From 2d9d7f13103d8aeb1064f5ff3ec3aace9373c7c3 Mon Sep 17 00:00:00 2001
From: Martin Probst
Date: Tue, 28 Jun 2016 11:45:02 -0700
Subject: [PATCH] fix(security): allow empty CSS values. (#9675)

---
 .../@angular/platform-browser/src/security/style_sanitizer.ts | 1 +
 .../platform-browser/test/security/style_sanitizer_spec.ts | 1 +
 2 files changed, 2 insertions(+)

diff --git a/modules/@angular/platform-browser/src/security/style_sanitizer.ts b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
index 688e20e98c..78258c9200 100644
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@@ -82,6 +82,7 @@ function hasBalancedQuotes(value: string) {
  */
 export function sanitizeStyle(value: string): string {
   value = String(value).trim(); // Make sure it's actually a string.
+  if (!value) return '';
 
   // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for
   // reasoning behind this.
diff --git a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
index 67bed84e96..7bec4047d0 100644
--- a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
+++ b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
@@ -26,6 +26,7 @@ export function main() {
   function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }
 
   t.it('sanitizes values', () => {
+    expectSanitize('').toEqual('');
     expectSanitize('abc').toEqual('abc');
     expectSanitize('50px').toEqual('50px');
     expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
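Review bot: The new guard `if (!value) return '';` only catches a genuinely empty string, because `String(value)` has already run on the line above it; a `null` or `undefined` handed in by a caller that bypasses the declared type (the "Make sure it's actually a string" comment suggests such callers are expected) becomes the literal text `'null'` or `'undefined'` and falls through to the rest of the sanitizer instead of being treated as empty. If those inputs should also map to an empty style, a nullish check ahead of the coercion covers them: `if (value == null) return '';`. The early return would also benefit from a one-line comment stating its intent, e.g. `// An empty value carries no style and is safe to return as-is.`. sanitizeStyle's body continues past the end of the hunk.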
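Review bot: The new assertion `expectSanitize('').toEqual('');` pins only the literal empty string, while the guard it exercises sits after `trim()` in sanitizeStyle, so whitespace-only input takes the same early-return path and is the more likely real-world shape of an empty binding. A second assertion alongside it, `expectSanitize('   ').toEqual('');`, would document that whitespace collapses to the empty result rather than being passed through or rejected. The enclosing `t.it` block continues past the end of the hunk.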