forked from angular/angular.js
-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix($sanitize): Use same whitelist mechanism as $compile does.
`$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes angular#3748.
- Loading branch information
1 parent
b562f4e
commit 751491b
Showing
9 changed files
with
550 additions
and
339 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,74 @@ | ||
'use strict'; | ||
|
||
/** | ||
* @description | ||
* Private service to sanitize uris for links and images. Used by $compile and $sanitize. | ||
*/ | ||
function $$SanitizeUriProvider() { | ||
var aHrefSanitizationWhitelist = /^\s*(https?|ftp|mailto|tel|file):/, | ||
imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file):|data:image\//; | ||
|
||
/** | ||
* @description | ||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe | ||
* urls during a[href] sanitization. | ||
* | ||
* The sanitization is a security measure aimed at prevent XSS attacks via html links. | ||
* | ||
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into | ||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist` | ||
* regular expression. If a match is found, the original url is written into the dom. Otherwise, | ||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. | ||
* | ||
* @param {RegExp=} regexp New regexp to whitelist urls with. | ||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for | ||
* chaining otherwise. | ||
*/ | ||
this.aHrefSanitizationWhitelist = function(regexp) { | ||
if (isDefined(regexp)) { | ||
aHrefSanitizationWhitelist = regexp; | ||
return this; | ||
} | ||
return aHrefSanitizationWhitelist; | ||
}; | ||
|
||
|
||
/** | ||
* @description | ||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe | ||
* urls during img[src] sanitization. | ||
* | ||
* The sanitization is a security measure aimed at prevent XSS attacks via html links. | ||
* | ||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into | ||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist` | ||
* regular expression. If a match is found, the original url is written into the dom. Otherwise, | ||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. | ||
* | ||
* @param {RegExp=} regexp New regexp to whitelist urls with. | ||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for | ||
* chaining otherwise. | ||
*/ | ||
this.imgSrcSanitizationWhitelist = function(regexp) { | ||
if (isDefined(regexp)) { | ||
imgSrcSanitizationWhitelist = regexp; | ||
return this; | ||
} | ||
return imgSrcSanitizationWhitelist; | ||
}; | ||
|
||
this.$get = function() { | ||
return function sanitizeUri(uri, isImage) { | ||
var regex = isImage ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist; | ||
var normalizedVal; | ||
// NOTE: urlResolve() doesn't support IE < 8 so we don't sanitize for that case. | ||
if (!msie || msie >= 8 ) { | ||
normalizedVal = urlResolve(uri).href; | ||
if (normalizedVal !== '' && !normalizedVal.match(regex)) { | ||
return 'unsafe:'+normalizedVal; | ||
} | ||
} | ||
return uri; | ||
}; | ||
}; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.