What can I use to sanitize received HTML while retaining basic formatting?

This is an older, but still relevant question. We are using the HtmlSanitizer .Net library, which:
- is open-source
- is actively maintained
- doesn't have the problems of the Microsoft Anti-XSS library
- is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
- is specially built for this (in contrast to HTML Agility Pack, which is a parser)
…

Angular 2: sanitizing HTML stripped some content with div id – this is bug or feature?

A simple solution is to write a pipe like:

    import { Pipe, PipeTransform } from '@angular/core';
    import { DomSanitizer, SafeHtml } from '@angular/platform-browser';

    @Pipe({ name: 'sanitizeHtml' })
    export class SanitizeHtmlPipe implements PipeTransform {
      constructor(private _sanitizer: DomSanitizer) { }

      // tells Angular to trust this string and render it as HTML without sanitizing it
      transform(v: string): SafeHtml {
        return this._sanitizer.bypassSecurityTrustHtml(v);
      }
    }

and in your HTML file use the pipe like:

    <td *ngIf="i>0" [innerHTML]="entry.attributes[i] | sanitizeHtml"></td>

How to use C# to sanitize input on an html page?

We are using the HtmlSanitizer .Net library, which:
- is open-source (MIT; see the GitHub link)
- is fully customizable, e.g. you can configure which elements should be removed (see the wiki)
- is actively maintained
- doesn't have the problems of the Microsoft Anti-XSS library
- is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
- is specially built for this (in contrast …

Best way to handle security and avoid XSS with user entered URLs

If you think URLs can't contain code, think again! https://owasp.org/www-community/xss-filter-evasion-cheatsheet Read that, and weep. Here's how we do it on Stack Overflow:

    using System.Text.RegularExpressions;

    /// <summary>
    /// returns "safe" URL, stripping anything outside normal charsets for URL
    /// </summary>
    public static string SanitizeUrl(string url)
    {
        return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
    }

Sanitize/Rewrite HTML on the Client Side

Update 2016: There is now a Google Closure package based on the Caja sanitizer. It has a cleaner API, was rewritten to take into account APIs available on modern browsers, and interacts better with Closure Compiler. Shameless plug: see caja/plugin/html-sanitizer.js for a client side html sanitizer that has been thoroughly reviewed. It is white-listed, not …

Insert HTML into view from AngularJS controller

For Angular 1.x, use ng-bind-html in the HTML:

    <div ng-bind-html="thisCanBeusedInsideNgBindHtml"></div>

At this point you would get an "attempting to use an unsafe value in a safe context" error, so you need to either use ngSanitize or $sce to resolve that.

$sce: use $sce.trustAsHtml() in the controller to convert the HTML string:

    $scope.thisCanBeusedInsideNgBindHtml = $sce.trustAsHtml(someHtmlVar);

ngSanitize: …