fix($compile): secure form[action] & iframe[srcdoc]

Require bindings to form[action] to be $sce.RESOURCE_URL and bindings to iframe[srcdoc] to be $sce.HTML Closes #4927 Closes #4933
author: Chirayu Krishnappa 2013-11-12 15:32:52 -0800
committer: Igor Minar 2013-11-21 23:15:15 -0800
commit: 0421cb4200e672818ed10996e92311404c150c3a (patch)
tree: 384b9bc6236a62a0b9a01fa406b1cdb83d7e9aad /src/ng/compile.js
parent: 6f1050df4fa885bd59ce85adbef7350ea93911a3 (diff)
download: angular.js-0421cb4200e672818ed10996e92311404c150c3a.tar.bz2
1 files changed, 7 insertions, 2 deletions
diff --git a/src/ng/compile.js b/src/ng/compile.js
index d977f173..4eb12019 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -1780,10 +1780,15 @@ function $CompileProvider($provide) {
 
 
     function getTrustedContext(node, attrNormalizedName) {
+      if (attrNormalizedName == "srcdoc") {
+        return $sce.HTML;
+      }
+      var tag = nodeName_(node);
       // maction[xlink:href] can source SVG.  It's not limited to <maction>.
       if (attrNormalizedName == "xlinkHref" ||
-          (nodeName_(node) != "IMG" && (attrNormalizedName == "src" ||
-                                        attrNormalizedName == "ngSrc"))) {
+          (tag == "FORM" && attrNormalizedName == "action") ||
+          (tag != "IMG" && (attrNormalizedName == "src" ||
+                            attrNormalizedName == "ngSrc"))) {
         return $sce.RESOURCE_URL;
       }
     }
author	Chirayu Krishnappa	2013-11-12 15:32:52 -0800
committer	Igor Minar	2013-11-21 23:15:15 -0800
commit	0421cb4200e672818ed10996e92311404c150c3a (patch)
tree	384b9bc6236a62a0b9a01fa406b1cdb83d7e9aad /src/ng/compile.js
parent	6f1050df4fa885bd59ce85adbef7350ea93911a3 (diff)
download	angular.js-0421cb4200e672818ed10996e92311404c150c3a.tar.bz2