This repository was archived by the owner on Apr 12, 2024. It is now read-only.

imgSrcSanitizationWhitelist seems too broad #8274

Closed
sirdarckcat opened this issue Jul 21, 2014 · 3 comments

Comments

@sirdarckcat

in https://github.com/angular/angular.js/blob/master/src/ng/sanitizeUri.js

imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file|blob):|data:image\//;

probably should be:

imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file|blob):|^\s*data:image\//;

otherwise:

javascript:alert(1)//data:image/

passes as valid.

@jeffbcross jeffbcross self-assigned this Jul 21, 2014
@btford btford assigned btford and unassigned jeffbcross Jul 21, 2014
@btford btford added this to the 1.3.0-beta.17 milestone Jul 21, 2014
@petebacondarwin
Contributor

Or perhaps:

/^\s*((https?|ftp|file|blob):|data:image\/)/

@petebacondarwin
Contributor

@btford - do you have any comment on this? I could take this and knock up a PR if there is not something more complex to worry about here.

@btford btford modified the milestones: 1.3.0-beta.18, 1.3.0-beta.19 Aug 11, 2014
@sirdarckcat
Author

oh, also, it would be nice to add chrome-extension: and chrome-extension-resource: to the list of schemes
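
Added example (not part of the original thread and not AngularJS code): the three patterns quoted in this issue, run over a few inputs to show that in the first pattern `^` binds only to the first alternative, so `data:image/` can match anywhere in the string. The names `PATTERNS`, `SAMPLES`, `matchOffset` and `disagreements` are hypothetical, and every sample URI except the reporter's string is constructed.

```javascript
// Added example: the three patterns quoted in the thread, compared side by side.
const PATTERNS = {
  // As quoted in the report: "^\s*" applies to the first alternative only.
  original: /^\s*(https?|ftp|file|blob):|data:image\//,
  // Reporter's suggestion: repeat the anchor in the second alternative.
  anchoredTwice: /^\s*(https?|ftp|file|blob):|^\s*data:image\//,
  // Commenter's suggestion: group both alternatives under one anchor.
  grouped: /^\s*((https?|ftp|file|blob):|data:image\/)/,
};

// Constructed sample inputs; the last entry is the string given in the report.
const SAMPLES = [
  'https://example.com/a.png',
  '  data:image/png;base64,AAAA',
  'ftp://example.com/a.gif',
  'data:text/html,hello',
  'javascript:alert(1)//data:image/',
];

// Index at which the pattern matched, or -1 for no match.
// An offset past the leading whitespace means the match was found mid-string.
function matchOffset(re, uri) {
  const m = re.exec(uri);
  return m ? m.index : -1;
}

// Inputs on which two patterns give different accept/reject answers.
function disagreements(a, b, samples) {
  return samples.filter((s) => a.test(s) !== b.test(s));
}

for (const uri of SAMPLES) {
  const row = Object.entries(PATTERNS)
    .map(([name, re]) => `${name}=${matchOffset(re, uri)}`)
    .join('  ');
  console.log(JSON.stringify(uri).padEnd(40), row);
}

console.log('original vs grouped differ on:',
  disagreements(PATTERNS.original, PATTERNS.grouped, SAMPLES));
console.log('anchoredTwice vs grouped differ on:',
  disagreements(PATTERNS.anchoredTwice, PATTERNS.grouped, SAMPLES));
```

On these samples the two proposed fixes accept and reject the same inputs; only the original pattern accepts the reporter's string, matching at the offset where `data:image/` begins.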
