From 3e39ac7e1b10d4812a44dad2f959a93361cd823b Mon Sep 17 00:00:00 2001
From: Chirayu Krishnappa
Date: Tue, 16 Jul 2013 12:48:29 -0700
Subject: fix($compile): allow data: image URIs in img[src]

Ref: 1adf29af13890d61286840177607edd552a9df97

BREAKING CHANGE: img[src] URLs are now sanitized via a separate
    whitelist regex instead of sharing the whitelist regex with a[href].
    With this change, img[src] URLs may also be data: URI's matching
    mime types image/*.  mailto: URLs are disallowed (and do not make
    sense for img[src] but were allowed under the a[href] whitelist used
    before.)
---
 test/ng/compileSpec.js | 44 ++++++++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 14 deletions(-)

(limited to 'test/ng')

diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js
index e0c68301..97a58c10 100755
--- a/test/ng/compileSpec.js
+++ b/test/ng/compileSpec.js
@@ -2551,15 +2551,38 @@ describe('$compile', function() {
       expect(element.attr('src')).toBe('unsafe:javascript:doEvilStuff()');
     }));
 
-    it('should sanitize data: urls', inject(function($compile, $rootScope) {
+    it('should sanitize non-image data: urls', inject(function($compile, $rootScope) {
       element = $compile('<img src="{{testUrl}}"></a>')($rootScope);
-      $rootScope.testUrl = "data:evilPayload";
+      $rootScope.testUrl = "data:application/javascript;charset=US-ASCII,alert('evil!');";
+      $rootScope.$apply();
+      expect(element.attr('src')).toBe("unsafe:data:application/javascript;charset=US-ASCII,alert('evil!');");
+      $rootScope.testUrl = "data:,foo";
       $rootScope.$apply();
+      expect(element.attr('src')).toBe("unsafe:data:,foo");
+    }));
+
+
+    it('should not sanitize data: URIs for images', inject(function($compile, $rootScope) {
+      element = $compile('<img src="{{dataUri}}"></img>')($rootScope);
 
-      expect(element.attr('src')).toBe('unsafe:data:evilPayload');
+      // image data uri
+      // ref: http://probablyprogramming.com/2009/03/15/the-tiniest-gif-ever
+      $rootScope.dataUri = "data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==";
+      $rootScope.$apply();
+      expect(element.attr('src')).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==');
     }));
 
 
+    // Fails on IE < 10 with "TypeError: Access is denied" when trying to set img[src]
+    if (!msie || msie > 10) {
+      it('should sanitize mailto: urls', inject(function($compile, $rootScope) {
+        element = $compile('<img src="{{testUrl}}"></a>')($rootScope);
+          $rootScope.testUrl = "mailto:foo@bar.com";
+          $rootScope.$apply();
+          expect(element.attr('src')).toBe('unsafe:mailto:foo@bar.com');
+      }));
+    }
+
     it('should sanitize obfuscated javascript: urls', inject(function($compile, $rootScope) {
       element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
 
@@ -2636,13 +2659,6 @@ describe('$compile', function() {
       $rootScope.$apply();
       expect(element.attr('src')).toBe('ftp://foo.com/bar');
 
-      // Fails on IE < 10 with "TypeError: Access is denied" when trying to set img[src]
-      if (!msie || msie > 10) {
-        $rootScope.testUrl = "mailto:foo@bar.com";
-        $rootScope.$apply();
-        expect(element.attr('src')).toBe('mailto:foo@bar.com');
-      }
-
       $rootScope.testUrl = "file:///foo/bar.html";
       $rootScope.$apply();
       expect(element.attr('src')).toBe('file:///foo/bar.html');
@@ -2660,8 +2676,8 @@ describe('$compile', function() {
 
     it('should allow reconfiguration of the src whitelist', function() {
       module(function($compileProvider) {
-        expect($compileProvider.urlSanitizationWhitelist() instanceof RegExp).toBe(true);
-        var returnVal = $compileProvider.urlSanitizationWhitelist(/javascript:/);
+        expect($compileProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true);
+        var returnVal = $compileProvider.imgSrcSanitizationWhitelist(/javascript:/);
         expect(returnVal).toBe($compileProvider);
       });
 
@@ -2812,8 +2828,8 @@ describe('$compile', function() {
 
     it('should allow reconfiguration of the href whitelist', function() {
       module(function($compileProvider) {
-        expect($compileProvider.urlSanitizationWhitelist() instanceof RegExp).toBe(true);
-        var returnVal = $compileProvider.urlSanitizationWhitelist(/javascript:/);
+        expect($compileProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true);
+        var returnVal = $compileProvider.aHrefSanitizationWhitelist(/javascript:/);
         expect(returnVal).toBe($compileProvider);
       });
 
-- 
cgit v1.2.3