| -rw-r--r-- | src/ngSanitize/sanitize.js | 8 | ||||
| -rw-r--r-- | test/ngSanitize/sanitizeSpec.js | 10 | 
2 files changed, 17 insertions, 1 deletions
diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index 6f28324e..73340043 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -141,6 +141,7 @@ var START_TAG_REGEXP = /^<\s*([\w:-]+)((?:\s+[\w:-]+(?:\s*=\s*(?:(?:"[^"]*")|(?:
   BEGIN_TAG_REGEXP = /^</,
   BEGING_END_TAGE_REGEXP = /^<\s*\//,
   COMMENT_REGEXP = /<!--(.*?)-->/g,
+  DOCTYPE_REGEXP = /<!DOCTYPE([^>]*?)>/i,
   CDATA_REGEXP = /<!\[CDATA\[(.*?)]]>/g,
   URI_REGEXP = /^((ftp|https?):\/\/|mailto:|#)/i,
   NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // Match everything outside of normal chars and " (quote character)
@@ -223,7 +224,14 @@ function htmlParser( html, handler ) {
           html = html.substring( index + 3 );
           chars = false;
         }
+      // DOCTYPE
+      } else if ( DOCTYPE_REGEXP.test(html) ) {
+        match = html.match( DOCTYPE_REGEXP );
+        if ( match ) {
+          html = html.replace( match[0] , '');
+          chars = false;
+        }
       // end tag
       } else if ( BEGING_END_TAGE_REGEXP.test(html) ) {
         match = html.match( END_TAG_REGEXP );
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
index 2a53b532..bb52bb9a 100644
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@@ -24,7 +24,7 @@ describe('HTML', function() {
                 attrs: attrs,
                 unary: unary
             };
-            // Since different browsers handle newlines differenttly we trim
+            // Since different browsers handle newlines differently we trim
             // so that it is easier to write tests.
             angular.forEach(attrs, function(value, key) {
               attrs[key] = value.replace(/^\s*/, '').replace(/\s*$/, '')
@@ -80,6 +80,13 @@ describe('HTML', function() {
     expectHTML('a<SCRIPT>evil< / scrIpt >c.').toEqual('ac.');
   });
+  it('should remove DOCTYPE header', function() {
+    expectHTML('<!DOCTYPE html>').toEqual('');
+    expectHTML('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"\n"http://www.w3.org/TR/html4/strict.dtd">').toEqual('');
+    expectHTML('a<!DOCTYPE html>c.').toEqual('ac.');
+    expectHTML('a<!DocTyPe html>c.').toEqual('ac.');
+  });
+
   it('should remove nested script', function() {
     expectHTML('a< SCRIPT >A< SCRIPT >evil< / scrIpt >B< / scrIpt >c.').toEqual('ac.');
   });
@@ -286,5 +293,6 @@ describe('HTML', function() {
       });
     });
+    });
 });
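Review bot: `DOCTYPE_REGEXP` is the only branch predicate in `htmlParser` that is not anchored to the start of the remaining input — `BEGIN_TAG_REGEXP = /^</` and `BEGING_END_TAGE_REGEXP = /^<\s*\//` in the first hunk both are — so `DOCTYPE_REGEXP.test(html)` in the second hunk fires whenever a doctype occurs anywhere later in the string, and because this branch sits ahead of the end-tag and start-tag branches the doctype is spliced out of the middle of the input by `html.replace(...)` while whatever precedes it is presumably handled on a later iteration. On untrusted input without a doctype this also means every loop iteration rescans the whole remaining string with the regex, which looks quadratic in input length. Anchoring keeps the check local and cheap: `DOCTYPE_REGEXP = /^<!DOCTYPE([^>]*?)>/i,` in the first hunk, and in the second hunk `html = html.substring( match[0].length );` in place of the `replace` (the `if ( match )` guard is then redundant since `.test` already succeeded, and the lazy `*?` on `[^>]` is a no-op either way). The `a<!DOCTYPE html>c.` case in the spec should still hold with the anchored form if the leading text is emitted by the chars path before the doctype is reached, which I cannot confirm from the hunk. htmlParser's loop begins and ends outside the hunk.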
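Review bot: The new DOCTYPE cases only place the doctype at the start of the input or after a bare character, so nothing pins its removal when it follows markup, which is exactly where the parser's branch order (DOCTYPE checked before end/start tags) makes a difference. A case such as `expectHTML('<b>x</b><!DOCTYPE html>y').toEqual('<b>x</b>y');` would document that removal is position-independent and would flag a regression if the regex is later anchored, assuming `<b>` is retained by the sanitizer as elsewhere in this spec. The enclosing `describe('HTML', …)` starts and ends outside the hunk.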
