From 7b6c4d5accd9a6b483edee111826d6324694048d Mon Sep 17 00:00:00 2001
From: Martin Probst
Date: Tue, 3 May 2016 18:41:07 -0700
Subject: [PATCH] feat(security): add tests for style sanitisation.
---
 .../src/security/style_sanitizer.ts | 7 ++++++-
 .../test/security/style_sanitizer_spec.ts | 13 +++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)
 create mode 100644 modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
diff --git a/modules/@angular/platform-browser/src/security/style_sanitizer.ts b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
index 8f15f9ac87..c0134d70af 100644
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@@ -37,7 +37,12 @@ function hasBalancedQuotes(value: string) {
 return outsideSingle && outsideDouble;
 }
 
+/**
+ * Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single
+ * value) and returns a value that is safe to use in a browser environment.
+ */
 export function sanitizeStyle(value: string): string {
- if (String(value).match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
+ value = String(value); // Make sure it's actually a string.
+ if (value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) return value;
 return 'unsafe';
 }
diff --git a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
new file mode 100644
index 0000000000..dedd346da1
--- /dev/null
+++ b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
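Review bot: The new doc comment on sanitizeStyle does not say what happens when a value is rejected — the function returns the literal string `'unsafe'` rather than throwing, so a caller that watches only for exceptions will silently ship a style of `unsafe`; add a line such as `* Returns the literal string 'unsafe' when the value does not match SAFE_STYLE_VALUE or has unbalanced quotes.` to the comment. The added `value = String(value);` reassigns a parameter whose declared type already says it is a string; `const str = String(value);` followed by `if (str.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(str)) return str;` reads as the deliberate guard against untyped JavaScript callers that the inline comment describes. Note also that `String(null)` and `String(undefined)` produce `'null'` and `'undefined'`, which SAFE_STYLE_VALUE (defined outside this hunk) presumably accepts, so such inputs would be returned verbatim rather than mapped to `'unsafe'`; if that is intended it is worth stating in the comment.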
@@ -0,0 +1,13 @@
+import * as t from '@angular/core/testing/testing_internal';
+import {sanitizeStyle} from '../../src/security/style_sanitizer';
+
+export function main() {
+ t.describe('Style sanitizer', () => {
+ t.it('sanitizes values', () => {
+ t.expect(sanitizeStyle('abc')).toEqual('abc');
+ t.expect(sanitizeStyle('expression(haha)')).toEqual('unsafe');
+ // Unbalanced quotes.
+ t.expect(sanitizeStyle('"value" "')).toEqual('unsafe');
+ });
+ });
+}
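Review bot: The only accepted input exercised is `'abc'`, so the quote-handling path through `hasBalancedQuotes` is tested only on the rejecting side and a regression that rejects every quoted value would pass this spec; add an acceptance case such as `t.expect(sanitizeStyle('"value"')).toEqual('"value"');`, assuming SAFE_STYLE_VALUE (defined outside this hunk) admits quoted strings. The `String(value)` coercion introduced in style_sanitizer.ts by this same commit is likewise not covered, since every input here is already a string; one case passing a non-string value (it needs a cast to get past the `string` parameter type) would pin that behaviour. The comment `// Unbalanced quotes.` would state the expectation rather than the input if written as `// Unbalanced quotes must be rejected.`.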