NG-ZORRO/ng-zorro-antd

confirm does not filter the displayed content to prevent XSS attacks

Opened this issue · 1 comments

Reproduction link

https://ng-zorro-antd-ivy-cjm9xv.stackblitz.io

Steps to reproduce


import { Component } from '@angular/core';
import { NzModalService } from 'ng-zorro-antd/modal';

@Component({
  selector: 'my-app',
  template: `
    <input nz-input [(ngModel)]="input">

    <button 
      (click)="openConfirm()"
      nz-button
      type="button">confirm</button>
  `,
})
export class AppComponent {
  input = 'delete [<a href="https://bing.com">link</a>] ?';

  constructor(private nzModalService: NzModalService) {}

  openConfirm(): void {
    this.nzModalService.confirm({
      nzTitle: this.input,
    });
  }
}

What is expected?

The link should not be clickable

What is actually happening?

Clicking the link navigates to the external website

Environment Info
ng-zorro-antd 17.4.0
Browser chrome
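Added example, not code from the issue or from the ng-zorro-antd project: until the library escapes a string `nzTitle` itself, an application can neutralise the behaviour shown in the reproduction by escaping user-controlled text before it reaches an option that is rendered as HTML. The helper names (`escapeHtml`, `containsMarkup`, `confirmTitleFor`) are assumptions for this example; the sample input is the exact title string from the report.

```typescript
// Added example (not ng-zorro-antd project code): escape user-controlled text
// before passing it to an option that is rendered as HTML, such as the string
// form of nzTitle in NzModalService.confirm() shown in the reproduction.

const HTML_ESCAPES: Record<string, string> = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

/**
 * Replace the five HTML-significant characters with entity references.
 * Apply exactly once per value: escaping already-escaped text would turn
 * "&lt;" into "&amp;lt;" and display the entity literally.
 */
function escapeHtml(untrusted: string): string {
  return untrusted.replace(/[&<>"']/g, ch => HTML_ESCAPES[ch] ?? ch);
}

/** Cheap check used in tests: does the string still start a tag anywhere? */
function containsMarkup(text: string): boolean {
  return /<[a-zA-Z!/]/.test(text);
}

/**
 * Build the "delete [...] ?" title from an item name the user typed.
 * Only the untrusted part is escaped; the surrounding text is ours.
 * (Hypothetical helper for this example.)
 */
function confirmTitleFor(itemName: string): string {
  return `delete [${escapeHtml(itemName)}] ?`;
}

// Constructed sample: the nzTitle value from the reproduction above.
const reportedInput = 'delete [<a href="https://bing.com">link</a>] ?';
const safeTitle = escapeHtml(reportedInput);
// Wired into the component this would read:
//   this.nzModalService.confirm({ nzTitle: escapeHtml(this.input) });
```

The escaped string is shown to the user verbatim (`delete [<a href=...>link</a>] ?`) instead of being interpreted, so nothing in it is clickable. An alternative that avoids escaping in application code is to pass a `TemplateRef` as `nzTitle` and render the value with `{{ input }}` interpolation, which Angular escapes as text; in either case the value should never be marked trusted with `bypassSecurityTrustHtml`.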
