feat(security): warn users when sanitizing in dev mode.

This should help developers figure out what is going on when the sanitizer
strips some of their input.

Fixes #8522.
Martin Probst
2016-05-09 16:46:31 +02:00
parent 9fbafba993
commit 3e68b7eb1f
6 changed files with 52 additions and 3 deletions


@ -39,7 +39,7 @@ export function main() {
t.it('ignores non-element, non-attribute nodes', () => {
t.expect(sanitizeHtml('<!-- comments? -->no.')).toEqual('no.');
t.expect(sanitizeHtml('<?pi nodes?>no.')).toEqual('no.');
t.expect(logMsgs.join('\n')).toMatch(/HTML contents were removed during sanitization/);
t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/);
});
t.it('escapes entities', () => {
t.expect(sanitizeHtml('<p>Hello &lt; World</p>')).toEqual('<p>Hello &lt; World</p>');
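Review bot: The new assertion `t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/)` only proves that some warning was logged at some point across the two `sanitizeHtml` calls above it; it does not tie the warning to the stripped comment and processing-instruction nodes, and nothing in the hunk covers the negative case where the input survives unchanged and no warning should be emitted. The 'escapes entities' case directly below is the natural place for that check, e.g. `t.expect(logMsgs.length).toBe(0);` after the round-trip expectation, but its body continues outside the hunk so I cannot tell whether it already does so. Asserting `t.expect(logMsgs.length).toBe(2);` before the regex match in the first case would additionally pin one warning per stripped input, assuming the implementation logs once per call.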


@ -1,13 +1,28 @@
import * as t from '@angular/core/testing/testing_internal';
import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeStyle} from '../../src/security/style_sanitizer';
export function main() {
t.describe('Style sanitizer', () => {
let logMsgs: string[];
let originalLog: (msg: any) => any;
t.beforeEach(() => {
logMsgs = [];
originalLog = getDOM().log; // Monkey patch DOM.log.
getDOM().log = (msg) => logMsgs.push(msg);
});
t.afterEach(() => { getDOM().log = originalLog; });
t.it('sanitizes values', () => {
t.expect(sanitizeStyle('abc')).toEqual('abc');
t.expect(sanitizeStyle('expression(haha)')).toEqual('unsafe');
// Unbalanced quotes.
t.expect(sanitizeStyle('"value" "')).toEqual('unsafe');
t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe style value/);
});
});
}
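Review bot: `t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe style value/)` runs once after three `sanitizeStyle` calls, two of which are expected to be rejected, so it cannot tell whether the safe `'abc'` value also produced a warning or whether only one of the two unsafe values did; moving the log assertion directly after each rejected call, or asserting `t.expect(logMsgs.length).toBe(2);` before the regex match, would tie the warning to the rejection. The monkey-patch declaration `let originalLog: (msg: any) => any;` could take its type from the DOM adapter instead of `any`, and the same declaration appears in the URL sanitizer spec in the next file section. The commit title says the warning is dev-mode only, but neither spec exercises the production path; a case asserting that `logMsgs` stays empty when dev mode is off would guard against shipping the warning to production consoles, where it may echo attacker-controlled input if the message includes the rejected value (not visible in this hunk).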


@ -1,8 +1,26 @@
import * as t from '@angular/core/testing/testing_internal';
import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeUrl} from '../../src/security/url_sanitizer';
export function main() {
t.describe('URL sanitizer', () => {
let logMsgs: string[];
let originalLog: (msg: any) => any;
t.beforeEach(() => {
logMsgs = [];
originalLog = getDOM().log; // Monkey patch DOM.log.
getDOM().log = (msg) => logMsgs.push(msg);
});
t.afterEach(() => { getDOM().log = originalLog; });
t.it('reports unsafe URLs', () => {
t.expect(sanitizeUrl('javascript:evil()')).toBe('unsafe:javascript:evil()');
t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe URL value/);
});
t.describe('valid URLs', () => {
const validUrls = [
'',