fix(security): allow empty CSS values. (#9675)

2016-06-28 11:45:02 -07:00 · 2016-06-28 11:45:02 -07:00 · 2d9d7f1310
parent 5ee84fe0f6
commit 2d9d7f1310
2 changed files with 2 additions and 0 deletions
--- a/modules/@angular/platform-browser/src/security/style_sanitizer.ts
+++ b/modules/@angular/platform-browser/src/security/style_sanitizer.ts
@ -82,6 +82,7 @@ function hasBalancedQuotes(value: string) {
 */
 export function sanitizeStyle(value: string): string {
  value = String(value).trim();  // Make sure it's actually a string.
+  if (!value) return '';

  // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for
  // reasoning behind this.
--- a/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
+++ b/modules/@angular/platform-browser/test/security/style_sanitizer_spec.ts
@ -26,6 +26,7 @@ export function main() {
    function expectSanitize(v: string) { return t.expect(sanitizeStyle(v)); }

    t.it('sanitizes values', () => {
+      expectSanitize('').toEqual('');
      expectSanitize('abc').toEqual('abc');
      expectSanitize('50px').toEqual('50px');
      expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');