honeymoose/angular-cn
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
angular-cn/modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts

119 lines
4.8 KiB
TypeScript
Raw Normal View History

chore(lint): Added license headers to most TypeScript files Relates to #9380
2016-06-23 09:47:54 -07:00
/**
* @license
* Copyright Google Inc. All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.io/license
*/
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
import * as t from '@angular/core/testing/testing_internal';
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522.
2016-05-09 16:46:31 +02:00
import {getDOM} from '../../src/dom/dom_adapter';
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
import {sanitizeSrcset, sanitizeUrl} from '../../src/security/url_sanitizer';
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
export function main() {
t.describe('URL sanitizer', () => {
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522.
2016-05-09 16:46:31 +02:00
let logMsgs: string[];
let originalLog: (msg: any) => any;
t.beforeEach(() => {
logMsgs = [];
originalLog = getDOM().log; // Monkey patch DOM.log.
getDOM().log = (msg) => logMsgs.push(msg);
});
t.afterEach(() => { getDOM().log = originalLog; });
t.it('reports unsafe URLs', () => {
t.expect(sanitizeUrl('javascript:evil()')).toBe('unsafe:javascript:evil()');
t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe URL value/);
});
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
t.describe('valid URLs', () => {
const validUrls = [
'',
'http://abc',
'HTTP://abc',
'https://abc',
'HTTPS://abc',
'ftp://abc',
'FTP://abc',
'mailto:me@example.com',
'MAILTO:me@example.com',
'tel:123-123-1234',
'TEL:123-123-1234',
'#anchor',
'/page1.md',
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511.
2016-05-15 11:44:52 +02:00
'http://JavaScript/my.js',
'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/', // Truncated.
'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
'data:audio/opus;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
];
refactor(): use const and let instead of var
2016-11-12 14:08:58 +01:00
for (const url of validUrls) {
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
}
});
t.describe('invalid URLs', () => {
const invalidUrls = [
'javascript:evil()',
'JavaScript:abc',
'evilNewProtocol:abc',
' \n Java\n Script:abc',
'javascript:',
'&#106avascript:',
'&#106 avascript:',
'&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',
'&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:',
'jav	ascript:alert();',
'jav\u0000ascript:alert();',
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511.
2016-05-15 11:44:52 +02:00
'data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'data:,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'data:iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'data:text/javascript;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'data:application/x-msdownload;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
];
refactor(): use const and let instead of var
2016-11-12 14:08:58 +01:00
for (const url of invalidUrls) {
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
}
});
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
t.describe('valid srcsets', () => {
const validSrcsets = [
'',
'http://angular.io/images/test.png',
'http://angular.io/images/test.png, http://angular.io/images/test.png',
'http://angular.io/images/test.png, http://angular.io/images/test.png, http://angular.io/images/test.png',
'http://angular.io/images/test.png 2x',
'http://angular.io/images/test.png 2x, http://angular.io/images/test.png 3x',
'http://angular.io/images/test.png 1.5x',
'http://angular.io/images/test.png 1.25x',
'http://angular.io/images/test.png 200w, http://angular.io/images/test.png 300w',
'https://angular.io/images/test.png, http://angular.io/images/test.png',
'http://angular.io:80/images/test.png, http://angular.io:8080/images/test.png',
'http://www.angular.io:80/images/test.png, http://www.angular.io:8080/images/test.png',
'https://angular.io/images/test.png, https://angular.io/images/test.png',
'//angular.io/images/test.png, //angular.io/images/test.png',
'/images/test.png, /images/test.png',
'images/test.png, images/test.png',
'http://angular.io/images/test.png?12345, http://angular.io/images/test.png?12345',
'http://angular.io/images/test.png?maxage, http://angular.io/images/test.png?maxage',
'http://angular.io/images/test.png?maxage=234, http://angular.io/images/test.png?maxage=234',
];
refactor(): use const and let instead of var
2016-11-12 14:08:58 +01:00
for (const srcset of validSrcsets) {
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
t.it(`valid ${srcset}`, () => t.expect(sanitizeSrcset(srcset)).toEqual(srcset));
}
});
t.describe('invalid srcsets', () => {
const invalidSrcsets = [
'ht:tp://angular.io/images/test.png',
'http://angular.io/images/test.png, ht:tp://angular.io/images/test.png',
];
refactor(): use const and let instead of var
2016-11-12 14:08:58 +01:00
for (const srcset of invalidSrcsets) {
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization
2016-06-24 16:54:11 +02:00
t.it(`valid ${srcset}`, () => t.expect(sanitizeSrcset(srcset)).toMatch(/unsafe:/));
}
});
feat(security): add tests for URL sanitization.
2016-05-03 18:41:31 -07:00
});
}
Reference in New Issue Copy Permalink