This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 14119a9

committed
fixup! feat($compile): add support for arbitrary property and event bindings
1 parent 0beb9ba commit 14119a9


1 file changed

+34
-0
lines changed

1 file changed

+34
-0
lines changed

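--- a/test/ng/ngPropSpec.js
+++ b/test/ng/ngPropSpec.js
@@ -236,6 +236,26 @@ describe('ngProp*', function() {
 $rootScope.$digest();
 expect(element.prop('src')).toEqual('untrusted:foo()');
 }));
+
+it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
+// As a MEDIA_URL URL
+var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
+// Some browsers complain if you try to write `javascript:` into an `img[src]`
+// So for the test use something different
+$rootScope.testUrl = 'untrusted:foo()';
+$rootScope.$digest();
+expect(element.prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
+
+it('should sanitize wrongly typed values', inject(function($rootScope, $compile, $sce) {
+// As a MEDIA_URL URL
+var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
+// Some browsers complain if you try to write `javascript:` into an `img[src]`
+// So for the test use something different
+$rootScope.testUrl = $sce.trustAsCss('untrusted:foo()');
+$rootScope.$digest();
+expect(element.prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
 });
 }
 });
@@ -272,6 +292,20 @@ describe('ngProp*', function() {
 $rootScope.$digest();
 expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
 }));
+
+it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
+var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
+$rootScope.testUrl = 'untrusted:foo()';
+$rootScope.$digest();
+expect(element.find(tag).prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
+
+it('should sanitize wrongly typed values', inject(function($rootScope, $compile, $sce) {
+var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
+$rootScope.testUrl = $sce.trustAsCss('untrusted:foo()');
+$rootScope.$digest();
+expect(element.find(tag).prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
 });
 });
 }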
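Review bot: The two 'should sanitize wrongly typed values' tests (new lines 250–258 and 303–308) never say why `$sce.trustAsCss(...)` is the input, and the first one carries a copied `javascript:` comment that explains the scheme choice, not the point of the test. A one-line comment such as `// A value trusted only for the CSS context must still be sanitized when bound to src` would name the security property being pinned: a trust wrapper for another `$sce` context does not bypass URL sanitization. The neighbouring 'should sanitize non-whitelisted values' tests in both hunks inject `$sce` without using it, so the parameter can be dropped there. The enclosing `describe` blocks and whatever defines `tag` start outside these hunks, so which elements the new tests actually cover cannot be confirmed from here.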
