angular-docs-cn/modules/@angular/platform-browser/test/security/url_sanitizer_spec.ts

import * as t from '@angular/core/testing/testing_internal';

import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeUrl} from '../../src/security/url_sanitizer';

export function main() {
  t.describe('URL sanitizer', () => {
    let logMsgs: string[];
    let originalLog: (msg: any) => any;

    t.beforeEach(() => {
      logMsgs = [];
      originalLog = getDOM().log;  // Monkey patch DOM.log.
      getDOM().log = (msg) => logMsgs.push(msg);
    });
    t.afterEach(() => { getDOM().log = originalLog; });

    t.it('reports unsafe URLs', () => {
      t.expect(sanitizeUrl('javascript:evil()')).toBe('unsafe:javascript:evil()');
      t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe URL value/);
    });


    t.describe('valid URLs', () => {
      const validUrls = [
        '',
        'http://abc',
        'HTTP://abc',
        'https://abc',
        'HTTPS://abc',
        'ftp://abc',
        'FTP://abc',
        'mailto:me@example.com',
        'MAILTO:me@example.com',
        'tel:123-123-1234',
        'TEL:123-123-1234',
        '#anchor',
        '/page1.md',
        'http://JavaScript/my.js',
        'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',  // Truncated.
        'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
      ];
      for (let url of validUrls) {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
      }
    });

    t.describe('invalid URLs', () => {
      const invalidUrls = [
        'javascript:evil()',
        'JavaScript:abc',
        'evilNewProtocol:abc',
        ' \n Java\n Script:abc',
        '&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
        '&#106&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
        '&#106 &#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;',
        '&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',
        '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A;',
        'jav&#x09;ascript:alert();',
        'jav\u0000ascript:alert();',
        'data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
        'data:,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
        'data:iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
        'data:text/javascript;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
        'data:application/x-msdownload;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
      ];
      for (let url of invalidUrls) {
        t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
      }
    });
  });
}
feat(security): add tests for URL sanitization. 2016-05-03 18:41:31 -07:00			`import * as t from '@angular/core/testing/testing_internal';`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
			`import {getDOM} from '../../src/dom/dom_adapter';`
feat(security): add tests for URL sanitization. 2016-05-03 18:41:31 -07:00			`import {sanitizeUrl} from '../../src/security/url_sanitizer';`

			`export function main() {`
			`t.describe('URL sanitizer', () => {`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`let logMsgs: string[];`
			`let originalLog: (msg: any) => any;`

			`t.beforeEach(() => {`
			`logMsgs = [];`
			`originalLog = getDOM().log; // Monkey patch DOM.log.`
			`getDOM().log = (msg) => logMsgs.push(msg);`
			`});`
			`t.afterEach(() => { getDOM().log = originalLog; });`

			`t.it('reports unsafe URLs', () => {`
			`t.expect(sanitizeUrl('javascript:evil()')).toBe('unsafe:javascript:evil()');`
			`t.expect(logMsgs.join('\n')).toMatch(/sanitizing unsafe URL value/);`
			`});`


feat(security): add tests for URL sanitization. 2016-05-03 18:41:31 -07:00			`t.describe('valid URLs', () => {`
			`const validUrls = [`
			`'',`
			`'http://abc',`
			`'HTTP://abc',`
			`'https://abc',`
			`'HTTPS://abc',`
			`'ftp://abc',`
			`'FTP://abc',`
			`'mailto:me@example.com',`
			`'MAILTO:me@example.com',`
			`'tel:123-123-1234',`
			`'TEL:123-123-1234',`
			`'#anchor',`
			`'/page1.md',`
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00			`'http://JavaScript/my.js',`
			`'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/', // Truncated.`
			`'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
feat(security): add tests for URL sanitization. 2016-05-03 18:41:31 -07:00			`];`
			`for (let url of validUrls) {`
			t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toEqual(url));
			`}`
			`});`

			`t.describe('invalid URLs', () => {`
			`const invalidUrls = [`
			`'javascript:evil()',`
			`'JavaScript:abc',`
			`'evilNewProtocol:abc',`
			`' \n Java\n Script:abc',`
			`'javascript:',`
			`'&#106avascript:',`
			`'&#106 avascript:',`
			`'&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058',`
			`'&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74:',`
			`'jav ascript:alert();',`
			`'jav\u0000ascript:alert();',`
feat(security): allow data: URLs for images and videos. Allows known-to-be-safe media types in data URIs. Part of #8511. 2016-05-15 11:44:52 +02:00			`'data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
			`'data:,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
			`'data:iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
			`'data:text/javascript;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
			`'data:application/x-msdownload;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',`
feat(security): add tests for URL sanitization. 2016-05-03 18:41:31 -07:00			`];`
			`for (let url of invalidUrls) {`
			t.it(`valid ${url}`, () => t.expect(sanitizeUrl(url)).toMatch(/^unsafe:/));
			`}`
			`});`
			`});`
			`}`