layout module breaks style sanitization when style value include colon" to "flex-layout module breaks style sanitization when style value includes colon" Dec 18, 2018
@CaerusKaru CaerusKaru self-assigned this Dec 18, 2018
@CaerusKaru CaerusKaru added bug P0 Critical issue that needs to be resolved immediately labels Dec 18, 2018
@CaerusKaru CaerusKaru added this to the 7.0.0-beta.22 milestone Dec 18, 2018
CaerusKaru (Member) commented:

This will be patched in #938 and included in today's release. Thank you for catching this!

@CaerusKaru CaerusKaru added the has pr A PR has been created to address this issue label Dec 18, 2018
CaerusKaru added a commit that referenced this issue Dec 18, 2018
angular-automatic-lock-bot commented:

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 5, 2019
This issue was closed.