Skip to content

Aria attributes should not be stripped by html sanitizer #26815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
1 task done
MartinMa opened this issue Oct 29, 2018 · 1 comment
Closed
1 task done

Aria attributes should not be stripped by html sanitizer #26815

MartinMa opened this issue Oct 29, 2018 · 1 comment
Labels
area: core Issues related to the framework runtime feature Issue that requests a new feature
Milestone
Backlog

Comments

@MartinMa
Copy link
Contributor

I'm submitting a...

  • Bug report

Current behavior

Aria attributes like aria-label are being stripped by the html sanitizer as unsafe html.

Expected behavior

Aria attributes should be treated as safe html and not be stripped, when used within [innerHTML].

For a list of supported attributes see https://www.w3.org/TR/html-aria/

Minimal reproduction of the problem with instructions

See https://stackblitz.com/edit/angular-wbkoxx

What is the motivation / use case for changing the behavior?

I'm loading translation strings from a json file (using @ngx-translate/core, since the built-in i18n support is missing important features). Some of them are pulled in via [innerHTML] to keep html tags and attributes intact. Sadly, aria attributes are being stripped altogether.

Is this on purpose? I could not find any hints in the docs or in the source.
Relevant line of code:
https://github.com/angular/angular/blob/master/packages/core/src/sanitization/html_sanitizer.ts#L69

Environment

Angular version: 7.0.1

Browser:
Any
@matsko matsko added the area: core Issues related to the framework runtime label Oct 30, 2018
@ngbot ngbot bot added this to the needsTriage milestone Oct 30, 2018
@mhevery mhevery added the feature Issue that requests a new feature label Nov 29, 2018
@ngbot ngbot bot modified the milestones: needsTriage, Backlog Nov 29, 2018
MartinMa added a commit to MartinMa/angular that referenced this issue Apr 3, 2019
@MartinMa
feat(core): add missing ARIA attributes to html sanitizer
dbd3647 
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815
@MartinMa MartinMa mentioned this issue Apr 3, 2019
Closed
5 tasks
MartinMa added a commit to MartinMa/angular that referenced this issue Apr 3, 2019
@MartinMa
feat(core): add missing ARIA attributes to html sanitizer
33877c6 
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815
MartinMa added a commit to MartinMa/angular that referenced this issue Apr 23, 2019
@MartinMa
feat(core): add missing ARIA attributes to html sanitizer
c10ca12 
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815
IgorMinar pushed a commit to MartinMa/angular that referenced this issue Apr 25, 2019
@MartinMa @IgorMinar
feat(core): add missing ARIA attributes to html sanitizer
ecbb3fc 
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815
BioPhoton pushed a commit to BioPhoton/angular that referenced this issue May 21, 2019
@MartinMa @BioPhoton
feat(core): add missing ARIA attributes to html sanitizer (angular#29685
43e8eb3 
)

Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer.

Closes angular#26815

PR Close angular#29685
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 15, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
area: core Issues related to the framework runtime feature Issue that requests a new feature
Projects
None yet
Milestone
Backlog
Development

Successfully merging a pull request may close this issue.

feat(core): add missing ARIA attributes to html sanitizer MartinMa/angular
3 participants
@matsko @mhevery @MartinMa