| author | Chirayu Krishnappa | 2013-06-21 12:33:03 -0700 | 
|---|---|---|
| committer | Chirayu Krishnappa | 2013-06-21 17:26:42 -0700 | 
| commit | 1adf29af13890d61286840177607edd552a9df97 (patch) | |
| tree | f8ad9cd8ee1e546f045d49146bf78b1f9fb6e344 /src | |
| parent | 99e85fc9b5b71a1bf3e54126b9c080b3c355c336 (diff) | |
| download | angular.js-1adf29af13890d61286840177607edd552a9df97.tar.bz2 | |
fix($compile): sanitize values bound to img[src]
Ref: 9532234bf1c408af9a6fd2c4743fdb585b920531
BREAKING CHANGE: img[src] URLs are now sanitized using the same whitelist
    as a[href] URLs.  The most obvious impact is if you were using data:
    URIs.  data: URIs will be whitelisted for img[src] in a future
    commit.
Diffstat (limited to 'src')
| -rw-r--r-- | src/ng/compile.js | 20 | 
1 files changed, 12 insertions, 8 deletions
diff --git a/src/ng/compile.js b/src/ng/compile.js
index 851f2404..d85af28c 100644
--- a/src/ng/compile.js
+++ b/src/ng/compile.js
@@ -215,14 +215,15 @@ function $CompileProvider($provide) {
    *
    * @description
    * Retrieves or overrides the default regular expression that is used for whitelisting of safe
-   * urls during a[href] sanitization.
+   * urls during a[href] and img[src] sanitization.
    *
    * The sanitization is a security measure aimed at prevent XSS attacks via html links.
    *
-   * Any url about to be assigned to a[href] via data-binding is first normalized and turned into an
-   * absolute url. Afterwards the url is matched against the `urlSanitizationWhitelist` regular
-   * expression. If a match is found the original url is written into the dom. Otherwise the
-   * absolute url is prefixed with `'unsafe:'` string and only then it is written into the DOM.
+   * Any url about to be assigned to a[href] or img[src] via data-binding is first normalized and
+   * turned into an absolute url. Afterwards, the url is matched against the
+   * `urlSanitizationWhitelist` regular expression. If a match is found, the original url is written
+   * into the dom. Otherwise, the absolute url is prefixed with `'unsafe:'` string and only then is
+   * it written into the DOM.
    *
    * @param {RegExp=} regexp New regexp to whitelist urls with.
    * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
@@ -264,7 +265,8 @@ function $CompileProvider($provide) {
       $set: function(key, value, writeAttr, attrName) {
         var booleanKey = getBooleanAttrName(this.$$element[0], key),
             $$observers = this.$$observers,
-            normalizedVal;
+            normalizedVal,
+            nodeName;
         if (booleanKey) {
           this.$$element.prop(key, value);
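Review bot: The unchanged context sentence `The sanitization is a security measure aimed at prevent XSS attacks via html links.` in the first hunk no longer matches the widened scope, because the surrounding text now covers img[src] as well as a[href]. Suggested wording: `The sanitization is a security measure aimed at preventing XSS attacks via html links and image sources.` Going by the BREAKING CHANGE note in the commit message, the doc block could also say that `data:` URLs bound to img[src] do not pass the shared whitelist and are written with the `'unsafe:'` prefix, so that users who hit the change find the reason in the API docs. The doc comment starts and ends outside the hunk.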
@@ -284,8 +286,10 @@ function $CompileProvider($provide) {
         }
-        // sanitize a[href] values
-        if (nodeName_(this.$$element[0]) === 'A' && key === 'href') {
+        // sanitize a[href] and img[src] values
+        nodeName = nodeName_(this.$$element);
+        if ((nodeName === 'A' && key === 'href') ||
+            (nodeName === 'IMG' && key === 'src')){
           urlSanitizationNode.setAttribute('href', value);
           // href property always returns normalized absolute url, so we can match against that  |
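Review bot: The guard in `$set` fails open: it matches only the exact pairs `'A'`/`'href'` and `'IMG'`/`'src'`, so any other node name or key is written without the whitelist check. `nodeName_` is now passed the wrapper `this.$$element` where the old line passed `this.$$element[0]`. Its definition is outside this diff, so it is worth confirming that it unwraps the collection and returns an upper-case name on every supported browser, since an unexpected return value would make both comparisons false and skip sanitization silently. A comment such as `// only A[href] and IMG[src] are checked; both use urlSanitizationWhitelist, anything else is written as-is` would record that contract for the next maintainer. The body of `$set` continues past the end of the hunk.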
