angular-cn/modules/@angular/platform-browser/test/security/html_sanitizer_spec.ts

/**
 * @license
 * Copyright Google Inc. All Rights Reserved.
 *
 * Use of this source code is governed by an MIT-style license that can be
 * found in the LICENSE file at https://angular.io/license
 */

import * as t from '@angular/core/testing/testing_internal';
import {browserDetection} from '@angular/platform-browser/testing/browser_util';

import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeHtml} from '../../src/security/html_sanitizer';

export function main() {
  t.describe('HTML sanitizer', () => {
    let originalLog: (msg: any) => any = null;
    let logMsgs: string[];

    t.beforeEach(() => {
      logMsgs = [];
      originalLog = getDOM().log;  // Monkey patch DOM.log.
      getDOM().log = (msg) => logMsgs.push(msg);
    });
    t.afterEach(() => { getDOM().log = originalLog; });

    t.it('serializes nested structures', () => {
      t.expect(sanitizeHtml('<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>'))
          .toEqual('<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>');
      t.expect(logMsgs).toEqual([]);
    });
    t.it('serializes self closing elements', () => {
      t.expect(sanitizeHtml('<p>Hello <br> World</p>')).toEqual('<p>Hello <br> World</p>');
    });
    t.it('supports namespaced elements', () => {
      t.expect(sanitizeHtml('a<my:hr/><my:div>b</my:div>c')).toEqual('abc');
    });
    t.it('supports namespaced attributes', () => {
      t.expect(sanitizeHtml('<a xlink:href="something">t</a>'))
          .toEqual('<a xlink:href="something">t</a>');
      t.expect(sanitizeHtml('<a xlink:evil="something">t</a>')).toEqual('<a>t</a>');
      t.expect(sanitizeHtml('<a xlink:href="javascript:foo()">t</a>'))
          .toEqual('<a xlink:href="unsafe:javascript:foo()">t</a>');
    });
    t.it('supports HTML5 elements', () => {
      t.expect(sanitizeHtml('<main><summary>Works</summary></main>'))
          .toEqual('<main><summary>Works</summary></main>');
    });
    t.it('sanitizes srcset attributes', () => {
      t.expect(sanitizeHtml('<img srcset="/foo.png 400px, javascript:evil() 23px">'))
          .toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');
    });

    t.it('supports sanitizing plain text', () => {
      t.expect(sanitizeHtml('Hello, World')).toEqual('Hello, World');
    });
    t.it('ignores non-element, non-attribute nodes', () => {
      t.expect(sanitizeHtml('<!-- comments? -->no.')).toEqual('no.');
      t.expect(sanitizeHtml('<?pi nodes?>no.')).toEqual('no.');
      t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/);
    });
    t.it('supports sanitizing escaped entities', () => {
      t.expect(sanitizeHtml('&#128640;')).toEqual('&#128640;');
      t.expect(logMsgs).toEqual([]);
    });
    t.it('does not warn when just re-encoding text', () => {
      t.expect(sanitizeHtml('<p>Hellö Wörld</p>')).toEqual('<p>Hell&#246; W&#246;rld</p>');
      t.expect(logMsgs).toEqual([]);
    });
    t.it('escapes entities', () => {
      t.expect(sanitizeHtml('<p>Hello &lt; World</p>')).toEqual('<p>Hello &lt; World</p>');
      t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello &lt; World</p>');
      t.expect(sanitizeHtml('<p alt="% &amp; &quot; !">Hello</p>'))
          .toEqual('<p alt="% &amp; &#34; !">Hello</p>');  // NB: quote encoded as ASCII &#34;.
    });
    t.describe('should strip dangerous elements', () => {
      let dangerousTags = [
        'frameset', 'form', 'param', 'object', 'embed', 'textarea', 'input', 'button', 'option',
        'select', 'script', 'style', 'link', 'base', 'basefont'
      ];

      for (let tag of dangerousTags) {
        t.it(
            `${tag}`, () => { t.expect(sanitizeHtml(`<${tag}>evil!</${tag}>`)).toEqual('evil!'); });
      }
      t.it(`swallows frame entirely`, () => {
        t.expect(sanitizeHtml(`<frame>evil!</frame>`)).not.toContain('<frame>');
      });
    });
    t.describe('should strip dangerous attributes', () => {
      let dangerousAttrs = ['id', 'name', 'style'];

      for (let attr of dangerousAttrs) {
        t.it(`${attr}`, () => {
          t.expect(sanitizeHtml(`<a ${attr}="x">evil!</a>`)).toEqual('<a>evil!</a>');
        });
      }
    });

    if (browserDetection.isWebkit) {
      t.it('should prevent mXSS attacks', function() {
        t.expect(sanitizeHtml('<a href="&#x3000;javascript:alert(1)">CLICKME</a>'))
            .toEqual('<a href="unsafe:javascript:alert(1)">CLICKME</a>');
      });
    }
  });
}
chore(lint): Added license headers to most TypeScript files Relates to #9380 2016-06-23 09:47:54 -07:00			`/**`
			`* @license`
			`* Copyright Google Inc. All Rights Reserved.`
			`*`
			`* Use of this source code is governed by an MIT-style license that can be`
			`* found in the LICENSE file at https://angular.io/license`
			`*/`

feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`import * as t from '@angular/core/testing/testing_internal';`
fix(platform-browser/testing): clean up public api for platform-browser/testing (#9519) Mostly, removing things that were never intended to be exported publicy. BREAKING CHANGE: The following are no longer publicly exported APIs. They were intended as internal utilities and you should use your own util: ``` browserDetection, dispatchEvent, el, normalizeCSS, stringifyElement, expect (and custom matchers for Jasmine) ``` 2016-06-23 16:42:25 -07:00			`import {browserDetection} from '@angular/platform-browser/testing/browser_util';`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00
			`import {getDOM} from '../../src/dom/dom_adapter';`
			`import {sanitizeHtml} from '../../src/security/html_sanitizer';`

			`export function main() {`
			`t.describe('HTML sanitizer', () => {`
			`let originalLog: (msg: any) => any = null;`
			`let logMsgs: string[];`

			`t.beforeEach(() => {`
			`logMsgs = [];`
			`originalLog = getDOM().log; // Monkey patch DOM.log.`
			`getDOM().log = (msg) => logMsgs.push(msg);`
			`});`
			`t.afterEach(() => { getDOM().log = originalLog; });`

			`t.it('serializes nested structures', () => {`
			`t.expect(sanitizeHtml('<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>'))`
			`.toEqual('<div alt="x"><p>a</p>b<b>c<a alt="more">d</a></b>e</div>');`
			`t.expect(logMsgs).toEqual([]);`
			`});`
			`t.it('serializes self closing elements', () => {`
			`t.expect(sanitizeHtml('<p>Hello <br> World</p>')).toEqual('<p>Hello <br> World</p>');`
			`});`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			`t.it('supports namespaced elements', () => {`
			`t.expect(sanitizeHtml('a<my:hr/><my:div>b</my:div>c')).toEqual('abc');`
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`t.it('supports namespaced attributes', () => {`
			`t.expect(sanitizeHtml('<a xlink:href="something">t</a>'))`
			`.toEqual('<a xlink:href="something">t</a>');`
			`t.expect(sanitizeHtml('<a xlink:evil="something">t</a>')).toEqual('<a>t</a>');`
			`t.expect(sanitizeHtml('<a xlink:href="javascript:foo()">t</a>'))`
			`.toEqual('<a xlink:href="unsafe:javascript:foo()">t</a>');`
			`});`
test(security): tests for HTML5 elements, srcset. Part of #9572. 2016-06-27 12:18:48 -07:00			`t.it('supports HTML5 elements', () => {`
			`t.expect(sanitizeHtml('<main><summary>Works</summary></main>'))`
			`.toEqual('<main><summary>Works</summary></main>');`
			`});`
			`t.it('sanitizes srcset attributes', () => {`
			`t.expect(sanitizeHtml('<img srcset="/foo.png 400px, javascript:evil() 23px">'))`
			`.toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');`
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			`t.it('supports sanitizing plain text', () => {`
			`t.expect(sanitizeHtml('Hello, World')).toEqual('Hello, World');`
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`t.it('ignores non-element, non-attribute nodes', () => {`
			`t.expect(sanitizeHtml('<!-- comments? -->no.')).toEqual('no.');`
			`t.expect(sanitizeHtml('<?pi nodes?>no.')).toEqual('no.');`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`t.expect(logMsgs.join('\n')).toMatch(/sanitizing HTML stripped some content/);`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`});`
fix(security): no warning when sanitizing escaped html (#9392) (#9413) 2016-06-23 22:06:19 +02:00			`t.it('supports sanitizing escaped entities', () => {`
			`t.expect(sanitizeHtml('🚀')).toEqual('🚀');`
			`t.expect(logMsgs).toEqual([]);`
			`});`
feat(security): only warn when actually sanitizing HTML. (#10272) Previously, Angular would warn users when simply re-encoding text outside of the ASCII range. While harmless, the log spam was annoying. With this change, Angular specifically tracks whether anything was stripped during sanitization, and only reports a warning if so. Fixes #10206. 2016-07-26 11:39:09 -07:00			`t.it('does not warn when just re-encoding text', () => {`
			`t.expect(sanitizeHtml('<p>Hellö Wörld</p>')).toEqual('<p>Hellö Wörld</p>');`
			`t.expect(logMsgs).toEqual([]);`
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`t.it('escapes entities', () => {`
			`t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello < World</p>');`
			`t.expect(sanitizeHtml('<p>Hello < World</p>')).toEqual('<p>Hello < World</p>');`
			`t.expect(sanitizeHtml('<p alt="% & " !">Hello</p>'))`
			`.toEqual('<p alt="% & " !">Hello</p>'); // NB: quote encoded as ASCII ".`
			`});`
			`t.describe('should strip dangerous elements', () => {`
			`let dangerousTags = [`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			`'frameset', 'form', 'param', 'object', 'embed', 'textarea', 'input', 'button', 'option',`
			`'select', 'script', 'style', 'link', 'base', 'basefont'`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`];`

			`for (let tag of dangerousTags) {`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			`t.it(`
			`${tag}`, () => { t.expect(sanitizeHtml(`<${tag}>evil!</${tag}>`)).toEqual('evil!'); });
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`}`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			t.it(`swallows frame entirely`, () => {
			t.expect(sanitizeHtml(`<frame>evil!</frame>`)).not.toContain('<frame>');
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`});`
			`t.describe('should strip dangerous attributes', () => {`
			`let dangerousAttrs = ['id', 'name', 'style'];`

			`for (let attr of dangerousAttrs) {`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			t.it(`${attr}`, () => {
			t.expect(sanitizeHtml(`<a ${attr}="x">evil!</a>`)).toEqual('<a>evil!</a>');
			`});`
feat(security): add an HTML sanitizer. This is based on Angular 1's implementation, parsing an HTML document into an inert DOM Document implementation, and then serializing only specifically whitelisted elements. It currently does not support SVG sanitization, all SVG elements are rejected. If available, the sanitizer uses the `<template>` HTML element as an inert container. Sanitization works client and server-side. Reviewers: rjamet, tbosch , molnarg , koto Differential Revision: https://reviews.angular.io/D108 2016-04-30 19:02:05 -07:00			`}`
			`});`

			`if (browserDetection.isWebkit) {`
			`t.it('should prevent mXSS attacks', function() {`
			`t.expect(sanitizeHtml('<a href="　javascript:alert(1)">CLICKME</a>'))`
			`.toEqual('<a href="unsafe:javascript:alert(1)">CLICKME</a>');`
			`});`
			`}`
			`});`
			`}`