angular-docs-cn/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts

import * as t from '@angular/core/testing/testing_internal';

import {getDOM} from '../../src/dom/dom_adapter';
import {sanitizeStyle} from '../../src/security/style_sanitizer';

export function main() {
  t.describe('Style sanitizer', () => {
    let logMsgs: string[];
    let originalLog: (msg: any) => any;

    t.beforeEach(() => {
      logMsgs = [];
      originalLog = getDOM().log;  // Monkey patch DOM.log.
      getDOM().log = (msg) => logMsgs.push(msg);
    });
    t.afterEach(() => { getDOM().log = originalLog; });

    function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }

    t.it('sanitizes values', () => {
      expectSanitize('abc').toEqual('abc');
      expectSanitize('50px').toEqual('50px');
      expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
      expectSanitize('expression(haha)').toEqual('unsafe');
    });
    t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
    t.it('accepts transform functions', () => {
      expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
      expectSanitize('rotate(javascript:evil())').toEqual('unsafe');
      expectSanitize('translateX(12px, -5px)').toEqual('translateX(12px, -5px)');
      expectSanitize('scale3d(1, 1, 2)').toEqual('scale3d(1, 1, 2)');
    });
    t.it('sanitizes URLs', () => {
      expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');
      expectSanitize('url(javascript:evil())').toEqual('unsafe');
      expectSanitize('url(strangeprotocol:evil)').toEqual('unsafe');
    });
  });
}
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`import * as t from '@angular/core/testing/testing_internal';`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
			`import {getDOM} from '../../src/dom/dom_adapter';`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`import {sanitizeStyle} from '../../src/security/style_sanitizer';`

			`export function main() {`
			`t.describe('Style sanitizer', () => {`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00			`let logMsgs: string[];`
			`let originalLog: (msg: any) => any;`

			`t.beforeEach(() => {`
			`logMsgs = [];`
			`originalLog = getDOM().log; // Monkey patch DOM.log.`
			`getDOM().log = (msg) => logMsgs.push(msg);`
			`});`
			`t.afterEach(() => { getDOM().log = originalLog; });`

feat(security): support transform CSS functions for sanitization. Fixes part of #8514. 2016-05-09 09:57:07 +02:00			`function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }`
feat(security): warn users when sanitizing in dev mode. This should help developers to figure out what's going on when the sanitizer strips some input. Fixes #8522. 2016-05-09 16:46:31 +02:00
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`t.it('sanitizes values', () => {`
feat(security): support transform CSS functions for sanitization. Fixes part of #8514. 2016-05-09 09:57:07 +02:00			`expectSanitize('abc').toEqual('abc');`
			`expectSanitize('50px').toEqual('50px');`
			`expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');`
			`expectSanitize('expression(haha)').toEqual('unsafe');`
			`});`
			`t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });`
			`t.it('accepts transform functions', () => {`
			`expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');`
			`expectSanitize('rotate(javascript:evil())').toEqual('unsafe');`
			`expectSanitize('translateX(12px, -5px)').toEqual('translateX(12px, -5px)');`
			`expectSanitize('scale3d(1, 1, 2)').toEqual('scale3d(1, 1, 2)');`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`});`
feat(security): allow url(...) style values. Allows sanitized URLs for CSS properties. These can be abused for information leakage, but only if the CSS rules are already set up to allow for it. That is, an attacker cannot cause information leakage without controlling the style rules present, or a very particular setup. Fixes #8514. 2016-05-15 11:33:47 +02:00			`t.it('sanitizes URLs', () => {`
			`expectSanitize('url(foo/bar.png)').toEqual('url(foo/bar.png)');`
			`expectSanitize('url(javascript:evil())').toEqual('unsafe');`
			`expectSanitize('url(strangeprotocol:evil)').toEqual('unsafe');`
			`});`
feat(security): add tests for style sanitisation. 2016-05-03 18:41:07 -07:00			`});`
			`}`