Angular2 - 预期的安全值必须使用[property] = binding

时间:2017-07-26 05:22:42

标签: angular protractor karma-jasmine

我正在为SafePipe编写测试。该方法使用bypassSecurityTrustResourceUrl()。我搜索了可用的解决方案并尝试了它们但不幸的是,它对我没有帮助。错误是

  

预期的SafeValue必须使用[property] = binding:Cross(请参阅http://g.co/ng/security#xss)为“跨站点请求”。

我在这里做错了什么? 

import {Pipe, PipeTransform} from "@angular/core";
import {DomSanitizer} from "@angular/platform-browser";

@Pipe({name: 'safe'})
 export class SafePipe implements PipeTransform {
  constructor(private sanitizer: DomSanitizer) {
 }

 public transform(url: string): any {
   return this.sanitizer.bypassSecurityTrustResourceUrl(url);
 }
}

测试是:

import {SafePipe} from './safe.pipe';
import {DomSanitizer} from "@angular/platform-browser";
import {DomSanitizerImpl} from "@angular/platform-browse/src/security/dom_sanitization_service";

fdescribe('SafePipe', () => {
  let pipe: SafePipe;
  let sanitizer: DomSanitizer = new DomSanitizerImpl();
  beforeEach(() => {
    pipe = new SafePipe(sanitizer);
  });

  it('should transform', () => {
    expect(pipe.transform("Cross <script>alert('Hello')</script>")).toBe("Cross alert('Hello')");
  });
});

2 个答案:

答案 0 :(得分:8)

sanitizer.bypassSecurityTrustResourceUrl方法返回SafeResourceUrlImpl类,您无法将其转换为字符串(jasmine正在尝试在内部转换它)。 

abstract class SafeValueImpl implements SafeValue {
  constructor(public changingThisBreaksApplicationSecurity: string) {
    // empty
  }

  abstract getTypeName(): string;

  toString() {
    return `SafeValue must use [property]=binding: ${this.changingThisBreaksApplicationSecurity}` +
        ` (see http://g.co/ng/security#xss)`;
  }
}

您应该使用DomSanitizer.sanitize方法(Angular在应用[url]="value | safe"等属性时使用它)

it('should transform', () => {
  const safeResourceUrl = pipe.transform("Cross <script>alert('Hello')</script>");
  const sanitizedValue = sanitizer.sanitize(SecurityContext.RESOURCE_URL, safeResourceUrl);

  expect(sanitizedValue).toBe("Cross <script>alert('Hello')</script>");
});

PS。在这里,我假设您在toBe语句中输入了拼写错误,并且您希望字符串会保存script个标记。

您可以在 Plunker

中找到完整示例

答案 1 :(得分:1)

可接受的答案略有不同:将管道的SafeValue输出与经过消毒的期望值进行比较:

import { RichtextPipe } from './richtext.pipe';
import {BrowserModule, DomSanitizer} from "@angular/platform-browser";
import {TestBed} from "@angular/core/testing";

describe('RichtextPipe', () => {
  let domSanitizer: DomSanitizer;
  let pipe: RichtextPipe;

  beforeEach(() => {
    TestBed
      .configureTestingModule({
        imports: [
          BrowserModule
        ]
      });
    domSanitizer = TestBed.get(DomSanitizer);
    pipe = new RichtextPipe(domSanitizer);
  });

  it('should convert EventPage page link', () => {
    // Setup
    const html = '<a id="1" linktype="page" pagetype="EventPage">foo</a>';

    // Test
    const result = pipe.transform(html); 

    // Assert
    const expected = domSanitizer.bypassSecurityTrustHtml('<a routerLink="/events/1">foo</a>');
    expect(result).toEqual(expected);
  });


});

在此示例中,RichtextPipe使用bypassSecurityTrustHtml来转换输出。如果您的管道使用其他旁路方法,那么您可能应该对期望值使用相同的方法。

相关问题
最新问题