diff options
| author | Tobias Bosch | 2013-11-25 15:40:18 -0800 |
|---|---|---|
| committer | Tobias Bosch | 2013-11-26 14:29:38 -0800 |
| commit | 333523483f3ce6dd3177b697a5e5a7177ca364c8 (patch) | |
| tree | 34cd700540680a7d9276cd1fe231b6f72fd232ae /test/ng | |
| parent | 68ceb17272bdd2ebc838565070973d93704f4427 (diff) | |
| download | angular.js-333523483f3ce6dd3177b697a5e5a7177ca364c8.tar.bz2 | |
fix($sanitize): Use same whitelist mechanism as $compile does.
`$sanitize` now uses the same mechanism as `$compile` to validate uris.
By this, the validation in `$sanitize` is more general and can be
configured in the same way as the one in `$compile`.
Changes
- Creates the new private service `$$sanitizeUri`.
- Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`.
- Refactors the `linky` filter to be less dependent on `$sanitize`
internal functions.
Fixes #3748.
Diffstat (limited to 'test/ng')
| -rwxr-xr-x | test/ng/compileSpec.js | 296 | ||||
| -rw-r--r-- | test/ng/sanitizeUriSpec.js | 230 |
2 files changed, 274 insertions, 252 deletions
diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js index 80788b02..6de96f65 100755 --- a/test/ng/compileSpec.js +++ b/test/ng/compileSpec.js @@ -3834,6 +3834,7 @@ describe('$compile', function() { describe('img[src] sanitization', function() { + it('should NOT require trusted values for img src', inject(function($rootScope, $compile, $sce) { element = $compile('<img src="{{testUrl}}"></img>')($rootScope); $rootScope.testUrl = 'http://example.com/image.png'; @@ -3845,127 +3846,6 @@ describe('$compile', function() { expect(element.attr('src')).toEqual('http://example.com/image2.png'); })); - it('should sanitize javascript: urls', inject(function($compile, $rootScope) { - element = $compile('<img src="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('unsafe:javascript:doEvilStuff()'); - })); - - it('should sanitize non-image data: urls', inject(function($compile, $rootScope) { - element = $compile('<img src="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "data:application/javascript;charset=US-ASCII,alert('evil!');"; - $rootScope.$apply(); - expect(element.attr('src')).toBe("unsafe:data:application/javascript;charset=US-ASCII,alert('evil!');"); - $rootScope.testUrl = "data:,foo"; - $rootScope.$apply(); - expect(element.attr('src')).toBe("unsafe:data:,foo"); - })); - - - it('should not sanitize data: URIs for images', inject(function($compile, $rootScope) { - element = $compile('<img src="{{dataUri}}"></img>')($rootScope); - - // image data uri - // ref: http://probablyprogramming.com/2009/03/15/the-tiniest-gif-ever - $rootScope.dataUri = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="; - $rootScope.$apply(); - expect(element.attr('src')).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=='); - })); - - - // Fails on IE <= 10 with "TypeError: Access is denied" when trying to set img[src] - if (!msie || msie > 10) { - it('should sanitize mailto: urls', inject(function($compile, $rootScope) { - element = $compile('<img src="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "mailto:foo@bar.com"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('unsafe:mailto:foo@bar.com'); - })); - } - - it('should sanitize obfuscated javascript: urls', inject(function($compile, $rootScope) { - element = $compile('<img src="{{testUrl}}"></img>')($rootScope); - - // case-sensitive - $rootScope.testUrl = "JaVaScRiPt:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].src).toBe('unsafe:javascript:doEvilStuff()'); - - // tab in protocol - $rootScope.testUrl = "java\u0009script:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].src).toMatch(/(http:\/\/|unsafe:javascript:doEvilStuff\(\))/); - - // space before - $rootScope.testUrl = " javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].src).toBe('unsafe:javascript:doEvilStuff()'); - - // ws chars before - $rootScope.testUrl = " \u000e javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].src).toMatch(/(http:\/\/|unsafe:javascript:doEvilStuff\(\))/); - - // post-fixed with proper url - $rootScope.testUrl = "javascript:doEvilStuff(); http://make.me/look/good"; - $rootScope.$apply(); - expect(element[0].src).toBeOneOf( - 'unsafe:javascript:doEvilStuff(); http://make.me/look/good', - 'unsafe:javascript:doEvilStuff();%20http://make.me/look/good' - ); - })); - - it('should sanitize ng-src bindings as well', inject(function($compile, $rootScope) { - element = $compile('<img ng-src="{{testUrl}}"></img>')($rootScope); - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - - expect(element[0].src).toBe('unsafe:javascript:doEvilStuff()'); - })); - - - it('should not sanitize valid urls', inject(function($compile, $rootScope) { - element = $compile('<img src="{{testUrl}}"></img>')($rootScope); - - $rootScope.testUrl = "foo/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('foo/bar'); - - $rootScope.testUrl = "/foo/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('/foo/bar'); - - $rootScope.testUrl = "../foo/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('../foo/bar'); - - $rootScope.testUrl = "#foo"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('#foo'); - - $rootScope.testUrl = "http://foo.com/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('http://foo.com/bar'); - - $rootScope.testUrl = " http://foo.com/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe(' http://foo.com/bar'); - - $rootScope.testUrl = "https://foo.com/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('https://foo.com/bar'); - - $rootScope.testUrl = "ftp://foo.com/bar"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('ftp://foo.com/bar'); - - $rootScope.testUrl = "file:///foo/bar.html"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('file:///foo/bar.html'); - })); - - it('should not sanitize attributes other than src', inject(function($compile, $rootScope) { element = $compile('<img title="{{testUrl}}"></img>')($rootScope); $rootScope.testUrl = "javascript:doEvilStuff()"; @@ -3974,141 +3854,42 @@ describe('$compile', function() { expect(element.attr('title')).toBe('javascript:doEvilStuff()'); })); + it('should use $$sanitizeUriProvider for reconfiguration of the src whitelist', function() { + module(function($compileProvider, $$sanitizeUriProvider) { + var newRe = /javascript:/, + returnVal; + expect($compileProvider.imgSrcSanitizationWhitelist()).toBe($$sanitizeUriProvider.imgSrcSanitizationWhitelist()); - it('should allow reconfiguration of the src whitelist', function() { - module(function($compileProvider) { - expect($compileProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true); - var returnVal = $compileProvider.imgSrcSanitizationWhitelist(/javascript:/); + returnVal = $compileProvider.imgSrcSanitizationWhitelist(newRe); expect(returnVal).toBe($compileProvider); + expect($$sanitizeUriProvider.imgSrcSanitizationWhitelist()).toBe(newRe); + expect($compileProvider.imgSrcSanitizationWhitelist()).toBe(newRe); }); + inject(function() { + // needed to the module definition above is run... + }); + }); + it('should use $$sanitizeUri', function() { + var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri'); + module(function($provide) { + $provide.value('$$sanitizeUri', $$sanitizeUri); + }); inject(function($compile, $rootScope) { element = $compile('<img src="{{testUrl}}"></img>')($rootScope); + $rootScope.testUrl = "someUrl"; - // Fails on IE <= 11 with "TypeError: Object doesn't support this property or method" when - // trying to set img[src] - if (!msie || msie > 11) { - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element.attr('src')).toBe('javascript:doEvilStuff()'); - } - - $rootScope.testUrl = "http://recon/figured"; + $$sanitizeUri.andReturn('someSanitizedUrl'); $rootScope.$apply(); - expect(element.attr('src')).toBe('unsafe:http://recon/figured'); + expect(element.attr('src')).toBe('someSanitizedUrl'); + expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, true); }); }); - }); describe('a[href] sanitization', function() { - it('should sanitize javascript: urls', inject(function($compile, $rootScope) { - element = $compile('<a href="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - - expect(element.attr('href')).toBe('unsafe:javascript:doEvilStuff()'); - })); - - - it('should sanitize data: urls', inject(function($compile, $rootScope) { - element = $compile('<a href="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "data:evilPayload"; - $rootScope.$apply(); - - expect(element.attr('href')).toBe('unsafe:data:evilPayload'); - })); - - - it('should sanitize obfuscated javascript: urls', inject(function($compile, $rootScope) { - element = $compile('<a href="{{testUrl}}"></a>')($rootScope); - - // case-sensitive - $rootScope.testUrl = "JaVaScRiPt:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].href).toBe('unsafe:javascript:doEvilStuff()'); - - // tab in protocol - $rootScope.testUrl = "java\u0009script:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].href).toMatch(/(http:\/\/|unsafe:javascript:doEvilStuff\(\))/); - - // space before - $rootScope.testUrl = " javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].href).toBe('unsafe:javascript:doEvilStuff()'); - - // ws chars before - $rootScope.testUrl = " \u000e javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element[0].href).toMatch(/(http:\/\/|unsafe:javascript:doEvilStuff\(\))/); - - // post-fixed with proper url - $rootScope.testUrl = "javascript:doEvilStuff(); http://make.me/look/good"; - $rootScope.$apply(); - expect(element[0].href).toBeOneOf( - 'unsafe:javascript:doEvilStuff(); http://make.me/look/good', - 'unsafe:javascript:doEvilStuff();%20http://make.me/look/good' - ); - })); - - - it('should sanitize ngHref bindings as well', inject(function($compile, $rootScope) { - element = $compile('<a ng-href="{{testUrl}}"></a>')($rootScope); - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - - expect(element[0].href).toBe('unsafe:javascript:doEvilStuff()'); - })); - - - it('should not sanitize valid urls', inject(function($compile, $rootScope) { - element = $compile('<a href="{{testUrl}}"></a>')($rootScope); - - $rootScope.testUrl = "foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('foo/bar'); - - $rootScope.testUrl = "/foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('/foo/bar'); - - $rootScope.testUrl = "../foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('../foo/bar'); - - $rootScope.testUrl = "#foo"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('#foo'); - - $rootScope.testUrl = "http://foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('http://foo/bar'); - - $rootScope.testUrl = " http://foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe(' http://foo/bar'); - - $rootScope.testUrl = "https://foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('https://foo/bar'); - - $rootScope.testUrl = "ftp://foo/bar"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('ftp://foo/bar'); - - $rootScope.testUrl = "mailto:foo@bar.com"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('mailto:foo@bar.com'); - - $rootScope.testUrl = "file:///foo/bar.html"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('file:///foo/bar.html'); - })); - - it('should not sanitize href on elements other than anchor', inject(function($compile, $rootScope) { element = $compile('<div href="{{testUrl}}"></div>')($rootScope); $rootScope.testUrl = "javascript:doEvilStuff()"; @@ -4117,7 +3898,6 @@ describe('$compile', function() { expect(element.attr('href')).toBe('javascript:doEvilStuff()'); })); - it('should not sanitize attributes other than href', inject(function($compile, $rootScope) { element = $compile('<a title="{{testUrl}}"></a>')($rootScope); $rootScope.testUrl = "javascript:doEvilStuff()"; @@ -4126,26 +3906,38 @@ describe('$compile', function() { expect(element.attr('title')).toBe('javascript:doEvilStuff()'); })); + it('should use $$sanitizeUriProvider for reconfiguration of the href whitelist', function() { + module(function($compileProvider, $$sanitizeUriProvider) { + var newRe = /javascript:/, + returnVal; + expect($compileProvider.aHrefSanitizationWhitelist()).toBe($$sanitizeUriProvider.aHrefSanitizationWhitelist()); - it('should allow reconfiguration of the href whitelist', function() { - module(function($compileProvider) { - expect($compileProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true); - var returnVal = $compileProvider.aHrefSanitizationWhitelist(/javascript:/); + returnVal = $compileProvider.aHrefSanitizationWhitelist(newRe); expect(returnVal).toBe($compileProvider); + expect($$sanitizeUriProvider.aHrefSanitizationWhitelist()).toBe(newRe); + expect($compileProvider.aHrefSanitizationWhitelist()).toBe(newRe); + }); + inject(function() { + // needed to the module definition above is run... }); + }); + it('should use $$sanitizeUri', function() { + var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri'); + module(function($provide) { + $provide.value('$$sanitizeUri', $$sanitizeUri); + }); inject(function($compile, $rootScope) { element = $compile('<a href="{{testUrl}}"></a>')($rootScope); + $rootScope.testUrl = "someUrl"; - $rootScope.testUrl = "javascript:doEvilStuff()"; - $rootScope.$apply(); - expect(element.attr('href')).toBe('javascript:doEvilStuff()'); - - $rootScope.testUrl = "http://recon/figured"; + $$sanitizeUri.andReturn('someSanitizedUrl'); $rootScope.$apply(); - expect(element.attr('href')).toBe('unsafe:http://recon/figured'); + expect(element.attr('href')).toBe('someSanitizedUrl'); + expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false); }); }); + }); describe('interpolation on HTML DOM event handler attributes onclick, onXYZ, formaction', function() { diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js new file mode 100644 index 00000000..b9f6a0e2 --- /dev/null +++ b/test/ng/sanitizeUriSpec.js @@ -0,0 +1,230 @@ +'use strict'; + +describe('sanitizeUri', function() { + var sanitizeHref, sanitizeImg, sanitizeUriProvider, testUrl; + beforeEach(function() { + module(function(_$$sanitizeUriProvider_) { + sanitizeUriProvider = _$$sanitizeUriProvider_; + }); + inject(function($$sanitizeUri) { + sanitizeHref = function(uri) { + return $$sanitizeUri(uri, false); + }; + sanitizeImg = function(uri) { + return $$sanitizeUri(uri, true); + } + }); + }); + + function isEvilInCurrentBrowser(uri) { + var a = document.createElement('a'); + a.setAttribute('href', uri); + return a.href.substring(0, 4) !== 'http'; + } + + describe('img[src] sanitization', function() { + + it('should sanitize javascript: urls', function() { + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + }); + + it('should sanitize non-image data: urls', function() { + testUrl = "data:application/javascript;charset=US-ASCII,alert('evil!');"; + expect(sanitizeImg(testUrl)).toBe("unsafe:data:application/javascript;charset=US-ASCII,alert('evil!');"); + + testUrl = "data:,foo"; + expect(sanitizeImg(testUrl)).toBe("unsafe:data:,foo"); + }); + + it('should not sanitize data: URIs for images', function() { + // image data uri + // ref: http://probablyprogramming.com/2009/03/15/the-tiniest-gif-ever + testUrl = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=="; + expect(sanitizeImg(testUrl)).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=='); + }); + + it('should sanitize mailto: urls', function() { + testUrl = "mailto:foo@bar.com"; + expect(sanitizeImg(testUrl)).toBe('unsafe:mailto:foo@bar.com'); + }); + + it('should sanitize obfuscated javascript: urls', function() { + // case-sensitive + testUrl = "JaVaScRiPt:doEvilStuff()"; + expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + + // tab in protocol + testUrl = "java\u0009script:doEvilStuff()"; + if (isEvilInCurrentBrowser(testUrl)) { + expect(sanitizeImg(testUrl)).toEqual('unsafe:javascript:doEvilStuff()'); + } + + // space before + testUrl = " javascript:doEvilStuff()"; + expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + + // ws chars before + testUrl = " \u000e javascript:doEvilStuff()"; + if (isEvilInCurrentBrowser(testUrl)) { + expect(sanitizeImg(testUrl)).toEqual('unsafe:javascript:doEvilStuff()'); + } + + // post-fixed with proper url + testUrl = "javascript:doEvilStuff(); http://make.me/look/good"; + expect(sanitizeImg(testUrl)).toBeOneOf( + 'unsafe:javascript:doEvilStuff(); http://make.me/look/good', + 'unsafe:javascript:doEvilStuff();%20http://make.me/look/good' + ); + }); + + it('should sanitize ng-src bindings as well', function() { + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + }); + + + it('should not sanitize valid urls', function() { + testUrl = "foo/bar"; + expect(sanitizeImg(testUrl)).toBe('foo/bar'); + + testUrl = "/foo/bar"; + expect(sanitizeImg(testUrl)).toBe('/foo/bar'); + + testUrl = "../foo/bar"; + expect(sanitizeImg(testUrl)).toBe('../foo/bar'); + + testUrl = "#foo"; + expect(sanitizeImg(testUrl)).toBe('#foo'); + + testUrl = "http://foo.com/bar"; + expect(sanitizeImg(testUrl)).toBe('http://foo.com/bar'); + + testUrl = " http://foo.com/bar"; + expect(sanitizeImg(testUrl)).toBe(' http://foo.com/bar'); + + testUrl = "https://foo.com/bar"; + expect(sanitizeImg(testUrl)).toBe('https://foo.com/bar'); + + testUrl = "ftp://foo.com/bar"; + expect(sanitizeImg(testUrl)).toBe('ftp://foo.com/bar'); + + testUrl = "file:///foo/bar.html"; + expect(sanitizeImg(testUrl)).toBe('file:///foo/bar.html'); + }); + + + it('should allow reconfiguration of the src whitelist', function() { + var returnVal; + expect(sanitizeUriProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.imgSrcSanitizationWhitelist(/javascript:/); + expect(returnVal).toBe(sanitizeUriProvider); + + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeImg(testUrl)).toBe('javascript:doEvilStuff()'); + + testUrl = "http://recon/figured"; + expect(sanitizeImg(testUrl)).toBe('unsafe:http://recon/figured'); + }); + + }); + + + describe('a[href] sanitization', function() { + + it('should sanitize javascript: urls', inject(function() { + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeHref(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + })); + + + it('should sanitize data: urls', inject(function() { + testUrl = "data:evilPayload"; + expect(sanitizeHref(testUrl)).toBe('unsafe:data:evilPayload'); + })); + + + it('should sanitize obfuscated javascript: urls', inject(function() { + // case-sensitive + testUrl = "JaVaScRiPt:doEvilStuff()"; + expect(sanitizeHref(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + + // tab in protocol + testUrl = "java\u0009script:doEvilStuff()"; + if (isEvilInCurrentBrowser(testUrl)) { + expect(sanitizeHref(testUrl)).toEqual('unsafe:javascript:doEvilStuff()'); + } + + // space before + testUrl = " javascript:doEvilStuff()"; + expect(sanitizeHref(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + + // ws chars before + testUrl = " \u000e javascript:doEvilStuff()"; + if (isEvilInCurrentBrowser(testUrl)) { + expect(sanitizeHref(testUrl)).toEqual('unsafe:javascript:doEvilStuff()'); + } + + // post-fixed with proper url + testUrl = "javascript:doEvilStuff(); http://make.me/look/good"; + expect(sanitizeHref(testUrl)).toBeOneOf( + 'unsafe:javascript:doEvilStuff(); http://make.me/look/good', + 'unsafe:javascript:doEvilStuff();%20http://make.me/look/good' + ); + })); + + + it('should sanitize ngHref bindings as well', inject(function() { + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeHref(testUrl)).toBe('unsafe:javascript:doEvilStuff()'); + })); + + + it('should not sanitize valid urls', inject(function() { + testUrl = "foo/bar"; + expect(sanitizeHref(testUrl)).toBe('foo/bar'); + + testUrl = "/foo/bar"; + expect(sanitizeHref(testUrl)).toBe('/foo/bar'); + + testUrl = "../foo/bar"; + expect(sanitizeHref(testUrl)).toBe('../foo/bar'); + + testUrl = "#foo"; + expect(sanitizeHref(testUrl)).toBe('#foo'); + + testUrl = "http://foo/bar"; + expect(sanitizeHref(testUrl)).toBe('http://foo/bar'); + + testUrl = " http://foo/bar"; + expect(sanitizeHref(testUrl)).toBe(' http://foo/bar'); + + testUrl = "https://foo/bar"; + expect(sanitizeHref(testUrl)).toBe('https://foo/bar'); + + testUrl = "ftp://foo/bar"; + expect(sanitizeHref(testUrl)).toBe('ftp://foo/bar'); + + testUrl = "mailto:foo@bar.com"; + expect(sanitizeHref(testUrl)).toBe('mailto:foo@bar.com'); + + testUrl = "file:///foo/bar.html"; + expect(sanitizeHref(testUrl)).toBe('file:///foo/bar.html'); + })); + + it('should allow reconfiguration of the href whitelist', function() { + var returnVal; + expect(sanitizeUriProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.aHrefSanitizationWhitelist(/javascript:/); + expect(returnVal).toBe(sanitizeUriProvider); + + testUrl = "javascript:doEvilStuff()"; + expect(sanitizeHref(testUrl)).toBe('javascript:doEvilStuff()'); + + testUrl = "http://recon/figured"; + expect(sanitizeHref(testUrl)).toBe('unsafe:http://recon/figured'); + }); + + }); + +});
\ No newline at end of file |