
Docs/errors 5200 5201 #69504

Open

arturovt wants to merge 2 commits into angular:main from arturovt:docs/errors_5200_5201

Conversation

@arturovt (Contributor):

See individual commits.

arturovt added 2 commits June 24, 2026 21:56
Adds a reference page for `NG05200`, thrown by `DomSanitizer` when a value is bound to a `<script>` element without being marked trusted via `bypassSecurityTrustScript`. Covers why Angular rejects script content outright, how to reproduce the error, the escape hatch, and the XSS caveat.
Adds a reference page for `NG05201`, thrown by `DomSanitizer` when a value is bound to a resource-loading attribute (`<iframe src>`, `<link href>`, etc.) without being marked trusted via `bypassSecurityTrustResourceUrl`. Covers why Angular rejects resource URLs outright, lists all affected elements and attributes, and documents the escape hatch with its XSS caveat.
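The escape hatch the NG05201 commit describes, as an added example that is not part of this PR: the origin check a component should run before calling `bypassSecurityTrustResourceUrl`, since the call only tells Angular to trust the value and does not make it safe. The `ResourceUrlSanitizer` interface, the `ALLOWED_EMBED_ORIGINS` allowlist and the `.test` hosts are constructed stand-ins so the code runs without Angular installed.

```typescript
// Added example, not code from this PR: the origin check an app should run
// before calling the NG05201 escape hatch. bypassSecurityTrustResourceUrl only
// tells Angular "trust this"; whether the value deserves trust is decided here.

// Hypothetical structural stand-in for Angular's DomSanitizer so the example
// runs without @angular/platform-browser; in an app, inject the real service.
interface ResourceUrlSanitizer {
  bypassSecurityTrustResourceUrl(value: string): unknown; // SafeResourceUrl
}

// Constructed allowlist of origins this app is willing to embed in
// <iframe src> / <link href>. Anything else is rejected, not "sanitized".
const ALLOWED_EMBED_ORIGINS: ReadonlySet<string> = new Set([
  'https://player.example-video.test',
  'https://docs.example.test',
]);

// Returns the normalized URL when it may be embedded, or null when it must not.
// Binding null renders nothing; binding the raw string would throw NG05201.
function checkResourceUrl(raw: string): string | null {
  let url: URL;
  try {
    url = new URL(raw); // relative or malformed input has no origin to allow
  } catch {
    return null;
  }
  if (url.protocol !== 'https:') return null; // drops javascript:, data:, http:
  if (url.username || url.password) return null; // no embedded credentials
  if (!ALLOWED_EMBED_ORIGINS.has(url.origin)) return null; // exact origin match
  return url.href;
}

// The only place the escape hatch is invoked, and only after the check passed.
function trustedResourceUrl(raw: string, sanitizer: ResourceUrlSanitizer): unknown {
  const checked = checkResourceUrl(raw);
  return checked === null ? null : sanitizer.bypassSecurityTrustResourceUrl(checked);
}
```

In a component, `trustedResourceUrl(userValue, inject(DomSanitizer))` is what gets bound to `[src]`, so the bypass call never sees a value the allowlist did not approve.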
pullapprove (bot) requested a review from JeanMeche June 24, 2026 19:00
angular-robot (bot) added the label "area: docs" (Related to the documentation) Jun 24, 2026
ngbot (bot) added this to the Backlog milestone Jun 24, 2026
```ts
export class Example {
  safeScript: SafeScript;

  constructor(sanitizer: DomSanitizer) {
```

Contributor:

NIT:

Suggested change:

```diff
-constructor(sanitizer: DomSanitizer) {
+constructor() {
+  const sanitizer = inject(DomSanitizer);
+}
```

Look for a template binding that targets a `<script>` element:

```html
<script [innerHTML]="myScript"></script>
```

@SkyZeroZx (Contributor) Jun 24, 2026:

This is not a good example; the Angular compiler removes the script when it is written directly in the template.

@@ -0,0 +1,36 @@
# Unsafe value used in a script context

@SkyZeroZx (Contributor) Jun 24, 2026:

I have some doubts about whether we should document this. As far as I understand and know, it's not currently possible to pass JavaScript directly, at least within the script tag, so I don't think it would apply, given that the use of createComponent was also recently restricted.

See GHSA-692r-grfm-v8x7 and #68713.
