-rw-r--r--angularFiles.js2
-rw-r--r--src/service/sanitize.js (renamed from src/sanitizer.js)96
2 files changed, 97 insertions, 1 deletions
diff --git a/angularFiles.js b/angularFiles.js
index 05f93bf8..1070299f 100644
--- a/angularFiles.js
+++ b/angularFiles.js
@@ -6,7 +6,6 @@ angularFiles = {
'src/JSON.js',
'src/Injector.js',
'src/Resource.js',
- 'src/sanitizer.js',
'src/jqLite.js',
'src/apis.js',
'src/service/anchorScroll.js',
@@ -34,6 +33,7 @@ angularFiles = {
'src/service/route.js',
'src/service/routeParams.js',
'src/service/scope.js',
+ 'src/service/sanitize.js',
'src/service/sniffer.js',
'src/service/window.js',
'src/service/http.js',
diff --git a/src/sanitizer.js b/src/service/sanitize.js
index 207b1039..0d5c74af 100644
--- a/src/sanitizer.js
+++ b/src/service/sanitize.js
@@ -16,6 +16,102 @@
*
*/
+
+
+/**
+ * @ngdoc service
+ * @name angular.module.ng.$sanitize
+ * @function
+ *
+ * @description
+ * The input is sanitized by parsing the html into tokens. All safe tokens (from a whitelist) are
+ * then serialized back to properly escaped html string. This means that no unsafe input can make
+ * it into the returned string, however, since our parser is more strict than a typical browser
+ * parser, it's possible that some obscure input, which would be recognized as valid HTML by a
+ * browser, won't make it through the sanitizer.
+ *
+ * @param {string} html Html input.
+ * @returns {string} Sanitized html.
+ *
+ * @example
+ <doc:example>
+ <doc:source>
+ <script>
+ function Ctrl() {
+ this.snippet =
+ '<p style="color:blue">an html\n' +
+ '<em onmouseover="this.textContent=\'PWN3D!\'">click here</em>\n' +
+ 'snippet</p>';
+ }
+ </script>
+ <div ng:controller="Ctrl">
+ Snippet: <textarea ng:model="snippet" cols="60" rows="3"></textarea>
+ <table>
+ <tr>
+ <td>Filter</td>
+ <td>Source</td>
+ <td>Rendered</td>
+ </tr>
+ <tr id="html-filter">
+ <td>html filter</td>
+ <td>
+ <pre>&lt;div ng:bind-html="snippet"&gt;<br/>&lt;/div&gt;</pre>
+ </td>
+ <td>
+ <div ng:bind-html="snippet"></div>
+ </td>
+ </tr>
+ <tr id="escaped-html">
+ <td>no filter</td>
+ <td><pre>&lt;div ng:bind-="snippet"&gt;<br/>&lt;/div&gt;</pre></td>
+ <td><div ng:bind="snippet"></div></td>
+ </tr>
+ <tr id="html-unsafe-filter">
+ <td>unsafe html filter</td>
+ <td><pre>&lt;div ng:bind-html-unsafe="snippet"&gt;<br/>&lt;/div&gt;</pre></td>
+ <td><div ng:bind-html-unsafe="snippet"></div></td>
+ </tr>
+ </table>
+ </div>
+ </doc:source>
+ <doc:scenario>
+ it('should sanitize the html snippet ', function() {
+ expect(using('#html-filter').element('div').html()).
+ toBe('<p>an html\n<em>click here</em>\nsnippet</p>');
+ });
+
+ it('should escape snippet without any filter', function() {
+ expect(using('#escaped-html').element('div').html()).
+ toBe("&lt;p style=\"color:blue\"&gt;an html\n" +
+ "&lt;em onmouseover=\"this.textContent='PWN3D!'\"&gt;click here&lt;/em&gt;\n" +
+ "snippet&lt;/p&gt;");
+ });
+
+ it('should inline raw snippet if filtered as unsafe', function() {
+ expect(using('#html-unsafe-filter').element("div").html()).
+ toBe("<p style=\"color:blue\">an html\n" +
+ "<em onmouseover=\"this.textContent='PWN3D!'\">click here</em>\n" +
+ "snippet</p>");
+ });
+
+ it('should update', function() {
+ input('snippet').enter('new <b>text</b>');
+ expect(using('#html-filter').binding('snippet')).toBe('new <b>text</b>');
+ expect(using('#escaped-html').element('div').html()).toBe("new &lt;b&gt;text&lt;/b&gt;");
+ expect(using('#html-unsafe-filter').binding("snippet")).toBe('new <b>text</b>');
+ });
+ </doc:scenario>
+ </doc:example>
+ */
+
+function $SanitizeProvider() {
+ this.$get = valueFn(function(html) {
+ var buf = [];
+ htmlParser(html, htmlSanitizeWriter(buf));
+ return buf.join('');
+ });
+};
+
// Regular Expressions for parsing tags and attributes
var START_TAG_REGEXP = /^<\s*([\w:-]+)((?:\s+[\w:-]+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)\s*>/,
END_TAG_REGEXP = /^<\s*\/\s*([\w:-]+)[^>]*>/,