From dbb150a9bdae68dfb92d64d904e85b8c5db5b2ec Mon Sep 17 00:00:00 2001
From: Alex Rickabaugh
Date: Tue, 14 May 2019 14:06:01 -0700
Subject: [PATCH] Revert "fix(core): CSS sanitizer now allows parens in file names (#30322)" (#30463)

This reverts commit 728db882808869e1f52d20535676756d3b63b58a.

We're reverting this commit for now, until it can be subjected to a more thorough security review.

PR Close #30463
---
 packages/core/src/sanitization/style_sanitizer.ts | 2 +-
 packages/core/test/sanitization/style_sanitizer_spec.ts | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/core/src/sanitization/style_sanitizer.ts b/packages/core/src/sanitization/style_sanitizer.ts
index 16b19de093..62a6ecbe59 100644
--- a/packages/core/src/sanitization/style_sanitizer.ts
+++ b/packages/core/src/sanitization/style_sanitizer.ts
@@ -54,7 +54,7 @@ const SAFE_STYLE_VALUE = new RegExp(
 * Given the common use case, low likelihood of attack vector, and low impact of an attack, this
 * code is permissive and allows URLs that sanitize otherwise.
 */
-const URL_RE = /^url\(([\w\W]*)\)$/;
+const URL_RE = /^url\(([^)]+)\)$/;
 
 /**
 * Checks that quotes (" and ') are properly balanced inside a string. Assumes
diff --git a/packages/core/test/sanitization/style_sanitizer_spec.ts b/packages/core/test/sanitization/style_sanitizer_spec.ts
index e5a9d200e6..5adafceb8e 100644
--- a/packages/core/test/sanitization/style_sanitizer_spec.ts
+++ b/packages/core/test/sanitization/style_sanitizer_spec.ts
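Review bot: The restored `URL_RE` on the `+` line carries no comment saying why `)` is excluded from the capture group, and the reverted `[\w\W]*` form shows exactly why it matters: with only the trailing `$` anchor to stop it, the capture could run past the url() call's own closing paren and swallow any further text that happens to end in `)`, so whatever check is later applied to the captured value would see more than a single URL. `[^)]+` confines the match to one url(...) token, and I would record that intent next to the constant, e.g. `// ')' is deliberately excluded so the match cannot extend past url()'s own closing paren.` Note also that `[^)]+` rejects an empty `url()` that the `*` form accepted; if that is intended it is worth a word in the same comment. The doc comment above and the `SAFE_STYLE_VALUE` definition begin outside the hunk.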
@@ -32,7 +32,7 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
 expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
 expectSanitize('expression(haha)').toEqual('unsafe');
 });
- t.it('rejects unbalanced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
+ t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
 t.it('accepts transform functions', () => {
 expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
 expectSanitize('rotate(javascript:evil())').toEqual('unsafe');
@@ -58,7 +58,6 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
 t.it('accepts quoted URLs', () => {
 expectSanitize('url("foo/bar.png")').toEqual('url("foo/bar.png")');
 expectSanitize(`url('foo/bar.png')`).toEqual(`url('foo/bar.png')`);
- expectSanitize(`url('foo/bar (1).png')`).toEqual(`url('foo/bar (1).png')`);
 expectSanitize(`url( 'foo/bar.png'\n )`).toEqual(`url( 'foo/bar.png'\n )`);
 expectSanitize('url("javascript:evil()")').toEqual('unsafe');
 expectSanitize('url( " javascript:evil() " )').toEqual('unsafe');
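Review bot: The `+` line in the first spec hunk reintroduces the typo `unblanaced` in the test description; a revert of the regex does not have to carry the typo back, since the test name is not part of the behaviour under review. I would keep `t.it('rejects unbalanced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });`. The enclosing test group opens before and closes after this hunk.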
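Review bot: Dropping the `foo/bar (1).png` case from 'accepts quoted URLs' leaves no input in this group with a `)` inside the url() argument, so the restored `[^)]+` in `URL_RE` is no longer pinned by any test in either direction. Rather than deleting the line outright, I would keep it as a negative counterpart that expects `'unsafe'`, with the expected value confirmed against what `_sanitizeStyle` does when `URL_RE` fails to match, since that fallthrough is not visible in this diff. The `t.it` callback closes outside the hunk.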