docs(errorDisplay): encode < and > in error messages

gkalpak · Narretz · commit 9c7c494c3e4f · 2016-02-29T17:19:29.000+01:00
When an error message contains an HTML string (e.g. `$location:nobase` containing `<base>`), it was interpreted as a literal HTML element, instead of text. Error messages are not expected to render as HTML, but we still need to use `.html()` in `errorDisplay`, so that the links created by `errorLinkFilter` are properly displayed. This commit solves this issue by replacing `<`/`>` with `&lt;`/`&gt;`. Related to angular#14016.
diff --git a/docs/app/src/errors.js b/docs/app/src/errors.js
@@ -13,10 +13,10 @@ angular.module('errors', ['ngSanitize'])
   };
 
   return function (text, target) {
-    var targetHtml = target ? ' target="' + target + '"' : '';
-
     if (!text) return text;
 
+    var targetHtml = target ? ' target="' + target + '"' : '';
+
     return $sanitize(text.replace(LINKY_URL_REGEXP, function (url) {
       if (STACK_TRACE_REGEXP.test(url)) {
         return url;
@@ -34,6 +34,10 @@ angular.module('errors', ['ngSanitize'])
 
 
 .directive('errorDisplay', ['$location', 'errorLinkFilter', function ($location, errorLinkFilter) {
+  var encodeAngleBrackets = function (text) {
+    return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
+  };
+
   var interpolate = function (formatString) {
     var formatArgs = arguments;
     return formatString.replace(/\{\d+\}/g, function (match) {
@@ -51,12 +55,15 @@ angular.module('errors', ['ngSanitize'])
     link: function (scope, element, attrs) {
       var search = $location.search(),
         formatArgs = [attrs.errorDisplay],
+        formattedText,
         i;
 
       for (i = 0; angular.isDefined(search['p'+i]); i++) {
         formatArgs.push(search['p'+i]);
       }
-      element.html(errorLinkFilter(interpolate.apply(null, formatArgs), '_blank'));
+
+      formattedText = encodeAngleBrackets(interpolate.apply(null, formatArgs));
+      element.html(errorLinkFilter(formattedText, '_blank'));
     }
   };
 }]);
diff --git a/docs/app/test/errorsSpec.js b/docs/app/test/errorsSpec.js
@@ -156,5 +156,11 @@ describe('errors', function() {
       expect(errorLinkFilter.callCount).toBe(1);
       expect(errorLinkFilter).toHaveBeenCalledWith('foo = foo', '_blank');
     });
+
+
+    it('should encode `<` and `>`', function() {
+      var elem = $compile('<span error-display="&lt;xyz&gt;"></span>')($rootScope);
+      expect(elem.text()).toBe('<xyz>');
+    });
   });
 });
