hub / github.com/angular/angular / ɵɵvalidateAttribute

Function ɵɵvalidateAttribute

packages/core/src/sanitization/sanitization.ts:317–391  ·  view source on GitHub ↗
(value: T, tagName: string, attributeName: string)

Source from the content-addressed store, hash-verified

315 * @param attributeName The name of the attribute.
316 */
317export function ɵɵvalidateAttribute<T = any>(value: T, tagName: string, attributeName: string): T {
318 const lowerCaseTagName = tagName.toLowerCase();
319 const lowerCaseAttrName = attributeName.toLowerCase();
320
321 const index = getSelectedIndex();
322 const tNode: TNode | null = index === -1 ? null : getSelectedTNode();
323 if (tNode && tNode.type !== TNodeType.Element) {
324 return value;
325 }
326
327 // Leverage tNode.namespace if active, otherwise check both namespaced and base variants.
328 const fullTagName =
329 lowerCaseTagName[0] !== ':' && tNode?.namespace
330 ? `:${tNode.namespace}:${lowerCaseTagName}`
331 : lowerCaseTagName;
332
333 const validationConfig = SECURITY_SENSITIVE_ELEMENTS[fullTagName]?.[lowerCaseAttrName];
334
335 if (!validationConfig) {
336 return value;
337 }
338
339 const lView = getLView();
340 if (tNode && lowerCaseTagName === 'iframe') {
341 const element = getNativeByTNode(tNode, lView) as RElement;
342 enforceIframeSecurity(element as HTMLIFrameElement);
343 }
344
345 const displayTagName = tagName[0] === ':' ? tagName.split(':').pop()! : tagName;
346
347 if (typeof validationConfig !== 'boolean') {
348 if (!tNode) {
349 const errorMessage =
350 ngDevMode &&
351 `Angular has detected that the \`${attributeName}\` was applied ` +
352 `as a binding to the <${tagName}> element. ` +
353 `For security reasons, the \`${attributeName}\` can be set on the <${tagName}> element ` +
354 `as a static attribute only. \n` +
355 `To fix this, switch the \`${attributeName}\` binding to a static attribute ` +
356 `in a template or in host bindings section.`;
357 throw new RuntimeError(RuntimeErrorCode.UNSAFE_ATTRIBUTE_BINDING, errorMessage);
358 }
359
360 const element = getNativeByTNode(tNode, lView) as SVGAnimateElement;
361 const attributeNameValue = getSecuritySensitiveSVGAnimationAttributeName(
362 element,
363 validationConfig,
364 );
365
366 if (attributeNameValue) {
367 const errorMessage =
368 ngDevMode &&
369 `Angular has detected that the \`${attributeName}\` was applied ` +
370 `as a binding to the <${displayTagName}> element${getTemplateLocationDetails(lView)}. ` +
371 `For security reasons, the \`${attributeName}\` can be set on the <${displayTagName}> element ` +
372 `as a static attribute only when the "attributeName" is set to \'${attributeNameValue}\'. \n` +
373 `To fix this, switch the \`${attributeNameValue}\` binding to a static attribute ` +
374 `in a template or in host bindings section.`;

Callers

nothing calls this directly

Calls 8

getSelectedIndexFunction · 0.90
getSelectedTNodeFunction · 0.90
getLViewFunction · 0.90
getNativeByTNodeFunction · 0.90
enforceIframeSecurityFunction · 0.90
popMethod · 0.80

Tested by

no test coverage detected
