feat(security): only warn when actually sanitizing HTML. (#10272)

Previously, Angular would warn users when simply re-encoding text
outside of the ASCII range. While harmless, the log spam was annoying.

With this change, Angular specifically tracks whether anything was
stripped during sanitization, and only reports a warning if so.

Fixes #10206.
Martin Probst
2016-07-26 11:39:09 -07:00
committed by GitHub
parent b449467940
commit 482c019199
2 changed files with 44 additions and 32 deletions

@ -63,6 +63,10 @@ export function main() {
t.expect(sanitizeHtml('🚀')).toEqual('🚀');
t.expect(logMsgs).toEqual([]);
});
t.it('does not warn when just re-encoding text', () => {
t.expect(sanitizeHtml('<p>Hellö Wörld</p>')).toEqual('<p>Hell&#246; W&#246;rld</p>');
t.expect(logMsgs).toEqual([]);
});
t.it('escapes entities', () => {
t.expect(sanitizeHtml('<p>Hello &lt; World</p>')).toEqual('<p>Hello &lt; World</p>');
t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello &lt; World</p>');
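Review bot: The new spec 'does not warn when just re-encoding text' only pins the quiet path (`t.expect(logMsgs).toEqual([]);`), and nothing in this hunk checks that a warning is still logged when input of the same kind also has content stripped. Because the warning now depends on tracking whether anything was removed, consider a companion case next to this one whose input mixes non-ASCII text with markup the sanitizer removes, asserting that `logMsgs` is non-empty and that the output still carries the `&#246;` encoding. Without it, a regression in which the stripped-content tracking never fires would hide real sanitization from developers and still pass this spec.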