From 767381020d88bda2855ac87ca6f00748907e14ff Mon Sep 17 00:00:00 2001 From: Joey Perrott Date: Wed, 23 Sep 2020 10:53:24 -0700 Subject: [PATCH] refactor(SanitizeUriProvider): remove usages of whitelist Changes aHrefSanitizationWhitelist to aHrefSanitizationTrustedUri and imgSrcSanitizationWhitelist to imgSrcSanitizationTrustedUri updating references to use the new symbols. For the purposes of backward compatibility, the previous symbols are aliased to the new symbols. --- docs/content/guide/migration.ngdoc | 4 +-- src/ng/compile.js | 32 ++++++++++--------- src/ng/sanitizeUri.js | 31 +++++++++--------- src/ngSanitize/sanitize.js | 6 ++-- test/ng/compileSpec.js | 50 +++++++++++++++--------------- test/ng/sanitizeUriSpec.js | 12 +++---- 6 files changed, 69 insertions(+), 66 deletions(-) diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc index f243eef04a9e..ac76896f6d5e 100644 --- a/docs/content/guide/migration.ngdoc +++ b/docs/content/guide/migration.ngdoc @@ -283,8 +283,8 @@ break. To fix this you need to ensure that the values used for binding to the affected `xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in -`$compileProvider`'s `aHrefSanitizationWhitelist` (for `` elements) or -`imgSrcSanitizationWhitelist` (for `` elements). +`$compileProvider`'s `aHrefSanitizationTrustedUri` (for `` elements) or +`imgSrcSanitizationTrustedUri` (for `` elements).
diff --git a/src/ng/compile.js b/src/ng/compile.js index 92da37dbb07f..c30e1aa530e8 100644 --- a/src/ng/compile.js +++ b/src/ng/compile.js @@ -1116,7 +1116,7 @@ * By default, `$sce` will throw an error if it detects untrusted HTML content, and will not bind the * content. * However, if you include the {@link ngSanitize ngSanitize module}, it will try to sanitize the - * potentially dangerous HTML, e.g. strip non-whitelisted tags and attributes when binding to + * potentially dangerous HTML, e.g. strip non-trusted tags and attributes when binding to * `innerHTML`. * * @example @@ -1698,62 +1698,64 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { /** * @ngdoc method - * @name $compileProvider#aHrefSanitizationWhitelist + * @name $compileProvider#aHrefSanitizationTrustedUri * @kind function * * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during a[href] sanitization. * * The sanitization is a security measure aimed at preventing XSS attacks via html links. * * Any url about to be assigned to a[href] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist` + * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUri` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationWhitelist = function(regexp) { + this.aHrefSanitizationTrustedUri = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.aHrefSanitizationWhitelist(regexp); + $$sanitizeUriProvider.aHrefSanitizationTrustedUri(regexp); return this; } else { - return $$sanitizeUriProvider.aHrefSanitizationWhitelist(); + return $$sanitizeUriProvider.aHrefSanitizationTrustedUri(); } }; + this.aHrefSanitizationWhitelist = this.aHrefSanitizationTrustedUri; /** * @ngdoc method - * @name $compileProvider#imgSrcSanitizationWhitelist + * @name $compileProvider#imgSrcSanitizationTrustedUri * @kind function * * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during img[src] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via html links. * * Any url about to be assigned to img[src] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist` + * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUri` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationWhitelist = function(regexp) { + this.imgSrcSanitizationTrustedUri = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.imgSrcSanitizationWhitelist(regexp); + $$sanitizeUriProvider.imgSrcSanitizationTrustedUri(regexp); return this; } else { - return $$sanitizeUriProvider.imgSrcSanitizationWhitelist(); + return $$sanitizeUriProvider.imgSrcSanitizationTrustedUri(); } }; + this.imgSrcSanitizationWhitelist = this.imgSrcSanitizationTrustedUri; /** * @ngdoc method diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js index edda8244e406..fc4ebcaacbb4 100644 --- a/src/ng/sanitizeUri.js +++ b/src/ng/sanitizeUri.js @@ -7,12 +7,12 @@ */ function $$SanitizeUriProvider() { - var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/, - imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/; + var aHrefSanitizationTrustedUri = /^\s*(https?|s?ftp|mailto|tel|file):/, + imgSrcSanitizationTrustedUri = /^\s*((https?|ftp|file|blob):|data:image\/)/; /** * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during a[href] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via HTML anchor links. @@ -21,27 +21,27 @@ function $$SanitizeUriProvider() { * the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)` * which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL. * - * If the URL matches the `aHrefSanitizationWhitelist` regular expression, it is returned unchanged. + * If the URL matches the `aHrefSanitizationTrustedUri` regular expression, it is returned unchanged. * * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written * to the DOM it is inactive and potentially malicious code will not be executed. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationWhitelist = function(regexp) { + this.aHrefSanitizationTrustedUri = function(regexp) { if (isDefined(regexp)) { - aHrefSanitizationWhitelist = regexp; + aHrefSanitizationTrustedUri = regexp; return this; } - return aHrefSanitizationWhitelist; + return aHrefSanitizationTrustedUri; }; /** * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during img[src] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via HTML image src links. @@ -51,27 +51,28 @@ function $$SanitizeUriProvider() { * `$sce.trustAsMediaUrl(url)` which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize * the potentially malicious URL. * - * If the URL matches the `aImgSanitizationWhitelist` regular expression, it is returned unchanged. + * If the URL matches the `imgSrcSanitizationTrustedUrlList` regular expression, it is returned + * unchanged. * * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written * to the DOM it is inactive and potentially malicious code will not be executed. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationWhitelist = function(regexp) { + this.imgSrcSanitizationTrustedUri = function(regexp) { if (isDefined(regexp)) { - imgSrcSanitizationWhitelist = regexp; + imgSrcSanitizationTrustedUri = regexp; return this; } - return imgSrcSanitizationWhitelist; + return imgSrcSanitizationTrustedUri; }; this.$get = function() { return function sanitizeUri(uri, isMediaUrl) { // if (!uri) return uri; - var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist; + var regex = isMediaUrl ? imgSrcSanitizationTrustedUri : aHrefSanitizationTrustedUri; var normalizedVal = urlResolve(uri && uri.trim()).href; if (normalizedVal !== '' && !normalizedVal.match(regex)) { return 'unsafe:' + normalizedVal; diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js index cebf0228fd88..ed47fcb2394d 100644 --- a/src/ngSanitize/sanitize.js +++ b/src/ngSanitize/sanitize.js @@ -46,7 +46,7 @@ var htmlSanitizeWriter; * it into the returned string. * * The whitelist for URL sanitization of attribute values is configured using the functions - * `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` of {@link $compileProvider}. + * `aHrefSanitizationTrustedUri` and `imgSrcSanitizationTrustedUri` of {@link $compileProvider}. * * The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}. * @@ -277,8 +277,8 @@ function $SanitizeProvider() { * **Note**: * The new attributes will not be treated as URI attributes, which means their values will not be * sanitized as URIs using `$compileProvider`'s - * {@link ng.$compileProvider#aHrefSanitizationWhitelist aHrefSanitizationWhitelist} and - * {@link ng.$compileProvider#imgSrcSanitizationWhitelist imgSrcSanitizationWhitelist}. + * {@link ng.$compileProvider#aHrefSanitizationTrustedUri aHrefSanitizationTrustedUri} and + * {@link ng.$compileProvider#imgSrcSanitizationTrustedUri imgSrcSanitizationTrustedUri}. * *
* This method must be called during the {@link angular.Module#config config} phase. Once the diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js index 83b607d58b31..ef6b904b11da 100644 --- a/test/ng/compileSpec.js +++ b/test/ng/compileSpec.js @@ -151,30 +151,30 @@ describe('$compile', function() { describe('configuration', function() { - it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationWhitelist`', function() { + it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUri`', function() { module(function($compileProvider, $$sanitizeUriProvider) { var newRe = /safe:/, returnVal; - expect($compileProvider.aHrefSanitizationWhitelist()).toBe($$sanitizeUriProvider.aHrefSanitizationWhitelist()); - returnVal = $compileProvider.aHrefSanitizationWhitelist(newRe); + expect($compileProvider.aHrefSanitizationTrustedUri()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUri()); + returnVal = $compileProvider.aHrefSanitizationTrustedUri(newRe); expect(returnVal).toBe($compileProvider); - expect($$sanitizeUriProvider.aHrefSanitizationWhitelist()).toBe(newRe); - expect($compileProvider.aHrefSanitizationWhitelist()).toBe(newRe); + expect($$sanitizeUriProvider.aHrefSanitizationTrustedUri()).toBe(newRe); + expect($compileProvider.aHrefSanitizationTrustedUri()).toBe(newRe); }); inject(function() { // needed to the module definition above is run... }); }); - it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationWhitelist`', function() { + it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUri`', function() { module(function($compileProvider, $$sanitizeUriProvider) { var newRe = /safe:/, returnVal; - expect($compileProvider.imgSrcSanitizationWhitelist()).toBe($$sanitizeUriProvider.imgSrcSanitizationWhitelist()); - returnVal = $compileProvider.imgSrcSanitizationWhitelist(newRe); + expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()); + returnVal = $compileProvider.imgSrcSanitizationTrustedUri(newRe); expect(returnVal).toBe($compileProvider); - expect($$sanitizeUriProvider.imgSrcSanitizationWhitelist()).toBe(newRe); - expect($compileProvider.imgSrcSanitizationWhitelist()).toBe(newRe); + expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()).toBe(newRe); + expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe(newRe); }); inject(function() { // needed to the module definition above is run... @@ -11334,9 +11334,9 @@ describe('$compile', function() { // IE9 rejects the `video` / `audio` tags with "Error: Not implemented" if (msie !== 9 || tag === 'img') { describe(tag + '[src] context requirement', function() { - it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) { + it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) { element = $compile('<' + tag + ' src="{{testUrl}}">')($rootScope); - $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted $rootScope.$digest(); expect(element.attr('src')).toEqual('http://example.com/image.mp4'); })); @@ -11372,9 +11372,9 @@ describe('$compile', function() { if (msie !== 9) { ['source', 'track'].forEach(function(tag) { describe(tag + '[src]', function() { - it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) { + it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) { element = $compile('')($rootScope); - $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted $rootScope.$digest(); expect(element.find(tag).attr('src')).toEqual('http://example.com/image.mp4'); })); @@ -11509,14 +11509,14 @@ describe('$compile', function() { }); }); - it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) { + it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) { element = $compile('')($rootScope); - $rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted $rootScope.$digest(); expect(element.attr('srcset')).toEqual('http://example.com/image.png'); })); - it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) { + it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) { element = $compile('')($rootScope); $rootScope.testUrl = $sce.trustAsUrl('http://example.com'); $rootScope.$digest(); @@ -11602,8 +11602,8 @@ describe('$compile', function() { }); describe('a[href] sanitization', function() { - it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) { - $rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted + it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) { + $rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted element = $compile('')($rootScope); $rootScope.$digest(); expect(element.attr('href')).toEqual('http://example.com/image.png'); @@ -11613,8 +11613,8 @@ describe('$compile', function() { expect(element.attr('ng-href')).toEqual('http://example.com/image.png'); })); - it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) { - $rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted + it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) { + $rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted element = $compile('')($rootScope); $rootScope.$digest(); expect(element.attr('href')).toEqual('javascript:foo()'); @@ -11624,8 +11624,8 @@ describe('$compile', function() { expect(element.attr('ng-href')).toEqual('javascript:foo()'); })); - it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) { - $rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted + it('should sanitize non-trusted values', inject(function($rootScope, $compile) { + $rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted element = $compile('')($rootScope); $rootScope.$digest(); expect(element.attr('href')).toEqual('unsafe:javascript:foo()'); @@ -11678,7 +11678,7 @@ describe('$compile', function() { $provide.value('$$sanitizeUri', $$sanitizeUri); }); inject(function($compile, $rootScope) { - // This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run + // This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run // because these interpolations will be resolved against the URL context instead $rootScope.testUrl = 'https://bad.example.org'; @@ -11700,7 +11700,7 @@ describe('$compile', function() { $provide.value('$$sanitizeUri', $$sanitizeUri); }); inject(function($compile, $rootScope) { - // This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run + // This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run // because these interpolations will be resolved against the URL context instead $rootScope.testUrl = 'https://bad.example.org'; diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js index c5ca4c5d040f..bd51aa6855e7 100644 --- a/test/ng/sanitizeUriSpec.js +++ b/test/ng/sanitizeUriSpec.js @@ -125,10 +125,10 @@ describe('sanitizeUri', function() { expect(sanitizeImg(testUrl)).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=='); }); - it('should allow reconfiguration of the src whitelist', function() { + it('should allow reconfiguration of the src trusted URIs', function() { var returnVal; - expect(sanitizeUriProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true); - returnVal = sanitizeUriProvider.imgSrcSanitizationWhitelist(/javascript:/); + expect(sanitizeUriProvider.imgSrcSanitizationTrustedUri() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUri(/javascript:/); expect(returnVal).toBe(sanitizeUriProvider); testUrl = 'javascript:doEvilStuff()'; @@ -226,10 +226,10 @@ describe('sanitizeUri', function() { expect(sanitizeHref(testUrl)).toBe('file:///foo/bar.html'); })); - it('should allow reconfiguration of the href whitelist', function() { + it('should allow reconfiguration of the href trusted URIs', function() { var returnVal; - expect(sanitizeUriProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true); - returnVal = sanitizeUriProvider.aHrefSanitizationWhitelist(/javascript:/); + expect(sanitizeUriProvider.aHrefSanitizationTrustedUri() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUri(/javascript:/); expect(returnVal).toBe(sanitizeUriProvider); testUrl = 'javascript:doEvilStuff()';