Diffstat (limited to 'test/ng/directive')
| -rw-r--r-- | test/ng/directive/booleanAttrsSpec.js | 104 | ||||
| -rw-r--r-- | test/ng/directive/ngBindSpec.js | 48 | ||||
| -rw-r--r-- | test/ng/directive/ngIncludeSpec.js | 50 | ||||
| -rw-r--r-- | test/ng/directive/ngSrcSpec.js | 44 |
4 files changed, 204 insertions, 42 deletions
diff --git a/test/ng/directive/booleanAttrsSpec.js b/test/ng/directive/booleanAttrsSpec.js
index be2dfb60..93e8cc20 100644
--- a/test/ng/directive/booleanAttrsSpec.js
+++ b/test/ng/directive/booleanAttrsSpec.js
@@ -102,61 +102,99 @@ describe('boolean attr directives', function() { describe('ngSrc', function() { - it('should interpolate the expression and bind to src', inject(function($compile, $rootScope) { + it('should interpolate the expression and bind to src with raw same-domain value', + inject(function($compile, $rootScope) { + var element = $compile('<div ng-src="{{id}}"></div>')($rootScope); + + $rootScope.$digest(); + expect(element.attr('src')).toBeUndefined(); + + $rootScope.$apply(function() { + $rootScope.id = '/somewhere/here'; + }); + expect(element.attr('src')).toEqual('/somewhere/here'); + + dealoc(element); + })); + + + it('should interpolate the expression and bind to src with a trusted value', inject(function($compile, $rootScope, $sce) { var element = $compile('<div ng-src="{{id}}"></div>')($rootScope); $rootScope.$digest(); expect(element.attr('src')).toBeUndefined(); $rootScope.$apply(function() { - $rootScope.id = 1; + $rootScope.id = $sce.trustAsResourceUrl('http://somewhere'); }); - expect(element.attr('src')).toEqual('1'); + expect(element.attr('src')).toEqual('http://somewhere'); dealoc(element); })); - describe('isTrustedContext', function() { - it('should NOT interpolate a multi-part expression for non-img src attribute', inject(function($compile, $rootScope) { - expect(function() { - var element = $compile('<div ng-src="some/{{id}}"></div>')($rootScope); - dealoc(element); - }).toThrow( - "[$interpolate:noconcat] Error while interpolating: some/{{id}}\nYou may not use " + - "multiple expressions when interpolating this expression."); - })); - it('should interpolate a multi-part expression for regular attributes', inject(function($compile, $rootScope) { - var element = $compile('<div foo="some/{{id}}"></div>')($rootScope); - $rootScope.$digest(); - expect(element.attr('foo')).toBe('some/'); + it('should NOT interpolate a multi-part expression for non-img src attribute', inject(function($compile, $rootScope) { + expect(function() { + var 
element = $compile('<div ng-src="some/{{id}}"></div>')($rootScope); + dealoc(element); + }).toThrow( + "[$interpolate:noconcat] Error while interpolating: some/{{id}}\nStrict " + + "Contextual Escaping disallows interpolations that concatenate multiple expressions " + + "when a trusted value is required. See http://docs.angularjs.org/api/ng.$sce"); + })); + + + it('should interpolate a multi-part expression for regular attributes', inject(function($compile, $rootScope) { + var element = $compile('<div foo="some/{{id}}"></div>')($rootScope); + $rootScope.$digest(); + expect(element.attr('foo')).toBe('some/'); + $rootScope.$apply(function() { + $rootScope.id = 1; + }); + expect(element.attr('foo')).toEqual('some/1'); + })); + + + it('should NOT interpolate a wrongly typed expression', inject(function($compile, $rootScope, $sce) { + expect(function() { + var element = $compile('<div ng-src="{{id}}"></div>')($rootScope); $rootScope.$apply(function() { - $rootScope.id = 1; + $rootScope.id = $sce.trustAsUrl('http://somewhere'); }); - expect(element.attr('foo')).toEqual('some/1'); - })); + element.attr('src'); + }).toThrow( + "[$interpolate:interr] Can't interpolate: {{id}}\nError: [$sce:isecrurl] Blocked " + + "loading resource from url not allowed by $sceDelegate policy. 
URL: http://somewhere"); + })); - }); if (msie) { it('should update the element property as well as the attribute', inject( - function($compile, $rootScope) { - // on IE, if "ng:src" directive declaration is used and "src" attribute doesn't exist - // then calling element.setAttribute('src', 'foo') doesn't do anything, so we need - // to set the property as well to achieve the desired effect + function($compile, $rootScope, $sce) { + // on IE, if "ng:src" directive declaration is used and "src" attribute doesn't exist + // then calling element.setAttribute('src', 'foo') doesn't do anything, so we need + // to set the property as well to achieve the desired effect - var element = $compile('<div ng-src="{{id}}"></div>')($rootScope); + var element = $compile('<div ng-src="{{id}}"></div>')($rootScope); - $rootScope.$digest(); - expect(element.prop('src')).toBeUndefined(); + $rootScope.$digest(); + expect(element.prop('src')).toBeUndefined(); + dealoc(element); - $rootScope.$apply(function() { - $rootScope.id = 1; - }); - expect(element.prop('src')).toEqual('1'); + element = $compile('<div ng-src="some/"></div>')($rootScope); - dealoc(element); - })); + $rootScope.$digest(); + expect(element.prop('src')).toEqual('some/'); + dealoc(element); + + element = $compile('<div ng-src="{{id}}"></div>')($rootScope); + $rootScope.$apply(function() { + $rootScope.id = $sce.trustAsResourceUrl('http://somewhere'); + }); + expect(element.prop('src')).toEqual('http://somewhere'); + + dealoc(element); + })); } }); diff --git a/test/ng/directive/ngBindSpec.js b/test/ng/directive/ngBindSpec.js index da291fa4..1d8f8ef4 100644 --- a/test/ng/directive/ngBindSpec.js +++ b/test/ng/directive/ngBindSpec.js 
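Review bot: In 'should NOT interpolate a wrongly typed expression' the compile, the `$apply` and the `element.attr('src')` read all sit inside the closure passed to `expect`, so the spec does not say which step is expected to raise. The `attr` read is presumably never reached, and the element is not passed to `dealoc` as it is in the neighbouring specs. Compiling before the `expect`, wrapping only `$rootScope.$apply(...)` in the closure and ending with `dealoc(element);` would pin the rejection to the digest. A short comment such as `// trustAsUrl() is the wrong trust type here: the positive spec needs trustAsResourceUrl(), so this wrapper must be rejected` would make the intent of the negative case explicit.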
@@ -69,11 +69,47 @@ describe('ngBind*', function() { describe('ngBindHtmlUnsafe', function() { - it('should set unsafe html', inject(function($rootScope, $compile) { - element = $compile('<div ng-bind-html-unsafe="html"></div>')($rootScope); - $rootScope.html = '<div onclick="">hello</div>'; - $rootScope.$digest(); - expect(angular.lowercase(element.html())).toEqual('<div onclick="">hello</div>'); - })); + function configureSce(enabled) { + module(function($provide, $sceProvider) { + $sceProvider.enabled(enabled); + }); + }; + + describe('SCE disabled', function() { + beforeEach(function() {configureSce(false)}); + + it('should set unsafe html', inject(function($rootScope, $compile) { + element = $compile('<div ng-bind-html-unsafe="html"></div>')($rootScope); + $rootScope.html = '<div onclick="">hello</div>'; + $rootScope.$digest(); + expect(angular.lowercase(element.html())).toEqual('<div onclick="">hello</div>'); + })); + }); + + + describe('SCE enabled', function() { + beforeEach(function() {configureSce(true)}); + + it('should NOT set unsafe html for untrusted values', inject(function($rootScope, $compile) { + element = $compile('<div ng-bind-html-unsafe="html"></div>')($rootScope); + $rootScope.html = '<div onclick="">hello</div>'; + expect($rootScope.$digest).toThrow(); + })); + + it('should NOT set unsafe html for wrongly typed values', inject(function($rootScope, $compile, $sce) { + element = $compile('<div ng-bind-html-unsafe="html"></div>')($rootScope); + $rootScope.html = $sce.trustAsCss('<div onclick="">hello</div>'); + expect($rootScope.$digest).toThrow(); + })); + + it('should set unsafe html for trusted values', inject(function($rootScope, $compile, $sce) { + element = $compile('<div ng-bind-html-unsafe="html"></div>')($rootScope); + $rootScope.html = $sce.trustAsHtml('<div onclick="">hello</div>'); + $rootScope.$digest(); + expect(angular.lowercase(element.html())).toEqual('<div onclick="">hello</div>'); + })); + + }); + }); }); 
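Review bot: Both negative specs under 'SCE enabled' pass the unbound method, `expect($rootScope.$digest).toThrow()`, with no expected error, so `$digest` runs without `$rootScope` as its receiver and any exception satisfies the assertion, including one caused only by the missing receiver. These specs guard against untrusted or wrongly typed HTML reaching the DOM, so they should fail if SCE stops rejecting the value. Use `expect(function() { $rootScope.$digest(); }).toThrow(...)` with the expected `$sce` error text, as the ngSrc specs in this commit do for their messages. The same unbound form appears in the two 'should NOT use ...' specs added to ngIncludeSpec.js and in `expect($rootScope.$apply).toThrow(` in ngSrcSpec.js.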
diff --git a/test/ng/directive/ngIncludeSpec.js b/test/ng/directive/ngIncludeSpec.js index 93709431..6cb78755 100644 --- a/test/ng/directive/ngIncludeSpec.js +++ b/test/ng/directive/ngIncludeSpec.js @@ -3,7 +3,6 @@ describe('ngInclude', function() { var element; - afterEach(function(){ dealoc(element); }); @@ -16,7 +15,29 @@ describe('ngInclude', function() { } - it('should include on external file', inject(putIntoCache('myUrl', '{{name}}'), + it('should trust and use literal urls', inject(function( + $rootScope, $httpBackend, $compile) { + element = $compile('<div ng-include="\'url\'"></div>')($rootScope); + $httpBackend.expect('GET', 'url').respond('template text'); + $rootScope.$digest(); + $httpBackend.flush(); + expect(element.text()).toEqual('template text'); + dealoc($rootScope); + })); + + + it('should trust and use trusted urls', inject(function($rootScope, $httpBackend, $compile, $sce) { + element = $compile('<div ng-include="fooUrl"></div>')($rootScope); + $httpBackend.expect('GET', 'http://foo.bar/url').respond('template text'); + $rootScope.fooUrl = $sce.trustAsResourceUrl('http://foo.bar/url'); + $rootScope.$digest(); + $httpBackend.flush(); + expect(element.text()).toEqual('template text'); + dealoc($rootScope); + })); + + + it('should include an external file', inject(putIntoCache('myUrl', '{{name}}'), function($rootScope, $compile) { element = jqLite('<ng:include src="url"></ng:include>'); jqLite(document.body).append(element); 
@@ -42,6 +63,29 @@ describe('ngInclude', function() { })); + it('should NOT use untrusted expressions ', inject(putIntoCache('myUrl', '{{name}} text'), + function($rootScope, $compile, $sce) { + element = jqLite('<ng:include src="url"></ng:include>'); + jqLite(document.body).append(element); + element = $compile(element)($rootScope); + $rootScope.name = 'chirayu'; + $rootScope.url = 'myUrl'; + expect($rootScope.$digest).toThrow(); + jqLite(document.body).html(''); + })); + + + it('should NOT use mistyped expressions ', inject(putIntoCache('myUrl', '{{name}} text'), + function($rootScope, $compile, $sce) { + element = jqLite('<ng:include src="url"></ng:include>'); + jqLite(document.body).append(element); + element = $compile(element)($rootScope); + $rootScope.name = 'chirayu'; + $rootScope.url = $sce.trustAsUrl('myUrl'); + expect($rootScope.$digest).toThrow(); + jqLite(document.body).html(''); + })); + it('should remove previously included text if a falsy value is bound to src', inject( putIntoCache('myUrl', '{{name}}'), function($rootScope, $compile) { @@ -308,7 +352,7 @@ describe('ngInclude ngAnimate', function() { } function applyCSS(element, cssProp, cssValue) { - element.css(cssProp, cssValue); + element.css(cssProp, cssValue); element.css(vendorPrefix + cssProp, cssValue); } diff --git a/test/ng/directive/ngSrcSpec.js b/test/ng/directive/ngSrcSpec.js index a917c511..23ace7ee 100644 --- a/test/ng/directive/ngSrcSpec.js +++ b/test/ng/directive/ngSrcSpec.js 
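Review bot: 'should NOT use untrusted expressions' assigns the relative URL `'myUrl'`, yet other specs in this commit ('raw same-domain value', 'should pass through src attributes for the same domain') show plain same-origin strings being accepted for `ng-src`. If ngInclude applies the same resource-URL policy, this value would not be rejected and the bare `toThrow()` may be passing for an unrelated reason. A cross-origin value such as `$rootScope.url = 'http://a.different.domain.example.com/myUrl';`, asserted against the expected `$sce` error text, would make the spec exercise the policy. `$sce` is injected but unused in this spec, and both new spec names end in a trailing space.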
@@ -14,4 +14,48 @@ describe('ngSrc', function() { expect(element.attr('src')).not.toBe(''); expect(element.attr('src')).toBe(undefined); })); + + describe('iframe[ng-src]', function() { + it('should pass through src attributes for the same domain', inject(function($compile, $rootScope) { + element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope); + $rootScope.testUrl = "different_page"; + $rootScope.$apply(); + expect(element.attr('src')).toEqual('different_page'); + })); + + it('should error on src attributes for a different domain', inject(function($compile, $rootScope) { + element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope); + $rootScope.testUrl = "http://a.different.domain.example.com"; + expect(function() { $rootScope.$apply() }).toThrow( + "[$interpolate:interr] Can't interpolate: {{testUrl}}\nError: [$sce:isecrurl] Blocked " + + "loading resource from url not allowed by $sceDelegate policy. URL: " + + "http://a.different.domain.example.com"); + })); + + it('should error on JS src attributes', inject(function($compile, $rootScope) { + element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope); + $rootScope.testUrl = "javascript:alert(1);"; + expect(function() { $rootScope.$apply() }).toThrow( + "[$interpolate:interr] Can't interpolate: {{testUrl}}\nError: [$sce:isecrurl] Blocked " + + "loading resource from url not allowed by $sceDelegate policy. URL: " + + "javascript:alert(1);"); + })); + + it('should error on non-resource_url src attributes', inject(function($compile, $rootScope, $sce) { + element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope); + $rootScope.testUrl = $sce.trustAsUrl("javascript:doTrustedStuff()"); + expect($rootScope.$apply).toThrow( + "[$interpolate:interr] Can't interpolate: {{testUrl}}\nError: [$sce:isecrurl] Blocked " + + "loading resource from url not allowed by $sceDelegate policy. 
URL: " + + "javascript:doTrustedStuff()"); + })); + + it('should pass through $sce.trustAs() values in src attributes', inject(function($compile, $rootScope, $sce) { + element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope); + $rootScope.testUrl = $sce.trustAsResourceUrl("javascript:doTrustedStuff()"); + $rootScope.$apply(); + + expect(element.attr('src')).toEqual('javascript:doTrustedStuff()'); + })); + }); }); |
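Review bot: The last spec shows that a value wrapped with `$sce.trustAsResourceUrl` reaches `iframe[src]` unchanged even when it is a `javascript:` URL, and nothing in the test says that this is the intended contract rather than a gap. A comment above it would help, e.g. `// Explicit trust bypasses the $sceDelegate policy: the caller vouches for the value, so it must never wrap user-controlled input.` The enclosing `describe('ngSrc', ...)` and the declaration of `element` lie outside the hunk, so cleanup of the compiled iframes is presumably handled there.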
