MatLinkPreview Directive Security Flaw? #99

@nseney1

Description

Bug Report or Feature Request (mark with an x)

- [x] bug report -> please search issues before submitting
- [ ] feature request

OS and Version?

Ubuntu 16.04

Versions

Angular 8.3.1
NPM 6.7.0

Looking at the source code for the mat link preview directive, I'm a little concerned about the way you're subscribing to input events and logging the data. It seems like if you use the matLinkPreview directive anywhere in your application then it will log all of your inputs (including password fields) as plain text in the console.

The piece of code that I'm looking at is:

import {Directive, OnInit} from '@angular/core';
import {fromEvent} from 'rxjs';
import {debounceTime, distinctUntilChanged, map} from 'rxjs/operators';
import {Link, NgxLinkifyjsService} from 'ngx-linkifyjs';
import {MatLinkPreviewService} from '../../module/service/mat-link-preview.service';

@Directive({
  selector: '[matLinkPreview]',
  exportAs: '[matLinkPreview]',
})
export class MatLinkPreviewDirective implements OnInit {

  constructor(public linkifyService: NgxLinkifyjsService,
              public linkPreviewService: MatLinkPreviewService) {
  }

  ngOnInit(): void {
    this._init();
  }

  private _init() {
    // Listens on `document`, so every 'input' event in the page (not just the
    // host element) reaches this handler.
    fromEvent(document, 'input')
      .pipe(
        debounceTime(2000),
        distinctUntilChanged(),
        map(event => {
          const data = event.target['value'];
          const links: Link[] = this.linkifyService.find(data);
          // Raw field contents are written to the console here.
          console.log('data: ', data);
          console.log('links: ', links);
          // event.target['value'] = this.linkifyService.linkify(data);
          return links;
        })).subscribe((links) => {
      this.linkPreviewService.onLinkFound.emit(links);
    });
  }

}
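As an added example (not the library's code and not from the reporter), a framework-free sketch of how the handler could be scoped to its own host field, skip secret-bearing fields, and forward only the extracted links instead of logging field contents. `find` and `emit` are assumed stand-ins for `linkifyService.find` and `linkPreviewService.onLinkFound.emit`; the scheduler parameters exist so the debounce can be driven synchronously in tests.

```typescript
type Scheduler = (fn: () => void, ms: number) => unknown;

export interface FieldLike {
  value: string;
  type?: string;
  autocomplete?: string;
  addEventListener(type: 'input', listener: () => void): void;
  removeEventListener?(type: 'input', listener: () => void): void;
}

// Fields whose contents must never be read or forwarded (assumed policy).
export function isScannableField(field: { type?: string; autocomplete?: string }): boolean {
  const t = (field.type ?? 'text').toLowerCase();
  if (t === 'password' || t === 'hidden') return false;
  const ac = (field.autocomplete ?? '').toLowerCase();
  return !(ac.includes('password') || ac === 'one-time-code' || ac.startsWith('cc-'));
}

// Listen on ONE field (the directive's host) rather than on `document`; apply the
// same debounce + distinct-value behaviour; emit links only. Returns a detach function.
export function attachLinkPreview<L>(
  field: FieldLike,
  find: (text: string) => L[],
  emit: (links: L[]) => void,
  debounceMs = 2000,
  schedule: Scheduler = (fn, ms) => setTimeout(fn, ms),
  cancel: (handle: unknown) => void = (h) => clearTimeout(h as ReturnType<typeof setTimeout>),
): () => void {
  if (!isScannableField(field)) return () => undefined;   // never attach to secrets
  let pending: unknown;
  let lastValue: string | undefined;
  const listener = () => {
    if (pending !== undefined) cancel(pending);           // debounceTime
    pending = schedule(() => {
      pending = undefined;
      const value = field.value;                           // read the host only
      if (value === lastValue) return;                     // distinctUntilChanged
      lastValue = value;
      emit(find(value));                                   // no console.log of `value`
    }, debounceMs);
  };
  field.addEventListener('input', listener);
  return () => {
    if (pending !== undefined) cancel(pending);
    field.removeEventListener?.('input', listener);
  };
}
```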
