@@ -24,85 +24,7 @@ export namespace SCE_CONTEXTS {
2424 * `$sceDelegate` is a service that is used by the `$sce` service to provide {@link ng.$sce Strict
2525 * Contextual Escaping (SCE)} services to AngularTS.
2626 *
27- * For an overview of this service and the functionnality it provides in AngularTS, see the main
28- * page for {@link ng.$sce SCE}. The current page is targeted for developers who need to alter how
29- * SCE works in their application, which shouldn't be needed in most cases.
30- *
31- * <div class="alert alert-danger">
32- * AngularTS strongly relies on contextual escaping for the security of bindings: disabling or
33- * modifying this might cause cross site scripting (XSS) vulnerabilities. For libraries owners,
34- * changes to this service will also influence users, so be extra careful and document your changes.
35- * </div>
36- *
37- * Typically, you would configure or override the {@link ng.$sceDelegate $sceDelegate} instead of
38- * the `$sce` service to customize the way Strict Contextual Escaping works in AngularTS. This is
39- * because, while the `$sce` provides numerous shorthand methods, etc., you really only need to
40- * override 3 core functions (`trustAs`, `getTrusted` and `valueOf`) to replace the way things
41- * work because `$sce` delegates to `$sceDelegate` for these operations.
42- *
43- * Refer {@link ng.$sceDelegateProvider $sceDelegateProvider} to configure this service.
44- *
45- * The default instance of `$sceDelegate` should work out of the box with little pain. While you
46- * can override it completely to change the behavior of `$sce`, the common case would
47- * involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting
48- * your own trusted and banned resource lists for trusting URLs used for loading AngularTS resources
49- * such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList
50- * $sceDelegateProvider.trustedResourceUrlList} and {@link
51- * ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}
52- */
53- /**
54- *
55- * The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate
56- * $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}.
57- *
58- * The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and
59- * `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularTS templates and
60- * other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See
61- * {@link ng.$sceDelegateProvider#trustedResourceUrlList
62- * $sceDelegateProvider.trustedResourceUrlList} and
63- * {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList},
64- *
65- * For the general details about this service in AngularTS, read the main page for {@link ng.$sce
66- * Strict Contextual Escaping (SCE)}.
67- *
68- * **Example**: Consider the following case. <a name="example"></a>
69- *
70- * - your app is hosted at url `http://myapp.example.com/`
71- * - but some of your templates are hosted on other domains you control such as
72- * `http://srv01.assets.example.com/`, `http://srv02.assets.example.com/`, etc.
73- * - and you have an open redirect at `http://myapp.example.com/clickThru?...`.
74- *
75- * Here is what a secure configuration for this scenario might look like:
76- *
77- * ```
78- * angular.module('myApp', []).config(function($sceDelegateProvider) {
79- * $sceDelegateProvider.trustedResourceUrlList([
80- * // Allow same origin resource loads.
81- * 'self',
82- * // Allow loading from our assets domain. Notice the difference between * and **.
83- * 'http://srv*.assets.example.com/**'
84- * ]);
85- *
86- * // The banned resource URL list overrides the trusted resource URL list so the open redirect
87- * // here is blocked.
88- * $sceDelegateProvider.bannedResourceUrlList([
89- * 'http://myapp.example.com/clickThru**'
90- * ]);
91- * });
92- * ```
93- * Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
94- * you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates
95- * requested by {@link ng.$templateRequest $templateRequest} that are present in
96- * {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism
97- * to populate your templates in that cache at config time, then it is a good idea to remove 'self'
98- * from the trusted resource URL lsit. This helps to mitigate the security impact of certain types
99- * of issues, like for instance attacker-controlled `ng-includes`.
100- */
101- /**
102- * `$sceDelegate` is a service that is used by the `$sce` service to provide {@link ng.$sce Strict
103- * Contextual Escaping (SCE)} services to AngularTS.
104- *
105- * For an overview of this service and the functionnality it provides in AngularTS, see the main
27+ * For an overview of this service and the functionality it provides in AngularTS, see the main
10628 * page for {@link ng.$sce SCE}. The current page is targeted for developers who need to alter how
10729 * SCE works in their application, which shouldn't be needed in most cases.
10830 *
@@ -179,7 +101,7 @@ export namespace SCE_CONTEXTS {
179101export class SceDelegateProvider {
180102 /**
181103 *
182- * @param {Array= } trustedResourceUrlList When provided, replaces the trustedResourceUrlList with
104+ * @param {Array= } value When provided, replaces the trustedResourceUrlList with
183105 * the value provided. This must be an array or null. A snapshot of this array is used so
184106 * further changes to the array are ignored.
185107 * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
@@ -198,7 +120,7 @@ export class SceDelegateProvider {
198120 * its origin with other apps! It is a good idea to limit it to only your application's directory.
199121 * </div>
200122 */
201- trustedResourceUrlList : ( value : any , ...args : any [ ] ) => any [ ] ;
123+ trustedResourceUrlList : ( value ? : any [ ] | undefined , ...args : any [ ] ) => any [ ] ;
202124 /**
203125 *
204126 * @param {Array= } bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with
@@ -226,7 +148,7 @@ export class SceDelegateProvider {
226148 | string
227149 | ( (
228150 $injector : ng . InjectorService ,
229- $$sanitizeUri : any ,
151+ $$sanitizeUri : import ( "../../core/sanitize/interface.ts" ) . SanitizerFn ,
230152 $exceptionHandler : ng . ExceptionHandlerService ,
231153 ) => {
232154 trustAs : ( type : string , trustedValue : any ) => any ;
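Review bot: The new `trustedResourceUrlList` signature (new line 123) types its parameter as `any[] | undefined`, while the doc comment a few lines above it still says the value "must be an array or null", so a caller who follows the documentation and passes `null` would be rejected under `strictNullChecks`. Either widen the parameter or reword the comment so the two agree. The element type is also still `any`, and because this list decides which origins may supply templates and other script-running URLs, a narrower type would let the compiler catch malformed entries, for example `trustedResourceUrlList: (value?: (string | RegExp)[] | null, ...args: any[]) => any[];`. The `string | RegExp` element type is presumed from the pattern-item description the comment links to and should be confirmed there. The `@param` tag for `bannedResourceUrlList` at new line 126 keeps the old naming, and its signature lies outside the visible lines, so it may need the same alignment.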