forked from angular/angular.js
ngSrcSpec.js
/*jshint scripturl:true*/
'use strict';
describe('ngSrc', function() {
var element;
// Every spec below stores its compiled node in the shared `element` variable;
// it is handed to dealoc() after each spec finishes.
afterEach(function releaseCompiledElement() {
  dealoc(element);
});
describe('img[ng-src]', function() {
it('should not result empty string in img src', inject(function($rootScope, $compile) {
  // `image` has no `url` property, so the `{{image.url}}` binding has nothing to render.
  $rootScope.image = {};
  var link = $compile('<img ng-src="{{image.url}}">');
  element = link($rootScope);
  $rootScope.$digest();

  // The src attribute must be absent altogether, not present with an empty value.
  var renderedSrc = element.attr('src');
  expect(renderedSrc).not.toBe('');
  expect(renderedSrc).toBeUndefined();
}));
it('should sanitize url', inject(function($rootScope, $compile) {
  // A script-scheme URL bound to img[ng-src] must not reach the DOM unchanged.
  var scriptUrl = 'javascript:alert(1);';
  $rootScope.imageUrl = scriptUrl;

  var link = $compile('<img ng-src="{{imageUrl}}">');
  element = link($rootScope);
  $rootScope.$digest();

  // The value is kept but rendered with an `unsafe:` prefix, so the attribute no longer
  // starts with the javascript: scheme. Unlike the iframe specs, nothing is thrown here.
  var renderedSrc = element.attr('src');
  expect(renderedSrc).toBe('unsafe:javascript:alert(1);');
}));
});
describe('iframe[ng-src]', function() {
it('should pass through src attributes for the same domain', inject(function($compile, $rootScope) {
  var link = $compile('<iframe ng-src="{{testUrl}}"></iframe>');
  element = link($rootScope);

  // A relative URL: the spec expects it to be rendered into src exactly as given.
  $rootScope.testUrl = 'different_page';
  $rootScope.$apply();

  var renderedSrc = element.attr('src');
  expect(renderedSrc).toEqual('different_page');
}));
it('should error on src attributes for a different domain', inject(function($compile, $rootScope) {
  // An absolute URL on another host, bound without any $sce trust wrapper, must be refused:
  // the digest is expected to fail with $sce:insecurl, reported through $interpolate's interr.
  var expectedMessage =
      "Can't interpolate: {{testUrl}}\n" +
      "Error: [$sce:insecurl] Blocked loading resource from url not allowed by $sceDelegate policy. " +
      "URL: http://a.different.domain.example.com";

  var link = $compile('<iframe ng-src="{{testUrl}}"></iframe>');
  element = link($rootScope);
  $rootScope.testUrl = 'http://a.different.domain.example.com';

  var applyScope = function() {
    $rootScope.$apply();
  };
  expect(applyScope).toThrowMinErr('$interpolate', 'interr', expectedMessage);
}));
it('should error on JS src attributes', inject(function($compile, $rootScope) {
  // For iframe[ng-src] a plain javascript: string is rejected outright ($sce:insecurl);
  // it is not rewritten with an `unsafe:` prefix the way the img[ng-src] spec expects.
  var expectedMessage =
      "Can't interpolate: {{testUrl}}\n" +
      "Error: [$sce:insecurl] Blocked loading resource from url not allowed by $sceDelegate policy. " +
      "URL: javascript:alert(1);";

  var link = $compile('<iframe ng-src="{{testUrl}}"></iframe>');
  element = link($rootScope);
  $rootScope.testUrl = 'javascript:alert(1);';

  var applyScope = function() {
    $rootScope.$apply();
  };
  expect(applyScope).toThrowMinErr('$interpolate', 'interr', expectedMessage);
}));
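it('should error on non-resource_url src attributes', inject(function($compile, $rootScope, $sce) {
  element = $compile('<iframe ng-src="{{testUrl}}"></iframe>')($rootScope);
  // trustAsUrl() is the wrong trust level for this binding: the expected error shows that
  // iframe[ng-src] still refuses the value, so URL-level trust does not unlock a resource URL.
  $rootScope.testUrl = $sce.trustAsUrl("javascript:doTrustedStuff()");
  // Call $apply as a method of $rootScope, like the sibling specs do. Passing the bare
  // `$rootScope.$apply` reference would invoke it without a receiver, and the assertion would
  // then depend on how $apply behaves when `this` is undefined.
  expect(function() { $rootScope.$apply(); }).toThrowMinErr(
      "$interpolate", "interr", "Can't interpolate: {{testUrl}}\nError: [$sce:insecurl] Blocked " +
      "loading resource from url not allowed by $sceDelegate policy. URL: " +
      "javascript:doTrustedStuff()");
}));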
it('should pass through $sce.trustAs() values in src attributes', inject(function($compile, $rootScope, $sce) {
  var link = $compile('<iframe ng-src="{{testUrl}}"></iframe>');
  element = link($rootScope);

  // trustAsResourceUrl() is the explicit opt-out: the asserted src is the raw javascript: URL,
  // so a value wrapped this way is rendered without rewriting or rejection. Application code
  // should only wrap constants or values it fully controls, never user-supplied input.
  var trustedUrl = $sce.trustAsResourceUrl('javascript:doTrustedStuff()');
  $rootScope.testUrl = trustedUrl;
  $rootScope.$apply();

  var renderedSrc = element.attr('src');
  expect(renderedSrc).toEqual('javascript:doTrustedStuff()');
}));
});
});