feat(security): allow more HTML5 elements and attributes in sanitizers

Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
parent 3644eef860
commit 6605eb30e9
3 changed files with 66 additions and 16 deletions
--- a/modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts
+++ b/modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts
@ -9,7 +9,7 @@
 import * as t from '@angular/core/testing/testing_internal';

 import {getDOM} from '../../src/dom/dom_adapter';
-import {sanitizeUrl} from '../../src/security/url_sanitizer';
+import {sanitizeSrcset, sanitizeUrl} from '../../src/security/url_sanitizer';

 export function main() {
  t.describe('URL sanitizer', () => {
@ -28,7 +28,6 @@ export function main() {
      t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe URL value/);
    });

-
    t.describe('valid URLs', () => {
      const validUrls = [
        '',
@ -47,6 +46,7 @@ export function main() {
        'http://JavaScript/my.js',
        'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',  // Truncated.
        'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
+        'data:audio/opus;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
      ];
      for (let url of validUrls) {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
@ -76,5 +76,43 @@ export function main() {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
      }
    });
+
+    t.describe('valid srcsets', () => {
+      const validSrcsets = [
+        '',
+        'http://angular.io/images/test.png',
+        'http://angular.io/images/test.png, http://angular.io/images/test.png',
+        'http://angular.io/images/test.png, http://angular.io/images/test.png, http://angular.io/images/test.png',
+        'http://angular.io/images/test.png 2x',
+        'http://angular.io/images/test.png 2x, http://angular.io/images/test.png 3x',
+        'http://angular.io/images/test.png 1.5x',
+        'http://angular.io/images/test.png 1.25x',
+        'http://angular.io/images/test.png 200w, http://angular.io/images/test.png 300w',
+        'https://angular.io/images/test.png, http://angular.io/images/test.png',
+        'http://angular.io:80/images/test.png, http://angular.io:8080/images/test.png',
+        'http://www.angular.io:80/images/test.png, http://www.angular.io:8080/images/test.png',
+        'https://angular.io/images/test.png, https://angular.io/images/test.png',
+        '//angular.io/images/test.png, //angular.io/images/test.png',
+        '/images/test.png, /images/test.png',
+        'images/test.png, images/test.png',
+        'http://angular.io/images/test.png?12345, http://angular.io/images/test.png?12345',
+        'http://angular.io/images/test.png?maxage, http://angular.io/images/test.png?maxage',
+        'http://angular.io/images/test.png?maxage=234, http://angular.io/images/test.png?maxage=234',
+      ];
+      for (let srcset of validSrcsets) {
+        t.it(`valid ${srcset}`, () => t.expect(sanitizeSrcset(srcset)).toEqual(srcset));
+      }
+    });
+
+    t.describe('invalid srcsets', () => {
+      const invalidSrcsets = [
+        'ht:tp://angular.io/images/test.png',
+        'http://angular.io/images/test.png, ht:tp://angular.io/images/test.png',
+      ];
+      for (let srcset of invalidSrcsets) {
+        t.it(`valid ${srcset}`, () => t.expect(sanitizeSrcset(srcset)).toMatch(/unsafe:/));
+      }
+    });
+
  });
 }