-
Notifications
You must be signed in to change notification settings - Fork 27.5k
angular-sanitize.js remove internal links #3748
Comments
Just had the same issue and I must admit I don't get the whole point of sanitizing href attributes this way. Can anybody knowledgeable, please, explain what's the whole point of |
Anyone? |
I've created this pull request that fixes the problem. I's only one char more in a reqular expression more. |
The reason why it works this way is that a link could be which would cause script injection. Unfortunately it is not easy to determine if a link is prefixed with javascript: since there are a lot of ways in which the javascript keyword can be encoded/escaped. So the safest way is to just assuming that the link must be fully qualified ie start with http and so on. I find this a slippery slope by adding / to the list of things which it can start with, since you could also start with .. and ./ and so on. I think a better way to fix this is to let the browser decode the URL and assert that it starts with http, just like we do here: https://github.com/angular/angular.js/blob/master/src/ng/compile.js#L718 This would solve all of the use cases in a trusted way. |
@mhevery Had the same thought yesterday, but added a message to the PR (#4736 (comment)). Sorry for the double work... |
`$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes angular#3748.
`$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes angular#3748.
`$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes angular#3748.
I've written an wiki application that is showing the converted markdown as html in a div element that is using the ng-bind-html directive.
I have in my html some internal links in this format
My html will be processed by the angular-sanitize.js. And here is my problem, the final html doesn't contains my link. I see only the text Page1.
I've looked into the code of the angular-sanitize.js file and I've found the regex that is responsible to detect any links:
After I've changed the regex to this, the link wasn't removed.
Could you fix this please in the original version of the angular-sanitize.js? Thanks!
The text was updated successfully, but these errors were encountered: