From edf903d4c46dcfcb73cdf686be5487748708bbcf Mon Sep 17 00:00:00 2001
From: "Dmitriy.Stepanov"
Date: Wed, 12 Jul 2017 13:15:49 +0300
Subject: [PATCH 1/7] fix($$SanitizeUriProvider): added support for the sftp protocol in $$ SanitizeUriProvider
Added support for the sftp protocol in $$ SanitizeUriProvider and linky filter
---
 src/ng/sanitizeUri.js | 4 ++--
 src/ngSanitize/filter/linky.js | 2 +-
 test/ng/sanitizeUriSpec.js | 6 ++++++
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js
index aa09d0b4864d..29c9ae402697 100644
--- a/src/ng/sanitizeUri.js
+++ b/src/ng/sanitizeUri.js
@@ -6,8 +6,8 @@ * Private service to sanitize uris for links and images. Used by $compile and $sanitize. */ function $$SanitizeUriProvider() { - var aHrefSanitizationWhitelist = /^\s*(https?|ftp|mailto|tel|file):/, imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/; + var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/, imgSrcSanitizationWhitelist = /^\s*((https?|s?ftp|file|blob):|data:image\/)/; /** * @description
diff --git a/src/ngSanitize/filter/linky.js b/src/ngSanitize/filter/linky.js
index 6247cb626b46..ac021a359489 100644
--- a/src/ngSanitize/filter/linky.js
+++ b/src/ngSanitize/filter/linky.js
@@ -129,7 +129,7 @@ */ angular.module('ngSanitize').filter('linky', ['$sanitize', function($sanitize) { var LINKY_URL_REGEXP = - /((ftp|https?):\/\/|(www\.)|(mailto:)?[A-Za-z0-9._%+-]+@)\S*[^\s.;,(){}<>"\u201d\u2019]/i, + /((s?ftp|https?):\/\/|(www\.)|(mailto:)?[A-Za-z0-9._%+-]+@)\S*[^\s.;,(){}<>"\u201d\u2019]/i, MAILTO_REGEXP = /^mailto:/i; var linkyMinErr = angular.$$minErr('linky');
diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js
index 7d01e3c4ba64..472391c75cf8 100644
--- a/test/ng/sanitizeUriSpec.js
+++ b/test/ng/sanitizeUriSpec.js
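Review bot: Adding `s?ftp` to the default `aHrefSanitizationWhitelist` relaxes a security default, and neither the hunk nor the commit message records why `sftp:` is acceptable: mainstream browsers do not render `sftp:` themselves, so an allowlisted `sftp:` href is handed to whatever external protocol handler is registered, the same class of risk as the already-allowed `ftp:` and `file:`. A comment above the declaration would preserve that reasoning, e.g. `// sftp: is admitted alongside ftp:; both are delegated to an external handler by the browser, never rendered in-page`. The same `s?ftp` is also added to `imgSrcSanitizationWhitelist`, where it buys nothing (an image element is not fetched over sftp) and only widens the allowlist; patch 6 of this series removes it again, so squashing patches 1, 6 and 7 would avoid publishing the intermediate default. If the `$compileProvider.aHrefSanitizationWhitelist` documentation elsewhere quotes the default pattern, it needs the same edit; the body of `$$SanitizeUriProvider` continues outside the hunk.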
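Review bot: The new scheme is added inside the existing first alternative, so the capture-group numbering of `LINKY_URL_REGEXP` is unchanged; that invariant deserves a comment, because the filter body that consumes the match lies outside this hunk and appears to depend on numbered groups. Something like `// keep new schemes inside group 2; the match handling below indexes groups by number` next to the declaration would protect the next edit - confirm the indexes against the body before wording it. This regexp is case-insensitive (`/i`) while the href allowlist in `src/ng/sanitizeUri.js` is not, so an `SFTP://` match is linkified and its fate then depends on URL normalisation outside this hunk; that combination is worth one end-to-end spec assertion. The JSDoc at the top of this file still lists `http/https/ftp/mailto` until patch 4 of this series.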
@@ -109,6 +109,9 @@ describe('sanitizeUri', function() { testUrl = 'ftp://foo.com/bar'; expect(sanitizeImg(testUrl)).toBe('ftp://foo.com/bar'); + testUrl = 'sftp://foo.com/bar'; + expect(sanitizeImg(testUrl)).toBe('sftp://foo.com/bar'); + testUrl = 'file:///foo/bar.html'; expect(sanitizeImg(testUrl)).toBe('file:///foo/bar.html'); });
@@ -216,6 +219,9 @@ describe('sanitizeUri', function() { testUrl = 'ftp://foo/bar'; expect(sanitizeHref(testUrl)).toBe('ftp://foo/bar'); + testUrl = 'sftp://foo/bar'; + expect(sanitizeHref(testUrl)).toBe('sftp://foo/bar'); + testUrl = 'mailto:foo@bar.com'; expect(sanitizeHref(testUrl)).toBe('mailto:foo@bar.com');
From 345a0ba3edafa969ce0e30f79178092699c73d5f Mon Sep 17 00:00:00 2001
From: "Dmitriy.Stepanov"
Date: Wed, 12 Jul 2017 15:13:45 +0300
Subject: [PATCH 2/7] test(compileSpec): fix allow aHrefSanitizationWhitelist
---
 test/ng/compileSpec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js
index 4fa14d2daff0..f8b56ea93a94 100644
--- a/test/ng/compileSpec.js
+++ b/test/ng/compileSpec.js
@@ -153,7 +153,7 @@ describe('$compile', function() { it('should allow aHrefSanitizationWhitelist to be configured', function() { module(function($compileProvider) { - expect($compileProvider.aHrefSanitizationWhitelist()).toEqual(/^\s*(https?|ftp|mailto|tel|file):/); // the default + expect($compileProvider.aHrefSanitizationWhitelist()).toEqual(/^\s*(https?|s?ftp|mailto|tel|file):/); // the default $compileProvider.aHrefSanitizationWhitelist(/other/); expect($compileProvider.aHrefSanitizationWhitelist()).toEqual(/other/); });
From 47b58406164b5c8f9d8172e127b6c5e47afd7606 Mon Sep 17 00:00:00 2001
From: "Dmitriy.Stepanov"
Date: Tue, 15 Aug 2017 13:50:03 +0300
Subject: [PATCH 3/7] test($linkyFilter): add ftp and sftp tests
---
 test/ngSanitize/filter/linkySpec.js | 4 ++++
 1 file changed, 4 insertions(+)
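Review bot: The added assertions only show that the lower-case `sftp://` form passes `sanitizeImg` here and `sanitizeHref` in the second hunk of this file (`@@ -216`); nothing pins how an upper- or mixed-case scheme such as `SFTP://foo/bar` is treated, which matters because the allowlist regex in `src/ng/sanitizeUri.js` is case-sensitive while the linky filter that produces such hrefs is not. One assertion per helper with the intended result would stop a later change to the scheme normalisation from silently widening or narrowing the default. The `sanitizeImg` assertion added here is deleted again in patch 7 of this series, so it is only needed if the image-allowlist change from patch 1 is kept.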
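Review bot: This expectation is exactly the test that patch 1 breaks, so shipping it as a separate commit leaves patch 1 with a failing `$compile` spec and makes the series harder to bisect; it belongs in patch 1. The assertion also repeats the default pattern literally, so every scheme added to `aHrefSanitizationWhitelist` will require editing this spec as well - a comment beside the literal, `// keep in sync with the default in src/ng/sanitizeUri.js`, makes that coupling explicit. The enclosing `it` block ends outside the hunk.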
diff --git a/test/ngSanitize/filter/linkySpec.js b/test/ngSanitize/filter/linkySpec.js
index 4599c1ee48ab..236766e61038 100644
--- a/test/ngSanitize/filter/linkySpec.js
+++ b/test/ngSanitize/filter/linkySpec.js
@@ -58,6 +58,10 @@ describe('linky', function() { expect(linky('HTTP://example.com')).toEqual('HTTP://example.com'); expect(linky('HTTPS://www.example.com')).toEqual('HTTPS://www.example.com'); expect(linky('HTTPS://example.com')).toEqual('HTTPS://example.com'); + expect(linky('FTP://www.example.com')).toEqual('FTP://www.example.com'); + expect(linky('FTP://example.com')).toEqual('FTP://example.com'); + expect(linky('SFTP://www.example.com')).toEqual('SFTP://www.example.com'); + expect(linky('SFTP://example.com')).toEqual('SFTP://example.com'); }); it('should handle www.', function() {
From 01a48718c3bd4b85c3f95a4b1a3d5aa486c280d7 Mon Sep 17 00:00:00 2001
From: "Dmitriy.Stepanov"
Date: Thu, 7 Sep 2017 10:04:02 +0300
Subject: [PATCH 4/7] docs(linky): add sftp protocol
---
 src/ngSanitize/filter/linky.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ngSanitize/filter/linky.js b/src/ngSanitize/filter/linky.js
index ac021a359489..34881c847729 100644
--- a/src/ngSanitize/filter/linky.js
+++ b/src/ngSanitize/filter/linky.js
@@ -6,7 +6,7 @@ * @kind function * * @description - * Finds links in text input and turns them into html links. Supports `http/https/ftp/mailto` and + * Finds links in text input and turns them into html links. Supports `http/https/ftp/sftp/mailto` and * plain email address links. * * Requires the {@link ngSanitize `ngSanitize`} module to be installed.
From c818c7740104596416552e3c2288edaf881f0777 Mon Sep 17 00:00:00 2001
From: Dmitriy Stepanov
Date: Fri, 8 Sep 2017 12:46:32 +0300
Subject: [PATCH 5/7] chore(sanitizeSpec): remove unused var
---
 test/ngSanitize/sanitizeSpec.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
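Review bot: All four new assertions use an upper-case scheme, so they exercise the `/i` flag of `LINKY_URL_REGEXP` rather than the plain `sftp://example.com` input the regexp change in patch 1 was made for; unless another spec already covers it, add the lower-case form alongside. In this rendering the expected values read as bare URLs, which looks like anchor markup stripped from the listing rather than the filter returning its input unchanged - confirm against the file before relying on it. The enclosing `it` block starts outside the hunk.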
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
index 70682c23ed4d..c3206948e990 100644
--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@@ -270,7 +270,8 @@ describe('HTML', function() { // See https://github.com/cure53/DOMPurify/blob/a992d3a75031cb8bb032e5ea8399ba972bdf9a65/src/purify.js#L439-L449 it('should not allow JavaScript execution when creating inert document', inject(function($sanitize) { - var doc = $sanitize(''); + $sanitize(''); + expect(window.xxx).toBe(undefined); delete window.xxx; }));
From 1922577d1221f40e9f18db1e0516087eceb8550f Mon Sep 17 00:00:00 2001
From: Dmitriy Stepanov
Date: Tue, 19 Sep 2017 16:57:16 +0300
Subject: [PATCH 6/7] chore($$SanitizeUriProvider): remove sftp from img Sanitization White list
---
 src/ng/sanitizeUri.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js
index 29c9ae402697..a5302994415d 100644
--- a/src/ng/sanitizeUri.js
+++ b/src/ng/sanitizeUri.js
@@ -7,7 +7,7 @@ */ function $$SanitizeUriProvider() { var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/, - imgSrcSanitizationWhitelist = /^\s*((https?|s?ftp|file|blob):|data:image\/)/; + imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/; /** * @description
From f35c17bf7eab6e476ee1ca09b41711740f39c56b Mon Sep 17 00:00:00 2001
From: Dmitriy Stepanov
Date: Tue, 19 Sep 2017 17:39:30 +0300
Subject: [PATCH 7/7] test(sanitizeUri): remove sftp test for img
---
 test/ng/sanitizeUriSpec.js | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js
index 472391c75cf8..c5ca4c5d040f 100644
--- a/test/ng/sanitizeUriSpec.js
+++ b/test/ng/sanitizeUriSpec.js
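Review bot: After this hunk the two defaults deliberately diverge (`s?ftp` for hrefs, plain `ftp` for image sources), but nothing in the code records that, and the commit is labelled `chore` even though it narrows a default allowlist relative to patch 1. A one-line comment above `imgSrcSanitizationWhitelist`, e.g. `// no sftp: here - image sources are limited to schemes the browser fetches itself`, would keep the asymmetry from being 'corrected' later, and the commit message should carry the same reason. `$$SanitizeUriProvider` continues outside the hunk.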
@@ -109,9 +109,6 @@ describe('sanitizeUri', function() { testUrl = 'ftp://foo.com/bar'; expect(sanitizeImg(testUrl)).toBe('ftp://foo.com/bar'); - testUrl = 'sftp://foo.com/bar'; - expect(sanitizeImg(testUrl)).toBe('sftp://foo.com/bar'); - testUrl = 'file:///foo/bar.html'; expect(sanitizeImg(testUrl)).toBe('file:///foo/bar.html'); });