iSharkFly-Docs
/
angular-docs-cn
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(core): CSS sanitizer now allows parens in file names (#30322) 

Resolves an issue where images that were created with a name like `'foo (1).png'` would not pass CSS url sanitization.

PR Close #30322
This commit is contained in:
Ben Lesh 2019-05-07 19:03:00 -07:00 committed by Alex Rickabaugh
parent 9a807bd26a
commit 728db88280
2 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
packages/core/src/sanitization/style_sanitizer.ts
View File

@ -54,7 +54,7 @@ const SAFE_STYLE_VALUE = new RegExp(
* Given the common use case, low likelihood of attack vector, and low impact of an attack, this
* code is permissive and allows URLs that sanitize otherwise.
*/
const URL_RE = /^url\(([^)]+)\)$/;
const URL_RE = /^url\(([\w\W]*)\)$/;
/**
* Checks that quotes (" and ') are properly balanced inside a string. Assumes

3
packages/core/test/sanitization/style_sanitizer_spec.ts
View File

@ -32,7 +32,7 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
expectSanitize('expression(haha)').toEqual('unsafe');
});
t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
t.it('rejects unbalanced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
t.it('accepts transform functions', () => {
expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
expectSanitize('rotate(javascript:evil())').toEqual('unsafe');
@ -58,6 +58,7 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
t.it('accepts quoted URLs', () => {
expectSanitize('url("foo/bar.png")').toEqual('url("foo/bar.png")');
expectSanitize(`url('foo/bar.png')`).toEqual(`url('foo/bar.png')`);
expectSanitize(`url('foo/bar (1).png')`).toEqual(`url('foo/bar (1).png')`);
expectSanitize(`url( 'foo/bar.png'\n )`).toEqual(`url( 'foo/bar.png'\n )`);
expectSanitize('url("javascript:evil()")').toEqual('unsafe');
expectSanitize('url( " javascript:evil() " )').toEqual('unsafe');