cargdev/angular
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(core): allow css custom variables/properties in the style sanitizer (#33841)

Browse Source 
This change enables "var(--my-var)" to pass through the style sanitizer.

After consulation with our security team, allowing these doesn't create
new attack vectors, so the sanitizer doesn't need to strip them.

Fixes parts of #23485 related to the sanitizer, other use cases discussed
there related to binding have been addressed via other changes to the
class and style handling in the runtime.

Closes #23485

PR Close #33841
This commit is contained in:
Igor Minar
2019-11-14 17:02:26 -08:00
committed by Alex Rickabaugh
parent 4e0eb3627d
commit 61cc7a3437
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
packages/core/test/sanitization/style_sanitizer_spec.ts
View File

@ -51,6 +51,9 @@ describe('Style sanitizer', () => {
it('accepts calc', () => { expectSanitize('calc(90%-123px)').toEqual('calc(90%-123px)'); });
it('accepts var',
() => { expectSanitize('var(--my-custom-var)').toEqual('var(--my-custom-var)'); });
it('sanitizes URLs', () => {
expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');
expectSanitize('url( foo/bar.png\n )').toEqual('url( foo/bar.png\n )');