@@ -6,7 +6,7 @@
|
||||
*/
|
||||
function $$SanitizeUriProvider() {
|
||||
var aHrefSanitizationWhitelist = /^\s*(https?|ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file):|data:image\//;
|
||||
imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file):|data:image\/)/;
|
||||
|
||||
/**
|
||||
* @description
|
||||
|
||||
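Review bot: The new `imgSrcSanitizationWhitelist` on the changed `imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file):|data:image\/)/;` line corrects the unanchored alternation, but nothing in the code records why the grouping matters, so a later edit can reintroduce the same slip. I would add a comment directly above the regex: `// Keep the alternation grouped so every branch is anchored to the start of the URL; an ungrouped "data:image/" branch matched anywhere in the string and let "javascript:alert(1)//data:image/" through.` Note also that the whitelist still admits any `data:image/*` subtype, including `data:image/svg+xml`; whether that is acceptable depends on where the sanitized value is used, which this hunk does not show. The enclosing `$$SanitizeUriProvider` function continues past the end of the hunk.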
@@ -30,6 +30,11 @@ describe('sanitizeUri', function() {
|
||||
expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:doEvilStuff()');
|
||||
});
|
||||
|
||||
it('should sanitize javascript: urls with comments', function() {
|
||||
testUrl = "javascript:alert(1)//data:image/";
|
||||
expect(sanitizeImg(testUrl)).toBe('unsafe:javascript:alert(1)//data:image/');
|
||||
});
|
||||
|
||||
it('should sanitize non-image data: urls', function() {
|
||||
testUrl = "data:application/javascript;charset=US-ASCII,alert('evil!');";
|
||||
expect(sanitizeImg(testUrl)).toBe("unsafe:data:application/javascript;charset=US-ASCII,alert('evil!');");
|
||||
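Review bot: The added test on the `testUrl = "javascript:alert(1)//data:image/";` line pins the bypass but only the negative side of the fix; a sibling assertion that a legitimate image data URL still passes through untouched would catch a future over-tightening of the regex, if such a case is not already covered elsewhere in the spec. Something like `testUrl = "data:image/png;base64,iVBORw0KGgo="; expect(sanitizeImg(testUrl)).toBe(testUrl);` inside the same `it` or a neighbouring one would do. The `testUrl` variable is assigned without a declaration here, so it is presumably declared in the enclosing `describe` outside this hunk; worth confirming the test does not rely on leaking a global.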
@@ -235,4 +240,4 @@ describe('sanitizeUri', function() {
|
||||
|
||||
});
|
||||
|
||||
});
|
||||
});
|
||||
|
||||