angular.js

Hopiu/angular.js

Fork 0

mirror of https://github.com/Hopiu/angular.js.git synced 2026-03-18 07:50:22 +00:00

Commit graph

Author	SHA1	Message	Date
Misko Hevery	2bbced212e	Fix sanitization issues as suggested by evn	2010-12-03 15:42:42 -08:00
Misko Hevery	41d5938883	Fixed sanitization * explicitly require full URLs (ftp\|https?://...) * list the URI attributes * remove a lot of unneeded attributes	2010-11-29 21:55:32 -08:00
Misko Hevery	4fdab37659	create HTML sanitizer to allow inclusion of untrusted HTML in safe manner. Sanitization works in two phases: 1) We parse the HTML into sax-like events (start, end, chars). HTML parsing is very complex, and so it may very well be that what most browser consider valid HTML may not pares properly here, but we do best effort. We treat this parser as untrusted. 2) We have safe sanitizeWriter which treats its input (start, end, chars) as untrusted content and escapes everything. It only allows elements in the whitelist and only allows attributes which are whitelisted. Any attribute value must not start with 'javascript:'. This check is performed after escaping for entity (&xAB; etc..) and ignoring any whitespace. - Correct linky filter to use safeHtmlWriter - Correct html filter to use safeHtmlWriter Close #33; Close #34	2010-10-26 13:41:07 -07:00

Author

SHA1

Message

Date

Misko Hevery

2bbced212e

Fix sanitization issues as suggested by evn

2010-12-03 15:42:42 -08:00

Misko Hevery

41d5938883

Fixed sanitization

* explicitly require full URLs (ftp|https?://...)
* list the URI attributes
* remove a lot of unneeded attributes

2010-11-29 21:55:32 -08:00

Misko Hevery

4fdab37659

create HTML sanitizer to allow inclusion of untrusted HTML in safe manner.

Sanitization works in two phases:
 1) We parse the HTML into sax-like events (start, end, chars).
    HTML parsing is very complex, and so it may very well be that what
    most browser consider valid HTML may not pares properly here,
    but we do best effort. We treat this parser as untrusted.
 2) We have safe sanitizeWriter which treats its input (start, end, chars)
    as untrusted content and escapes everything. It only allows elements
    in the whitelist and only allows attributes which are whitelisted.
    Any attribute value must not start with 'javascript:'. This check
    is performed after escaping for entity (&xAB; etc..) and ignoring
    any whitespace.

 - Correct linky filter to use safeHtmlWriter
 - Correct html filter to use safeHtmlWriter

Close #33; Close #34

2010-10-26 13:41:07 -07:00

3 commits