refactor(misc): remove usages of whitelist and blacklist
Remove miscellaneous usages and references to usages of whitelist and blacklist throughout the repository.
This commit is contained in:
committed by
Pete Bacon Darwin
parent
10ae3e2932
commit
1d3ec55914
+1
-1
@@ -15,7 +15,7 @@
|
||||
// Stylistic issues
|
||||
"block-spacing": ["error", "always"],
|
||||
"comma-spacing": "error",
|
||||
"id-blacklist": ["error", "event"],
|
||||
"id-denylist": ["error", "event"],
|
||||
"indent": ["error", 2],
|
||||
"key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }],
|
||||
"object-curly-spacing": ["error", "never"],
|
||||
|
||||
@@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) {
|
||||
return {
|
||||
$runAfter: ['generatePagesDataProcessor'],
|
||||
$runBefore: ['rendering-docs'],
|
||||
// the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org
|
||||
blacklist: ['1.3.4-build.3588'],
|
||||
// Remove rogue builds that are in the npm repository but not on code.angularjs.org
|
||||
ignoredBuilds: ['1.3.4-build.3588'],
|
||||
$process: function(docs) {
|
||||
|
||||
var blacklist = this.blacklist;
|
||||
var ignoredBuilds = this.ignoredBuilds;
|
||||
var currentVersion = require('../../../build/version.json');
|
||||
var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0];
|
||||
var allVersions = processAllVersionsResponse(JSON.parse(output).data);
|
||||
@@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) {
|
||||
|
||||
versions = versions
|
||||
.filter(function(versionStr) {
|
||||
return blacklist.indexOf(versionStr) === -1;
|
||||
return ignoredBuilds.indexOf(versionStr) === -1;
|
||||
})
|
||||
.map(function(versionStr) {
|
||||
return semver.parse(versionStr);
|
||||
|
||||
@@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun
|
||||
|
||||
<h2><span id="ngclick">ngClick</span> and <span id="ngdblclick">ngDblclick</span></h2>
|
||||
If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in
|
||||
a node blacklist:
|
||||
the list of built in aria nodes:
|
||||
|
||||
* Button
|
||||
* Anchor
|
||||
@@ -337,7 +337,8 @@ a node blacklist:
|
||||
* Details/Summary
|
||||
|
||||
To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will
|
||||
dynamically bind a keypress event by default as long as the element isn't in the node blacklist.
|
||||
dynamically bind a keypress event by default as long as the element isn't in a node from the list of
|
||||
built in aria nodes.
|
||||
You can turn this functionality on or off with the `bindKeypress` configuration option.
|
||||
|
||||
ngAria will also add the `button` role to communicate to users of assistive technologies. This can
|
||||
|
||||
@@ -276,15 +276,16 @@ statement.
|
||||
**Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**,
|
||||
the `xlink:href` security context for SVG's `a` and `image` elements has been lowered.
|
||||
|
||||
In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the
|
||||
In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the
|
||||
purpose of binding to the `xlink:href` property of SVG's `<a>` or `<image>`
|
||||
elements and if the values do not pass the regular URL sanitization, they will
|
||||
break.
|
||||
|
||||
To fix this you need to ensure that the values used for binding to the affected
|
||||
`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in
|
||||
`$compileProvider`'s `aHrefSanitizationTrustedUri` (for `<a>` elements) or
|
||||
`imgSrcSanitizationTrustedUri` (for `<image>` elements).
|
||||
`xlink:href` contexts are considered safe URLs, e.g. by trusting them in
|
||||
`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form
|
||||
1.8.1 onwards) (for `<a>` elements) or `imgSrcSanitizationWhitelist` (called
|
||||
`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `<image>` elements).
|
||||
|
||||
<hr />
|
||||
|
||||
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail:
|
||||
|
||||
By default, only URLs with the same domain and protocol as the application document are considered
|
||||
safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either
|
||||
whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
|
||||
add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
|
||||
|
||||
<hr />
|
||||
<minor />
|
||||
@@ -1387,12 +1388,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
|
||||
all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
|
||||
trust a URL:
|
||||
|
||||
1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.**
|
||||
1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.**
|
||||
You configure this list in a module configuration block:
|
||||
|
||||
```js
|
||||
appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
|
||||
$sceDelegateProvider.trustedResourceUrlList([
|
||||
$sceDelegateProvider.resourceUrlWhitelist([
|
||||
// Allow same origin resource loads.
|
||||
'self',
|
||||
// Allow JSONP calls that match this pattern
|
||||
@@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it.
|
||||
Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
|
||||
the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements
|
||||
passed to it. This attribute is used to reference another element by `name` or `id`. Since the
|
||||
`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only
|
||||
`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only
|
||||
reference unsanitized content, which is a security risk.
|
||||
|
||||
Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a),
|
||||
@@ -2662,11 +2663,12 @@ $scope.findTemplate = function(templateName) {
|
||||
return templateCache[templateName];
|
||||
};
|
||||
|
||||
// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't
|
||||
// Alternatively, use `$sceDelegateProvider..resourceUrlWhitelist()` (called
|
||||
// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't
|
||||
// have to use `$sce.trustAsResourceUrl()` at all:
|
||||
|
||||
angular.module('myApp', []).config(function($sceDelegateProvider) {
|
||||
$sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**'])
|
||||
$sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**'])
|
||||
});
|
||||
```
|
||||
|
||||
@@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
|
||||
<li>{@link guide/migration#directive-priority Directive priority}</li>
|
||||
<li>{@link guide/migration#ngscenario ngScenario}</li>
|
||||
<li>{@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}</li>
|
||||
<li>{@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}</li>
|
||||
<li>{@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}</li>
|
||||
<li>{@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with <code>scope</code> property}</li>
|
||||
<li>{@link guide/migration#change-to-interpolation-priority Change to interpolation priority}</li>
|
||||
<li>{@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}</li>
|
||||
@@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d
|
||||
[aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a).
|
||||
|
||||
|
||||
### URLs are now sanitized against a whitelist
|
||||
### URLs are now sanitized against a trusted URI matcher
|
||||
|
||||
A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe.
|
||||
By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`.
|
||||
A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe.
|
||||
By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`.
|
||||
This change shouldn't impact apps that don't contain malicious image links.
|
||||
|
||||
See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97),
|
||||
|
||||
+52
-12
@@ -1698,7 +1698,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#aHrefSanitizationTrustedUri
|
||||
* @name $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
@@ -1708,7 +1708,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* The sanitization is a security measure aimed at preventing XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUri`
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
@@ -1716,20 +1716,40 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationTrustedUri = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.aHrefSanitizationTrustedUri(regexp);
|
||||
$$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.aHrefSanitizationTrustedUri();
|
||||
return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
this.aHrefSanitizationWhitelist = this.aHrefSanitizationTrustedUri;
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#imgSrcSanitizationTrustedUri
|
||||
* @name $compileProvider#aHrefSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This function is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* aHrefSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.aHrefSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = regexp;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
@@ -1739,7 +1759,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUri`
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
@@ -1747,15 +1767,35 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationTrustedUri = function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.imgSrcSanitizationTrustedUri(regexp);
|
||||
$$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUri();
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
this.imgSrcSanitizationWhitelist = this.imgSrcSanitizationTrustedUri;
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#imgSrcSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This function is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* imgSrcSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.imgSrcSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = regexp;
|
||||
}
|
||||
});
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
|
||||
+21
-1
@@ -426,7 +426,27 @@ function $HttpProvider() {
|
||||
* }]);
|
||||
* ```
|
||||
*/
|
||||
var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];
|
||||
var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
|
||||
|
||||
/**
|
||||
* @ngdoc property
|
||||
* @name $httpProvider#xsrfWhitelistedOrigins
|
||||
* @description
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This function is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
|
||||
* instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
|
||||
get: function() {
|
||||
return this.xsrfTrustedOrigins;
|
||||
},
|
||||
set: function(origins) {
|
||||
this.xsrfTrustedOrigins = origins;
|
||||
}
|
||||
});
|
||||
|
||||
this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
|
||||
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
|
||||
|
||||
+10
-10
@@ -7,8 +7,8 @@
|
||||
*/
|
||||
function $$SanitizeUriProvider() {
|
||||
|
||||
var aHrefSanitizationTrustedUri = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationTrustedUri = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
|
||||
/**
|
||||
* @description
|
||||
@@ -21,7 +21,7 @@ function $$SanitizeUriProvider() {
|
||||
* the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
|
||||
* which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
|
||||
*
|
||||
* If the URL matches the `aHrefSanitizationTrustedUri` regular expression, it is returned unchanged.
|
||||
* If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
|
||||
*
|
||||
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
|
||||
* to the DOM it is inactive and potentially malicious code will not be executed.
|
||||
@@ -30,12 +30,12 @@ function $$SanitizeUriProvider() {
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationTrustedUri = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
aHrefSanitizationTrustedUri = regexp;
|
||||
aHrefSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return aHrefSanitizationTrustedUri;
|
||||
return aHrefSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
|
||||
@@ -61,18 +61,18 @@ function $$SanitizeUriProvider() {
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationTrustedUri = function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
imgSrcSanitizationTrustedUri = regexp;
|
||||
imgSrcSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return imgSrcSanitizationTrustedUri;
|
||||
return imgSrcSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
this.$get = function() {
|
||||
return function sanitizeUri(uri, isMediaUrl) {
|
||||
// if (!uri) return uri;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationTrustedUri : aHrefSanitizationTrustedUri;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
|
||||
var normalizedVal = urlResolve(uri && uri.trim()).href;
|
||||
if (normalizedVal !== '' && !normalizedVal.match(regex)) {
|
||||
return 'unsafe:' + normalizedVal;
|
||||
|
||||
@@ -73,10 +73,10 @@ function $TemplateRequestProvider() {
|
||||
handleRequestFn.totalPendingRequests++;
|
||||
|
||||
// We consider the template cache holds only trusted templates, so
|
||||
// there's no need to go through whitelisting again for keys that already
|
||||
// are included in there. This also makes AngularJS accept any script
|
||||
// directive, no matter its name. However, we still need to unwrap trusted
|
||||
// types.
|
||||
// there's no need to go through adding the template again to the trusted
|
||||
// resources for keys that already are included in there. This also makes
|
||||
// AngularJS accept any script directive, no matter its name. However, we
|
||||
// still need to unwrap trusted types.
|
||||
if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
|
||||
tpl = $sce.getTrustedResourceUrl(tpl);
|
||||
}
|
||||
|
||||
+5
-5
@@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
|
||||
* Create a function that can check a URL's origin against a list of allowed/trusted origins.
|
||||
* The current location's origin is implicitly trusted.
|
||||
*
|
||||
* @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
* @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
*
|
||||
* @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
|
||||
* whether it is of an allowed origin.
|
||||
*/
|
||||
function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
|
||||
function urlIsAllowedOriginFactory(trustedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
|
||||
|
||||
/**
|
||||
* Check whether the specified URL (string or parsed URL object) has an origin that is allowed
|
||||
* based on a list of whitelisted-origin URLs. The current location's origin is implicitly
|
||||
* based on a list of trusted-origin URLs. The current location's origin is implicitly
|
||||
* trusted.
|
||||
*
|
||||
* @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be
|
||||
|
||||
+16
-16
@@ -64,7 +64,7 @@ var ngAriaModule = angular.module('ngAria', ['ng']).
|
||||
/**
|
||||
* Internal Utilities
|
||||
*/
|
||||
var nodeBlackList = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
|
||||
var nativeAriaNodeNames = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
|
||||
|
||||
var isNodeOneOf = function(elem, nodeTypeArray) {
|
||||
if (nodeTypeArray.indexOf(elem[0].nodeName) !== -1) {
|
||||
@@ -136,12 +136,12 @@ function $AriaProvider() {
|
||||
config = angular.extend(config, newConfig);
|
||||
};
|
||||
|
||||
function watchExpr(attrName, ariaAttr, nodeBlackList, negate) {
|
||||
function watchExpr(attrName, ariaAttr, nativeAriaNodeNames, negate) {
|
||||
return function(scope, elem, attr) {
|
||||
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
|
||||
|
||||
var ariaCamelName = attr.$normalize(ariaAttr);
|
||||
if (config[ariaCamelName] && !isNodeOneOf(elem, nodeBlackList) && !attr[ariaCamelName]) {
|
||||
if (config[ariaCamelName] && !isNodeOneOf(elem, nativeAriaNodeNames) && !attr[ariaCamelName]) {
|
||||
scope.$watch(attr[attrName], function(boolVal) {
|
||||
// ensure boolean value
|
||||
boolVal = negate ? !boolVal : !!boolVal;
|
||||
@@ -165,7 +165,7 @@ function $AriaProvider() {
|
||||
*
|
||||
*```js
|
||||
* ngAriaModule.directive('ngDisabled', ['$aria', function($aria) {
|
||||
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
|
||||
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
|
||||
* }])
|
||||
*```
|
||||
* Shown above, the ngAria module creates a directive with the same signature as the
|
||||
@@ -217,31 +217,31 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngHide', 'aria-hidden', [], false);
|
||||
}])
|
||||
.directive('ngValue', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngValue', 'aria-checked', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngValue', 'aria-checked', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngChecked', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngChecked', 'aria-checked', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngChecked', 'aria-checked', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngReadonly', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngRequired', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngRequired', 'aria-required', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngRequired', 'aria-required', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngModel', ['$aria', function($aria) {
|
||||
|
||||
function shouldAttachAttr(attr, normalizedAttr, elem, allowBlacklistEls) {
|
||||
function shouldAttachAttr(attr, normalizedAttr, elem, allowNonAriaNodes) {
|
||||
return $aria.config(normalizedAttr) &&
|
||||
!elem.attr(attr) &&
|
||||
(allowBlacklistEls || !isNodeOneOf(elem, nodeBlackList)) &&
|
||||
(allowNonAriaNodes || !isNodeOneOf(elem, nativeAriaNodeNames)) &&
|
||||
(elem.attr('type') !== 'hidden' || elem[0].nodeName !== 'INPUT');
|
||||
}
|
||||
|
||||
function shouldAttachRole(role, elem) {
|
||||
// if element does not have role attribute
|
||||
// AND element type is equal to role (if custom element has a type equaling shape) <-- remove?
|
||||
// AND element is not in nodeBlackList
|
||||
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nodeBlackList);
|
||||
// AND element is not in nativeAriaNodeNames
|
||||
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nativeAriaNodeNames);
|
||||
}
|
||||
|
||||
function getShape(attr, elem) {
|
||||
@@ -349,7 +349,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
};
|
||||
}])
|
||||
.directive('ngDisabled', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngMessages', function() {
|
||||
return {
|
||||
@@ -373,7 +373,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
var fn = $parse(attr.ngClick);
|
||||
return function(scope, elem, attr) {
|
||||
|
||||
if (!isNodeOneOf(elem, nodeBlackList)) {
|
||||
if (!isNodeOneOf(elem, nativeAriaNodeNames)) {
|
||||
|
||||
if ($aria.config('bindRoleForClick') && !elem.attr('role')) {
|
||||
elem.attr('role', 'button');
|
||||
@@ -389,7 +389,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
|
||||
if (keyCode === 13 || keyCode === 32) {
|
||||
// If the event is triggered on a non-interactive element ...
|
||||
if (nodeBlackList.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
|
||||
if (nativeAriaNodeNames.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
|
||||
// ... prevent the default browser behavior (e.g. scrolling when pressing spacebar)
|
||||
// See https://github.com/angular/angular.js/issues/16664
|
||||
event.preventDefault();
|
||||
@@ -411,7 +411,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
return function(scope, elem, attr) {
|
||||
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
|
||||
|
||||
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nodeBlackList)) {
|
||||
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nativeAriaNodeNames)) {
|
||||
elem.attr('tabindex', 0);
|
||||
}
|
||||
};
|
||||
|
||||
@@ -41,12 +41,12 @@ var htmlSanitizeWriter;
|
||||
* @description
|
||||
* Sanitizes an html string by stripping all potentially dangerous tokens.
|
||||
*
|
||||
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are
|
||||
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a trusted URI list) are
|
||||
* then serialized back to a properly escaped HTML string. This means that no unsafe input can make
|
||||
* it into the returned string.
|
||||
*
|
||||
* The whitelist for URL sanitization of attribute values is configured using the functions
|
||||
* `aHrefSanitizationTrustedUri` and `imgSrcSanitizationTrustedUri` of {@link $compileProvider}.
|
||||
* The trusted URIs for URL sanitization of attribute values is configured using the functions
|
||||
* `aHrefSanitizationTrustedUrlList` and `imgSrcSanitizationTrustedUrlList` of {@link $compileProvider}.
|
||||
*
|
||||
* The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}.
|
||||
*
|
||||
@@ -277,8 +277,8 @@ function $SanitizeProvider() {
|
||||
* **Note**:
|
||||
* The new attributes will not be treated as URI attributes, which means their values will not be
|
||||
* sanitized as URIs using `$compileProvider`'s
|
||||
* {@link ng.$compileProvider#aHrefSanitizationTrustedUri aHrefSanitizationTrustedUri} and
|
||||
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUri imgSrcSanitizationTrustedUri}.
|
||||
* {@link ng.$compileProvider#aHrefSanitizationTrustedUrlList aHrefSanitizationTrustedUrlList} and
|
||||
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUrlList imgSrcSanitizationTrustedUrlList}.
|
||||
*
|
||||
* <div class="alert alert-info">
|
||||
* This method must be called during the {@link angular.Module#config config} phase. Once the
|
||||
|
||||
+10
-10
@@ -151,30 +151,30 @@ describe('$compile', function() {
|
||||
|
||||
describe('configuration', function() {
|
||||
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUri`', function() {
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUrlList`', function() {
|
||||
module(function($compileProvider, $$sanitizeUriProvider) {
|
||||
var newRe = /safe:/, returnVal;
|
||||
|
||||
expect($compileProvider.aHrefSanitizationTrustedUri()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUri());
|
||||
returnVal = $compileProvider.aHrefSanitizationTrustedUri(newRe);
|
||||
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList());
|
||||
returnVal = $compileProvider.aHrefSanitizationTrustedUrlList(newRe);
|
||||
expect(returnVal).toBe($compileProvider);
|
||||
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUri()).toBe(newRe);
|
||||
expect($compileProvider.aHrefSanitizationTrustedUri()).toBe(newRe);
|
||||
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
|
||||
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
|
||||
});
|
||||
inject(function() {
|
||||
// needed to the module definition above is run...
|
||||
});
|
||||
});
|
||||
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUri`', function() {
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUrlList`', function() {
|
||||
module(function($compileProvider, $$sanitizeUriProvider) {
|
||||
var newRe = /safe:/, returnVal;
|
||||
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUri());
|
||||
returnVal = $compileProvider.imgSrcSanitizationTrustedUri(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList());
|
||||
returnVal = $compileProvider.imgSrcSanitizationTrustedUrlList(newRe);
|
||||
expect(returnVal).toBe($compileProvider);
|
||||
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()).toBe(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe(newRe);
|
||||
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
|
||||
});
|
||||
inject(function() {
|
||||
// needed to the module definition above is run...
|
||||
|
||||
+15
-15
@@ -250,9 +250,9 @@ describe('ngProp*', function() {
|
||||
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
|
||||
if (msie !== 9 || tag === 'img') {
|
||||
describe(tag + '[src] context requirement', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -279,7 +279,7 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('src')).toEqual('untrusted:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
|
||||
// As a MEDIA_URL URL
|
||||
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
|
||||
// Some browsers complain if you try to write `javascript:` into an `img[src]`
|
||||
@@ -308,9 +308,9 @@ describe('ngProp*', function() {
|
||||
if (msie !== 9) {
|
||||
['source', 'track'].forEach(function(tag) {
|
||||
describe(tag + '[src]', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.find(tag).prop('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -335,7 +335,7 @@ describe('ngProp*', function() {
|
||||
expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
|
||||
$rootScope.testUrl = 'untrusted:foo()';
|
||||
$rootScope.$digest();
|
||||
@@ -412,14 +412,14 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('srcset')).toBe('');
|
||||
}));
|
||||
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('srcset')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
|
||||
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
|
||||
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
|
||||
$rootScope.$digest();
|
||||
@@ -506,8 +506,8 @@ describe('ngProp*', function() {
|
||||
});
|
||||
|
||||
describe('a[href] sanitization', function() {
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('http://example.com/image.png');
|
||||
@@ -517,8 +517,8 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('href')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
|
||||
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('javascript:foo()');
|
||||
@@ -528,8 +528,8 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('href')).toEqual('javascript:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('unsafe:javascript:foo()');
|
||||
|
||||
@@ -127,8 +127,8 @@ describe('sanitizeUri', function() {
|
||||
|
||||
it('should allow reconfiguration of the src trusted URIs', function() {
|
||||
var returnVal;
|
||||
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUri() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUri(/javascript:/);
|
||||
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(/javascript:/);
|
||||
expect(returnVal).toBe(sanitizeUriProvider);
|
||||
|
||||
testUrl = 'javascript:doEvilStuff()';
|
||||
@@ -228,8 +228,8 @@ describe('sanitizeUri', function() {
|
||||
|
||||
it('should allow reconfiguration of the href trusted URIs', function() {
|
||||
var returnVal;
|
||||
expect(sanitizeUriProvider.aHrefSanitizationTrustedUri() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUri(/javascript:/);
|
||||
expect(sanitizeUriProvider.aHrefSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUrlList(/javascript:/);
|
||||
expect(returnVal).toBe(sanitizeUriProvider);
|
||||
|
||||
testUrl = 'javascript:doEvilStuff()';
|
||||
|
||||
@@ -97,7 +97,7 @@ describe('urlUtils', function() {
|
||||
});
|
||||
|
||||
|
||||
it('should check against the list of whitelisted origins', function() {
|
||||
it('should check against the list of trusted origins', function() {
|
||||
expect(urlIsAllowedOrigin('https://foo.com/path')).toBe(true);
|
||||
expect(urlIsAllowedOrigin(origin.protocol + '://bar.com:1337/path')).toBe(true);
|
||||
expect(urlIsAllowedOrigin('https://baz.com:1337/path')).toBe(false);
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
'use strict';
|
||||
|
||||
/* globals nodeBlackList false */
|
||||
/* globals nativeAriaNodeNames false */
|
||||
|
||||
describe('$aria', function() {
|
||||
var scope, $compile, element;
|
||||
@@ -1064,7 +1064,7 @@ describe('$aria', function() {
|
||||
);
|
||||
|
||||
they('should not prevent default keyboard action if an interactive $type element' +
|
||||
'is nested inside ng-click', nodeBlackList, function(elementType) {
|
||||
'is nested inside ng-click', nativeAriaNodeNames, function(elementType) {
|
||||
function createHTML(type) {
|
||||
return '<' + type + '></' + type + '>';
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user