feat(security): add tests for style sanitisation.

2016-05-03 18:41:07 -07:00 · 2016-05-03 18:41:07 -07:00 · 7b6c4d5acc
parent 99c0d503d7
commit 7b6c4d5acc
2 changed files with 19 additions and 1 deletions
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@ -37,7 +37,12 @@ function hasBalancedQuotes(value: string) {
  return outsideSingle && outsideDouble;
 }

+/**
+ * Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single
+ * value) and returns a value that is safe to use in a browser environment.
+ */
 export function sanitizeStyle(value: string): string {
-  if (String(value).match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
+  value = String(value);  // Make sure it's actually a string.
+  if (value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
  return 'unsafe';
 }
--- a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
+++ b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
@ -0,0 +1,13 @@
+import * as t from '@angular/core/testing/testing_internal';
+import {sanitizeStyle} from '../../src/security/style_sanitizer';
+
+export function main() {
+  t.describe('Style sanitizer', () => {
+    t.it('sanitizes values', () => {
+      t.expect(sanitizeStyle('abc')).toEqual('abc');
+      t.expect(sanitizeStyle('expression(haha)')).toEqual('unsafe');
+      // Unbalanced quotes.
+      t.expect(sanitizeStyle('"value" "')).toEqual('unsafe');
+    });
+  });
+}