refactor(misc): remove usages of whitelist and blacklist

Remove miscellaneous usages and references to usages of whitelist and blacklist
throughout the repository.
This commit is contained in:
Joey Perrott
2020-09-23 11:09:18 -07:00
committed by Pete Bacon Darwin
parent 10ae3e2932
commit 1d3ec55914
16 changed files with 169 additions and 106 deletions
+1 -1
View File
@@ -15,7 +15,7 @@
// Stylistic issues
"block-spacing": ["error", "always"],
"comma-spacing": "error",
"id-blacklist": ["error", "event"],
"id-denylist": ["error", "event"],
"indent": ["error", 2],
"key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }],
"object-curly-spacing": ["error", "never"],
+4 -4
View File
@@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) {
return {
$runAfter: ['generatePagesDataProcessor'],
$runBefore: ['rendering-docs'],
// the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org
blacklist: ['1.3.4-build.3588'],
// Remove rogue builds that are in the npm repository but not on code.angularjs.org
ignoredBuilds: ['1.3.4-build.3588'],
$process: function(docs) {
var blacklist = this.blacklist;
var ignoredBuilds = this.ignoredBuilds;
var currentVersion = require('../../../build/version.json');
var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0];
var allVersions = processAllVersionsResponse(JSON.parse(output).data);
@@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) {
versions = versions
.filter(function(versionStr) {
return blacklist.indexOf(versionStr) === -1;
return ignoredBuilds.indexOf(versionStr) === -1;
})
.map(function(versionStr) {
return semver.parse(versionStr);
+3 -2
View File
@@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun
<h2><span id="ngclick">ngClick</span> and <span id="ngdblclick">ngDblclick</span></h2>
If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in
a node blacklist:
the list of built in aria nodes:
* Button
* Anchor
@@ -337,7 +337,8 @@ a node blacklist:
* Details/Summary
To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will
dynamically bind a keypress event by default as long as the element isn't in the node blacklist.
dynamically bind a keypress event by default as long as the element isn't in a node from the list of
built in aria nodes.
You can turn this functionality on or off with the `bindKeypress` configuration option.
ngAria will also add the `button` role to communicate to users of assistive technologies. This can
+16 -14
View File
@@ -276,15 +276,16 @@ statement.
**Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**,
the `xlink:href` security context for SVG's `a` and `image` elements has been lowered.
In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the
In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the
purpose of binding to the `xlink:href` property of SVG's `<a>` or `<image>`
elements and if the values do not pass the regular URL sanitization, they will
break.
To fix this you need to ensure that the values used for binding to the affected
`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in
`$compileProvider`'s `aHrefSanitizationTrustedUri` (for `<a>` elements) or
`imgSrcSanitizationTrustedUri` (for `<image>` elements).
`xlink:href` contexts are considered safe URLs, e.g. by trusting them in
`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form
1.8.1 onwards) (for `<a>` elements) or `imgSrcSanitizationWhitelist` (called
`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `<image>` elements).
<hr />
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail:
By default, only URLs with the same domain and protocol as the application document are considered
safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either
whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
<hr />
<minor />
@@ -1387,12 +1388,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
trust a URL:
1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.**
1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.**
You configure this list in a module configuration block:
```js
appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
$sceDelegateProvider.trustedResourceUrlList([
$sceDelegateProvider.resourceUrlWhitelist([
// Allow same origin resource loads.
'self',
// Allow JSONP calls that match this pattern
@@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it.
Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements
passed to it. This attribute is used to reference another element by `name` or `id`. Since the
`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only
`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only
reference unsanitized content, which is a security risk.
Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a),
@@ -2662,11 +2663,12 @@ $scope.findTemplate = function(templateName) {
return templateCache[templateName];
};
// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't
// Alternatively, use `$sceDelegateProvider..resourceUrlWhitelist()` (called
// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't
// have to use `$sce.trustAsResourceUrl()` at all:
angular.module('myApp', []).config(function($sceDelegateProvider) {
$sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**'])
$sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**'])
});
```
@@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
<li>{@link guide/migration#directive-priority Directive priority}</li>
<li>{@link guide/migration#ngscenario ngScenario}</li>
<li>{@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}</li>
<li>{@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}</li>
<li>{@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}</li>
<li>{@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with <code>scope</code> property}</li>
<li>{@link guide/migration#change-to-interpolation-priority Change to interpolation priority}</li>
<li>{@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}</li>
@@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d
[aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a).
### URLs are now sanitized against a whitelist
### URLs are now sanitized against a trusted URI matcher
A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe.
By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`.
A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe.
By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`.
This change shouldn't impact apps that don't contain malicious image links.
See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97),
+52 -12
View File
@@ -1698,7 +1698,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
/**
* @ngdoc method
* @name $compileProvider#aHrefSanitizationTrustedUri
* @name $compileProvider#aHrefSanitizationTrustedUrlList
* @kind function
*
* @description
@@ -1708,7 +1708,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
* The sanitization is a security measure aimed at preventing XSS attacks via html links.
*
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUri`
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
*
@@ -1716,20 +1716,40 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.aHrefSanitizationTrustedUri = function(regexp) {
this.aHrefSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
$$sanitizeUriProvider.aHrefSanitizationTrustedUri(regexp);
$$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
return this;
} else {
return $$sanitizeUriProvider.aHrefSanitizationTrustedUri();
return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
}
};
this.aHrefSanitizationWhitelist = this.aHrefSanitizationTrustedUri;
/**
* @ngdoc method
* @name $compileProvider#imgSrcSanitizationTrustedUri
* @name $compileProvider#aHrefSanitizationWhitelist
* @kind function
*
* @deprecated
* sinceVersion="1.8.1"
*
* This function is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
* aHrefSanitizationTrustedUrlList} instead.
*/
Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
get: function() {
return this.aHrefSanitizationTrustedUrlList;
},
set: function(regexp) {
this.aHrefSanitizationTrustedUrlList = regexp;
}
});
/**
* @ngdoc method
* @name $compileProvider#imgSrcSanitizationTrustedUrlList
* @kind function
*
* @description
@@ -1739,7 +1759,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
*
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUri`
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
*
@@ -1747,15 +1767,35 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.imgSrcSanitizationTrustedUri = function(regexp) {
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
$$sanitizeUriProvider.imgSrcSanitizationTrustedUri(regexp);
$$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
return this;
} else {
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUri();
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
}
};
this.imgSrcSanitizationWhitelist = this.imgSrcSanitizationTrustedUri;
/**
* @ngdoc method
* @name $compileProvider#imgSrcSanitizationWhitelist
* @kind function
*
* @deprecated
* sinceVersion="1.8.1"
*
* This function is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
* imgSrcSanitizationTrustedUrlList} instead.
*/
Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
get: function() {
return this.imgSrcSanitizationTrustedUrlList;
},
set: function(regexp) {
this.imgSrcSanitizationTrustedUrlList = regexp;
}
});
/**
* @ngdoc method
+21 -1
View File
@@ -426,7 +426,27 @@ function $HttpProvider() {
* }]);
* ```
*/
var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];
var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
/**
* @ngdoc property
* @name $httpProvider#xsrfWhitelistedOrigins
* @description
*
* @deprecated
* sinceVersion="1.8.1"
*
* This function is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
* instead.
*/
Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
get: function() {
return this.xsrfTrustedOrigins;
},
set: function(origins) {
this.xsrfTrustedOrigins = origins;
}
});
this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
+10 -10
View File
@@ -7,8 +7,8 @@
*/
function $$SanitizeUriProvider() {
var aHrefSanitizationTrustedUri = /^\s*(https?|s?ftp|mailto|tel|file):/,
imgSrcSanitizationTrustedUri = /^\s*((https?|ftp|file|blob):|data:image\/)/;
var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
/**
* @description
@@ -21,7 +21,7 @@ function $$SanitizeUriProvider() {
* the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
* which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
*
* If the URL matches the `aHrefSanitizationTrustedUri` regular expression, it is returned unchanged.
* If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
*
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
* to the DOM it is inactive and potentially malicious code will not be executed.
@@ -30,12 +30,12 @@ function $$SanitizeUriProvider() {
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.aHrefSanitizationTrustedUri = function(regexp) {
this.aHrefSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
aHrefSanitizationTrustedUri = regexp;
aHrefSanitizationTrustedUrlList = regexp;
return this;
}
return aHrefSanitizationTrustedUri;
return aHrefSanitizationTrustedUrlList;
};
@@ -61,18 +61,18 @@ function $$SanitizeUriProvider() {
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
* chaining otherwise.
*/
this.imgSrcSanitizationTrustedUri = function(regexp) {
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
if (isDefined(regexp)) {
imgSrcSanitizationTrustedUri = regexp;
imgSrcSanitizationTrustedUrlList = regexp;
return this;
}
return imgSrcSanitizationTrustedUri;
return imgSrcSanitizationTrustedUrlList;
};
this.$get = function() {
return function sanitizeUri(uri, isMediaUrl) {
// if (!uri) return uri;
var regex = isMediaUrl ? imgSrcSanitizationTrustedUri : aHrefSanitizationTrustedUri;
var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
var normalizedVal = urlResolve(uri && uri.trim()).href;
if (normalizedVal !== '' && !normalizedVal.match(regex)) {
return 'unsafe:' + normalizedVal;
+4 -4
View File
@@ -73,10 +73,10 @@ function $TemplateRequestProvider() {
handleRequestFn.totalPendingRequests++;
// We consider the template cache holds only trusted templates, so
// there's no need to go through whitelisting again for keys that already
// are included in there. This also makes AngularJS accept any script
// directive, no matter its name. However, we still need to unwrap trusted
// types.
// there's no need to go through adding the template again to the trusted
// resources for keys that already are included in there. This also makes
// AngularJS accept any script directive, no matter its name. However, we
// still need to unwrap trusted types.
if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
tpl = $sce.getTrustedResourceUrl(tpl);
}
+5 -5
View File
@@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
}
/**
* Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
* Create a function that can check a URL's origin against a list of allowed/trusted origins.
* The current location's origin is implicitly trusted.
*
* @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
* @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
*
* @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
* whether it is of an allowed origin.
*/
function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
function urlIsAllowedOriginFactory(trustedOriginUrls) {
var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
/**
* Check whether the specified URL (string or parsed URL object) has an origin that is allowed
* based on a list of whitelisted-origin URLs. The current location's origin is implicitly
* based on a list of trusted-origin URLs. The current location's origin is implicitly
* trusted.
*
* @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be
+16 -16
View File
@@ -64,7 +64,7 @@ var ngAriaModule = angular.module('ngAria', ['ng']).
/**
* Internal Utilities
*/
var nodeBlackList = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
var nativeAriaNodeNames = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
var isNodeOneOf = function(elem, nodeTypeArray) {
if (nodeTypeArray.indexOf(elem[0].nodeName) !== -1) {
@@ -136,12 +136,12 @@ function $AriaProvider() {
config = angular.extend(config, newConfig);
};
function watchExpr(attrName, ariaAttr, nodeBlackList, negate) {
function watchExpr(attrName, ariaAttr, nativeAriaNodeNames, negate) {
return function(scope, elem, attr) {
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
var ariaCamelName = attr.$normalize(ariaAttr);
if (config[ariaCamelName] && !isNodeOneOf(elem, nodeBlackList) && !attr[ariaCamelName]) {
if (config[ariaCamelName] && !isNodeOneOf(elem, nativeAriaNodeNames) && !attr[ariaCamelName]) {
scope.$watch(attr[attrName], function(boolVal) {
// ensure boolean value
boolVal = negate ? !boolVal : !!boolVal;
@@ -165,7 +165,7 @@ function $AriaProvider() {
*
*```js
* ngAriaModule.directive('ngDisabled', ['$aria', function($aria) {
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
* }])
*```
* Shown above, the ngAria module creates a directive with the same signature as the
@@ -217,31 +217,31 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
return $aria.$$watchExpr('ngHide', 'aria-hidden', [], false);
}])
.directive('ngValue', ['$aria', function($aria) {
return $aria.$$watchExpr('ngValue', 'aria-checked', nodeBlackList, false);
return $aria.$$watchExpr('ngValue', 'aria-checked', nativeAriaNodeNames, false);
}])
.directive('ngChecked', ['$aria', function($aria) {
return $aria.$$watchExpr('ngChecked', 'aria-checked', nodeBlackList, false);
return $aria.$$watchExpr('ngChecked', 'aria-checked', nativeAriaNodeNames, false);
}])
.directive('ngReadonly', ['$aria', function($aria) {
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nodeBlackList, false);
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nativeAriaNodeNames, false);
}])
.directive('ngRequired', ['$aria', function($aria) {
return $aria.$$watchExpr('ngRequired', 'aria-required', nodeBlackList, false);
return $aria.$$watchExpr('ngRequired', 'aria-required', nativeAriaNodeNames, false);
}])
.directive('ngModel', ['$aria', function($aria) {
function shouldAttachAttr(attr, normalizedAttr, elem, allowBlacklistEls) {
function shouldAttachAttr(attr, normalizedAttr, elem, allowNonAriaNodes) {
return $aria.config(normalizedAttr) &&
!elem.attr(attr) &&
(allowBlacklistEls || !isNodeOneOf(elem, nodeBlackList)) &&
(allowNonAriaNodes || !isNodeOneOf(elem, nativeAriaNodeNames)) &&
(elem.attr('type') !== 'hidden' || elem[0].nodeName !== 'INPUT');
}
function shouldAttachRole(role, elem) {
// if element does not have role attribute
// AND element type is equal to role (if custom element has a type equaling shape) <-- remove?
// AND element is not in nodeBlackList
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nodeBlackList);
// AND element is not in nativeAriaNodeNames
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nativeAriaNodeNames);
}
function getShape(attr, elem) {
@@ -349,7 +349,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
};
}])
.directive('ngDisabled', ['$aria', function($aria) {
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
}])
.directive('ngMessages', function() {
return {
@@ -373,7 +373,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
var fn = $parse(attr.ngClick);
return function(scope, elem, attr) {
if (!isNodeOneOf(elem, nodeBlackList)) {
if (!isNodeOneOf(elem, nativeAriaNodeNames)) {
if ($aria.config('bindRoleForClick') && !elem.attr('role')) {
elem.attr('role', 'button');
@@ -389,7 +389,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
if (keyCode === 13 || keyCode === 32) {
// If the event is triggered on a non-interactive element ...
if (nodeBlackList.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
if (nativeAriaNodeNames.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
// ... prevent the default browser behavior (e.g. scrolling when pressing spacebar)
// See https://github.com/angular/angular.js/issues/16664
event.preventDefault();
@@ -411,7 +411,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
return function(scope, elem, attr) {
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nodeBlackList)) {
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nativeAriaNodeNames)) {
elem.attr('tabindex', 0);
}
};
+5 -5
View File
@@ -41,12 +41,12 @@ var htmlSanitizeWriter;
* @description
* Sanitizes an html string by stripping all potentially dangerous tokens.
*
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a trusted URI list) are
* then serialized back to a properly escaped HTML string. This means that no unsafe input can make
* it into the returned string.
*
* The whitelist for URL sanitization of attribute values is configured using the functions
* `aHrefSanitizationTrustedUri` and `imgSrcSanitizationTrustedUri` of {@link $compileProvider}.
* The trusted URIs for URL sanitization of attribute values is configured using the functions
* `aHrefSanitizationTrustedUrlList` and `imgSrcSanitizationTrustedUrlList` of {@link $compileProvider}.
*
* The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}.
*
@@ -277,8 +277,8 @@ function $SanitizeProvider() {
* **Note**:
* The new attributes will not be treated as URI attributes, which means their values will not be
* sanitized as URIs using `$compileProvider`'s
* {@link ng.$compileProvider#aHrefSanitizationTrustedUri aHrefSanitizationTrustedUri} and
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUri imgSrcSanitizationTrustedUri}.
* {@link ng.$compileProvider#aHrefSanitizationTrustedUrlList aHrefSanitizationTrustedUrlList} and
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUrlList imgSrcSanitizationTrustedUrlList}.
*
* <div class="alert alert-info">
* This method must be called during the {@link angular.Module#config config} phase. Once the
+10 -10
View File
@@ -151,30 +151,30 @@ describe('$compile', function() {
describe('configuration', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUri`', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUrlList`', function() {
module(function($compileProvider, $$sanitizeUriProvider) {
var newRe = /safe:/, returnVal;
expect($compileProvider.aHrefSanitizationTrustedUri()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUri());
returnVal = $compileProvider.aHrefSanitizationTrustedUri(newRe);
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList());
returnVal = $compileProvider.aHrefSanitizationTrustedUrlList(newRe);
expect(returnVal).toBe($compileProvider);
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUri()).toBe(newRe);
expect($compileProvider.aHrefSanitizationTrustedUri()).toBe(newRe);
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
});
inject(function() {
// needed to the module definition above is run...
});
});
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUri`', function() {
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUrlList`', function() {
module(function($compileProvider, $$sanitizeUriProvider) {
var newRe = /safe:/, returnVal;
expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUri());
returnVal = $compileProvider.imgSrcSanitizationTrustedUri(newRe);
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList());
returnVal = $compileProvider.imgSrcSanitizationTrustedUrlList(newRe);
expect(returnVal).toBe($compileProvider);
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()).toBe(newRe);
expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe(newRe);
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
});
inject(function() {
// needed to the module definition above is run...
+15 -15
View File
@@ -250,9 +250,9 @@ describe('ngProp*', function() {
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
if (msie !== 9 || tag === 'img') {
describe(tag + '[src] context requirement', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.prop('src')).toEqual('http://example.com/image.mp4');
}));
@@ -279,7 +279,7 @@ describe('ngProp*', function() {
expect(element.prop('src')).toEqual('untrusted:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
// As a MEDIA_URL URL
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
// Some browsers complain if you try to write `javascript:` into an `img[src]`
@@ -308,9 +308,9 @@ describe('ngProp*', function() {
if (msie !== 9) {
['source', 'track'].forEach(function(tag) {
describe(tag + '[src]', function() {
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
$rootScope.$digest();
expect(element.find(tag).prop('src')).toEqual('http://example.com/image.mp4');
}));
@@ -335,7 +335,7 @@ describe('ngProp*', function() {
expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
$rootScope.testUrl = 'untrusted:foo()';
$rootScope.$digest();
@@ -412,14 +412,14 @@ describe('ngProp*', function() {
expect(element.prop('srcset')).toBe('');
}));
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
$rootScope.$digest();
expect(element.prop('srcset')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
$rootScope.$digest();
@@ -506,8 +506,8 @@ describe('ngProp*', function() {
});
describe('a[href] sanitization', function() {
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('http://example.com/image.png');
@@ -517,8 +517,8 @@ describe('ngProp*', function() {
expect(element.prop('href')).toEqual('http://example.com/image.png');
}));
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('javascript:foo()');
@@ -528,8 +528,8 @@ describe('ngProp*', function() {
expect(element.prop('href')).toEqual('javascript:foo()');
}));
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
$rootScope.$digest();
expect(element.prop('href')).toEqual('unsafe:javascript:foo()');
+4 -4
View File
@@ -127,8 +127,8 @@ describe('sanitizeUri', function() {
it('should allow reconfiguration of the src trusted URIs', function() {
var returnVal;
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUri() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUri(/javascript:/);
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(/javascript:/);
expect(returnVal).toBe(sanitizeUriProvider);
testUrl = 'javascript:doEvilStuff()';
@@ -228,8 +228,8 @@ describe('sanitizeUri', function() {
it('should allow reconfiguration of the href trusted URIs', function() {
var returnVal;
expect(sanitizeUriProvider.aHrefSanitizationTrustedUri() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUri(/javascript:/);
expect(sanitizeUriProvider.aHrefSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUrlList(/javascript:/);
expect(returnVal).toBe(sanitizeUriProvider);
testUrl = 'javascript:doEvilStuff()';
+1 -1
View File
@@ -97,7 +97,7 @@ describe('urlUtils', function() {
});
it('should check against the list of whitelisted origins', function() {
it('should check against the list of trusted origins', function() {
expect(urlIsAllowedOrigin('https://foo.com/path')).toBe(true);
expect(urlIsAllowedOrigin(origin.protocol + '://bar.com:1337/path')).toBe(true);
expect(urlIsAllowedOrigin('https://baz.com:1337/path')).toBe(false);
+2 -2
View File
@@ -1,6 +1,6 @@
'use strict';
/* globals nodeBlackList false */
/* globals nativeAriaNodeNames false */
describe('$aria', function() {
var scope, $compile, element;
@@ -1064,7 +1064,7 @@ describe('$aria', function() {
);
they('should not prevent default keyboard action if an interactive $type element' +
'is nested inside ng-click', nodeBlackList, function(elementType) {
'is nested inside ng-click', nativeAriaNodeNames, function(elementType) {
function createHTML(type) {
return '<' + type + '></' + type + '>';
}