flex-layout module breaks style sanitization when style value includes colon

Created on 18 Dec 2018 · 2 Comments · Source: angular/flex-layout

Bug Report

What is the expected behavior?

The sanitization should work the same as without flex-layout module

What is the current behavior?

`:` is being split in style value and may result in invalid (unsafe) style when sanitizing, warning: `sanitizing unsafe style value url(https (see http://g.co/ng/security#xss).`, the style is applied then correctly, just the warning shouldn't be there.

What are the steps to reproduce?

Open console in:
https://stackblitz.com/edit/angular-flex-layout-seed-ubokny

Which versions of Angular, Material, OS, TypeScript, browsers are affected?

[email protected] + [email protected]
(maybe those two aren't supposed to work together? if so then please disregard this issue)

Is there anything else we should know?

I guess the stringToKeyValue is at fault as it assumes there is no other colon in the string.
https://github.com/angular/flex-layout/blob/master/src/lib/extended/style/style-transforms.ts#L81

P0 bug has pr
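
The failure mode the report describes, as an added TypeScript example that is not part of the original issue and is not flex-layout's code: a key/value parser that splits on every colon truncates a `url(https://…)` value to `url(https`, the string quoted in the sanitizer warning, while splitting on the first colon only keeps the value whole. The function names and the sample style string are assumptions made for illustration.

```typescript
// Added illustration; function names are hypothetical, not flex-layout's API.
type KeyValue = { key: string; value: string };

// Behaviour described in the report: split on every ':' and keep only the
// first two pieces, so anything after a second colon is lost.
function naiveKeyValue(entry: string): KeyValue {
  const parts = entry.split(':');
  return { key: (parts[0] || '').trim(), value: (parts[1] || '').trim() };
}

// Split on the first ':' only; the rest of the string is the value.
function firstColonKeyValue(entry: string): KeyValue {
  const idx = entry.indexOf(':');
  if (idx === -1) {
    return { key: entry.trim(), value: '' };
  }
  return { key: entry.slice(0, idx).trim(), value: entry.slice(idx + 1).trim() };
}

// Parse a whole "a: b; c: d" style string with the given entry parser.
function parseStyles(css: string, parse: (e: string) => KeyValue): KeyValue[] {
  return css
    .split(';')
    .map((e) => e.trim())
    .filter((e) => e.length > 0)
    .map(parse);
}

// Constructed sample input.
const SAMPLE = 'background-image: url(https://example.com/a.png); color: red';

function demo(): { naive: KeyValue[]; fixed: KeyValue[] } {
  return {
    naive: parseStyles(SAMPLE, naiveKeyValue),
    fixed: parseStyles(SAMPLE, firstColonKeyValue),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The truncated `url(https` is what reaches the style sanitizer in the naive case; it is not a well-formed `url()` value, which is consistent with the unsafe-value warning quoted above.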

All 2 comments

This will be patched in #938 and included in today's release. Thank you for catching this!

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

_This action has been performed automatically by a bot._
