honeymoose
/
angular-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
angular-cn/packages/platform-browser/test/security/html_sanitizer_spec.ts

114 lines
4.8 KiB
TypeScript
Raw Normal View History

chore(lint): Added license headers to most TypeScript files Relates to #9380
2016-06-23 12:47:54 -04:00
/**
* @license
* Copyright Google Inc. All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.io/license
*/
build: fix file paths after moving modules/@angular/* to packages/*
2017-03-02 15:12:46 -05:00
import * as t from '@angular/core/testing/src/testing_internal';
import {browserDetection} from '@angular/platform-browser/testing/src/browser_util';
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeHtml} from '../../src/security/html_sanitizer';
export function main() {
t.describe('HTML sanitizer', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
let defaultDoc: any;
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
let originalLog: (msg: any) => any = null;
let logMsgs: string[];
t.beforeEach(() => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
defaultDoc = getDOM().supportsDOMEvents() ? document : getDOM().createHtmlDocument();
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
logMsgs = [];
originalLog = getDOM().log; // Monkey patch DOM.log.
getDOM().log = (msg) => logMsgs.push(msg);
});
t.afterEach(() => { getDOM().log = originalLog; });
t.it('serializes nested structures', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>'))
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
.toEqual('<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>');
t.expect(logMsgs).toEqual([]);
});
t.it('serializes self closing elements', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<p>Hello <br> World</p>'))
.toEqual('<p>Hello <br> World</p>');
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
});
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
t.it('supports namespaced elements', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, 'a<my:hr/><my:div>b</my:div>c')).toEqual('abc');
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
t.it('supports namespaced attributes', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<a xlink:href="something">t</a>'))
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
.toEqual('<a xlink:href="something">t</a>');
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<a xlink:evil="something">t</a>')).toEqual('<a>t</a>');
t.expect(sanitizeHtml(defaultDoc, '<a xlink:href="javascript:foo()">t</a>'))
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
.toEqual('<a xlink:href="unsafe:javascript:foo()">t</a>');
});
test(security): tests for HTML5 elements, srcset. Part of #9572.
2016-06-27 15:18:48 -04:00
t.it('supports HTML5 elements', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<main><summary>Works</summary></main>'))
test(security): tests for HTML5 elements, srcset. Part of #9572.
2016-06-27 15:18:48 -04:00
.toEqual('<main><summary>Works</summary></main>');
});
t.it('sanitizes srcset attributes', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<img srcset="/foo.png 400px, javascript:evil() 23px">'))
test(security): tests for HTML5 elements, srcset. Part of #9572.
2016-06-27 15:18:48 -04:00
.toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
t.it('supports sanitizing plain text', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, 'Hello, World')).toEqual('Hello, World');
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
t.it('ignores non-element, non-attribute nodes', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<!-- comments? -->no.')).toEqual('no.');
t.expect(sanitizeHtml(defaultDoc, '<?pi nodes?>no.')).toEqual('no.');
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522.
2016-05-09 10:46:31 -04:00
t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/);
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
});
fix(security): no warning when sanitizing escaped html (#9392) (#9413)
2016-06-23 16:06:19 -04:00
t.it('supports sanitizing escaped entities', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '&#128640;')).toEqual('&#128640;');
fix(security): no warning when sanitizing escaped html (#9392) (#9413)
2016-06-23 16:06:19 -04:00
t.expect(logMsgs).toEqual([]);
});
feat(security): only warn when actually sanitizing HTML. (#10272) Previously, Angular would warn users when simply re-encoding text outside of the ASCII range. While harmless, the log spam was annoying. With this change, Angular specifically tracks whether anything was stripped during sanitization, and only reports a warning if so. Fixes #10206.
2016-07-26 14:39:09 -04:00
t.it('does not warn when just re-encoding text', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<p>Hellö Wörld</p>'))
.toEqual('<p>Hell&#246; W&#246;rld</p>');
feat(security): only warn when actually sanitizing HTML. (#10272) Previously, Angular would warn users when simply re-encoding text outside of the ASCII range. While harmless, the log spam was annoying. With this change, Angular specifically tracks whether anything was stripped during sanitization, and only reports a warning if so. Fixes #10206.
2016-07-26 14:39:09 -04:00
t.expect(logMsgs).toEqual([]);
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
t.it('escapes entities', () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<p>Hello &lt; World</p>'))
.toEqual('<p>Hello &lt; World</p>');
t.expect(sanitizeHtml(defaultDoc, '<p>Hello < World</p>')).toEqual('<p>Hello &lt; World</p>');
t.expect(sanitizeHtml(defaultDoc, '<p alt="% &amp; &quot; !">Hello</p>'))
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
.toEqual('<p alt="% &amp; &#34; !">Hello</p>'); // NB: quote encoded as ASCII &#34;.
});
t.describe('should strip dangerous elements', () => {
refactor(): use const and let instead of var
2016-11-12 08:08:58 -05:00
const dangerousTags = [
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
'frameset', 'form', 'param', 'object', 'embed', 'textarea', 'input', 'button', 'option',
'select', 'script', 'style', 'link', 'base', 'basefont'
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
];
refactor(): use const and let instead of var
2016-11-12 08:08:58 -05:00
for (const tag of dangerousTags) {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.it(`${tag}`, () => {
t.expect(sanitizeHtml(defaultDoc, `<${tag}>evil!</${tag}>`)).toEqual('evil!');
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
}
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
t.it(`swallows frame entirely`, () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, `<frame>evil!</frame>`)).not.toContain('<frame>');
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
});
t.describe('should strip dangerous attributes', () => {
refactor(): use const and let instead of var
2016-11-12 08:08:58 -05:00
const dangerousAttrs = ['id', 'name', 'style'];
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
refactor(): use const and let instead of var
2016-11-12 08:08:58 -05:00
for (const attr of dangerousAttrs) {
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
t.it(`${attr}`, () => {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, `<a ${attr}="x">evil!</a>`)).toEqual('<a>evil!</a>');
style(lint): re-format modules/@angular
2016-06-08 19:38:52 -04:00
});
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
}
});
if (browserDetection.isWebkit) {
t.it('should prevent mXSS attacks', function() {
feat(platform-server): add API to render Module and ModuleFactory to string (#14381) - PlatformState provides an interface to serialize the current Platform State as a string or Document. - renderModule and renderModuleFactory are convenience methods to wait for Angular Application to stabilize and then render the state to a string. - refactor code to remove defaultDoc from DomAdapter and inject DOCUMENT where it's needed.
2017-02-14 19:14:40 -05:00
t.expect(sanitizeHtml(defaultDoc, '<a href="&#x3000;javascript:alert(1)">CLICKME</a>'))
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108
2016-04-30 22:02:05 -04:00
.toEqual('<a href="unsafe:javascript:alert(1)">CLICKME</a>');
});
}
});
}