From f9abec5915afc5c6b0bbfb3be965d1e887b91767 Mon Sep 17 00:00:00 2001 From: Martin Staffa Date: Wed, 1 Aug 2018 09:52:04 +0200 Subject: [PATCH 1/3] fix(ngHref): allow numbers as input --- src/ng/sanitizeUri.js | 4 ++-- test/ng/directive/ngHrefSpec.js | 8 ++++++++ test/ng/sanitizeUriSpec.js | 3 +++ 3 files changed, 13 insertions(+), 2 deletions(-) diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js index edda8244e406..fc4d19e9d0a6 100644 --- a/src/ng/sanitizeUri.js +++ b/src/ng/sanitizeUri.js @@ -72,11 +72,11 @@ function $$SanitizeUriProvider() { return function sanitizeUri(uri, isMediaUrl) { // if (!uri) return uri; var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist; - var normalizedVal = urlResolve(uri && uri.trim()).href; + var normalizedVal = urlResolve(uri && uri.toString().trim()).href; if (normalizedVal !== '' && !normalizedVal.match(regex)) { return 'unsafe:' + normalizedVal; } - return uri; + return uri.toString(); }; }; } diff --git a/test/ng/directive/ngHrefSpec.js b/test/ng/directive/ngHrefSpec.js index 6d44ac8b5631..07f257f1d756 100644 --- a/test/ng/directive/ngHrefSpec.js +++ b/test/ng/directive/ngHrefSpec.js @@ -36,6 +36,14 @@ describe('ngHref', function() { expect(element.attr('href')).toEqual('http://server'); })); + + it('should bind href if value is a number', inject(function($rootScope, $compile) { + element = $compile('')($rootScope); + $rootScope.$digest(); + expect(element.attr('href')).toEqual('1234'); + })); + + it('should not set the href if ng-href is empty', inject(function($rootScope, $compile) { $rootScope.url = null; element = $compile('')($rootScope); diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js index c5ca4c5d040f..ce4eb3f44a06 100644 --- a/test/ng/sanitizeUriSpec.js +++ b/test/ng/sanitizeUriSpec.js @@ -111,6 +111,9 @@ describe('sanitizeUri', function() { testUrl = 'file:///foo/bar.html'; expect(sanitizeImg(testUrl)).toBe('file:///foo/bar.html'); + + testUrl = 1234; + expect(sanitizeImg(1234)).toBe('1234'); }); it('should not sanitize blob urls', function() { From 3352a77dd579abc3ff936fa39f712c8184e5350f Mon Sep 17 00:00:00 2001 From: Martin Staffa Date: Thu, 16 Aug 2018 12:17:51 +0200 Subject: [PATCH 2/3] fixup! fix(ngHref): allow numbers as input --- src/ng/sanitizeUri.js | 4 +-- src/ng/sce.js | 2 +- test/ng/directive/ngHrefSpec.js | 44 +++++++++++++++++++++++++++------ 3 files changed, 39 insertions(+), 11 deletions(-) diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js index fc4d19e9d0a6..edda8244e406 100644 --- a/src/ng/sanitizeUri.js +++ b/src/ng/sanitizeUri.js @@ -72,11 +72,11 @@ function $$SanitizeUriProvider() { return function sanitizeUri(uri, isMediaUrl) { // if (!uri) return uri; var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist; - var normalizedVal = urlResolve(uri && uri.toString().trim()).href; + var normalizedVal = urlResolve(uri && uri.trim()).href; if (normalizedVal !== '' && !normalizedVal.match(regex)) { return 'unsafe:' + normalizedVal; } - return uri.toString(); + return uri; }; }; } diff --git a/src/ng/sce.js b/src/ng/sce.js index a5f618ef8fe4..45f90a8af951 100644 --- a/src/ng/sce.js +++ b/src/ng/sce.js @@ -440,7 +440,7 @@ function $SceDelegateProvider() { // If we get here, then we will either sanitize the value or throw an exception. if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) { // we attempt to sanitize non-resource URLs - return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL); + return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL); } else if (type === SCE_CONTEXTS.RESOURCE_URL) { if (isResourceUrlAllowedByPolicy(maybeTrusted)) { return maybeTrusted; diff --git a/test/ng/directive/ngHrefSpec.js b/test/ng/directive/ngHrefSpec.js index 07f257f1d756..2c5e99c076b3 100644 --- a/test/ng/directive/ngHrefSpec.js +++ b/test/ng/directive/ngHrefSpec.js @@ -36,14 +36,6 @@ describe('ngHref', function() { expect(element.attr('href')).toEqual('http://server'); })); - - it('should bind href if value is a number', inject(function($rootScope, $compile) { - element = $compile('')($rootScope); - $rootScope.$digest(); - expect(element.attr('href')).toEqual('1234'); - })); - - it('should not set the href if ng-href is empty', inject(function($rootScope, $compile) { $rootScope.url = null; element = $compile('')($rootScope); @@ -87,6 +79,42 @@ describe('ngHref', function() { })); } + + it('should bind numbers', inject(function($rootScope, $compile) { + element = $compile('')($rootScope); + $rootScope.$digest(); + expect(element.attr('href')).toEqual('1234'); + })); + + + it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) { + $rootScope.value = {}; + element = $compile('')($rootScope); + $rootScope.$digest(); + expect(element.attr('href')).toEqual('[object Object]'); + + function SafeClass() {} + + SafeClass.prototype.toString = function() { + return 'custom value'; + }; + + $rootScope.value = new SafeClass(); + $rootScope.$digest(); + expect(element.attr('href')).toEqual('custom value'); + + function UnsafeClass() {} + + UnsafeClass.prototype.toString = function() { + return 'javascript:alert(1);'; + }; + + $rootScope.value = new UnsafeClass(); + $rootScope.$digest(); + expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);'); + })); + + if (isDefined(window.SVGElement)) { describe('SVGAElement', function() { it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) { From 1733287924117257bca2d82aa2e16ebbdcf60c76 Mon Sep 17 00:00:00 2001 From: Martin Staffa Date: Thu, 16 Aug 2018 12:19:27 +0200 Subject: [PATCH 3/3] fixup! fix(ngHref): allow numbers as input --- test/ng/sanitizeUriSpec.js | 3 --- 1 file changed, 3 deletions(-) diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js index ce4eb3f44a06..c5ca4c5d040f 100644 --- a/test/ng/sanitizeUriSpec.js +++ b/test/ng/sanitizeUriSpec.js @@ -111,9 +111,6 @@ describe('sanitizeUri', function() { testUrl = 'file:///foo/bar.html'; expect(sanitizeImg(testUrl)).toBe('file:///foo/bar.html'); - - testUrl = 1234; - expect(sanitizeImg(1234)).toBe('1234'); }); it('should not sanitize blob urls', function() {