MatLinkPreview Directive Security Flaw? #99

Open
nseney1 opened this issue Oct 3, 2019 · 2 comments
nseney1 commented Oct 3, 2019

Bug Report or Feature Request (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request

OS and Version?

Ubuntu 16.04

Versions

Angular 8.3.1
NPM 6.7.0

Looking at the source code for the mat link preview directive, I'm a little concerned about the way you're subscribing to input events and logging the data. It seems like if you use the matLinkPreview directive anywhere in your application then it will log all of your inputs (including password fields) as plain text in the console.

The piece of code that I'm looking at is:

```typescript
import {Directive, OnInit} from '@angular/core';
import {fromEvent} from 'rxjs';
import {debounceTime, distinctUntilChanged, map} from 'rxjs/operators';
import {Link, NgxLinkifyjsService} from 'ngx-linkifyjs';
import {MatLinkPreviewService} from '../../module/service/mat-link-preview.service';

@Directive({
  selector: '[matLinkPreview]',
  exportAs: '[matLinkPreview]',
})
export class MatLinkPreviewDirective implements OnInit {

  constructor(public linkifyService: NgxLinkifyjsService,
              public linkPreviewService: MatLinkPreviewService) {
  }

  ngOnInit(): void {
    this._init();
  }

  private _init() {
    // Subscribes on `document`, so every bubbling 'input' event on the page
    // (from any field, not just the host element) reaches this handler.
    fromEvent(document, 'input')
      .pipe(
        debounceTime(2000),
        distinctUntilChanged(),
        map(event => {
          const data = event.target['value'];
          const links: Link[] = this.linkifyService.find(data);
          // Raw field contents are written to the console in plain text.
          console.log('data: ', data);
          console.log('links: ', links);
          // event.target['value'] = this.linkifyService.linkify(data);
          return links;
        })).subscribe((links) => {
      this.linkPreviewService.onLinkFound.emit(links);
    });
  }

}
```

@AnthonyNahas
Member

I will check that asap! thanks for contributing <3


nseney1 commented Oct 24, 2019

@AnthonyNahas Sounds good man and no problem. I'm happy to contribute, the library that you're providing is really nice. If you have any concerns with the way I try to mend this issue please lmk and I'll get to it as soon as possible.

As for my idea on fixing this, which you will see in the PR: I basically figured that we could remove the subscription to all input events and apply an oninput function to the actual element that the directive is bound to (which Angular is able to inject into the directive through an element ref). This way you're not subscribing to all input events, only the input event for the element it's bound on.
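To make the difference between the two approaches concrete, here is an added, framework-free TypeScript model of the two handlers (example code written for this thread, not the library's code or the PR). `FakeInput`, `findLinks` (a regex stand-in for `linkifyService.find`) and `simulate` are constructed for the example; the host-scoped handler is what an element-bound listener such as `@HostListener('input')` delivers.

```typescript
// Minimal stand-ins for the DOM objects involved (constructed for this example).
interface FakeInput { type: string; value: string; }
interface FakeInputEvent { target: FakeInput; }
type Handler = (e: FakeInputEvent) => void;

// Stand-in for linkifyService.find: returns the http(s) URLs found in text.
function findLinks(text: string): string[] {
  return text.match(/https?:\/\/[^\s]+/g) ?? [];
}

// Pattern from the issue: a single document-level listener receives every
// bubbling 'input' event, so every field's value (passwords included) passes
// through the same code path and ends up in the log.
function documentWideHandler(log: string[], emit: (links: string[]) => void): Handler {
  return (e) => {
    const data = e.target.value;
    log.push('data: ' + data);           // models the console.log in the directive
    emit(findLinks(data));
  };
}

// Proposed pattern: the listener is bound to the host element only. Events from
// other fields are ignored, and the raw text is never logged, only the links.
function hostScopedHandler(host: FakeInput, emit: (links: string[]) => void): Handler {
  return (e) => {
    if (e.target !== host) return;       // not the element the directive is on
    if (host.type === 'password') return; // defence in depth: never scan secrets
    emit(findLinks(e.target.value));
  };
}

// Simulate a page with a comment box (directive host) and a password field,
// dispatching one 'input' event from each to both handlers.
function simulate() {
  const comment: FakeInput = { type: 'text', value: 'see https://example.com' };
  const password: FakeInput = { type: 'password', value: 'hunter2' };
  const events: FakeInputEvent[] = [{ target: comment }, { target: password }];
  const leakedLog: string[] = [];
  const globalLinks: string[][] = [];
  const scopedLinks: string[][] = [];
  const global = documentWideHandler(leakedLog, l => globalLinks.push(l));
  const scoped = hostScopedHandler(comment, l => scopedLinks.push(l));
  for (const ev of events) { global(ev); scoped(ev); }
  return { leakedLog, globalLinks, scopedLinks };
}
```

Running `simulate()` shows the password value in `leakedLog` for the document-wide handler, while the host-scoped handler only ever sees the comment box and emits one link list.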

@AnthonyNahas AnthonyNahas self-assigned this Nov 30, 2019