Compare commits

...

25 Commits

Author SHA1 Message Date
Georgios Kalpakas 70724e3918 test($log): fix up to work with IE8 2016-12-07 15:18:07 +02:00
Peter Bacon Darwin 9a0156d258 test($log): fix up to work with Safari 9
On Safari 9.0.2, you are not allowed to write to `sourceUrl` or `line`
on a native Error object.

This commit uses a custom error instead.
2016-12-07 14:39:42 +02:00
Peter Bacon Darwin 5730c665e8 docs(CHANGELOG): add 1.2.32 release notes 2016-10-11 22:49:02 +01:00
Peter Bacon Darwin b8a0ecdd61 fix($compile): ensure that hidden input values are correct after history.back
Due to the nature of some browser's PageCache/BFCache, returning to an Angular
app sometimes causes `input[hidden]` elements to retain the last value
that was stored before the page was navigated away from previously.

This is particularly problematic if the input has an interpolated value.
E.g. `<input type="hidden" value="{{ 1 + 2 }}">` since when the browser
returns, instead of the original interpolation template, the HTML contains
the previous value `<input type="hidden" value="3">`.

This commit instructs the browser not to attempt to reinstate the previous
value when navigating back in history by setting `autocomplete="off"` on
the hidden input element element.
2016-10-11 13:48:38 +01:00
Peter Bacon Darwin ed44dd0659 revert:fix(input): ensure that hidden input values are correct after history.back
This reverts commit 7ec663fc70.
There was a regression against angular-material that relied upon the input directive.
2016-10-11 13:39:13 +01:00
Peter Bacon Darwin a5f4d32d01 chore(bower): fix up URL to closure compiler 2016-10-11 07:48:26 +01:00
Peter Bacon Darwin e4fcf9244b docs(CHANGELOG): update with 1.2.30 and 1.2.31 changes 2016-10-10 23:05:24 +01:00
Peter Bacon Darwin 7ec663fc70 fix(input): ensure that hidden input values are correct after history.back
Due to the nature of some browser's PageCache/BFCache, returning to an Angular
app sometimes causes `input[hidden]` elements to retain the last value
that was stored before the page was navigated away from previously.

This is particularly problematic if the input has an interpolated value.
E.g. `<input type="hidden" value="{{ 1 + 2 }}">` since when the browser
returns, instead of the original interpolation template, the HTML contains
the previous value `<input type="hidden" value="3">`.

This commit instructs the browser not to attempt to reinstate the previous
value when navigating back in history by setting `autocomplete="off"` on
the hidden input element element.
2016-10-10 23:01:20 +01:00
Georgios Kalpakas 2687c26140 fix($compile): detect <a> elements inside <svg> 2016-07-20 23:17:37 +03:00
Igor Minar f2fa1ed83d fix($compile): properly sanitize xlink:href attribute interoplation
Closes #12524
2016-07-20 19:14:51 +03:00
Raphael Jamet f35f334bd3 fix($compile): secure link[href] as a RESOURCE_URLs in $sce.
User-controlled imports or stylesheets can run script in your origin,
which warrants that we require that they are safe `RESOURCE_URL`s.

Closes #14687

BREAKING CHANGE

`link[href]` attributes are now protected via `$sce`, which prevents interpolated
values that fail the `RESOURCE_URL` context tests from being used in interpolation.

For example if the application is running at `https://docs.angularjs.org` then the
following will fail:

```
<link href="{{ 'http://mydomain.org/unsafe.css' }}" rel="stylesheet">
```

By default, `RESOURCE_URL` safe URLs are only allowed from the same domain and protocol
as the application document.

To use URLs from other domains and/or protocols, you may either whitelist them or
wrap it into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
2016-07-20 19:09:47 +03:00
Georgios Kalpakas dd4ce50392 chore(ci): update Safari to v8 2016-07-13 14:14:12 +03:00
Georgios Kalpakas ac0d5286b8 fix($sanitize): blacklist the attribute usemap as it can be used as a security exploit
Backport of 234053f.

Closes #14903

BREAKING CHANGE:

The `$sanitize` service will now remove instances of the `usemap` attribute from any elements passed
to it.

This attribute is used to reference another element by `name` or `id`. Since the `name` and `id`
attributes are already blacklisted, a sanitized `usemap` attribute could only reference unsanitized
content, which is a security risk.
2016-07-13 14:13:27 +03:00
Matias Niemelä 8d83b56334 fix(ngAnimate): do not use event.timeStamp anymore for time tracking
Due to recent changes in Chrome, Firefox and Webkit use of the
event.timeStamp value will lead to unpredictable behaviour due to
precision changes. Therefore it's best to stick entirely to use
`Date.now()` when it comes to confirming the end of transition-
ending values. See #13494 for more info.

Applies to 1.2, 1.3, 1.4 and 1.5.

Closes #13494
Closes #13495
2016-01-05 13:09:20 +00:00
Peter Bacon Darwin b31234e3b1 chore(Gruntfile): replace double quotes with single quotes 2015-12-17 23:00:56 +00:00
Peter Bacon Darwin ffee742a78 chore(GruntFile): fix whitespace in lists 2015-12-17 23:00:56 +00:00
Peter Bacon Darwin 1346b0a562 chore(GruntFile): move validate-angular-files task into its own file
Closes #13569
2015-12-17 23:00:46 +00:00
Matias Niemelä 5fec3da64d chore(build): add a validation step for angularFiles
Closes #13553
2015-12-17 22:59:42 +00:00
Peter Bacon Darwin d662a17e57 chore(angularFiles): add documentation only file to list of files
This prevents errors when checking `validate-angular-files`
2015-12-17 22:40:54 +00:00
Peter Bacon Darwin 07f3ba5d66 chore(npm-shrinkwrap): install glob package 2015-12-17 22:40:51 +00:00
Peter Bacon Darwin eacd9ad853 chore(jenkins): remove unused argument definition 2015-12-17 14:15:43 +00:00
Peter Bacon Darwin 84dc5edd65 chore(jenkins): run Jenkins builds on Node 4 (via nvm)
Closes #13568
2015-12-17 14:12:22 +00:00
Peter Bacon Darwin de8e1121cf chore(jenkins): move jenkins_build.sh to scripts/jenkins/build.sh 2015-12-16 14:23:15 +00:00
Peter Bacon Darwin fb8f1ddd58 chore(travis): update to use node 4.x 2015-12-16 11:17:45 +00:00
Martin Staffa 34e5623542 chore(travis): add a new job that runs ci-checks
Previously, ddescribe, merge-conflicts, jshint, and jscs would run
after unit & e2e tests ran. The order was orginally changed as part of
https://github.com/angular/angular.js/pull/9792.

While the logic is sound that style errors shouldn't block tests from
running, ddescribe should always run. This was not guaraneteed; when
Travis exits with a warning after some browsers have run, ddescribe
doesn't get run and it doesn't become apparent that not
all tests have run.

Additionally, a separate job clearly separates style from test errors,
which e.g. means you can open a PR that includes an iit to speed up
the job, and see immediately if the test passes, because the ddescribe
error is in another job.
2015-12-16 10:30:28 +00:00
23 changed files with 10952 additions and 1045 deletions
+15 -21
View File
@@ -1,7 +1,7 @@
language: node_js
sudo: false
node_js:
- '0.10'
- '4.2'
cache:
directories:
@@ -15,28 +15,26 @@ branches:
env:
matrix:
- JOB=ci-checks
- JOB=unit BROWSER_PROVIDER=saucelabs
- JOB=docs-e2e BROWSER_PROVIDER=saucelabs
- JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=saucelabs
- JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=saucelabs
- JOB=unit BROWSER_PROVIDER=browserstack
- JOB=docs-e2e BROWSER_PROVIDER=browserstack
- JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack
- JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack
global:
- CXX=g++-4.8 # node 4 likes the G++ v4.8 compiler
- SAUCE_USERNAME=angular-ci
- SAUCE_ACCESS_KEY=9b988f434ff8-fbca-8aa4-4ae3-35442987
- BROWSER_STACK_USERNAME=VojtaJina
- BROWSER_STACK_ACCESS_KEY=QCQJ1ZpWXpBkSwEdD8ev
- LOGS_DIR=/tmp/angular-build/logs
- BROWSER_PROVIDER_READY_FILE=/tmp/browsersprovider-tunnel-ready
matrix:
allow_failures:
- env: "JOB=unit BROWSER_PROVIDER=browserstack"
- env: "JOB=docs-e2e BROWSER_PROVIDER=browserstack"
- env: "JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack"
- env: "JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack"
# node 4 likes the G++ v4.8 compiler
# see https://docs.travis-ci.com/user/languages/javascript-with-nodejs#Node.js-v4-(or-io.js-v3)-compiler-requirements
addons:
apt:
sources:
- ubuntu-toolchain-r-test
packages:
- g++-4.8
install:
# Check the size of caches
@@ -46,16 +44,12 @@ install:
- npm config set spin false
# Log HTTP requests
- npm config set loglevel http
- npm install -g npm@2.5
# Instal npm dependecies and ensure that npm cache is not stale
- scripts/npm/install-dependencies.sh
#- npm install -g npm@2.5
# Install npm dependencies and ensure that npm cache is not stale
- npm install
before_script:
- mkdir -p $LOGS_DIR
- ./scripts/travis/start_browser_provider.sh
- npm install -g grunt-cli
- grunt package
- ./scripts/travis/wait_for_browser_provider.sh
- ./scripts/travis/before_build.sh
script:
- ./scripts/travis/build.sh
+76
View File
@@ -1,3 +1,79 @@
<a name="1.2.32"></a>
# 1.2.32 alternation-intention (2016-10-10)
This release reverts the fix in 1.2.31 and provides an alternative fix that doesn't break Angular Material.
## Reverts
- **input:** ensure that hidden input values are correct after history back
([ed44dd065](https://github.com/angular/angular.js/commit/ed44dd0659f346ced78a112e4a2b30d3af4fd572))
## Bug Fixes
- **$compile:** ensure that hidden input values are correct after history back
([b8a0ecdd6](https://github.com/angular/angular.js/commit/b8a0ecdd6189fb111734eb5b6d4d473d0dcf4c36))
<a name="1.2.31"></a>
# 1.2.31 barking-moustache (2016-10-10)
## Bug Fixes
- **input:** ensure that hidden input values are correct after history back
([7ec663fc](https://github.com/angular/angular.js/commit/7ec663fc708aa7a9a9ce62d2306f24d7a733a86d))
<a name="1.2.30"></a>
# 1.2.30 patronal-resurrection (2016-07-21)
_**Note:** This release contains some security fixes that required breaking changes. Since the
legacy 1.2.x branch is the only version branch that supports IE8, it was necessary to introduce a
couple of low-impact breaking changes in a patch release - something we generally avoid - in order
to make the fixes available to people that still need IE8 support._
## Bug Fixes
- **$compile:**
- secure `link[href]` as a `RESOURCE_URL`s in `$sce`
([f35f334b](https://github.com/angular/angular.js/commit/f35f334bd3197585bdf034f4b6d9ffa3122dac62),
[#14687](https://github.com/angular/angular.js/issues/14687))
- properly sanitize `xlink:href` attribute interpolation
([f2fa1ed8](https://github.com/angular/angular.js/commit/f2fa1ed83d18d4e79a36f8c0db1c2524d762e513),
[2687c261](https://github.com/angular/angular.js/commit/2687c26140585d9e3716f9f559390f5d8d598fdf))
- **ngSanitize:** blacklist the attribute `usemap` as it can be used as a security exploit
([ac0d5286](https://github.com/angular/angular.js/commit/ac0d5286b8931633d774080d6396fb4825d8be33),
[#14903](https://github.com/angular/angular.js/issues/14903))
- **ngAnimate:** do not use event.timeStamp anymore for time tracking
([8d83b563](https://github.com/angular/angular.js/commit/8d83b5633471c847d58f337426fe069797dd49d9),
[#13494](https://github.com/angular/angular.js/issues/13494), [#13495](https://github.com/angular/angular.js/issues/13495))
## Breaking Changes
- **$compile:** due to [f35f334b](https://github.com/angular/angular.js/commit/f35f334bd3197585bdf034f4b6d9ffa3122dac62),
`link[href]` attributes are now protected via `$sce`, which prevents interpolated values that fail
the `RESOURCE_URL` context tests from being used in interpolation. For example if the application is
running at `https://mydomain.org/` then the following will fail:
```html
<link rel="stylesheet" href="{{ 'https://otherdomain.org/unsafe.css' }}" />
```
By default, `RESOURCE_URL` safe URLs are only allowed from the same domain and protocol as the
application document. To use URLs from other domains and/or protocols, you may either whitelist them
using `$sceDelegateProvider.resourceUrlWhitelist(...)` or wrap them into a trusted value by calling
`$sce.trustAsResourceUrl(url)`.
- **ngSanitize:** due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
The `$sanitize` service will now remove instances of the `usemap` attribute from any elements passed
to it.
This attribute is used to reference another element by `name` or `id`. Since the `name` and `id`
attributes are already blacklisted, a sanitized `usemap` attribute could only reference unsanitized
content, which is a security risk.
<a name="1.2.29"></a>
# 1.2.29 ultimate-deprecation (2015-09-29)
+9 -7
View File
@@ -209,7 +209,7 @@ module.exports = function(grunt) {
},
"promises-aplus-adapter": {
dest:'tmp/promises-aplus-adapter++.js',
src:['src/ng/q.js','lib/promises-aplus/promises-aplus-test-adapter.js']
src:['src/ng/q.js', 'lib/promises-aplus/promises-aplus-test-adapter.js']
}
},
@@ -226,7 +226,7 @@ module.exports = function(grunt) {
},
"ddescribe-iit": {
'ddescribe-iit': {
files: [
'src/**/*.js',
'test/**/*.js',
@@ -236,7 +236,7 @@ module.exports = function(grunt) {
]
},
"merge-conflict": {
'merge-conflict': {
files: [
'src/**/*',
'test/**/*',
@@ -293,8 +293,10 @@ module.exports = function(grunt) {
});
//alias tasks
grunt.registerTask('test', 'Run unit, docs and e2e tests with Karma', ['jshint', 'jscs', 'package','test:unit','test:promises-aplus', 'tests:docs', 'test:protractor']);
grunt.registerTask('test', 'Run unit, docs and e2e tests with Karma', ['jshint', 'jscs', 'package', 'test:unit', 'test:promises-aplus', 'tests:docs', 'test:protractor']);
grunt.registerTask('test:jqlite', 'Run the unit tests with Karma' , ['tests:jqlite']);
grunt.registerTask('test:jquery', 'Run the jQuery unit tests with Karma', ['tests:jquery']);
grunt.registerTask('test:modules', 'Run the Karma module tests with Karma', ['tests:modules']);
@@ -304,11 +306,11 @@ module.exports = function(grunt) {
grunt.registerTask('test:travis-protractor', 'Run the end to end tests with Protractor for Travis CI builds', ['connect:testserver', 'protractor:travis']);
grunt.registerTask('test:ci-protractor', 'Run the end to end tests with Protractor for Jenkins CI builds', ['webdriver', 'connect:testserver', 'protractor:jenkins']);
grunt.registerTask('test:e2e', 'Alias for test:protractor', ['test:protractor']);
grunt.registerTask('test:promises-aplus',['build:promises-aplus-adapter','shell:promises-aplus-tests']);
grunt.registerTask('test:promises-aplus',['build:promises-aplus-adapter', 'shell:promises-aplus-tests']);
grunt.registerTask('minify', ['bower','clean', 'build', 'minall']);
grunt.registerTask('minify', ['bower', 'clean', 'build', 'minall']);
grunt.registerTask('webserver', ['connect:devserver']);
grunt.registerTask('package', ['bower','clean', 'buildall', 'minall', 'collect-errors', 'docs', 'copy', 'write', 'compress']);
grunt.registerTask('package', ['bower', 'validate-angular-files', 'clean', 'buildall', 'minall', 'collect-errors', 'docs', 'copy', 'write', 'compress']);
grunt.registerTask('ci-checks', ['ddescribe-iit', 'merge-conflict', 'jshint', 'jscs']);
grunt.registerTask('default', ['package']);
};
+1
View File
@@ -31,6 +31,7 @@ var angularFiles = {
'src/ng/q.js',
'src/ng/raf.js',
'src/ng/rootScope.js',
'src/ng/rootElement.js',
'src/ng/sanitizeUri.js',
'src/ng/sce.js',
'src/ng/sniffer.js',
+1 -1
View File
@@ -2,7 +2,7 @@
"name": "AngularJS",
"devDependencies": {
"jquery": "1.10.2",
"closure-compiler": "https://closure-compiler.googlecode.com/files/compiler-20130603.zip",
"closure-compiler": "https://dl.google.com/closure-compiler/compiler-20130603.zip",
"ng-closure-runner": "https://raw.github.com/angular/ng-closure-runner/v0.2.3/assets/ng-closure-runner.zip"
}
}
+2 -2
View File
@@ -45,8 +45,8 @@ module.exports = function(config, specificOptions) {
'SL_Safari': {
base: 'SauceLabs',
browserName: 'safari',
platform: 'OS X 10.9',
version: '7'
platform: 'OS X 10.10',
version: '8'
},
'SL_IE_8': {
base: 'SauceLabs',
+58
View File
@@ -0,0 +1,58 @@
'use strict';
var path = require('path');
var fs = require('fs');
var glob = require("glob");
var _ = require('lodash');
var files = require('../../angularFiles').files;
module.exports = function(grunt) {
grunt.registerTask('validate-angular-files', function() {
var combinedFiles = _.clone(files.angularModules);
combinedFiles.ng = files.angularSrc;
combinedFiles.angularLoader = files.angularLoader;
var errorsDetected = false;
var directories = [];
var detectedFiles = {};
for (var section in combinedFiles) {
var sectionFiles = combinedFiles[section];
if (section != 'angularLoader') {
directories.push('src/' + section);
}
grunt.log.debug('Validating ' + sectionFiles.length + ' files from the "' + section + '" module.');
sectionFiles.forEach(function(file) {
detectedFiles[file] = true;
if (!fs.existsSync(file)) {
grunt.log.error(file + ' does not exist in the local file structure.');
errorsDetected = true;
}
});
}
directories.forEach(function(directory) {
glob.sync(directory + '/**/*').forEach(function(filePath) {
if (!fs.lstatSync(filePath).isDirectory()) {
var fileName = path.basename(filePath);
var isHiddenFile = fileName[0] == '.';
if (!isHiddenFile && !detectedFiles[filePath]) {
grunt.log.error(filePath + ' exists in the local file structure but isn\'t used by any module.');
errorsDetected = true;
}
}
});
});
if (errorsDetected) {
throw new Error('Not all files were properly detected in the local file structure.');
} else {
grunt.log.ok('All files were detected successfully!');
}
});
};
File diff suppressed because it is too large Load Diff
+5071 -980
View File
File diff suppressed because it is too large Load Diff
+1
View File
@@ -16,6 +16,7 @@
"dgeni": "^0.4.0",
"dgeni-packages": "^0.10.0",
"event-stream": "~3.1.0",
"glob": "^6.0.1",
"grunt": "~0.4.2",
"grunt-bump": "~0.0.13",
"grunt-contrib-clean": "~0.5.0",
+2 -2
View File
@@ -20,8 +20,8 @@ config.multiCapabilities = [{
'version': '28'
}, {
browserName: 'safari',
'platform': 'OS X 10.9',
'version': '7',
'platform': 'OS X 10.10',
'version': '8',
'name': 'Angular E2E',
'tunnel-identifier': process.env.TRAVIS_JOB_NUMBER,
'build': process.env.TRAVIS_BUILD_NUMBER
@@ -7,7 +7,9 @@ echo "#################################"
# Enable tracing and exit on first failure
set -xe
# Define reasonable set of browsers in case we are running manually from commandline
scripts/jenkins/set-node-version.sh
# This is the default set of browsers to use on the CI server unless overridden via env variable
if [[ -z "$BROWSERS" ]]
then
BROWSERS="Chrome,Firefox,Opera,/Users/jenkins/bin/safari.sh"
@@ -19,6 +21,7 @@ rm -f angular.js.size
# BUILD #
npm install -g grunt-cli
npm install --color false
grunt ci-checks package --no-color
+2 -11
View File
@@ -4,9 +4,7 @@ echo "#################################"
echo "#### Update master ##############"
echo "#################################"
ARG_DEFS=(
"[--no-test=(true|false)]"
)
ARG_DEFS=()
function init {
if [[ ! $VERBOSE ]]; then
@@ -17,14 +15,7 @@ function init {
function build {
cd ../..
if [[ $NO_TEST == "true" ]]; then
npm install --color false
grunt ci-checks package --no-color
else
./jenkins_build.sh
fi
scripts/jenkins/build.sh
cd $SCRIPT_DIR
}
+2
View File
@@ -35,8 +35,10 @@ function init {
}
function build {
./set-node-version.sh
cd ../..
npm install -g grunt-cli
npm install --color false
grunt ci-checks package --no-color
+7
View File
@@ -0,0 +1,7 @@
#!/bin/bash
# Install nvm for this shell
source ~/.nvm/nvm.sh
# Use node.js at 4.2.x
nvm install 4.2
+18
View File
@@ -0,0 +1,18 @@
#!/bin/bash
set -e
mkdir -p $LOGS_DIR
if [ $JOB != "ci-checks" ]; then
echo "start_browser_provider"
./scripts/travis/start_browser_provider.sh
fi
npm install -g grunt-cli
if [ $JOB != "ci-checks" ]; then
grunt package
echo "wait_for_browser_provider"
./scripts/travis/wait_for_browser_provider.sh
fi
+6 -5
View File
@@ -5,16 +5,17 @@ set -e
export BROWSER_STACK_ACCESS_KEY=`echo $BROWSER_STACK_ACCESS_KEY | rev`
export SAUCE_ACCESS_KEY=`echo $SAUCE_ACCESS_KEY | rev`
if [ $JOB = "unit" ]; then
if [ $JOB = "ci-checks" ]; then
grunt ci-checks
elif [ $JOB = "unit" ]; then
if [ "$BROWSER_PROVIDER" == "browserstack" ]; then
BROWSERS="BS_Chrome,BS_Safari,BS_Firefox,BS_IE_8,BS_IE_9,BS_IE_10,BS_IE_11"
BROWSERS="BS_Chrome,BS_Firefox,BS_Safari,BS_IE_8,BS_IE_9,BS_IE_10,BS_IE_11"
else
BROWSERS="SL_Chrome,SL_Safari,SL_Firefox,SL_IE_8,SL_IE_9,SL_IE_10,SL_IE_11"
BROWSERS="SL_Chrome,SL_Firefox,SL_Safari,SL_IE_8,SL_IE_9,SL_IE_10,SL_IE_11"
fi
grunt test:promises-aplus
grunt test:unit --browsers $BROWSERS --reporters dots
grunt ci-checks
grunt tests:docs --browsers $BROWSERS --reporters dots
elif [ $JOB = "docs-e2e" ]; then
grunt test:travis-protractor --specs "docs/app/e2e/**/*.scenario.js"
@@ -29,5 +30,5 @@ elif [ $JOB = "e2e" ]; then
fi
grunt test:travis-protractor --specs "$TARGET_SPECS"
else
echo "Unknown job type. Please set JOB=unit or JOB=e2e-*."
echo "Unknown job type. Please set JOB=ci-checks, JOB=unit or JOB=e2e-*."
fi
+16 -3
View File
@@ -765,10 +765,11 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
}
}
nodeName = nodeName_(this.$$element);
// SVG elements' `nodeName` can be lowercase
nodeName = nodeName_(this.$$element).toUpperCase();
// sanitize a[href] and img[src] values
if ((nodeName === 'A' && key === 'href') ||
if ((nodeName === 'A' && (key === 'href' || key === 'xlinkHref')) ||
(nodeName === 'IMG' && key === 'src')) {
this[key] = value = $$sanitizeUri(value, key === 'src');
}
@@ -1029,13 +1030,17 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
var nodeType = node.nodeType,
attrsMap = attrs.$attr,
match,
nodeName,
className;
switch(nodeType) {
case 1: /* Element */
nodeName = nodeName_(node).toLowerCase();
// use the node name: <directive>
addDirective(directives,
directiveNormalize(nodeName_(node).toLowerCase()), 'E', maxPriority, ignoreDirective);
directiveNormalize(nodeName), 'E', maxPriority, ignoreDirective);
// iterate over the attributes
for (var attr, name, nName, ngAttrName, value, isNgAttr, nAttrs = node.attributes,
@@ -1075,6 +1080,12 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
}
}
if (nodeName === 'input' && node.getAttribute('type') === 'hidden') {
// Hidden input elements can have strange behaviour when navigating back to the page
// This tells the browser not to try to cache and reinstate previous values
node.setAttribute('autocomplete', 'off');
}
// use class as directive
className = node.className;
if (isString(className) && className !== '') {
@@ -1880,6 +1891,8 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
// maction[xlink:href] can source SVG. It's not limited to <maction>.
if (attrNormalizedName == "xlinkHref" ||
(tag == "FORM" && attrNormalizedName == "action") ||
// links can be stylesheets or imports, which can run script in the current origin
(tag == "LINK" && attrNormalizedName == "href") ||
(tag != "IMG" && (attrNormalizedName == "src" ||
attrNormalizedName == "ngSrc"))) {
return $sce.RESOURCE_URL;
+2 -2
View File
@@ -1486,7 +1486,7 @@ angular.module('ngAnimate', ['ng'])
function onAnimationProgress(event) {
event.stopPropagation();
var ev = event.originalEvent || event;
var timeStamp = ev.$manualTimeStamp || ev.timeStamp || Date.now();
var timeStamp = ev.$manualTimeStamp || Date.now();
/* Firefox (or possibly just Gecko) likes to not round values up
* when a ms measurement is used for the animation */
@@ -1494,7 +1494,7 @@ angular.module('ngAnimate', ['ng'])
/* $manualTimeStamp is a mocked timeStamp value which is set
* within browserTrigger(). This is only here so that tests can
* mock animations properly. Real events fallback to event.timeStamp,
* mock animations properly. Real events fallback to Date.now(),
* or, if they don't, then a timeStamp is automatically created for them.
* We're checking to see if the timeStamp surpasses the expected delay,
* but we're using elapsedTime instead of the timeStamp on the 2nd
+1 -1
View File
@@ -204,7 +204,7 @@ var validElements = angular.extend({},
optionalEndTagElements);
//Attributes that have href and hence need to be sanitized
var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap");
var uriAttrs = makeMap("background,cite,href,longdesc,src");
var validAttrs = angular.extend({}, uriAttrs, makeMap(
'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,'+
+64
View File
@@ -4787,6 +4787,39 @@ describe('$compile', function() {
});
});
it('should use $$sanitizeUri when declared via ng-href', function() {
var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
module(function($provide) {
$provide.value('$$sanitizeUri', $$sanitizeUri);
});
inject(function($compile, $rootScope) {
element = $compile('<a ng-href="{{testUrl}}"></a>')($rootScope);
$rootScope.testUrl = "someUrl";
$$sanitizeUri.andReturn('someSanitizedUrl');
$rootScope.$apply();
expect(element.attr('href')).toBe('someSanitizedUrl');
expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false);
});
});
it('should use $$sanitizeUri when working with svg and xlink:href', function() {
if (!window.SVGElement) return;
var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
module(function($provide) {
$provide.value('$$sanitizeUri', $$sanitizeUri);
});
inject(function($compile, $rootScope) {
element = $compile('<svg><a xlink:href="" ng-href="{{ testUrl }}"></a></svg>')($rootScope);
$rootScope.testUrl = "evilUrl";
$$sanitizeUri.andReturn('someSanitizedUrl');
$rootScope.$apply();
expect(element.find('a').prop('href').baseVal).toBe('someSanitizedUrl');
expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl, false);
});
});
});
describe('interpolation on HTML DOM event handler attributes onclick, onXYZ, formaction', function() {
@@ -4913,6 +4946,7 @@ describe('$compile', function() {
"loading resource from url not allowed by $sceDelegate policy. URL: javascript:doTrustedStuff()");
}));
it('should pass through $sce.trustAs() values in action attribute', inject(function($compile, $rootScope, $sce) {
/* jshint scripturl:true */
element = $compile('<form action="{{testUrl}}"></form>')($rootScope);
@@ -4923,6 +4957,36 @@ describe('$compile', function() {
}));
});
describe('link[href]', function() {
it('should reject invalid RESOURCE_URLs', inject(function($compile, $rootScope) {
element = $compile('<link href="{{testUrl}}" rel="stylesheet" />')($rootScope);
$rootScope.testUrl = "https://evil.example.org/css.css";
expect(function() { $rootScope.$apply(); }).toThrowMinErr(
"$interpolate", "interr", "Can't interpolate: {{testUrl}}\nError: [$sce:insecurl] Blocked " +
"loading resource from url not allowed by $sceDelegate policy. URL: " +
"https://evil.example.org/css.css");
}));
it('should accept valid RESOURCE_URLs', inject(function($compile, $rootScope, $sce) {
element = $compile('<link href="{{testUrl}}" rel="stylesheet" />')($rootScope);
$rootScope.testUrl = "./css1.css";
$rootScope.$apply();
expect(element.attr('href')).toContain('css1.css');
$rootScope.testUrl = $sce.trustAsResourceUrl('https://elsewhere.example.org/css2.css');
$rootScope.$apply();
expect(element.attr('href')).toContain('https://elsewhere.example.org/css2.css');
}));
it('should accept valid constants', inject(function($compile, $rootScope) {
element = $compile('<link href="https://elsewhere.example.org/css2.css" rel="stylesheet" />')($rootScope);
$rootScope.$apply();
expect(element.attr('href')).toContain('https://elsewhere.example.org/css2.css');
}));
});
if (!msie || msie >= 11) {
describe('iframe[srcdoc]', function() {
it('should NOT set iframe contents for untrusted values', inject(function($compile, $rootScope, $sce) {
+22 -9
View File
@@ -144,16 +144,29 @@ describe('$log', function() {
describe('$log.error', function() {
var e, $log, errorArgs;
beforeEach(function() {
e = new Error('');
e.message = undefined;
e.sourceURL = undefined;
e.line = undefined;
e.stack = undefined;
function TestErrorPrototype() {}
TestErrorPrototype.prototype = Error.prototype;
$log = new $LogProvider().$get[1]({console:{error:function() {
errorArgs = [].slice.call(arguments, 0);
}}});
function TestError() {
Error.prototype.constructor.apply(this, arguments);
this.message = undefined;
this.sourceURL = undefined;
this.line = undefined;
this.stack = undefined;
}
TestError.prototype = new TestErrorPrototype();
TestError.prototype.constructor = TestError;
beforeEach(function() {
e = new TestError('');
var mockWindow = {
console: {
error: function() {
errorArgs = [].slice.call(arguments, 0);
}
}
};
$log = new $LogProvider().$get[1](mockWindow);
});
+1
View File
@@ -174,6 +174,7 @@ describe('HTML', function() {
it('should remove unsafe value', function() {
expectHTML('<a href="javascript:alert()">').toEqual('<a></a>');
expectHTML('<img src="foo.gif" usemap="#foomap">').toEqual('<img src="foo.gif"/>');
});
it('should handle self closed elements', function() {