angular-docs-cn/packages/core/src/sanitization/url_sanitizer.ts

/**
 * @license
 * Copyright Google Inc. All Rights Reserved.
 *
 * Use of this source code is governed by an MIT-style license that can be
 * found in the LICENSE file at https://angular.io/license
 */

import {isDevMode} from '../is_dev_mode';

/**
 * A pattern that recognizes a commonly useful subset of URLs that are safe.
 *
 * This regular expression matches a subset of URLs that will not cause script
 * execution if used in URL context within a HTML document. Specifically, this
 * regular expression matches if (comment from here on and regex copied from
 * Soy's EscapingConventions):
 * (1) Either a protocol in a whitelist (http, https, mailto or ftp).
 * (2) or no protocol.  A protocol must be followed by a colon. The below
 *     allows that by allowing colons only after one of the characters [/?#].
 *     A colon after a hash (#) must be in the fragment.
 *     Otherwise, a colon after a (?) must be in a query.
 *     Otherwise, a colon after a single solidus (/) must be in a path.
 *     Otherwise, a colon after a double solidus (//) must be in the authority
 *     (before port).
 *
 * The pattern disallows &, used in HTML entity declarations before
 * one of the characters in [/?#]. This disallows HTML entities used in the
 * protocol name, which should never happen, e.g. "h&#116;tp" for "http".
 * It also disallows HTML entities in the first path part of a relative path,
 * e.g. "foo&lt;bar/baz".  Our existing escaping functions should not produce
 * that. More importantly, it disallows masking of a colon,
 * e.g. "javascript&#58;...".
 *
 * This regular expression was taken from the Closure sanitization library.
 */
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;

/* A pattern that matches safe srcset values */
const SAFE_SRCSET_PATTERN = /^(?:(?:https?|file):|[^&:/?#]*(?:[/?#]|$))/gi;

/** A pattern that matches safe data URLs. Only matches image, video and audio types. */
const DATA_URL_PATTERN =
    /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[a-z0-9+\/]+=*$/i;

export function _sanitizeUrl(url: string): string {
  url = String(url);
  if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url;

  if (isDevMode()) {
    console.warn(`WARNING: sanitizing unsafe URL value ${url} (see http://g.co/ng/security#xss)`);
  }

  return 'unsafe:' + url;
}

export function sanitizeSrcset(srcset: string): string {
  srcset = String(srcset);
  return srcset.split(',').map((srcset) => _sanitizeUrl(srcset.trim())).join(', ');
}
chore(lint): Added license headers to most TypeScript files Relates to #9380 2016-06-23 09:47:54 -07:00			`/**`
			`* @license`
			`* Copyright Google Inc. All Rights Reserved.`
			`*`
			`* Use of this source code is governed by an MIT-style license that can be`
			`* found in the LICENSE file at https://angular.io/license`
			`*/`

feat(ivy): add `ngcc` ivy switch (#25238) Provides a runtime and compile time switch for ivy including `ApplicationRef.bootstrapModule`. This is done by naming the symbols such that `ngcc` (angular Compatibility compiler) can rename symbols in such a way that running `ngcc` command will switch the `@angular/core` module from `legacy` to `ivy` mode. This is done as follows: ``` const someToken__PRE_NGCC__ = ‘legacy mode’; const someToken__POST_NGCC__ = ‘ivy mode’; export someSymbol = someToken__PRE_NGCC__; ``` The `ngcc` will search for any token which ends with `__PRE_NGCC__` and replace it with `__POST_NGCC__`. This allows the `@angular/core` package to be rewritten to ivy mode post `ngcc` execution. PR Close #25238 2018-07-30 22:34:15 -07:00			`import {isDevMode} from '../is_dev_mode';`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`/**`
			`* A pattern that recognizes a commonly useful subset of URLs that are safe.`
			`*`
			`* This regular expression matches a subset of URLs that will not cause script`
			`* execution if used in URL context within a HTML document. Specifically, this`
			`* regular expression matches if (comment from here on and regex copied from`
			`* Soy's EscapingConventions):`
			`* (1) Either a protocol in a whitelist (http, https, mailto or ftp).`
			`* (2) or no protocol. A protocol must be followed by a colon. The below`
			`* allows that by allowing colons only after one of the characters [/?#].`
			`* A colon after a hash (#) must be in the fragment.`
			`* Otherwise, a colon after a (?) must be in a query.`
			`* Otherwise, a colon after a single solidus (/) must be in a path.`
			`* Otherwise, a colon after a double solidus (//) must be in the authority`
			`* (before port).`
			`*`
			`* The pattern disallows &, used in HTML entity declarations before`
			`* one of the characters in [/?#]. This disallows HTML entities used in the`
			`* protocol name, which should never happen, e.g. "http" for "http".`
			`* It also disallows HTML entities in the first path part of a relative path,`
			`* e.g. "foo<bar/baz". Our existing escaping functions should not produce`
			`* that. More importantly, it disallows masking of a colon,`
			`* e.g. "javascript:...".`
			`*`
			`* This regular expression was taken from the Closure sanitization library.`
			`*/`
			`const SAFE_URL_PATTERN = /^(?:(?:https?\|mailto\|ftp\|tel\|file):\|[^&:/?#]*(?:[/?#]\|$))/gi;`

feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization 2016-06-24 16:54:11 +02:00			`/* A pattern that matches safe srcset values */`
			`const SAFE_SRCSET_PATTERN = /^(?:(?:https?\|file):\|[^&:/?#]*(?:[/?#]\|$))/gi;`

			`/** A pattern that matches safe data URLs. Only matches image, video and audio types. */`
style(lint): re-format modules/@angular 2016-06-08 16:38:52 -07:00			`const DATA_URL_PATTERN =`
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization 2016-06-24 16:54:11 +02:00			`/^data:(?:image\/(?:bmp\|gif\|jpeg\|jpg\|png\|tiff\|webp)\|video\/(?:mpeg\|mp4\|ogg\|webm)\|audio\/(?:mp3\|oga\|ogg\|opus));base64,[a-z0-9+\/]+=*$/i;`
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540 2018-03-01 17:14:01 -08:00			`export function _sanitizeUrl(url: string): string {`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`url = String(url);`
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00			`if (url.match(SAFE_URL_PATTERN) \|\| url.match(DATA_URL_PATTERN)) return url;`

docs(security): point users to docs when sanitization fails. (#9680) 2016-06-28 18:13:46 -07:00			`if (isDevMode()) {`
refactor(core): move sanitization into core (#22540) This is in preparation of having Ivy have sanitization inline. PR Close #22540 2018-03-01 13:16:13 -08:00			console.warn(`WARNING: sanitizing unsafe URL value ${url} (see http://g.co/ng/security#xss)`);
docs(security): point users to docs when sanitization fails. (#9680) 2016-06-28 18:13:46 -07:00			`}`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat: security implementation in Angular 2. Summary: This adds basic security hooks to Angular 2. * `SecurityContext` is a private API between core, compiler, and platform-browser. `SecurityContext` communicates what context a value is used in across template parser, compiler, and sanitization at runtime. * `SanitizationService` is the bare bones interface to sanitize values for a particular context. * `SchemaElementRegistry.securityContext(tagName, attributeOrPropertyName)` determines the security context for an attribute or property (it turns out attributes and properties match for the purposes of sanitization). Based on these hooks: * `DomSchemaElementRegistry` decides what sanitization applies in a particular context. * `DomSanitizationService` implements `SanitizationService` and adds Safe Values, i.e. the ability to mark a value as safe and not requiring further sanitization. * `url_sanitizer` and `style_sanitizer` sanitize URLs and Styles, respectively (surprise!). `DomSanitizationService` is the default implementation bound for browser applications, in the three contexts (browser rendering, web worker rendering, server side rendering). BREAKING CHANGES: * SECURITY WARNING * Angular 2 Release Candidates do not implement proper contextual escaping yet. Make sure to correctly escape all values that go into the DOM. * SECURITY WARNING * Reviewers: IgorMinar Differential Revision: https://reviews.angular.io/D103 2016-04-29 16:04:08 -07:00			`return 'unsafe:' + url;`
			`}`
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization 2016-06-24 16:54:11 +02:00
			`export function sanitizeSrcset(srcset: string): string {`
			`srcset = String(srcset);`
feat(ivy): provide sanitization methods which can be tree shaken (#22540) By providing a top level sanitization methods (rather than service) the compiler can generate calls into the methods only when needed. This makes the methods tree shakable. PR Close #22540 2018-03-01 17:14:01 -08:00			`return srcset.split(',').map((srcset) => _sanitizeUrl(srcset.trim())).join(', ');`
feat(security): allow more HTML5 elements and attributes in sanitizers Allow more elements and attributes from the HTML5 spec which were stripped by the htmlSanitizer. fixes #9438 feat(security): allow audio data URLs in urlSanitizer test(security) : add test for valid audio data URL feat(security): allow and sanitize srcset attributes test(security): test for srcset sanitization 2016-06-24 16:54:11 +02:00			`}`