angular-cn/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts

import * as t from '@angular/core/testing/testing_internal';

import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeStyle} from '../../src/security/style_sanitizer';

export function main() {
  t.describe('Style sanitizer', () => {
    let logMsgs: string[];
    let originalLog: (msg: any) => any;

    t.beforeEach(() => {
      logMsgs = [];
      originalLog = getDOM().log;  // Monkey patch DOM.log.
      getDOM().log = (msg) => logMsgs.push(msg);
    });
    t.afterEach(() => { getDOM().log = originalLog; });

    function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }

    t.it('sanitizes values', () => {
      expectSanitize('abc').toEqual('abc');
      expectSanitize('50px').toEqual('50px');
      expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
      expectSanitize('expression(haha)').toEqual('unsafe');
    });
    t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
    t.it('accepts transform functions', () => {
      expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
      expectSanitize('rotate(javascript:evil())').toEqual('unsafe');
      expectSanitize('translateX(12px, -5px)').toEqual('translateX(12px, -5px)');
      expectSanitize('scale3d(1, 1, 2)').toEqual('scale3d(1, 1, 2)');
    });
    t.it('sanitizes URLs', () => {
      expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');
      expectSanitize('url( foo/bar.png\n )').toEqual('url( foo/bar.png\n )');
      expectSanitize('url(javascript:evil())').toEqual('unsafe');
      expectSanitize('url(strangeprotocol:evil)').toEqual('unsafe');
    });
    t.it('accepts quoted URLs', () => {
      expectSanitize('url("foo/bar.png")').toEqual('url("foo/bar.png")');
      expectSanitize(`url('foo/bar.png')`).toEqual(`url('foo/bar.png')`);
      expectSanitize(`url(  'foo/bar.png'\n )`).toEqual(`url(  'foo/bar.png'\n )`);
      expectSanitize('url("javascript:evil()")').toEqual('unsafe');
      expectSanitize('url( " javascript:evil() " )').toEqual('unsafe');
    });
  });
}
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`import * as t from '@angular/core/testing/testing_internal';`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
			`import {getDOM} from '../../src/dom/dom_adapter';`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`import {sanitizeStyle} from '../../src/security/style_sanitizer';`

			`export function main() {`
			`t.describe('Style sanitizer', () => {`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`let logMsgs: string[];`
			`let originalLog: (msg: any) => any;`

			`t.beforeEach(() => {`
			`logMsgs = [];`
			`originalLog = getDOM().log; // Monkey patch DOM.log.`
			`getDOM().log = (msg) => logMsgs.push(msg);`
			`});`
			`t.afterEach(() => { getDOM().log = originalLog; });`

feat(security): support transform CSS functions for sanitization. Fixes part of #8514. 2016-05-09 09:57:07 +02:00			`function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`t.it('sanitizes values', () => {`
feat(security): support transform CSS functions for sanitization. Fixes part of #8514. 2016-05-09 09:57:07 +02:00			`expectSanitize('abc').toEqual('abc');`
			`expectSanitize('50px').toEqual('50px');`
			`expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');`
			`expectSanitize('expression(haha)').toEqual('unsafe');`
			`});`
			`t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });`
			`t.it('accepts transform functions', () => {`
			`expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');`
			`expectSanitize('rotate(javascript:evil())').toEqual('unsafe');`
			`expectSanitize('translateX(12px, -5px)').toEqual('translateX(12px, -5px)');`
			`expectSanitize('scale3d(1, 1, 2)').toEqual('scale3d(1, 1, 2)');`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`});`
feat(security): allow url(...) style values. Allows sanitized URLs for CSS properties. These can be abused for information leakage, but only if the CSS rules are already set up to allow for it. That is, an attacker cannot cause information leakage without controlling the style rules present, or a very particular setup. Fixes #8514. 2016-05-15 11:33:47 +02:00			`t.it('sanitizes URLs', () => {`
			`expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');`
test(security): test case for quoted URL values. Test case that fixes #8701. This is already supported with the latest sanitizer changes, but it's good to have an explicit test case. 2016-05-26 08:00:34 -07:00			`expectSanitize('url( foo/bar.png\n )').toEqual('url( foo/bar.png\n )');`
feat(security): allow url(...) style values. Allows sanitized URLs for CSS properties. These can be abused for information leakage, but only if the CSS rules are already set up to allow for it. That is, an attacker cannot cause information leakage without controlling the style rules present, or a very particular setup. Fixes #8514. 2016-05-15 11:33:47 +02:00			`expectSanitize('url(javascript:evil())').toEqual('unsafe');`
			`expectSanitize('url(strangeprotocol:evil)').toEqual('unsafe');`
			`});`
test(security): test case for quoted URL values. Test case that fixes #8701. This is already supported with the latest sanitizer changes, but it's good to have an explicit test case. 2016-05-26 08:00:34 -07:00			`t.it('accepts quoted URLs', () => {`
			`expectSanitize('url("foo/bar.png")').toEqual('url("foo/bar.png")');`
			expectSanitize(`url('foo/bar.png')`).toEqual(`url('foo/bar.png')`);
			expectSanitize(`url( 'foo/bar.png'\n )`).toEqual(`url( 'foo/bar.png'\n )`);
			`expectSanitize('url("javascript:evil()")').toEqual('unsafe');`
			`expectSanitize('url( " javascript:evil() " )').toEqual('unsafe');`
			`});`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`});`
			`}`