-
Notifications
You must be signed in to change notification settings - Fork 24.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
getInertBodyElement returns null, crashing in _sanitizeHtml #39834
Comments
This is interesting. There are two Note that One thing you could do to help diagnose what is going on is to remove the |
Not as helpful as you wished I bet. |
Well it's a step forward... I expect the error is now throwing on this line:
|
To save you from a bit of debugging.. I tried this, but with no luck, it works "fine".
|
Hmm, we need to dig/debug a bit further. I assume that if you remove our |
To be frank, this is a production app and I am modifying minified code right now. And not all my traffic is coming from an iPad. |
OK, no stress. I don't have access to an iPad to test myself right now. Sorry. |
Alright, I found the code... not simple. Pushed to production and we will see. I had to make sure the "fallback" works with most browser first. Thanks. |
I confirm that when I was using the other implementation, I was getting no error whatsoever about this. |
Hmm, so it looks like for Mobile Safari we cannot use the |
I think it's a good alternative, but I'm not a IVY/compiler coder :) Do you guys have any reason why this would throw in the first place (other than the one we haven't found the exact cause here). Looking at the DOMParser in WebKit. (If this is the correct code being used) The document cannot be null, but the reach of ".body" returned null. |
One thing, can I ask @jsgoupil, did this suddenly start happening, i.e. after an upgrade to Angular, or has it always been doing this? The reason I ask is that this commit landed in 11.0.0 and it might be causing the |
I note this issue seems similar: DylanPiercey/set-dom#23
|
What you propose seems what they have done on that other repo. (to fallback if the body is not present) |
@koto and @cure53 - have you come across this issue in https://github.com/cure53/DOMPurify? I can't see any mention of it. But I do see that you fall back on the |
We have seen many issues with Safari but not this one it seems. |
In some browsers, notably a mobile version of webkit on iPad, the result of calling `DOMParser.parseFromString()` returns a document whose `body` property is null until the next tick of the browser. Since this is of no use to us for sanitization, we now fall back to the "inert document" strategy for this case. Fixes angular#39834
I created a PR that should fall back in this scenario... #40107 |
In some browsers, notably a mobile version of webkit on iPad, the result of calling `DOMParser.parseFromString()` returns a document whose `body` property is null until the next tick of the browser. Since this is of no use to us for sanitization, we now fall back to the "inert document" strategy for this case. Fixes angular#39834
In some browsers, notably a mobile version of webkit on iPad, the result of calling `DOMParser.parseFromString()` returns a document whose `body` property is null until the next tick of the browser. Since this is of no use to us for sanitization, we now fall back to the "inert document" strategy for this case. Fixes #39834 PR Close #40107
This issue has been automatically locked due to inactivity. Read more about our automatic conversation locking policy. This action has been performed automatically by a bot. |
馃悶 bug report
Affected Package
The issue is caused by package @angular/coreIs this a regression?
NoDescription
With IVY, the following lineangular/packages/core/src/sanitization/html_sanitizer.ts
Line 267 in 3e1e5a1
causes this error
I have real trouble to repro this consistently; and it happens only on a specific browser without access to the console (I'm not a mac developer).
But the
getInertBodyElement
CAN return null within a try/catch, but nothing is reported. The lineinertBodyElement
bypasses the nullability with !.And it happens ONLY with this browser:
Mobile Safari UI/WKWebView
Version 14.1, 14.0, 13.7, 13.6, 12.4
To get that specific browser, you get it via an iPad app with a
UIWebView
This is getting quite specific, but it happens a lot.
Why in the first place there is no check for this nullability?
馃敩 Minimal Reproduction
The data being passed in is
<span class="quick-books-status"><img src="/assets/images/quick-books-pending.svg" title="QuickBooks Pending" alt="" /></span>
but I have doubts that this is the main issues.
馃敟 Exception or Error
馃實 Your Environment
Angular Version: 11.0.0
Anything else relevant?
Yes. It's a browser served in a UIWebView on an iPad; which results in Safari.
Example of a user-agent affected
The text was updated successfully, but these errors were encountered: