cargdev/angular
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): no warning when sanitizing escaped html (#9392) (#9413)

Browse Source
This commit is contained in:
Wojciech Kwiatek 2016-06-23 22:06:19 +02:00 committed by Martin Probst
parent 6c5b653593
commit 98cef76931
2 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
modules/@angular/platform-browser/src/security/html_sanitizer.ts
View File

@ -231,11 +231,11 @@ function stripCustomNsAttrs(el: any) {
* Sanitizes the given unsafe, untrusted HTML fragment, and returns HTML text that is safe to add to * Sanitizes the given unsafe, untrusted HTML fragment, and returns HTML text that is safe to add to
* the DOM in a browser environment. * the DOM in a browser environment.
*/ */
export function sanitizeHtml(unsafeHtml: string): string { export function sanitizeHtml(unsafeHtmlInput: string): string {
try { try {
let containerEl = getInertElement(); const containerEl = getInertElement();
// Make sure unsafeHtml is actually a string (TypeScript types are not enforced at runtime). // Make sure unsafeHtml is actually a string (TypeScript types are not enforced at runtime).
unsafeHtml = unsafeHtml ? String(unsafeHtml) : ''; let unsafeHtml = unsafeHtmlInput ? String(unsafeHtmlInput) : '';
// mXSS protection. Repeatedly parse the document to make sure it stabilizes, so that a browser // mXSS protection. Repeatedly parse the document to make sure it stabilizes, so that a browser
// trying to auto-correct incorrect HTML cannot cause formerly inert HTML to become dangerous. // trying to auto-correct incorrect HTML cannot cause formerly inert HTML to become dangerous.
@ -266,7 +266,7 @@ export function sanitizeHtml(unsafeHtml: string): string {
DOM.removeChild(parent, child); DOM.removeChild(parent, child);
} }
if (isDevMode() && safeHtml !== unsafeHtml) { if (isDevMode() && safeHtml !== unsafeHtmlInput) {
DOM.log('WARNING: sanitizing HTML stripped some content.'); DOM.log('WARNING: sanitizing HTML stripped some content.');
} }

4
modules/@angular/platform-browser/test/security/html_sanitizer_spec.ts
View File

@ -51,6 +51,10 @@ export function main() {
t.expect(sanitizeHtml('<?pi nodes?>no.')).toEqual('no.'); t.expect(sanitizeHtml('<?pi nodes?>no.')).toEqual('no.');
t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/); t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/);
}); });
t.it('supports sanitizing escaped entities', () => {
t.expect(sanitizeHtml('&#128640;')).toEqual('&#128640;');
t.expect(logMsgs).toEqual([]);
});
t.it('escapes entities', () => { t.it('escapes entities', () => {
t.expect(sanitizeHtml('<p>Hello &lt; World</p>')).toEqual('<p>Hello &lt; World</p>'); t.expect(sanitizeHtml('<p>Hello &lt; World</p>')).toEqual('<p>Hello &lt; World</p>');
t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello &lt; World</p>'); t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello &lt; World</p>');