fix($parse): check function call context to be safe

Closes #4417
Chirayu Krishnappa 2013-10-14 16:05:53 -07:00 committed by Igor Minar
parent 3aefd3a4f0
commit 6d324c76f0
2 changed files with 15 additions and 0 deletions


@ -754,6 +754,7 @@ Parser.prototype = {
}
var fnPtr = fn(scope, locals, context) || noop;
ensureSafeObject(context, parser.text);
ensureSafeObject(fnPtr, parser.text);
// IE stupidity! (IE doesn't have apply for some native functions)
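Review bot: The `ensureSafeObject(context, parser.text);` call, which appears to be the line this commit adds, has no comment explaining why the receiver needs its own check when `fnPtr` is already checked on the next line. I would put `// context becomes 'this' for the call, so it must pass the same Window/DOM check as fnPtr` above it, since the spec added in this commit is otherwise the only place the reason is recorded. How the call's arguments and its result are treated lies outside this hunk and cannot be confirmed from here. The enclosing function starts and ends outside the hunk.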


@ -730,6 +730,20 @@ describe('parser', function() {
'$parse', 'isecdom', 'Referencing DOM nodes in Angular expressions is ' +
'disallowed! Expression: getDoc()');
}));
it('should NOT allow calling functions on Window or DOM', inject(function($window, $document) {
scope.a = {b: { win: $window, doc: $document }};
expect(function() {
scope.$eval('a.b.win.alert(1)', scope);
}).toThrowMinErr(
'$parse', 'isecwindow', 'Referencing the Window in Angular expressions is ' +
'disallowed! Expression: a.b.win.alert(1)');
expect(function() {
scope.$eval('a.b.doc.on("click")', scope);
}).toThrowMinErr(
'$parse', 'isecdom', 'Referencing DOM nodes in Angular expressions is ' +
'disallowed! Expression: a.b.doc.on("click")');
}));
});
});
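Review bot: Both assertions in the new spec call `scope.$eval(expr, scope)`, passing the scope a second time as the locals argument, so the receiver is presumably only ever resolved with locals present; a plain `scope.$eval('a.b.win.alert(1)')` is not covered. I would add that variant, or a comment saying why locals are passed. A control case is also missing: a call on an ordinary object, for example `scope.a = {b: {f: function() { return 1; }}};` followed by `expect(scope.$eval('a.b.f()')).toBe(1);`, would show that the new receiver check does not reject legitimate method calls. The `describe` blocks closed at the end of this hunk open outside it.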