This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 8f2d05f

fix(Angular): do not autobootstrap if the src exists but is empty
In Chrome an empty `src` attribute will be ignored, but in Firefox it seems happy to prepend the `base[href]` and try to load whatever that is.
1 parent 56719ec commit 8f2d05f

2 files changed

+13
-8
lines changed

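--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1458,15 +1458,19 @@ function allowAutoBootstrap(document) {
 return false;
 }
 
-var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
+var attributes = script.attributes;
+var srcs = [attributes.getNamedItem('src'), attributes.getNamedItem('href'), attributes.getNamedItem('xlink:href')];
 
 return srcs.every(function(src) {
 if (!src) {
 return true;
 }
+if (!src.value) {
+return false;
+}
 
 var link = document.createElement('a');
-link.href = src;
+link.href = src.value;
 
 if (document.location.origin === link.origin) {
 // Same-origin resources are always allowed, even for non-whitelisted schemes.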
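Review bot: The new `if (!src.value) { return false; }` guard inside the `srcs.every` callback has no comment, so the reason a present-but-empty attribute is refused while an absent one is allowed is recorded only in the commit message. I would add above it `// A present but empty src/href/xlink:href is not the same as no source: some browsers resolve it against base[href] and load that, so do not auto-bootstrap.` The guard matches only the empty string; a whitespace-only value still reaches `link.href = src.value`, and whether the origin and scheme checks that follow cover it cannot be seen here, because `allowAutoBootstrap` starts before and continues past the hunk.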

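--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1741,16 +1741,17 @@ describe('angular', function() {
 expect(allowAutoBootstrap(createFakeDoc({src: protocol + '//something-else'}, protocol))).toBe(false);
 });
 
-it('should bootstrap from a script with empty or no source (e.g. src, href or xlink:href attributes)', function() {
+it('should bootstrap from a script with no source (e.g. src, href or xlink:href attributes)', function() {
 
 expect(allowAutoBootstrap(createFakeDoc({src: null}))).toBe(true);
-expect(allowAutoBootstrap(createFakeDoc({src: ''}))).toBe(true);
-
 expect(allowAutoBootstrap(createFakeDoc({href: null}))).toBe(true);
-expect(allowAutoBootstrap(createFakeDoc({href: ''}))).toBe(true);
-
 expect(allowAutoBootstrap(createFakeDoc({'xlink:href': null}))).toBe(true);
-expect(allowAutoBootstrap(createFakeDoc({'xlink:href': ''}))).toBe(true);
+});
+
+it('should not bootstrap from a script with an empty source (e.g. `src=""`)', function() {
+expect(allowAutoBootstrap(createFakeDoc({src: ''}))).toBe(false);
+expect(allowAutoBootstrap(createFakeDoc({href: ''}))).toBe(false);
+expect(allowAutoBootstrap(createFakeDoc({'xlink:href': ''}))).toBe(false);
 });
 
 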
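Review bot: The "no source" spec still passes `null` values (`createFakeDoc({src: null})`), and the hunk does not show whether `createFakeDoc` omits the attribute for `null` or sets it. Since the implementation now distinguishes an absent attribute from an empty one, the absent case should be explicit, for example `expect(allowAutoBootstrap(createFakeDoc({}))).toBe(true);` if the helper accepts an empty map. A case that combines an otherwise allowed source with an empty one, such as a same-origin `src` together with `href: ''`, would also pin that a single empty attribute is enough to refuse. The enclosing `describe` block starts and ends outside the hunk.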
