authorChirayu Krishnappa2013-06-21 13:03:56 -0700
committerChirayu Krishnappa2013-06-21 17:37:44 -0700
commit39841f2ec9b17b3b2920fd1eb548d444251f4f56 (patch)
tree0776f7918d3b3bfbab22507a2ace7dc5fa43bc1c /src/ng/compile.js
parent1adf29af13890d61286840177607edd552a9df97 (diff)
downloadangular.js-39841f2ec9b17b3b2920fd1eb548d444251f4f56.tar.bz2
fix($compile): disallow interpolations for DOM event handlers
BREAKING CHANGE: Interpolations inside DOM event handlers are disallowed. DOM event handlers execute arbitrary JavaScript code. Using an interpolation for such handlers means that the interpolated value is a JavaScript string that is evaluated. Storing or generating such strings is error-prone and easily leads to XSS unless you are extremely careful. On the other hand, ng-click and such event handlers evaluate Angular expressions that are a lot safer (e.g. No direct access to global objects - only scope), cleaner and harder to exploit. To migrate the code follow the example below: Before: JS: scope.foo = 'alert(1)'; HTML: <div onclick="{{foo}}"> After: JS: scope.foo = function() { alert(1); } HTML: <div ng-click="foo()">
Diffstat (limited to 'src/ng/compile.js')
-rw-r--r--src/ng/compile.js10
1 files changed, 10 insertions, 0 deletions
diff --git a/src/ng/compile.js b/src/ng/compile.js
index d85af28c..91844f45 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -155,6 +155,10 @@ function $CompileProvider($provide) {
CLASS_DIRECTIVE_REGEXP = /(([\d\w\-_]+)(?:\:([^;]+))?;?)/,
urlSanitizationWhitelist = /^\s*(https?|ftp|mailto|file):/;
+ // Ref: http://developers.whatwg.org/webappapis.html#event-handler-idl-attributes
+ // The assumption is that future DOM event attribute names will begin with
+ // 'on' and be composed of only English letters.
+ var EVENT_HANDLER_ATTR_REGEXP = /^(on[a-z]*|formaction)$/;
/**
* @ngdoc function
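Review bot: The pattern in `var EVENT_HANDLER_ATTR_REGEXP = /^(on[a-z]*|formaction)$/;` is case-sensitive, while HTML attribute names are not, and whether `name` has been lowercased before it reaches this check is not visible in this hunk. If it has not, `onClick="{{foo}}"` or `FORMACTION="{{url}}"` would slip past the guard; the `i` flag costs nothing even when names are already normalized, so `var EVENT_HANDLER_ATTR_REGEXP = /^(on[a-z]*|formaction)$/i;` is the safer form. The comment above the declaration could also state the assumption it relies on, e.g. `// NOTE: assumes the attribute name has been lowercased by the caller; the 'i' flag guards the case where it has not.`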
@@ -1165,6 +1169,12 @@ function $CompileProvider($provide) {
compile: valueFn(function attrInterpolateLinkFn(scope, element, attr) {
var $$observers = (attr.$$observers || (attr.$$observers = {}));
+ if (EVENT_HANDLER_ATTR_REGEXP.test(name)) {
+ throw $compileMinErr('nodomevents',
+ "Interpolations for HTML DOM event attributes are disallowed. Please use the ng- " +
+ "versions (such as ng-click instead of onclick) instead.");
+ }
+
// we need to interpolate again, in case the attribute value has been updated
// (e.g. by another directive's compile function)
interpolateFn = $interpolate(attr[name], true);
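Review bot: The new guard in `attrInterpolateLinkFn` runs at link time, presumably once per linked element instance, and only after `attr.$$observers` has already been allocated, although the only thing it inspects (`name`) is known when the directive is built; since `compile: valueFn(...)` merely wraps the link function, the check can move into a real compile function and fail fast, once, before any linking work is done. The message would also be more actionable if it named the offending attribute, assuming `$compileMinErr` supports `{0}` placeholders, which this hunk does not show. The enclosing directive definition begins before this hunk and the link function's body continues past it.
```javascript
compile: function() {
  // Reject DOM event handler attributes up front, before any linking work.
  if (EVENT_HANDLER_ATTR_REGEXP.test(name)) {
    throw $compileMinErr('nodomevents',
        "Interpolations for HTML DOM event attributes are disallowed. Please use the ng- " +
        "versions (such as ng-click instead of onclick) instead.");
  }
  return function attrInterpolateLinkFn(scope, element, attr) {
    var $$observers = (attr.$$observers || (attr.$$observers = {}));
    // … unchanged: re-interpolation of attr[name] and observer wiring …
```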