| author | R. Merkert | 2013-08-17 19:09:28 -0400 | 
|---|---|---|
| committer | Vojta Jina | 2013-09-11 22:40:09 +0200 | 
| commit | 21e9e8cf68ef007136da6cc212d2f1f252fb668a (patch) | |
| tree | 39bd8e8fb2c2b8fc267d714e4b85b7b6604c0e46 /test/ngSanitize/sanitizeSpec.js | |
| parent | bf512bb8ee696f7644879cf0ba33e01cbf9e2153 (diff) | |
| download | angular.js-21e9e8cf68ef007136da6cc212d2f1f252fb668a.tar.bz2 | |
fix(ngSanitize): sanitizer should not accept <!--> as a valid comment
According to http://validator.w3.org/ , <!--> is not a valid comment
and neither is any comment containing the -- substring.
Diffstat (limited to 'test/ngSanitize/sanitizeSpec.js')
| -rw-r--r-- | test/ngSanitize/sanitizeSpec.js | 34 | 
1 files changed, 33 insertions, 1 deletions
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
index f97e86a6..ae1271f0 100644
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@@ -15,7 +15,7 @@ describe('HTML', function() {
   describe('htmlParser', function() {
     if (angular.isUndefined(window.htmlParser)) return;
-    var handler, start, text;
+    var handler, start, text, comment;
     beforeEach(function() {
       handler = {
           start: function(tag, attrs, unary){
@@ -35,10 +35,42 @@ describe('HTML', function() {
           },
           end:function(tag) {
             expect(tag).toEqual(start.tag);
+          },
+          comment:function(comment_) {
+            comment = comment_;
           }
       };
     });
+    it('should parse comments', function() {
+      htmlParser('<!--FOOBAR-->', handler);
+      expect(comment).toEqual('FOOBAR');
+    });
+
+    it('should throw an exception for invalid comments', function() {
+      var caught=false;
+      try {
+        htmlParser('<!-->', handler);
+      }
+      catch (ex) {
+        caught = true;
+        // expected an exception due to a bad parse
+      }
+      expect(caught).toBe(true);
+    });
+
+    it('double-dashes are not allowed in a comment', function() {
+      var caught=false;
+      try {
+        htmlParser('<!-- -- -->', handler);
+      }
+      catch (ex) {
+        caught = true;
+        // expected an exception due to a bad parse
+      }
+      expect(caught).toBe(true);
+    });
+
     it('should parse basic format', function() {
       htmlParser('<tag attr="value">text</tag>', handler);
       expect(start).toEqual({tag:'tag', attrs:{attr:'value'}, unary:false});  | 
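Review bot: The two negative specs in the second hunk pass on any exception at all, so an unrelated error inside `htmlParser` would satisfy them just as well as the intended parse rejection. The try/catch plus `caught` flag can be replaced with `expect(function() { htmlParser('<!-->', handler); }).toThrow();`, ideally matching the parser's error message if it has a stable one. The shared `comment` variable is also never reset, so these specs cannot assert that a rejected comment was kept away from the handler. Adding `comment = undefined;` to `beforeEach` and `expect(comment).toBeUndefined();` after each rejected input would pin that. Only the spec file is visible on this page, so it is worth confirming separately how callers of the sanitizer see this new throw on malformed comments, since untrusted markup can now raise instead of being stripped.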
