feat(security): add tests for URL sanitization.

modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts

@@ -0,0 +1,47 @@
+import * as t from '@angular/core/testing/testing_internal';
+import {sanitizeUrl} from '../../src/security/url_sanitizer';
+
+export function main() {
+  t.describe('URL sanitizer', () => {
+    t.describe('valid URLs', () => {
+      const validUrls = [
+        '',
+        'http://abc',
+        'HTTP://abc',
+        'https://abc',
+        'HTTPS://abc',
+        'ftp://abc',
+        'FTP://abc',
+        'mailto:me@example.com',
+        'MAILTO:me@example.com',
+        'tel:123-123-1234',
+        'TEL:123-123-1234',
+        '#anchor',
+        '/page1.md',
+        'http://JavaScript/my.js'
+      ];
+      for (let url of validUrls) {
+        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
+      }
+    });
+
+    t.describe('invalid URLs', () => {
+      const invalidUrls = [
+        'javascript:evil()',
+        'JavaScript:abc',
+        'evilNewProtocol:abc',
+        ' \n Java\n Script:abc',
+        'javascript:',
+        '&#106avascript:',
+        '&#106 avascript:',
+        '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',
+        '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:',
+        'jav	ascript:alert();',
+        'jav\u0000ascript:alert();',
+      ];
+      for (let url of invalidUrls) {
+        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
+      }
+    });
+  });
+}