angular-cn/modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts

import * as t from '@angular/core/testing/testing_internal';
import {sanitizeUrl} from '../../src/security/url_sanitizer';

export function main() {
  t.describe('URL sanitizer', () => {
    t.describe('valid URLs', () => {
      const validUrls = [
        '',
        'http://abc',
        'HTTP://abc',
        'https://abc',
        'HTTPS://abc',
        'ftp://abc',
        'FTP://abc',
        'mailto:me@example.com',
        'MAILTO:me@example.com',
        'tel:123-123-1234',
        'TEL:123-123-1234',
        '#anchor',
        '/page1.md',
        'http://JavaScript/my.js'
      ];
      for (let url of validUrls) {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
      }
    });

    t.describe('invalid URLs', () => {
      const invalidUrls = [
        'javascript:evil()',
        'JavaScript:abc',
        'evilNewProtocol:abc',
        ' \n Java\n Script:abc',
        'javascript:',
        '&#106avascript:',
        '&#106 avascript:',
        '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',
        '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:',
        'jav	ascript:alert();',
        'jav\u0000ascript:alert();',
      ];
      for (let url of invalidUrls) {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
      }
    });
  });
}