Misko Hevery 6bf99e0eda fix(core): fix possible XSS attack in development through SSR (#40525)
This is a follow up fix for
894286dd0c.

It turns out that comments can be closed in several ways:
- `<!-->`
- `<!-- -->`
- `<!-- --!>`

All of the above are valid ways to close comment per:
https://html.spec.whatwg.org/multipage/syntax.html#comments

The new fix surrounds `<` and `>` with a zero-width space so that the text
renders the same way, but the comment can no longer be closed early.

PR Close #40525
2021-01-26 09:32:27 -08:00


/**
* @license
* Copyright Google LLC All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.io/license
*/
import {escapeCommentText} from '@angular/core/src/util/dom';
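describe('comment node text escaping', () => {
  describe('escapeCommentText', () => {
    // U+200B (ZERO WIDTH SPACE). escapeCommentText wraps a `<` or `>` that
    // takes part in a comment open/close sequence with this character: the
    // text renders unchanged, but the sequence can no longer terminate the
    // enclosing comment early (the SSR comment-injection fix this spec pins).
    const ZWSP = '\u200b';

    /**
     * Asserts that `escapeCommentText(input)` yields exactly `expected`.
     * @param {string} input - raw text destined for a comment node.
     * @param {string} expected - the same text with ZWSP inserted where required.
     */
    const expectEscaped = (input, expected) => {
      expect(escapeCommentText(input)).toEqual(expected);
    };

    it('should not change anything on basic text', () => {
      expectEscaped('text', 'text');
    });

    it('should escape "<" or ">"', () => {
      expectEscaped('<!--', `${ZWSP}<${ZWSP}!--`);
      expectEscaped('<!--<!--', `${ZWSP}<${ZWSP}!--${ZWSP}<${ZWSP}!--`);
      expectEscaped('>', `${ZWSP}>${ZWSP}`);
      expectEscaped('>-->', `${ZWSP}>${ZWSP}--${ZWSP}>${ZWSP}`);
    });

    it('should escape end marker', () => {
      expectEscaped('before-->after', `before--${ZWSP}>${ZWSP}after`);
    });

    it('should escape multiple markers', () => {
      // Every marker in the string must be escaped, not only the first one.
      expectEscaped(
          'before-->inline-->after', `before--${ZWSP}>${ZWSP}inline--${ZWSP}>${ZWSP}after`);
    });

    // Test name fixed: it previously read "should caver the spec".
    it('should cover the spec', () => {
      // Each sequence the HTML spec treats as opening or closing a comment:
      // https://html.spec.whatwg.org/multipage/syntax.html#comments
      expectEscaped('>', `${ZWSP}>${ZWSP}`);
      expectEscaped('->', `-${ZWSP}>${ZWSP}`);
      expectEscaped('<!--', `${ZWSP}<${ZWSP}!--`);
      expectEscaped('-->', `--${ZWSP}>${ZWSP}`);
      expectEscaped('--!>', `--!${ZWSP}>${ZWSP}`);
      expectEscaped('<!-', `${ZWSP}<${ZWSP}!-`);
      // Sequences that do not form a comment open/close marker are left unchanged.
      expectEscaped('.>', '.>');
      expectEscaped('.->', '.->');
      expectEscaped('<!-.', '<!-.');
    });
  });
});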