feat(core): add missing ARIA attributes to html sanitizer (#29685)
Allow ARIA attributes from the WAI-ARIA 1.1 spec which were stripped by the htmlSanitizer. Closes #26815 PR Close #29685
This commit is contained in:
parent
957f594d7c
commit
909557d5f8
|
@ -21,7 +21,7 @@
|
||||||
"master": {
|
"master": {
|
||||||
"uncompressed": {
|
"uncompressed": {
|
||||||
"runtime": 1440,
|
"runtime": 1440,
|
||||||
"main": 155609,
|
"main": 157393,
|
||||||
"polyfills": 43567
|
"polyfills": 43567
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -30,8 +30,8 @@
|
||||||
"master": {
|
"master": {
|
||||||
"uncompressed": {
|
"uncompressed": {
|
||||||
"bundle": "TODO(i): temporarily increase the payload size limit from 105779 - this is due to a closure issue related to ESM reexports that still needs to be investigated",
|
"bundle": "TODO(i): temporarily increase the payload size limit from 105779 - this is due to a closure issue related to ESM reexports that still needs to be investigated",
|
||||||
"bundle": 179479
|
"bundle": 179825
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -73,6 +73,16 @@ const HTML_ATTRS = tagSet(
|
||||||
'scope,scrolling,shape,size,sizes,span,srclang,start,summary,tabindex,target,title,translate,type,usemap,' +
|
'scope,scrolling,shape,size,sizes,span,srclang,start,summary,tabindex,target,title,translate,type,usemap,' +
|
||||||
'valign,value,vspace,width');
|
'valign,value,vspace,width');
|
||||||
|
|
||||||
|
// Accessibility attributes as per WAI-ARIA 1.1 (W3C Working Draft 14 December 2018)
|
||||||
|
const ARIA_ATTRS = tagSet(
|
||||||
|
'aria-activedescendant,aria-atomic,aria-autocomplete,aria-busy,aria-checked,aria-colcount,aria-colindex,' +
|
||||||
|
'aria-colspan,aria-controls,aria-current,aria-describedby,aria-details,aria-disabled,aria-dropeffect,' +
|
||||||
|
'aria-errormessage,aria-expanded,aria-flowto,aria-grabbed,aria-haspopup,aria-hidden,aria-invalid,' +
|
||||||
|
'aria-keyshortcuts,aria-label,aria-labelledby,aria-level,aria-live,aria-modal,aria-multiline,' +
|
||||||
|
'aria-multiselectable,aria-orientation,aria-owns,aria-placeholder,aria-posinset,aria-pressed,aria-readonly,' +
|
||||||
|
'aria-relevant,aria-required,aria-roledescription,aria-rowcount,aria-rowindex,aria-rowspan,aria-selected,' +
|
||||||
|
'aria-setsize,aria-sort,aria-valuemax,aria-valuemin,aria-valuenow,aria-valuetext');
|
||||||
|
|
||||||
// NB: This currently consciously doesn't support SVG. SVG sanitization has had several security
|
// NB: This currently consciously doesn't support SVG. SVG sanitization has had several security
|
||||||
// issues in the past, so it seems safer to leave it out if possible. If support for binding SVG via
|
// issues in the past, so it seems safer to leave it out if possible. If support for binding SVG via
|
||||||
// innerHTML is required, SVG attributes should be added here.
|
// innerHTML is required, SVG attributes should be added here.
|
||||||
|
@ -81,7 +91,7 @@ const HTML_ATTRS = tagSet(
|
||||||
// can be sanitized, but they increase security surface area without a legitimate use case, so they
|
// can be sanitized, but they increase security surface area without a legitimate use case, so they
|
||||||
// are left out here.
|
// are left out here.
|
||||||
|
|
||||||
export const VALID_ATTRS = merge(URI_ATTRS, SRCSET_ATTRS, HTML_ATTRS);
|
export const VALID_ATTRS = merge(URI_ATTRS, SRCSET_ATTRS, HTML_ATTRS, ARIA_ATTRS);
|
||||||
|
|
||||||
// Elements whose content should not be traversed/preserved, if the elements themselves are invalid.
|
// Elements whose content should not be traversed/preserved, if the elements themselves are invalid.
|
||||||
//
|
//
|
||||||
|
|
|
@ -52,6 +52,15 @@ import {_sanitizeHtml} from '../../src/sanitization/html_sanitizer';
|
||||||
.toEqual('<main><summary>Works</summary></main>');
|
.toEqual('<main><summary>Works</summary></main>');
|
||||||
});
|
});
|
||||||
|
|
||||||
|
it('supports ARIA attributes', () => {
|
||||||
|
expect(_sanitizeHtml(defaultDoc, '<h1 role="presentation" aria-haspopup="true">Test</h1>'))
|
||||||
|
.toEqual('<h1 role="presentation" aria-haspopup="true">Test</h1>');
|
||||||
|
expect(_sanitizeHtml(defaultDoc, '<i aria-label="Info">Info</i>'))
|
||||||
|
.toEqual('<i aria-label="Info">Info</i>');
|
||||||
|
expect(_sanitizeHtml(defaultDoc, '<img src="pteranodon.jpg" aria-details="details">'))
|
||||||
|
.toEqual('<img src="pteranodon.jpg" aria-details="details">');
|
||||||
|
});
|
||||||
|
|
||||||
it('sanitizes srcset attributes', () => {
|
it('sanitizes srcset attributes', () => {
|
||||||
expect(_sanitizeHtml(defaultDoc, '<img srcset="/foo.png 400px, javascript:evil() 23px">'))
|
expect(_sanitizeHtml(defaultDoc, '<img srcset="/foo.png 400px, javascript:evil() 23px">'))
|
||||||
.toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');
|
.toEqual('<img srcset="/foo.png 400px, unsafe:javascript:evil() 23px">');
|
||||||
|
|
Loading…
Reference in New Issue