Hopiu/angular.js
1
0
Fork 0
mirror of https://github.com/Hopiu/angular.js.git synced 2026-05-04 05:04:44 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
angular.js/src/ngSanitize/sanitize.js

467 lines
15 KiB
JavaScript
Raw Normal View History

feat(strict mode): adding strict mode flag to all js files the flag must be in all src and test files so that we get the benefit of running in the strict mode even in jstd the following script was used to modify all files: for file in `find src test -name "*.js"`; do echo -e "'use strict';\n" > temp.txt cat $file >> temp.txt mv temp.txt $file done
2011-07-17 08:05:43 +00:00
'use strict';
style(minerr): prefer component name as namespace Closes #3527
2013-08-09 18:14:37 +00:00
var $sanitizeMinErr = angular.$$minErr('$sanitize');
chore(sanitize): use minErr to throw exception
2013-07-08 12:23:45 +00:00
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
/**
* @ngdoc overview
docs(*): simplify doc urls we now have two types of namespaces: - true namespace: angular.* - used for all global apis - virtual namespace: ng.*, ngMock.*, ... - used for all DI modules the virual namespaces have services under the second namespace level (e.g. ng.) and filters and directives prefixed with filter: and directive: respectively (e.g. ng.filter:orderBy, ng.directive:ngRepeat) this simplifies urls and makes them a lot shorter while still avoiding name collisions
2012-06-12 06:49:24 +00:00
* @name ngSanitize
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
* @description
docs(sanitize): add @description section
2013-05-29 13:44:36 +00:00
*
docs(module): improve the installation instructions for optional modules Currently, the documentation does a bad job of explaining the distinction between the services that it provides, and the module itself. Furthermore, the instructions for using optional modules are inconsistent or missing. This commit addresses the problem by ading a new `{@installModule foo}` annotation to the docs generator that inlines the appropriate instructions based on the name of the module.
2013-08-22 19:32:42 +00:00
* # ngSanitize
*
* The `ngSanitize` module provides functionality to sanitize HTML.
docs(sanitize): add @description section
2013-05-29 13:44:36 +00:00
*
docs(module): improve the installation instructions for optional modules Currently, the documentation does a bad job of explaining the distinction between the services that it provides, and the module itself. Furthermore, the instructions for using optional modules are inconsistent or missing. This commit addresses the problem by ading a new `{@installModule foo}` annotation to the docs generator that inlines the appropriate instructions based on the name of the module.
2013-08-22 19:32:42 +00:00
* {@installModule sanitize}
docs(sanitize): add @description section
2013-05-29 13:44:36 +00:00
*
feat(docs): provide index pages for each angular module
2013-10-17 02:48:32 +00:00
* <div doc-module-components="ngSanitize"></div>
*
docs(module): improve the installation instructions for optional modules Currently, the documentation does a bad job of explaining the distinction between the services that it provides, and the module itself. Furthermore, the instructions for using optional modules are inconsistent or missing. This commit addresses the problem by ading a new `{@installModule foo}` annotation to the docs generator that inlines the appropriate instructions based on the name of the module.
2013-08-22 19:32:42 +00:00
* See {@link ngSanitize.$sanitize `$sanitize`} for usage.
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
*/
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
/*
* HTML Parser By Misko Hevery (misko@hevery.com)
* based on: HTML Parser By John Resig (ejohn.org)
* Original code by Erik Arvidsson, Mozilla Public License
* http://erik.eae.net/simplehtmlparser/simplehtmlparser.js
*
* // Use like so:
* htmlParser(htmlString, {
* start: function(tag, attrs, unary) {},
* end: function(tag) {},
* chars: function(text) {},
* comment: function(text) {}
* });
*
*/
refactor(sanitizer): turn sanitizer into a service
2011-11-21 22:09:52 +00:00
/**
* @ngdoc service
docs(*): simplify doc urls we now have two types of namespaces: - true namespace: angular.* - used for all global apis - virtual namespace: ng.*, ngMock.*, ... - used for all DI modules the virual namespaces have services under the second namespace level (e.g. ng.) and filters and directives prefixed with filter: and directive: respectively (e.g. ng.filter:orderBy, ng.directive:ngRepeat) this simplifies urls and makes them a lot shorter while still avoiding name collisions
2012-06-12 06:49:24 +00:00
* @name ngSanitize.$sanitize
refactor(sanitizer): turn sanitizer into a service
2011-11-21 22:09:52 +00:00
* @function
*
* @description
* The input is sanitized by parsing the html into tokens. All safe tokens (from a whitelist) are
* then serialized back to properly escaped html string. This means that no unsafe input can make
* it into the returned string, however, since our parser is more strict than a typical browser
* parser, it's possible that some obscure input, which would be recognized as valid HTML by a
* browser, won't make it through the sanitizer.
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
* The whitelist is configured using the functions `aHrefSanitizationWhitelist` and
* `imgSrcSanitizationWhitelist` of {@link ng.$compileProvider `$compileProvider`}.
refactor(sanitizer): turn sanitizer into a service
2011-11-21 22:09:52 +00:00
*
* @param {string} html Html input.
* @returns {string} Sanitized html.
*
* @example
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
<doc:example module="ngSanitize">
style: make jshint happy
2013-10-22 21:41:21 +00:00
<doc:source>
<script>
function Ctrl($scope, $sce) {
$scope.snippet =
'<p style="color:blue">an html\n' +
'<em onmouseover="this.textContent=\'PWN3D!\'">click here</em>\n' +
'snippet</p>';
$scope.deliberatelyTrustDangerousSnippet = function() {
return $sce.trustAsHtml($scope.snippet);
};
}
</script>
<div ng-controller="Ctrl">
Snippet: <textarea ng-model="snippet" cols="60" rows="3"></textarea>
<table>
<tr>
<td>Directive</td>
<td>How</td>
<td>Source</td>
<td>Rendered</td>
</tr>
<tr id="bind-html-with-sanitize">
<td>ng-bind-html</td>
<td>Automatically uses $sanitize</td>
<td><pre>&lt;div ng-bind-html="snippet"&gt;<br/>&lt;/div&gt;</pre></td>
<td><div ng-bind-html="snippet"></div></td>
</tr>
<tr id="bind-html-with-trust">
<td>ng-bind-html</td>
<td>Bypass $sanitize by explicitly trusting the dangerous value</td>
<td>
<pre>&lt;div ng-bind-html="deliberatelyTrustDangerousSnippet()"&gt;
&lt;/div&gt;</pre>
</td>
<td><div ng-bind-html="deliberatelyTrustDangerousSnippet()"></div></td>
</tr>
<tr id="bind-default">
<td>ng-bind</td>
<td>Automatically escapes</td>
<td><pre>&lt;div ng-bind="snippet"&gt;<br/>&lt;/div&gt;</pre></td>
<td><div ng-bind="snippet"></div></td>
</tr>
</table>
</div>
</doc:source>
<doc:scenario>
it('should sanitize the html snippet by default', function() {
expect(using('#bind-html-with-sanitize').element('div').html()).
toBe('<p>an html\n<em>click here</em>\nsnippet</p>');
});
it('should inline raw snippet if bound to a trusted value', function() {
expect(using('#bind-html-with-trust').element("div").html()).
toBe("<p style=\"color:blue\">an html\n" +
"<em onmouseover=\"this.textContent='PWN3D!'\">click here</em>\n" +
"snippet</p>");
});
it('should escape snippet without any filter', function() {
expect(using('#bind-default').element('div').html()).
toBe("&lt;p style=\"color:blue\"&gt;an html\n" +
"&lt;em onmouseover=\"this.textContent='PWN3D!'\"&gt;click here&lt;/em&gt;\n" +
"snippet&lt;/p&gt;");
});
it('should update', function() {
input('snippet').enter('new <b onclick="alert(1)">text</b>');
expect(using('#bind-html-with-sanitize').element('div').html()).toBe('new <b>text</b>');
expect(using('#bind-html-with-trust').element('div').html()).toBe(
'new <b onclick="alert(1)">text</b>');
expect(using('#bind-default').element('div').html()).toBe(
"new &lt;b onclick=\"alert(1)\"&gt;text&lt;/b&gt;");
});
</doc:scenario>
refactor(sanitizer): turn sanitizer into a service
2011-11-21 22:09:52 +00:00
</doc:example>
*/
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
function $SanitizeProvider() {
this.$get = ['$$sanitizeUri', function($$sanitizeUri) {
return function(html) {
var buf = [];
htmlParser(html, htmlSanitizeWriter(buf, function(uri, isImage) {
return !/^unsafe/.test($$sanitizeUri(uri, isImage));
}));
return buf.join('');
};
}];
}
function sanitizeText(chars) {
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
var buf = [];
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
var writer = htmlSanitizeWriter(buf, angular.noop);
writer.chars(chars);
return buf.join('');
}
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
refactor(sanitizer): turn sanitizer into a service
2011-11-21 22:09:52 +00:00
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
// Regular Expressions for parsing tags and attributes
style: make jshint happy
2013-10-22 21:41:21 +00:00
var START_TAG_REGEXP =
/^<\s*([\w:-]+)((?:\s+[\w:-]+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)\s*>/,
fixed population of value attribute on option The value attribute must be populated manually, since different browsers default to different value of option when not explicitly defined.
2011-02-03 20:25:51 +00:00
END_TAG_REGEXP = /^<\s*\/\s*([\w:-]+)[^>]*>/,
ATTR_REGEXP = /([\w:-]+)(?:\s*=\s*(?:(?:"((?:[^"])*)")|(?:'((?:[^'])*)')|([^>\s]+)))?/g,
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
BEGIN_TAG_REGEXP = /^</,
BEGING_END_TAGE_REGEXP = /^<\s*\//,
COMMENT_REGEXP = /<!--(.*?)-->/g,
fix($sanitize): sanitize DOCTYPE declarations correctly HTML to be sanitized that contains a DOCTYPE declaration were causing the HTML parser to throw an error. Now the parser correctly removes the declarations when sanitizing HTML. Closes #3931
2013-10-02 19:49:20 +00:00
DOCTYPE_REGEXP = /<!DOCTYPE([^>]*?)>/i,
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
CDATA_REGEXP = /<!\[CDATA\[(.*?)]]>/g,
style: make jshint happy
2013-10-22 21:41:21 +00:00
// Match everything outside of normal chars and " (quote character)
NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g;
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
// Good source of info about elements and attributes
// http://dev.w3.org/html5/spec/Overview.html#semantics
// http://simon.html5.org/html-elements
// Safe Void Elements - HTML5
// http://dev.w3.org/html5/spec/Overview.html#void-elements
var voidElements = makeMap("area,br,col,hr,img,wbr");
// Elements that you can, intentionally, leave open (and which close themselves)
// http://dev.w3.org/html5/spec/Overview.html#optional-tags
var optionalEndTagBlockElements = makeMap("colgroup,dd,dt,li,p,tbody,td,tfoot,th,thead,tr"),
optionalEndTagInlineElements = makeMap("rp,rt"),
style: make jshint happy
2013-10-22 21:41:21 +00:00
optionalEndTagElements = angular.extend({},
optionalEndTagInlineElements,
optionalEndTagBlockElements);
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
// Safe Block Elements - HTML5
style: make jshint happy
2013-10-22 21:41:21 +00:00
var blockElements = angular.extend({}, optionalEndTagBlockElements, makeMap("address,article," +
"aside,blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5," +
"h6,header,hgroup,hr,ins,map,menu,nav,ol,pre,script,section,table,ul"));
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
// Inline Elements - HTML5
style: make jshint happy
2013-10-22 21:41:21 +00:00
var inlineElements = angular.extend({}, optionalEndTagInlineElements, makeMap("a,abbr,acronym,b," +
"bdi,bdo,big,br,cite,code,del,dfn,em,font,i,img,ins,kbd,label,map,mark,q,ruby,rp,rt,s," +
"samp,small,span,strike,strong,sub,sup,time,tt,u,var"));
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
// Special Elements (can contain anything)
var specialElements = makeMap("script,style");
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
style: make jshint happy
2013-10-22 21:41:21 +00:00
var validElements = angular.extend({},
voidElements,
blockElements,
inlineElements,
optionalEndTagElements);
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
//Attributes that have href and hence need to be sanitized
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap");
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
var validAttrs = angular.extend({}, uriAttrs, makeMap(
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
smarter normalization of value on option, and htmlParser fixes
2011-02-04 00:35:51 +00:00
'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,'+
'ismap,lang,language,nohref,nowrap,rel,rev,rows,rowspan,rules,'+
Fix sanitization issues as suggested by evn
2010-12-03 23:42:11 +00:00
'scope,scrolling,shape,span,start,summary,target,title,type,'+
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
'valign,value,vspace,width'));
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
function makeMap(str) {
var obj = {}, items = str.split(','), i;
for (i = 0; i < items.length; i++) obj[items[i]] = true;
return obj;
}
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
/**
* @example
* htmlParser(htmlString, {
* start: function(tag, attrs, unary) {},
* end: function(tag) {},
* chars: function(text) {},
* comment: function(text) {}
* });
*
* @param {string} html string
* @param {object} handler
*/
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
function htmlParser( html, handler ) {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
var index, chars, match, stack = [], last = html;
chore(formating): clean code to be function() {
2011-10-07 18:27:49 +00:00
stack.last = function() { return stack[ stack.length - 1 ]; };
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
while ( html ) {
chars = true;
// Make sure we're not in a script or style element
if ( !stack.last() || !specialElements[ stack.last() ] ) {
// Comment
if ( html.indexOf("<!--") === 0 ) {
fix(ngSanitize): sanitizer should not accept <!--> as a valid comment According to http://validator.w3.org/ , <!--> is not a valid comment and neither is any comment containing the -- substring.
2013-08-17 23:09:28 +00:00
// comments containing -- are not allowed unless they terminate the comment
index = html.indexOf("--", 4);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
fix(ngSanitize): sanitizer should not accept <!--> as a valid comment According to http://validator.w3.org/ , <!--> is not a valid comment and neither is any comment containing the -- substring.
2013-08-17 23:09:28 +00:00
if ( index >= 0 && html.lastIndexOf("-->", index) === index) {
smarter normalization of value on option, and htmlParser fixes
2011-02-04 00:35:51 +00:00
if (handler.comment) handler.comment( html.substring( 4, index ) );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
html = html.substring( index + 3 );
chars = false;
}
fix($sanitize): sanitize DOCTYPE declarations correctly HTML to be sanitized that contains a DOCTYPE declaration were causing the HTML parser to throw an error. Now the parser correctly removes the declarations when sanitizing HTML. Closes #3931
2013-10-02 19:49:20 +00:00
// DOCTYPE
} else if ( DOCTYPE_REGEXP.test(html) ) {
match = html.match( DOCTYPE_REGEXP );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
fix($sanitize): sanitize DOCTYPE declarations correctly HTML to be sanitized that contains a DOCTYPE declaration were causing the HTML parser to throw an error. Now the parser correctly removes the declarations when sanitizing HTML. Closes #3931
2013-10-02 19:49:20 +00:00
if ( match ) {
html = html.replace( match[0] , '');
chars = false;
}
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
// end tag
} else if ( BEGING_END_TAGE_REGEXP.test(html) ) {
match = html.match( END_TAG_REGEXP );
if ( match ) {
html = html.substring( match[0].length );
match[0].replace( END_TAG_REGEXP, parseEndTag );
chars = false;
}
// start tag
} else if ( BEGIN_TAG_REGEXP.test(html) ) {
match = html.match( START_TAG_REGEXP );
if ( match ) {
html = html.substring( match[0].length );
match[0].replace( START_TAG_REGEXP, parseStartTag );
chars = false;
}
}
if ( chars ) {
index = html.indexOf("<");
var text = index < 0 ? html : html.substring( 0, index );
html = index < 0 ? "" : html.substring( index );
smarter normalization of value on option, and htmlParser fixes
2011-02-04 00:35:51 +00:00
if (handler.chars) handler.chars( decodeEntities(text) );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
}
} else {
style: make jshint happy
2013-10-22 21:41:21 +00:00
html = html.replace(new RegExp("(.*)<\\s*\\/\\s*" + stack.last() + "[^>]*>", 'i'),
function(all, text){
text = text.replace(COMMENT_REGEXP, "$1").replace(CDATA_REGEXP, "$1");
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
style: make jshint happy
2013-10-22 21:41:21 +00:00
if (handler.chars) handler.chars( decodeEntities(text) );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
style: make jshint happy
2013-10-22 21:41:21 +00:00
return "";
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
});
parseEndTag( "", stack.last() );
}
if ( html == last ) {
style: make jshint happy
2013-10-22 21:41:21 +00:00
throw $sanitizeMinErr('badparse', "The sanitizer was unable to parse the following block " +
"of html: {0}", html);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
}
last = html;
}
// Clean up any remaining tags
parseEndTag();
function parseStartTag( tag, tagName, rest, unary ) {
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
tagName = angular.lowercase(tagName);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
if ( blockElements[ tagName ] ) {
while ( stack.last() && inlineElements[ stack.last() ] ) {
parseEndTag( "", stack.last() );
}
}
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
if ( optionalEndTagElements[ tagName ] && stack.last() == tagName ) {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
parseEndTag( "", tagName );
}
feat(sanitizer): add html5 elements to the whitelist Closes #89
2011-10-20 16:43:00 +00:00
unary = voidElements[ tagName ] || !!unary;
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
if ( !unary )
stack.push( tagName );
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
var attrs = {};
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
style: make jshint happy
2013-10-22 21:41:21 +00:00
rest.replace(ATTR_REGEXP,
function(match, name, doubleQuotedValue, singleQuotedValue, unquotedValue) {
var value = doubleQuotedValue
|| singleQuotedValue
|| unquotedValue
|| '';
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
style: make jshint happy
2013-10-22 21:41:21 +00:00
attrs[name] = decodeEntities(value);
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
});
smarter normalization of value on option, and htmlParser fixes
2011-02-04 00:35:51 +00:00
if (handler.start) handler.start( tagName, attrs, unary );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
}
function parseEndTag( tag, tagName ) {
var pos = 0, i;
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
tagName = angular.lowercase(tagName);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
if ( tagName )
// Find the closest opened tag of the same type
for ( pos = stack.length - 1; pos >= 0; pos-- )
if ( stack[ pos ] == tagName )
break;
if ( pos >= 0 ) {
// Close all the open elements, up the stack
for ( i = stack.length - 1; i >= pos; i-- )
smarter normalization of value on option, and htmlParser fixes
2011-02-04 00:35:51 +00:00
if (handler.end) handler.end( stack[ i ] );
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
// Remove the open elements from the stack
stack.length = pos;
}
}
fixing lint warnings in older code
2010-12-06 17:56:49 +00:00
}
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
fix($sanitize): don't rely on YARR regex engine executing immediately In Safari 7 (and other browsers potentially using the latest YARR JIT library) regular expressions are not always executed immediately that they are called. The regex is only evaluated (lazily) when you first access properties on the `matches` result object returned from the regex call. In the case of `decodeEntities()`, we were updating this returned object, `parts[0] = ''`, before accessing it, `if (parts[2])', and so our change was overwritten by the result of executing the regex. The solution here is not to modify the match result object at all. We only need to make use of the three match results directly in code. Developers should be aware, in the future, when using regex, to read from the result object before making modifications to it. There is no additional test committed here, because when run against Safari 7, this bug caused numerous specs to fail, which are all fixed by this commit. Closes #5193 Closes #5192
2013-12-03 10:39:09 +00:00
var hiddenPre=document.createElement("pre");
var spaceRe = /^(\s*)([\s\S]*?)(\s*)$/;
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
/**
* decodes all entities into regular string
* @param value
fixing closure compiler warnings
2010-12-07 04:48:47 +00:00
* @returns {string} A string with decoded entities.
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
*/
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
function decodeEntities(value) {
fix($sanitize): don't rely on YARR regex engine executing immediately In Safari 7 (and other browsers potentially using the latest YARR JIT library) regular expressions are not always executed immediately that they are called. The regex is only evaluated (lazily) when you first access properties on the `matches` result object returned from the regex call. In the case of `decodeEntities()`, we were updating this returned object, `parts[0] = ''`, before accessing it, `if (parts[2])', and so our change was overwritten by the result of executing the regex. The solution here is not to modify the match result object at all. We only need to make use of the three match results directly in code. Developers should be aware, in the future, when using regex, to read from the result object before making modifications to it. There is no additional test committed here, because when run against Safari 7, this bug caused numerous specs to fail, which are all fixed by this commit. Closes #5193 Closes #5192
2013-12-03 10:39:09 +00:00
if (!value) { return ''; }
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
// Note: IE8 does not preserve spaces at the start/end of innerHTML
fix($sanitize): don't rely on YARR regex engine executing immediately In Safari 7 (and other browsers potentially using the latest YARR JIT library) regular expressions are not always executed immediately that they are called. The regex is only evaluated (lazily) when you first access properties on the `matches` result object returned from the regex call. In the case of `decodeEntities()`, we were updating this returned object, `parts[0] = ''`, before accessing it, `if (parts[2])', and so our change was overwritten by the result of executing the regex. The solution here is not to modify the match result object at all. We only need to make use of the three match results directly in code. Developers should be aware, in the future, when using regex, to read from the result object before making modifications to it. There is no additional test committed here, because when run against Safari 7, this bug caused numerous specs to fail, which are all fixed by this commit. Closes #5193 Closes #5192
2013-12-03 10:39:09 +00:00
// so we must capture them and reattach them afterward
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
var parts = spaceRe.exec(value);
fix($sanitize): don't rely on YARR regex engine executing immediately In Safari 7 (and other browsers potentially using the latest YARR JIT library) regular expressions are not always executed immediately that they are called. The regex is only evaluated (lazily) when you first access properties on the `matches` result object returned from the regex call. In the case of `decodeEntities()`, we were updating this returned object, `parts[0] = ''`, before accessing it, `if (parts[2])', and so our change was overwritten by the result of executing the regex. The solution here is not to modify the match result object at all. We only need to make use of the three match results directly in code. Developers should be aware, in the future, when using regex, to read from the result object before making modifications to it. There is no additional test committed here, because when run against Safari 7, this bug caused numerous specs to fail, which are all fixed by this commit. Closes #5193 Closes #5192
2013-12-03 10:39:09 +00:00
var spaceBefore = parts[1];
var spaceAfter = parts[3];
var content = parts[2];
if (content) {
hiddenPre.innerHTML=content.replace(/</g,"&lt;");
fix(ngSanitize): prefer textContent to innerText to avoid layout trashing innerText depends on styling as it doesn't display hidden elements. Therefore, it's better to use textContent not to cause unnecessary reflows. However, IE<9 don't support textContent so the innerText fallback is necessary.
2013-11-24 20:13:51 +00:00
// innerText depends on styling as it doesn't display hidden elements.
// Therefore, it's better to use textContent not to cause unnecessary
// reflows. However, IE<9 don't support textContent so the innerText
// fallback is necessary.
content = 'textContent' in hiddenPre ?
hiddenPre.textContent : hiddenPre.innerText;
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
}
fix($sanitize): don't rely on YARR regex engine executing immediately In Safari 7 (and other browsers potentially using the latest YARR JIT library) regular expressions are not always executed immediately that they are called. The regex is only evaluated (lazily) when you first access properties on the `matches` result object returned from the regex call. In the case of `decodeEntities()`, we were updating this returned object, `parts[0] = ''`, before accessing it, `if (parts[2])', and so our change was overwritten by the result of executing the regex. The solution here is not to modify the match result object at all. We only need to make use of the three match results directly in code. Developers should be aware, in the future, when using regex, to read from the result object before making modifications to it. There is no additional test committed here, because when run against Safari 7, this bug caused numerous specs to fail, which are all fixed by this commit. Closes #5193 Closes #5192
2013-12-03 10:39:09 +00:00
return spaceBefore + content + spaceAfter;
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
}
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
/**
fixed example rendering, add tests for it.
2011-01-19 23:42:11 +00:00
* Escapes all potentially dangerous characters, so that the
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
* resulting string can be safely inserted into attribute or
* element text.
* @param value
* @returns escaped text
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
*/
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
function encodeEntities(value) {
return value.
replace(/&/g, '&amp;').
replace(NON_ALPHANUMERIC_REGEXP, function(value){
return '&#' + value.charCodeAt(0) + ';';
}).
replace(/</g, '&lt;').
replace(/>/g, '&gt;');
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
}
/**
* create an HTML/XML writer which writes to buffer
* @param {Array} buf use buf.jain('') to get out sanitized html string
fix closure compile warnings
2010-10-27 04:06:24 +00:00
* @returns {object} in the form of {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
* start: function(tag, attrs, unary) {},
* end: function(tag) {},
* chars: function(text) {},
* comment: function(text) {}
* }
*/
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
function htmlSanitizeWriter(buf, uriValidator){
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
var ignore = false;
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
var out = angular.bind(buf, buf.push);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
return {
start: function(tag, attrs, unary){
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
tag = angular.lowercase(tag);
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
if (!ignore && specialElements[tag]) {
ignore = tag;
}
style: make jshint happy
2013-10-22 21:41:21 +00:00
if (!ignore && validElements[tag] === true) {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
out('<');
out(tag);
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
angular.forEach(attrs, function(value, key){
var lkey=angular.lowercase(key);
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
var isImage = (tag === 'img' && lkey === 'src') || (lkey === 'background');
if (validAttrs[lkey] === true &&
(uriAttrs[lkey] !== true || uriValidator(value, isImage))) {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
out(' ');
out(key);
out('="');
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
out(encodeEntities(value));
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
out('"');
}
});
out(unary ? '/>' : '>');
}
},
end: function(tag){
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
tag = angular.lowercase(tag);
style: make jshint happy
2013-10-22 21:41:21 +00:00
if (!ignore && validElements[tag] === true) {
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
out('</');
out(tag);
out('>');
}
if (tag == ignore) {
ignore = false;
}
},
chars: function(chars){
if (!ignore) {
Fixed sanitization * explicitly require full URLs (ftp|https?://...) * list the URI attributes * remove a lot of unneeded attributes
2010-11-24 04:10:05 +00:00
out(encodeEntities(chars));
create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34
2010-10-19 04:20:47 +00:00
}
}
};
}
chore(ngSanitize): extract $sanitize, ngBindHtml, linkyFilter into a module Create build for other modules as well (ngResource, ngCookies): - wrap into a function - add license - add version Breaks `$sanitize` service, `ngBindHtml` directive and `linky` filter were moved to the `ngSanitize` module. Apps that depend on any of these will need to load `angular-sanitize.js` and include `ngSanitize` in their dependency list: `var myApp = angular.module('myApp', ['ngSanitize']);`
2012-04-10 23:50:31 +00:00
// define ngSanitize module and register $sanitize service
fix($sanitize): Use same whitelist mechanism as $compile does. `$sanitize` now uses the same mechanism as `$compile` to validate uris. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`. Changes - Creates the new private service `$$sanitizeUri`. - Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`. - Refactors the `linky` filter to be less dependent on `$sanitize` internal functions. Fixes #3748.
2013-11-25 23:40:18 +00:00
angular.module('ngSanitize', []).provider('$sanitize', $SanitizeProvider);
Reference in a new issue Copy permalink