Compare commits
66 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| d373b35575 | |||
| ed30c4d0ea | |||
| 4032655100 | |||
| 47f8c65aca | |||
| 56b0ee3275 | |||
| 58cd897420 | |||
| c3769a6b5b | |||
| c140d89583 | |||
| 1a5b0517d0 | |||
| e29900c78f | |||
| 02545a8bab | |||
| 9bff2ce8fb | |||
| d463206d0a | |||
| ae8e903edf | |||
| 89c7794b21 | |||
| 8a941b8ea9 | |||
| 30a4424da2 | |||
| a6fa1ce76e | |||
| 63d613fccf | |||
| ed7d506b7d | |||
| 12df4d6a00 | |||
| 4267ad65a5 | |||
| 66ada20d1b | |||
| c7d68fa044 | |||
| 667ff87ab5 | |||
| b481a16576 | |||
| 6e052a4243 | |||
| 2e72ea13fa | |||
| 9b3b6f7f79 | |||
| e41f018959 | |||
| 71d19f120a | |||
| 8aa3389ed6 | |||
| bb480064b9 | |||
| 6b86a888cb | |||
| f17c7d8f66 | |||
| e7c105c592 | |||
| d0e7dc14bb | |||
| 0a746a2521 | |||
| 2f73f6a8c0 | |||
| e1ecd184c5 | |||
| abff650016 | |||
| b96a1de842 | |||
| b42ab51ad9 | |||
| 3dd42cea68 | |||
| 767381020d | |||
| c953af6b8c | |||
| a206e2675c | |||
| 9679e58ec4 | |||
| 26e13e5797 | |||
| 4428dd0c0f | |||
| a6a6c16195 | |||
| 744862ac31 | |||
| 3e62832680 | |||
| 83f084e5db | |||
| 046887048a | |||
| f9b5cbfcf7 | |||
| 0d14993d75 | |||
| 5541828ff4 | |||
| 4099279426 | |||
| 01ed44efd6 | |||
| 49655fac26 | |||
| 42abc8270a | |||
| d6ae0ee772 | |||
| 94dc1d0e6d | |||
| 2fab3d4e00 | |||
| 72fbd48f2a |
+189
-38
@@ -28,18 +28,110 @@ executors:
|
||||
type: string
|
||||
default: medium
|
||||
docker:
|
||||
- image: circleci/node:12.16.3@sha256:8fe514dae7585bbee1c64bf5a6cd4dcdf393316b5c87565b47e31014872c8860
|
||||
- image: circleci/node:14.16.1@sha256:b094e85848b43209ca83d9bb114d406fe62c75cb73b18c9d8eb1a9c6462c97d4
|
||||
resource_class: << parameters.resource_class >>
|
||||
working_directory: ~/ng
|
||||
cloud-sdk:
|
||||
description: The docker container to use when running gcp-gcs commands
|
||||
docker:
|
||||
- image: google/cloud-sdk:alpine@sha256:7d0cae28cb282b76f2d9babe278c63c910d54f0cceca7a65fdf6806e2b43882e
|
||||
working_directory: ~/ng
|
||||
|
||||
|
||||
# Filter Definitions
|
||||
|
||||
# Filter to run a job on all branches and any `v1.X.Y(-Z)` tags.
|
||||
# Since the jobs need to run on tagged builds too, a `tags` section has to be explicitly specified.
|
||||
# (The `branches` section could be omitted, since it defaults to all branches - just being explicit
|
||||
# here).
|
||||
# See also https://circleci.com/docs/2.0/workflows/#executing-workflows-for-a-git-tag.
|
||||
var-filter-run-always: &run-always
|
||||
filters:
|
||||
branches:
|
||||
only: /.*/
|
||||
tags:
|
||||
only: /v1\.\d+\.\d.*/
|
||||
|
||||
# Filter to run a job when code might need to be deployed - i.e. on builds for the `master` branch.
|
||||
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
|
||||
# possible via filters.)
|
||||
var-filter-run-on-master: &run-on-master
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
tags:
|
||||
ignore: /.*/
|
||||
|
||||
# Filter to run a job when code/docs might need to be deployed - i.e. on tagged builds and on builds
|
||||
# for master and `v1.*.x` branches.
|
||||
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
|
||||
# possible via filters.)
|
||||
var-filter-run-on-tags-and-master-and-version-branches: &run-on-tags-and-master-and-version-branches
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
- /v1\.\d+\.x/
|
||||
tags:
|
||||
only: /v1\.\d+\.\d.*/
|
||||
|
||||
# Filter to run a job when docs might need to be deployed - i.e. on builds for `v1.*.x` branches,
|
||||
# which might correspond to the stable branch.
|
||||
# (Further checks are needed to determine whether a deployment is actually needed, but these are not
|
||||
# possible via filters.)
|
||||
var-filter-run-on-version-branches: &run-on-version-branches
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- /v1\.\d+\.x/
|
||||
tags:
|
||||
ignore: /.*/
|
||||
|
||||
|
||||
# Command Definitions
|
||||
# https://circleci.com/docs/2.0/reusing-config/#authoring-reusable-commands
|
||||
commands:
|
||||
skip_on_pr_and_fork_builds:
|
||||
description: Skip a job on pull request and fork builds
|
||||
steps:
|
||||
- run:
|
||||
name: Skip this job if this is a pull request or fork build
|
||||
# Note: Using `CIRCLE_*` env variables (instead of those defined in `env.sh` so that this
|
||||
# step can be run before `init_environment`.
|
||||
command: >
|
||||
if [[ -n "$CIRCLE_PR_NUMBER" ]] ||
|
||||
[[ "$CIRCLE_PROJECT_USERNAME" != "angular" ]] ||
|
||||
[[ "$CIRCLE_PROJECT_REPONAME" != "angular.js" ]]; then
|
||||
echo "Skipping this job, because this is either a pull request or a fork build."
|
||||
circleci step halt
|
||||
fi
|
||||
|
||||
skip_unless_stable_branch:
|
||||
description: Skip a job unless this is the stable branch
|
||||
steps:
|
||||
- run:
|
||||
name: Skip this job unless this is the stable branch
|
||||
command: >
|
||||
if [[ "$DIST_TAG" != "latest" ]]; then
|
||||
echo "Skipping deployment, because this is not the stable branch."
|
||||
circleci step halt
|
||||
fi
|
||||
|
||||
skip_unless_tag_or_master_or_stable_branch:
|
||||
description: Skip a job unless this is a tag or the master or stable branch
|
||||
steps:
|
||||
- run:
|
||||
name: Skip this job unless this is a tag or the master or stable branch
|
||||
command: >
|
||||
if [[ "$CI_GIT_TAG" == "false" ]] &&
|
||||
[[ "$CI_BRANCH" != "master" ]] &&
|
||||
[[ "$DIST_TAG" != "latest" ]]; then
|
||||
echo "Skipping this job, because this is neither a tag nor the master or stable branch."
|
||||
circleci step halt
|
||||
fi
|
||||
|
||||
|
||||
custom_attach_workspace:
|
||||
description: Attach workspace at a predefined location
|
||||
steps:
|
||||
@@ -77,7 +169,6 @@ commands:
|
||||
echo 'github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==' >> ~/.ssh/known_hosts
|
||||
git config --global url."ssh://git@github.com".insteadOf "https://github.com" || true
|
||||
git config --global gc.auto 0 || true
|
||||
- install_java
|
||||
|
||||
init_saucelabs_environment:
|
||||
description: Sets up a domain that resolves to the local host.
|
||||
@@ -112,7 +203,6 @@ commands:
|
||||
name: Stopping Saucelabs tunnel service
|
||||
command: ./lib/saucelabs/sauce-service.sh stop
|
||||
|
||||
|
||||
run_e2e_tests:
|
||||
parameters:
|
||||
specs:
|
||||
@@ -152,6 +242,7 @@ jobs:
|
||||
steps:
|
||||
- checkout
|
||||
- init_environment
|
||||
- install_java
|
||||
- run:
|
||||
name: Running Yarn install
|
||||
command: yarn install --frozen-lockfile --non-interactive
|
||||
@@ -180,6 +271,7 @@ jobs:
|
||||
steps:
|
||||
- custom_attach_workspace
|
||||
- init_environment
|
||||
- install_java
|
||||
- init_saucelabs_environment
|
||||
- run: yarn grunt test:promises-aplus
|
||||
- run:
|
||||
@@ -255,6 +347,7 @@ jobs:
|
||||
executor:
|
||||
name: default-executor
|
||||
steps:
|
||||
- skip_on_pr_and_fork_builds
|
||||
- custom_attach_workspace
|
||||
- init_environment
|
||||
- run: yarn grunt prepareDeploy
|
||||
@@ -262,26 +355,23 @@ jobs:
|
||||
- persist_to_workspace:
|
||||
root: *workspace_location
|
||||
paths:
|
||||
- ./ng/deploy
|
||||
- ./ng
|
||||
|
||||
deploy-docs:
|
||||
executor:
|
||||
name: default-executor
|
||||
steps:
|
||||
- custom_attach_workspace
|
||||
- init_environment
|
||||
- run: yarn grunt prepareDeploy
|
||||
# Install dependencies for Firebase functions to prevent parsing errors during deployment
|
||||
# See https://github.com/angular/angular.js/pull/16453
|
||||
- run: yarn -cwd ~/ng/scripts/docs.angularjs.org-firebase/functions
|
||||
- run: yarn firebase deploy --token "$FIREBASE_TOKEN" --only hosting
|
||||
|
||||
deploy-code:
|
||||
# The `deploy-code-files` job should only run when all of these conditions are true for the build:
|
||||
# - It is for the `angular/angular.js` repository (not a fork).
|
||||
# - It is not for a pull request.
|
||||
# - It is for a tag or the master branch or the stable branch(*).
|
||||
#
|
||||
# *: The stable branch is the one that has the value `latest` in `package.json > distTag`.
|
||||
deploy-code-files:
|
||||
executor:
|
||||
name: cloud-sdk
|
||||
steps:
|
||||
- skip_on_pr_and_fork_builds
|
||||
- custom_attach_workspace
|
||||
- run: ls ~/ng/deploy/code
|
||||
- init_environment
|
||||
- skip_unless_tag_or_master_or_stable_branch
|
||||
- run: ls scripts/code.angularjs.org-firebase/deploy
|
||||
- run:
|
||||
name: Authenticate and configure Docker
|
||||
command: |
|
||||
@@ -290,48 +380,113 @@ jobs:
|
||||
- run:
|
||||
name: Sync files to code.angularjs.org
|
||||
command: |
|
||||
gsutil -m rsync -r ~/ng/deploy/code gs://code-angularjs-org-338b8.appspot.com
|
||||
gsutil -m rsync -r scripts/code.angularjs.org-firebase/deploy gs://code-angularjs-org-338b8.appspot.com
|
||||
|
||||
# The `deploy-code-firebase` job should only run when all of these conditions are true for the build:
|
||||
# - It is for the `angular/angular.js` repository (not a fork).
|
||||
# - It is not for a pull request.
|
||||
# - It is for the master branch.
|
||||
# (This is enforced via job filters, so we don't need to a step to check it here.)
|
||||
deploy-code-firebase:
|
||||
executor:
|
||||
name: default-executor
|
||||
steps:
|
||||
- skip_on_pr_and_fork_builds
|
||||
- custom_attach_workspace
|
||||
- init_environment
|
||||
# Install dependencies for Firebase functions to prevent parsing errors during deployment.
|
||||
# See https://github.com/angular/angular.js/pull/16453.
|
||||
- run:
|
||||
name: Install dependencies in `scripts/code.angularjs.org-firebase/functions/`.
|
||||
working_directory: scripts/code.angularjs.org-firebase/functions
|
||||
command: yarn install --frozen-lockfile --ignore-engines --non-interactive
|
||||
- run:
|
||||
name: Deploy to Firebase from `scripts/code.angularjs.org-firebase/`.
|
||||
working_directory: scripts/code.angularjs.org-firebase
|
||||
command: |
|
||||
# Do not use `yarn firebase` as that causes the Firebase CLI to look for `firebase.json`
|
||||
# in the root directory, even if run from inside `scripts/code.angularjs.org-firebase/`.
|
||||
firebase=$(yarn bin)/firebase
|
||||
$firebase use
|
||||
$firebase deploy --message "Commit:\ $CI_COMMIT" --non-interactive --token "$FIREBASE_TOKEN"
|
||||
|
||||
# The `deploy-docs` job should only run when all of these conditions are true for the build:
|
||||
# - It is for the `angular/angular.js` repository (not a fork).
|
||||
# - It is not for a pull request.
|
||||
# - It is for the stable branch(*).
|
||||
#
|
||||
# *: The stable branch is the one that has the value `latest` in `package.json > distTag`.
|
||||
deploy-docs:
|
||||
executor:
|
||||
name: default-executor
|
||||
steps:
|
||||
- skip_on_pr_and_fork_builds
|
||||
- custom_attach_workspace
|
||||
- init_environment
|
||||
- skip_unless_stable_branch
|
||||
# Install dependencies for Firebase functions to prevent parsing errors during deployment.
|
||||
# See https://github.com/angular/angular.js/pull/16453.
|
||||
- run:
|
||||
name: Install dependencies in `scripts/docs.angularjs.org-firebase/functions/`.
|
||||
working_directory: scripts/docs.angularjs.org-firebase/functions
|
||||
command: yarn install --frozen-lockfile --ignore-engines --non-interactive
|
||||
- run:
|
||||
name: Deploy to Firebase from `scripts/docs.angularjs.org-firebase/`.
|
||||
working_directory: scripts/docs.angularjs.org-firebase
|
||||
command: |
|
||||
# Do not use `yarn firebase` as that causes the Firebase CLI to look for `firebase.json`
|
||||
# in the root directory, even if run from inside `scripts/docs.angularjs.org-firebase/`.
|
||||
firebase=$(yarn bin)/firebase
|
||||
$firebase use
|
||||
$firebase deploy --message "Commit:\ $CI_COMMIT" --non-interactive --token "$FIREBASE_TOKEN"
|
||||
|
||||
workflows:
|
||||
version: 2
|
||||
default_workflow:
|
||||
jobs:
|
||||
- setup
|
||||
- setup:
|
||||
<<: *run-always
|
||||
- lint:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- unit-test:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- unit-test-jquery:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-1:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-2a:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-2b:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-jquery-1:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-jquery-2a:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- e2e-test-jquery-2b:
|
||||
<<: *run-always
|
||||
requires:
|
||||
- setup
|
||||
- prepare-deployment:
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
- latest
|
||||
<<: *run-on-tags-and-master-and-version-branches
|
||||
requires:
|
||||
- setup
|
||||
- lint
|
||||
- unit-test
|
||||
- unit-test-jquery
|
||||
- e2e-test-1
|
||||
@@ -340,19 +495,15 @@ workflows:
|
||||
- e2e-test-jquery-1
|
||||
- e2e-test-jquery-2a
|
||||
- e2e-test-jquery-2b
|
||||
|
||||
- deploy-code-files:
|
||||
<<: *run-on-tags-and-master-and-version-branches
|
||||
requires:
|
||||
- prepare-deployment
|
||||
- deploy-code-firebase:
|
||||
<<: *run-on-master
|
||||
requires:
|
||||
- prepare-deployment
|
||||
- deploy-docs:
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- latest
|
||||
requires:
|
||||
- prepare-deployment
|
||||
- deploy-code:
|
||||
filters:
|
||||
branches:
|
||||
only:
|
||||
- master
|
||||
- latest
|
||||
<<: *run-on-version-branches
|
||||
requires:
|
||||
- prepare-deployment
|
||||
|
||||
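Review bot: In the `deploy-code-firebase` and `deploy-docs` steps (hunk `@@ -290,48 +380,113 @@`), `--token "$FIREBASE_TOKEN"` puts the deploy secret on the command line, where a process listing on the executor or any `set -x` debugging would capture it; firebase-tools reads `FIREBASE_TOKEN` from the environment, so the flag can be dropped and both lines become `$firebase deploy --message "Commit: $CI_COMMIT" --non-interactive`. The same two lines also carry a stray backslash: inside double quotes bash keeps `\ ` literally, so the recorded deploy message is `Commit:\ <sha>` rather than `Commit: <sha>`. A one-line comment above the call would stop the flag from being reintroduced: `# FIREBASE_TOKEN is read from the environment by firebase-tools; keep it out of argv.`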
+5
-4
@@ -19,10 +19,9 @@ setPublicVar PROJECT_ROOT "$projectDir";
|
||||
setPublicVar CI_BRANCH "$CIRCLE_BRANCH";
|
||||
setPublicVar CI_BUILD_URL "$CIRCLE_BUILD_URL";
|
||||
setPublicVar CI_COMMIT "$CIRCLE_SHA1";
|
||||
# `CI_COMMIT_RANGE` is only used on push builds (a.k.a. non-PR, non-scheduled builds and rerun
|
||||
# workflows of such builds).
|
||||
setPublicVar CI_GIT_BASE_REVISION "${CIRCLE_GIT_BASE_REVISION}";
|
||||
setPublicVar CI_GIT_REVISION "${CIRCLE_GIT_REVISION}";
|
||||
setPublicVar CI_GIT_TAG "${CIRCLE_TAG:-false}";
|
||||
setPublicVar CI_COMMIT_RANGE "$CIRCLE_GIT_BASE_REVISION..$CIRCLE_GIT_REVISION";
|
||||
setPublicVar CI_PULL_REQUEST "${CIRCLE_PR_NUMBER:-false}";
|
||||
setPublicVar CI_REPO_NAME "$CIRCLE_PROJECT_REPONAME";
|
||||
@@ -57,12 +56,14 @@ setPublicVar SAUCE_READY_FILE_TIMEOUT 120
|
||||
####################################################################################################
|
||||
# Define additional environment variables
|
||||
####################################################################################################
|
||||
setPublicVar DIST_TAG $( jq ".distTag" "package.json" | tr -d "\"[:space:]" )
|
||||
|
||||
# NOTE: Make sure the tools used to compute this are available in all executors in `config.yml`.
|
||||
setPublicVar DIST_TAG $( cat package.json | grep distTag | sed -E 's/^\s*"distTag"\s*:\s*"([^"]+)"\s*,\s*$/\1/' )
|
||||
|
||||
####################################################################################################
|
||||
####################################################################################################
|
||||
## Source `$BASH_ENV` to make the variables available immediately. ##
|
||||
## ***NOTE: This must remain the the last action in this script*** ##
|
||||
## *** NOTE: This must remain the last command in this script. *** ##
|
||||
####################################################################################################
|
||||
####################################################################################################
|
||||
source $BASH_ENV;
|
||||
|
||||
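Review bot: The new `DIST_TAG` extraction (hunk `@@ -57,12 +56,14 @@`) only rewrites a `package.json` line that ends in `",` — the `sed` pattern requires a trailing comma, and a non-matching line is echoed unchanged — so if `distTag` ever becomes the last key, or the key sits on a line with other text, `DIST_TAG` ends up as the raw `"distTag": "latest"` fragment (word-split, since the substitution is unquoted) instead of `latest`, and the `skip_unless_*` steps in `config.yml` then skip deployment with a misleading "not the stable branch" message. Use `sed -n … p` so non-matching lines produce nothing, make the comma optional, quote the result and fail loudly on an empty value: `setPublicVar DIST_TAG "$( sed -nE 's/^\s*"distTag"\s*:\s*"([^"]+)"\s*,?\s*$/\1/p' package.json )"` followed by `[[ -n "$DIST_TAG" ]] || { echo "Unable to determine distTag from package.json." >&2; exit 1; }`. Since the comment says this must work in every executor, it is also worth confirming that busybox `sed` on the `cloud-sdk:alpine` image accepts `\s` in an extended regex.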
+1
-1
@@ -15,7 +15,7 @@
|
||||
// Stylistic issues
|
||||
"block-spacing": ["error", "always"],
|
||||
"comma-spacing": "error",
|
||||
"id-blacklist": ["error", "event"],
|
||||
"id-denylist": ["error", "event"],
|
||||
"indent": ["error", 2],
|
||||
"key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }],
|
||||
"object-curly-spacing": ["error", "never"],
|
||||
|
||||
+2
-2
@@ -1,5 +1,4 @@
|
||||
/build/
|
||||
/deploy/
|
||||
/benchpress-build/
|
||||
.DS_Store
|
||||
gen_docs.disable
|
||||
@@ -23,5 +22,6 @@ npm-debug.log
|
||||
.vscode
|
||||
*.log
|
||||
*.stackdump
|
||||
scripts/code.angularjs.org-firebase/deploy
|
||||
scripts/docs.angularjs.org-firebase/deploy
|
||||
scripts/docs.angularjs.org-firebase/functions/content
|
||||
/firebase.json
|
||||
|
||||
@@ -1,7 +1,52 @@
|
||||
<a name="1.8.2"></a>
|
||||
# 1.8.2 meteoric-mining (2020-10-21)
|
||||
|
||||
## Bug Fixes
|
||||
- **$sceDelegate:** ensure that `resourceUrlWhitelist()` is identical to `trustedResourceUrlList()`
|
||||
([e41f01](https://github.com/angular/angular.js/commit/e41f018959934bfbf982ba996cd654b1fce88d43),
|
||||
[#17090](https://github.com/angular/angular.js/issues/17090))
|
||||
|
||||
|
||||
<a name="1.8.1"></a>
|
||||
# 1.8.1 mutually-supporting (2020-09-30)
|
||||
|
||||
## Bug Fixes
|
||||
- **$sanitize:** do not trigger CSP alert/report in Firefox and Chrome
|
||||
([2fab3d](https://github.com/angular/angular.js/commit/2fab3d4e00f4fe35bfa3cf255160cb97404baf24))
|
||||
|
||||
## Refactorings
|
||||
|
||||
- **SanitizeUriProvider:** remove usages of whitelist
|
||||
([76738102](https://github.com/angular/angular.js/commit/767381020d88bda2855ac87ca6f00748907e14ff))
|
||||
- **httpProvider:** remove usages of whitelist and blacklist
|
||||
([c953af6b](https://github.com/angular/angular.js/commit/c953af6b8cfeefe4acc0ca358550eed5da8cfe00))
|
||||
- **sceDelegateProvider:** remove usages of whitelist and blacklist
|
||||
([a206e267](https://github.com/angular/angular.js/commit/a206e2675c351c3cdcde3402978126774c1c5df9))
|
||||
|
||||
## Deprecation Notices
|
||||
|
||||
- Deprecated ~~`$compileProvider.aHrefSanitizationWhitelist`~~.
|
||||
It is now [`aHrefSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#aHrefSanitizationTrustedUrlList).
|
||||
- Deprecated ~~`$compileProvider.imgSrcSanitizationWhitelist`~~.
|
||||
It is now [`imgSrcSanitizationTrustedUrlList`](https://docs.angularjs.org/api/ng/provider/$compileProvider#imgSrcSanitizationTrustedUrlList).
|
||||
- Deprecated ~~`$httpProvider.xsrfWhitelistedOrigins`~~.
|
||||
It is now [`xsrfTrustedOrigins`](https://docs.angularjs.org/api/ng/provider/$httpProvider#xsrfTrustedOrigins).
|
||||
- Deprecated ~~`$sceDelegateProvider.resourceUrlWhitelist`~~.
|
||||
It is now [`trustedResourceUrlList`](https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#trustedResourceUrlList).
|
||||
- Deprecated ~~`$sceDelegateProvider.resourceUrlBlacklist`~~.
|
||||
It is now [`bannedResourceUrlList`](https://docs.angularjs.org/api/ng/provider/$sceDelegateProvider#bannedResourceUrlList).
|
||||
|
||||
For the purposes of backward compatibility, the previous symbols are aliased to their new symbol.
|
||||
|
||||
|
||||
<a name="1.8.0"></a>
|
||||
# 1.8.0 nested-vaccination (2020-06-01)
|
||||
|
||||
_This release contains a breaking change to resolve a security issue which was discovered by
|
||||
Krzysztof Kotowicz(@koto); and independently by Esben Sparre Andreasen (@esbena) while
|
||||
performing a Variant Analysis of [CVE-2020-11022](https://github.com/advisories/GHSA-gxr4-xjj5-5px2)
|
||||
which itself was found and reported by Masato Kinugawa (@masatokinugawa)._
|
||||
|
||||
## Bug Fixes
|
||||
- **jqLite:**
|
||||
- prevent possible XSS due to regex-based HTML replacement
|
||||
|
||||
+9
-9
@@ -14,6 +14,7 @@ var semver = require('semver');
|
||||
var exec = require('shelljs').exec;
|
||||
var pkg = require(__dirname + '/package.json');
|
||||
|
||||
var codeScriptFolder = util.codeScriptFolder;
|
||||
var docsScriptFolder = util.docsScriptFolder;
|
||||
|
||||
// Node.js version checks
|
||||
@@ -166,9 +167,9 @@ module.exports = function(grunt) {
|
||||
build: ['build'],
|
||||
tmp: ['tmp'],
|
||||
deploy: [
|
||||
'deploy/docs',
|
||||
'deploy/code',
|
||||
docsScriptFolder + '/functions/html'
|
||||
codeScriptFolder + '/deploy',
|
||||
docsScriptFolder + '/deploy',
|
||||
docsScriptFolder + '/functions/content'
|
||||
]
|
||||
},
|
||||
|
||||
@@ -372,7 +373,7 @@ module.exports = function(grunt) {
|
||||
{
|
||||
cwd: 'build',
|
||||
src: '**',
|
||||
dest: 'deploy/code/' + deployVersion + '/',
|
||||
dest: codeScriptFolder + '/deploy/' + deployVersion + '/',
|
||||
expand: true
|
||||
}
|
||||
]
|
||||
@@ -382,19 +383,19 @@ module.exports = function(grunt) {
|
||||
// The source files are needed by the embedded examples in the docs app.
|
||||
{
|
||||
src: ['build/angular*.{js,js.map,min.js}', 'build/sitemap.xml'],
|
||||
dest: 'deploy/docs/',
|
||||
dest: docsScriptFolder + '/deploy/',
|
||||
expand: true,
|
||||
flatten: true
|
||||
},
|
||||
{
|
||||
cwd: 'build/docs',
|
||||
src: ['**', '!ptore2e/**', '!index*.html'],
|
||||
dest: 'deploy/docs/',
|
||||
dest: docsScriptFolder + '/deploy/',
|
||||
expand: true
|
||||
},
|
||||
{
|
||||
src: 'build/docs/index-production.html',
|
||||
dest: 'deploy/docs/index.html'
|
||||
dest: docsScriptFolder + '/deploy/index.html'
|
||||
},
|
||||
{
|
||||
src: 'build/docs/index-production.html',
|
||||
@@ -403,7 +404,7 @@ module.exports = function(grunt) {
|
||||
{
|
||||
cwd: 'build/docs',
|
||||
src: 'partials/**',
|
||||
dest: docsScriptFolder + '/functions/content',
|
||||
dest: docsScriptFolder + '/functions/content/',
|
||||
expand: true
|
||||
}
|
||||
]
|
||||
@@ -517,7 +518,6 @@ module.exports = function(grunt) {
|
||||
]);
|
||||
grunt.registerTask('prepareDeploy', [
|
||||
'copy:deployFirebaseCode',
|
||||
'firebaseDocsJsonForCI',
|
||||
'copy:deployFirebaseDocs'
|
||||
]);
|
||||
grunt.registerTask('default', ['package']);
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
The MIT License
|
||||
|
||||
Copyright (c) 2010-2020 Google, Inc. http://angularjs.org
|
||||
Copyright (c) 2010-2020 Google LLC. http://angularjs.org
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
||||
@@ -55,11 +55,12 @@ component in an interconnected way like a well-oiled machine. AngularJS is JavaS
|
||||
and done right. (Well it is not really MVC, read on, to understand what this means.)
|
||||
|
||||
#### MVC, no, MV* done the right way!
|
||||
MVC, short for Model-View-Controller, is a design pattern, i.e. how the code should be organized and
|
||||
how the different parts of an application separated for proper readability and debugging. Model is
|
||||
the data and the database. View is the user interface and what the user sees. Controller is the main
|
||||
link between Model and View. These are the three pillars of major programming frameworks present on
|
||||
the market today. On the other hand AngularJS works on MV*, short for Model-View-_Whatever_. The
|
||||
[MVC](https://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller), short for
|
||||
Model-View-Controller, is a design pattern, i.e. how the code should be organized and how the
|
||||
different parts of an application separated for proper readability and debugging. Model is the data
|
||||
and the database. View is the user interface and what the user sees. Controller is the main link
|
||||
between Model and View. These are the three pillars of major programming frameworks present on the
|
||||
market today. On the other hand AngularJS works on MV*, short for Model-View-_Whatever_. The
|
||||
_Whatever_ is AngularJS's way of telling that you may create any kind of linking between the Model
|
||||
and the View here.
|
||||
|
||||
|
||||
+20
@@ -0,0 +1,20 @@
|
||||
# Security Policy
|
||||
|
||||
## Supported Versions
|
||||
|
||||
| Version | Supported | Status | Comments |
|
||||
| ----------- | ------------------ | --------------------- | ------------------------------------ |
|
||||
| 1.8.x | :white_check_mark: | Long Term Support | See [Long Term Support policy][0] |
|
||||
| 1.3.x-1.7.x | :x: | | |
|
||||
| 1.2.x | :warning: | Security patches only | Last version to provide IE 8 support |
|
||||
| <1.2.0 | :x: | | |
|
||||
|
||||
## Reporting a Vulnerability
|
||||
|
||||
Email us at [security@angularjs.org](mailto:security@angularjs.org) to report any potential security issues in AngularJS.
|
||||
|
||||
Please [use the latest AngularJS possible](https://docs.angularjs.org/guide/security#use-the-latest-angularjs-possible)
|
||||
and keep in mind the guidance around AngularJS'
|
||||
[expression language](https://docs.angularjs.org/guide/security#angularjs-templates-and-expressions).
|
||||
|
||||
[0]: https://docs.angularjs.org/misc/version-support-status#long-term-support
|
||||
@@ -55,7 +55,7 @@ angular.module('examples', [])
|
||||
return function(url, newWindow, fields) {
|
||||
/**
|
||||
* If the form posts to target="_blank", pop-up blockers can cause it not to work.
|
||||
* If a user choses to bypass pop-up blocker one time and click the link, they will arrive at
|
||||
* If a user chooses to bypass pop-up blocker one time and click the link, they will arrive at
|
||||
* a new default plnkr, not a plnkr with the desired template. Given this undesired behavior,
|
||||
* some may still want to open the plnk in a new window by opting-in via ctrl+click. The
|
||||
* newWindow param allows for this possibility.
|
||||
@@ -74,7 +74,7 @@ angular.module('examples', [])
|
||||
}])
|
||||
|
||||
.factory('createCopyrightNotice', function() {
|
||||
var COPYRIGHT = 'Copyright ' + (new Date()).getFullYear() + ' Google Inc. All Rights Reserved.\n'
|
||||
var COPYRIGHT = 'Copyright ' + (new Date()).getFullYear() + ' Google LLC. All Rights Reserved.\n'
|
||||
+ 'Use of this source code is governed by an MIT-style license that\n'
|
||||
+ 'can be found in the LICENSE file at http://angular.io/license';
|
||||
var COPYRIGHT_JS_CSS = '\n\n/*\n' + COPYRIGHT + '\n*/';
|
||||
|
||||
@@ -47,13 +47,13 @@ module.exports = function generateKeywordsProcessor(log, readFilesProcessor) {
|
||||
|
||||
}
|
||||
|
||||
areasToSearch = _.indexBy(this.areasToSearch);
|
||||
propertiesToIgnore = _.indexBy(this.propertiesToIgnore);
|
||||
areasToSearch = _.keyBy(this.areasToSearch);
|
||||
propertiesToIgnore = _.keyBy(this.propertiesToIgnore);
|
||||
log.debug('Properties to ignore', propertiesToIgnore);
|
||||
docTypesToIgnore = _.indexBy(this.docTypesToIgnore);
|
||||
docTypesToIgnore = _.keyBy(this.docTypesToIgnore);
|
||||
log.debug('Doc types to ignore', docTypesToIgnore);
|
||||
|
||||
var ignoreWordsMap = _.indexBy(wordsToIgnore);
|
||||
var ignoreWordsMap = _.keyBy(wordsToIgnore);
|
||||
|
||||
// If the title contains a name starting with ng, e.g. "ngController", then add the module name
|
||||
// without the ng to the title text, e.g. "controller".
|
||||
|
||||
@@ -224,7 +224,7 @@ module.exports = function generatePagesDataProcessor(log) {
|
||||
.map(function(doc) {
|
||||
return _.pick(doc, ['name', 'area', 'path']);
|
||||
})
|
||||
.indexBy('path')
|
||||
.keyBy('path')
|
||||
.value();
|
||||
|
||||
docs.push({
|
||||
|
||||
@@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) {
|
||||
return {
|
||||
$runAfter: ['generatePagesDataProcessor'],
|
||||
$runBefore: ['rendering-docs'],
|
||||
// the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org
|
||||
blacklist: ['1.3.4-build.3588'],
|
||||
// Remove rogue builds that are in the npm repository but not on code.angularjs.org
|
||||
ignoredBuilds: ['1.3.4-build.3588'],
|
||||
$process: function(docs) {
|
||||
|
||||
var blacklist = this.blacklist;
|
||||
var ignoredBuilds = this.ignoredBuilds;
|
||||
var currentVersion = require('../../../build/version.json');
|
||||
var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0];
|
||||
var allVersions = processAllVersionsResponse(JSON.parse(output).data);
|
||||
@@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) {
|
||||
|
||||
versions = versions
|
||||
.filter(function(versionStr) {
|
||||
return blacklist.indexOf(versionStr) === -1;
|
||||
return ignoredBuilds.indexOf(versionStr) === -1;
|
||||
})
|
||||
.map(function(versionStr) {
|
||||
return semver.parse(versionStr);
|
||||
|
||||
@@ -5,7 +5,7 @@
|
||||
|
||||
Occurs when an expression is trying to assign a value to a non-assignable expression.
|
||||
|
||||
This can happen if the left side of an assigment is not a valid reference to a variable
|
||||
This can happen if the left side of an assignment is not a valid reference to a variable
|
||||
or property. E.g. In the following snippet `1+2` is not assignable.
|
||||
|
||||
```
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
@fullName Invalid matcher (only string patterns and RegExp instances are supported)
|
||||
@description
|
||||
|
||||
Please see {@link $sceDelegateProvider#resourceUrlWhitelist
|
||||
$sceDelegateProvider.resourceUrlWhitelist} and {@link
|
||||
$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} for the
|
||||
Please see {@link $sceDelegateProvider#trustedResourceUrlList
|
||||
$sceDelegateProvider.trustedResourceUrlList} and {@link
|
||||
$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} for the
|
||||
list of acceptable items.
|
||||
|
||||
@@ -15,8 +15,8 @@ By default, only URLs that belong to the same origin are trusted. These are urls
|
||||
The {@link ng.directive:ngInclude ngInclude} directive and {@link guide/directive directives} that specify a `templateUrl` require a trusted resource URL.
|
||||
|
||||
To load templates from other domains and/or protocols, either adjust the {@link
|
||||
ng.$sceDelegateProvider#resourceUrlWhitelist whitelist}/ {@link
|
||||
ng.$sceDelegateProvider#resourceUrlBlacklist blacklist} or wrap the URL with a call to {@link
|
||||
ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list}/ {@link
|
||||
ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} or wrap the URL with a call to {@link
|
||||
ng.$sce#trustAsResourceUrl $sce.trustAsResourceUrl}.
|
||||
|
||||
**Note**: The browser's [Same Origin
|
||||
|
||||
@@ -3,7 +3,7 @@
|
||||
@fullName The sequence *** is not a valid pattern wildcard
|
||||
@description
|
||||
|
||||
The strings in {@link $sceDelegateProvider#resourceUrlWhitelist
|
||||
$sceDelegateProvider.resourceUrlWhitelist} and {@link
|
||||
$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} may not
|
||||
The strings in {@link $sceDelegateProvider#trustedResourceUrlList
|
||||
$sceDelegateProvider.trustedResourceUrlList} and {@link
|
||||
$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} may not
|
||||
contain the undefined sequence `***`. Only `*` and `**` wildcard patterns are defined.
|
||||
|
||||
@@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun
|
||||
|
||||
<h2><span id="ngclick">ngClick</span> and <span id="ngdblclick">ngDblclick</span></h2>
|
||||
If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in
|
||||
a node blacklist:
|
||||
the list of built in aria nodes:
|
||||
|
||||
* Button
|
||||
* Anchor
|
||||
@@ -337,7 +337,8 @@ a node blacklist:
|
||||
* Details/Summary
|
||||
|
||||
To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will
|
||||
dynamically bind a keypress event by default as long as the element isn't in the node blacklist.
|
||||
dynamically bind a keypress event by default as long as the element isn't in a node from the list of
|
||||
built in aria nodes.
|
||||
You can turn this functionality on or off with the `bindKeypress` configuration option.
|
||||
|
||||
ngAria will also add the `button` role to communicate to users of assistive technologies. This can
|
||||
|
||||
@@ -276,15 +276,16 @@ statement.
|
||||
**Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**,
|
||||
the `xlink:href` security context for SVG's `a` and `image` elements has been lowered.
|
||||
|
||||
In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the
|
||||
In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the
|
||||
purpose of binding to the `xlink:href` property of SVG's `<a>` or `<image>`
|
||||
elements and if the values do not pass the regular URL sanitization, they will
|
||||
break.
|
||||
|
||||
To fix this you need to ensure that the values used for binding to the affected
|
||||
`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in
|
||||
`$compileProvider`'s `aHrefSanitizationWhitelist` (for `<a>` elements) or
|
||||
`imgSrcSanitizationWhitelist` (for `<image>` elements).
|
||||
`xlink:href` contexts are considered safe URLs, e.g. by trusting them in
|
||||
`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form
|
||||
1.8.1 onwards) (for `<a>` elements) or `imgSrcSanitizationWhitelist` (called
|
||||
`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `<image>` elements).
|
||||
|
||||
<hr />
|
||||
|
||||
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail:
|
||||
|
||||
By default, only URLs with the same domain and protocol as the application document are considered
|
||||
safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either
|
||||
whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
|
||||
add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
|
||||
|
||||
<hr />
|
||||
<minor />
|
||||
@@ -1387,7 +1388,7 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
|
||||
all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
|
||||
trust a URL:
|
||||
|
||||
1. **Whitelisting with the `$sceDelegateProvider.resourceUrlWhitelist()` method.**
|
||||
1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.**
|
||||
You configure this list in a module configuration block:
|
||||
|
||||
```js
|
||||
@@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it.
|
||||
Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
|
||||
the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements
|
||||
passed to it. This attribute is used to reference another element by `name` or `id`. Since the
|
||||
`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only
|
||||
`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only
|
||||
reference unsanitized content, which is a security risk.
|
||||
|
||||
Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a),
|
||||
@@ -2647,8 +2648,8 @@ $scope.findTemplate = function(templateName) {
|
||||
};
|
||||
```
|
||||
|
||||
To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the resource
|
||||
whitelist in the `config()` function:
|
||||
To migrate, either cache the result of `trustAsResourceUrl()`, or put the template url in the trusted resource
|
||||
URL list in the `config()` function:
|
||||
|
||||
After:
|
||||
|
||||
@@ -2662,7 +2663,8 @@ $scope.findTemplate = function(templateName) {
|
||||
return templateCache[templateName];
|
||||
};
|
||||
|
||||
// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()`, which means you don't
|
||||
// Alternatively, use `$sceDelegateProvider.resourceUrlWhitelist()` (called
|
||||
// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't
|
||||
// have to use `$sce.trustAsResourceUrl()` at all:
|
||||
|
||||
angular.module('myApp', []).config(function($sceDelegateProvider) {
|
||||
@@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
|
||||
<li>{@link guide/migration#directive-priority Directive priority}</li>
|
||||
<li>{@link guide/migration#ngscenario ngScenario}</li>
|
||||
<li>{@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}</li>
|
||||
<li>{@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}</li>
|
||||
<li>{@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}</li>
|
||||
<li>{@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with <code>scope</code> property}</li>
|
||||
<li>{@link guide/migration#change-to-interpolation-priority Change to interpolation priority}</li>
|
||||
<li>{@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}</li>
|
||||
@@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d
|
||||
[aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a).
|
||||
|
||||
|
||||
### URLs are now sanitized against a whitelist
|
||||
### URLs are now sanitized against a trusted URI matcher
|
||||
|
||||
A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe.
|
||||
By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`.
|
||||
A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe.
|
||||
By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`.
|
||||
This change shouldn't impact apps that don't contain malicious image links.
|
||||
|
||||
See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97),
|
||||
|
||||
@@ -7,7 +7,11 @@
|
||||
This page describes the support status of the significant versions of AngularJS.
|
||||
|
||||
<div class="alert alert-info">
|
||||
On July 1, 2018 AngularJS entered a 3 year Long Term Support period.
|
||||
On July 1, 2018 AngularJS entered a 3 year Long Term Support period.<br />
|
||||
<br />
|
||||
_**UPDATE (2020-07-27):**_<br />
|
||||
_Due to COVID-19 affecting teams migrating from AngularJS, we are extending the LTS by six months
|
||||
(until December 31, 2021)._
|
||||
</div>
|
||||
|
||||
Any version branch not shown in the following table (e.g. 1.7.x) is no longer being developed.
|
||||
@@ -42,6 +46,16 @@ We now focus exclusively on providing fixes to bugs that satisfy at least one of
|
||||
|
||||
AngularJS 1.2.x will get a new version if and only if a new severe security issue is discovered.
|
||||
|
||||
|
||||
|
||||
### Blog Post
|
||||
|
||||
You can read more about these plans in our [blog post announcement](https://blog.angular.io/stable-angularjs-and-long-term-support-7e077635ee9c).
|
||||
|
||||
### Extended Long Term Support
|
||||
|
||||
If you need support for AngularJS beyond December 2021, you should consider:
|
||||
|
||||
* [XLTS.dev](https://xlts.dev/angularjs)
|
||||
|
||||
|
||||
|
||||
+5
-16
@@ -7,10 +7,12 @@ var spawn = require('npm-run').spawn;
|
||||
|
||||
var CSP_CSS_HEADER = '/* Include this file in your html if you are using the CSP mode. */\n\n';
|
||||
|
||||
const docsScriptFolder = 'scripts/docs.angularjs.org-firebase';
|
||||
|
||||
module.exports = {
|
||||
|
||||
codeScriptFolder: 'scripts/code.angularjs.org-firebase',
|
||||
|
||||
docsScriptFolder: 'scripts/docs.angularjs.org-firebase',
|
||||
|
||||
startKarma: function(config, singleRun, done) {
|
||||
var browsers = grunt.option('browsers');
|
||||
var reporters = grunt.option('reporters');
|
||||
@@ -301,19 +303,6 @@ module.exports = {
|
||||
}
|
||||
next();
|
||||
};
|
||||
},
|
||||
|
||||
docsScriptFolder,
|
||||
|
||||
// Our Firebase projects are in subfolders, but the firebase tool expects them in the root,
|
||||
// so we need to modify the upload folder path and copy the file into the root
|
||||
firebaseDocsJsonForCI: function() {
|
||||
var fileName = docsScriptFolder + '/firebase.json';
|
||||
var json = grunt.file.readJSON(fileName);
|
||||
|
||||
(json.hosting || (json.hosting = {})).public = 'deploy/docs';
|
||||
(json.functions || (json.functions = {})).source = docsScriptFolder + '/functions';
|
||||
|
||||
grunt.file.write('firebase.json', JSON.stringify(json));
|
||||
}
|
||||
|
||||
};
|
||||
|
||||
+8
-8
@@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "angular",
|
||||
"license": "MIT",
|
||||
"branchVersion": "^1.7.0",
|
||||
"branchVersion": "^1.8.0",
|
||||
"branchPattern": "1.8.*",
|
||||
"distTag": "next",
|
||||
"repository": {
|
||||
@@ -27,7 +27,7 @@
|
||||
"changez": "^2.1.1",
|
||||
"changez-angular": "^2.1.2",
|
||||
"cheerio": "^0.17.0",
|
||||
"commitizen": "^2.3.0",
|
||||
"commitizen": "^4.2.4",
|
||||
"commitplease": "^2.7.10",
|
||||
"cross-spawn": "^4.0.0",
|
||||
"cz-conventional-changelog": "1.1.4",
|
||||
@@ -35,10 +35,10 @@
|
||||
"dgeni-packages": "^0.26.5",
|
||||
"eslint-plugin-promise": "^3.6.0",
|
||||
"event-stream": "~3.1.0",
|
||||
"firebase-tools": "^8.3.0",
|
||||
"firebase-tools": "^9.3.0",
|
||||
"glob": "^6.0.1",
|
||||
"google-code-prettify": "1.0.1",
|
||||
"grunt": "^1.0.1",
|
||||
"grunt": "^1.4.1",
|
||||
"grunt-bump": "^0.8.0",
|
||||
"grunt-cli": "^1.2.0",
|
||||
"grunt-contrib-clean": "^1.0.0",
|
||||
@@ -55,7 +55,7 @@
|
||||
"gulp-foreach": "0.0.1",
|
||||
"gulp-rename": "^1.2.0",
|
||||
"gulp-sourcemaps": "^1.2.2",
|
||||
"gulp-uglify": "^1.0.1",
|
||||
"gulp-uglify": "^3.0.2",
|
||||
"gulp-util": "^3.0.1",
|
||||
"jasmine-core": "^2.8.0",
|
||||
"jasmine-node": "^2.0.0",
|
||||
@@ -76,7 +76,7 @@
|
||||
"karma-script-launcher": "1.0.0",
|
||||
"karma-spec-reporter": "0.0.32",
|
||||
"load-grunt-tasks": "^3.5.0",
|
||||
"lodash": "~2.4.1",
|
||||
"lodash": "~4.17.21",
|
||||
"log4js": "^0.6.27",
|
||||
"lunr": "^0.7.2",
|
||||
"marked": "~0.3.0",
|
||||
@@ -89,7 +89,7 @@
|
||||
"q-io": "^1.10.9",
|
||||
"qq": "^0.3.5",
|
||||
"rewire": "~2.1.0",
|
||||
"sauce-connect": "https://saucelabs.com/downloads/sc-4.5.1-linux.tar.gz",
|
||||
"sauce-connect": "https://saucelabs.com/downloads/sc-4.6.2-linux.tar.gz",
|
||||
"sax": "^1.1.1",
|
||||
"selenium-webdriver": "^4.0.0-alpha.1",
|
||||
"semver": "^5.4.1",
|
||||
@@ -105,7 +105,7 @@
|
||||
"//1": "`natives@1.1.0` does not work with Node.js 10.x on Windows 10",
|
||||
"//2": "(E.g. see https://github.com/gulpjs/gulp/issues/2162 and https://github.com/nodejs/node/issues/25132.)",
|
||||
"natives": "1.1.6",
|
||||
"//3": "`graceful-fs` needs to be pinned to support gulp 3, on Node v12+",
|
||||
"//3": "`graceful-fs` needs to be pinned to support gulp 3, on Node v12+",
|
||||
"graceful-fs": "^4.2.3"
|
||||
},
|
||||
"commitplease": {
|
||||
|
||||
@@ -10,13 +10,13 @@ config.sauceKey = process.env.SAUCE_ACCESS_KEY;
|
||||
config.multiCapabilities = [
|
||||
capabilitiesForSauceLabs({
|
||||
browserName: 'chrome',
|
||||
platform: 'OS X 10.14',
|
||||
version: '81'
|
||||
platform: 'OS X 10.15',
|
||||
version: '91'
|
||||
}),
|
||||
capabilitiesForSauceLabs({
|
||||
browserName: 'firefox',
|
||||
platform: 'OS X 10.14',
|
||||
version: '76'
|
||||
platform: 'OS X 10.15',
|
||||
version: '85'
|
||||
})
|
||||
];
|
||||
|
||||
|
||||
@@ -2,7 +2,6 @@
|
||||
|
||||
const functions = require('firebase-functions');
|
||||
const {Storage} = require('@google-cloud/storage');
|
||||
const path = require('path');
|
||||
|
||||
const storage = new Storage();
|
||||
const gcsBucketId = `${process.env.GCLOUD_PROJECT}.appspot.com`;
|
||||
@@ -41,13 +40,13 @@ function sendStoredFile(request, response) {
|
||||
return getDirectoryListing('/').catch(sendErrorResponse);
|
||||
}
|
||||
|
||||
downloadSource = path.join.apply(null, filePathSegments);
|
||||
downloadSource = filePathSegments.join('/');
|
||||
|
||||
downloadAndSend(downloadSource).catch(error => {
|
||||
if (isDocsPath && error.code === 404) {
|
||||
fileName = 'index.html';
|
||||
filePathSegments = [version, 'docs', fileName];
|
||||
downloadSource = path.join.apply(null, filePathSegments);
|
||||
downloadSource = filePathSegments.join('/');
|
||||
|
||||
return downloadAndSend(downloadSource);
|
||||
}
|
||||
|
||||
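Review bot: Replacing `path.join.apply(null, filePathSegments)` with `filePathSegments.join('/')` for the first `downloadSource` assignment drops the normalisation `path.join` performed, so a `.`, `..` or empty segment now lands verbatim in the object key requested from the bucket. Where `filePathSegments` comes from is outside this hunk, but the enclosing `sendStoredFile(request, response)` suggests they are derived from the request URL; if so, the old code would have collapsed `..` out of the `version` prefix and resolved a request to a key outside the requested version folder, while the new code asks GCS for a literal key such as `1.8.0/docs/../x` (flat object names, so not a traversal, but a silently wrong lookup rather than a rejection). Either way the safe behaviour is to refuse such segments before joining, e.g. `if (filePathSegments.some(s => s === '' || s === '.' || s === '..')) { return sendErrorResponse(Object.assign(new Error('Bad path'), {code: 400})); }` adapted to whatever error shape `sendErrorResponse` already expects. The second `join('/')` in the 404 fallback uses constant segments and is fine. `sendStoredFile` begins before this hunk.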
@@ -2,12 +2,12 @@
|
||||
"name": "functions-firebase-code.angularjs.org",
|
||||
"description": "Cloud Functions to serve files from gcs to code.angularjs.org",
|
||||
"engines": {
|
||||
"node": "10"
|
||||
"node": "14"
|
||||
},
|
||||
"dependencies": {
|
||||
"@google-cloud/storage": "^4.7.0",
|
||||
"firebase-admin": "^8.10.0",
|
||||
"firebase-functions": "^3.6.0"
|
||||
"@google-cloud/storage": "^5.8.5",
|
||||
"firebase-admin": "^9.9.0",
|
||||
"firebase-functions": "^3.14.1"
|
||||
},
|
||||
"private": true
|
||||
}
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
Firebase for code.angularjs.org
|
||||
===============================
|
||||
|
||||
This folder contains the Google Firebase scripts for the code.angularjs.org setup.
|
||||
This folder contains the Google Firebase scripts for the `code.angularjs.org` setup.
|
||||
|
||||
firebase.json contains the rewrite rules that route every subdirectory request to the cloud function
|
||||
in functions/index.js that serves the docs from the Firebase Google Cloud Storage bucket.
|
||||
`firebase.json` contains the rewrite rules that route every subdirectory request to the cloud function in `functions/index.js` that serves the docs from the Firebase Google Cloud Storage bucket.
|
||||
|
||||
functions/index.js also contains a rule that deletes outdated build zip files
|
||||
from the snapshot and snapshot-stable folders when new zip files are uploaded.
|
||||
`functions/index.js` also contains a rule that deletes outdated build zip files from the snapshot and snapshot-stable folders when new zip files are uploaded.
|
||||
|
||||
The deployment to the Google Cloud Storage bucket happens automatically via CI.
|
||||
See the .circleci/config.yml file in the repository root.
|
||||
See `/scripts/docs.angularjs.org-firebase/readme.firebase.code.md` for the Firebase deployment to `docs.angularjs.org`.
|
||||
|
||||
See /readme.firebase.docs.md for the firebase deployment to docs.angularjs.org
|
||||
# Continuous integration
|
||||
|
||||
The code is deployed to Google Firebase hosting and functions as well as to the Google Cloud Storage bucket automatically via CI.
|
||||
See `.circleci/config.yml` for the complete deployment config and build steps.
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"hosting": {
|
||||
"public": "../../deploy/docs",
|
||||
"public": "deploy",
|
||||
"redirects": [
|
||||
{
|
||||
"source": "/error/:namespace\\::error*",
|
||||
|
||||
@@ -1,21 +1,24 @@
|
||||
{
|
||||
"name": "functions",
|
||||
"description": "Cloud Functions for Firebase",
|
||||
"engines": {
|
||||
"node": "14"
|
||||
},
|
||||
"scripts": {
|
||||
"lint": "eslint .",
|
||||
"serve": "firebase serve --only functions",
|
||||
"shell": "firebase experimental:functions:shell",
|
||||
"serve": "firebase emulators:start --only functions",
|
||||
"shell": "firebase functions:shell",
|
||||
"start": "npm run shell",
|
||||
"deploy": "firebase deploy --only functions",
|
||||
"logs": "firebase functions:log"
|
||||
},
|
||||
"dependencies": {
|
||||
"firebase-admin": "^8.10.0",
|
||||
"firebase-functions": "^3.6.0"
|
||||
"firebase-admin": "^9.9.0",
|
||||
"firebase-functions": "^3.14.1"
|
||||
},
|
||||
"devDependencies": {
|
||||
"eslint": "^4.12.0",
|
||||
"eslint-plugin-promise": "^3.6.0"
|
||||
"eslint": "^7.28.0",
|
||||
"eslint-plugin-promise": "^5.1.0"
|
||||
},
|
||||
"private": true
|
||||
}
|
||||
|
||||
@@ -1,28 +1,26 @@
|
||||
Firebase for docs.angularjs.org
|
||||
===============================
|
||||
|
||||
This folder contains the Google Firebase scripts for the `docs.angularjs.org` setup.
|
||||
|
||||
See `/scripts/code.angularjs.org-firebase/readme.firebase.code.md` for the Firebase deployment to `code.angularjs.org`.
|
||||
|
||||
# Continuous integration
|
||||
|
||||
The docs are deployed to Google Firebase hosting via a CI deployment config, which expects
|
||||
firebase.json to be in the repository root, which is done by a Grunt task
|
||||
(`firebaseDocsJsonForCI` which is included in `prepareDeploy`).
|
||||
The `firebaseDocsJsonForCI` task modifies the paths in the `firebase.json` and copies it to the
|
||||
repository root.
|
||||
The docs are deployed to Google Firebase hosting and functions automatically via CI.
|
||||
|
||||
See .circleci/config.yml for the complete deployment config and build steps.
|
||||
See `.circleci/config.yml` for the complete deployment config and build steps.
|
||||
|
||||
# Serving locally:
|
||||
|
||||
- Run `cd scripts/docs.angularjs.org-firebase`.
|
||||
This changes the current working directory.
|
||||
|
||||
- Run `yarn grunt package`.
|
||||
This builds the files that will be deployed.
|
||||
|
||||
- Run `yarn grunt prepareDeploy`.
|
||||
This copies docs content files into deploy/docs and the partials for Search Engine AJAX
|
||||
Crawling into ./functions/content.
|
||||
It also moves the firebase.json file to the root folder, where the firebase-cli expects it
|
||||
This copies docs content files into `./deploy` and the partials for Search Engine AJAX Crawling into `./functions/content`.
|
||||
|
||||
- Run `firebase serve --only functions,hosting`
|
||||
Creates a server at localhost:5000 that serves from deploy/docs and uses the local function
|
||||
|
||||
See /scripts/code.angularjs.org-firebase/readme.firebase.code.md for the firebase deployment to
|
||||
code.angularjs.org
|
||||
- Run `$(yarn bin)/firebase emulators:start` (or `..\..\node_modules\.bin\firebase emulators:start` on Windows).
|
||||
Creates a server at http://localhost:5000 that serves from `./deploy` and uses the local function.
|
||||
|
||||
+1
-1
@@ -1532,7 +1532,7 @@ function allowAutoBootstrap(document) {
|
||||
link.href = src.value;
|
||||
|
||||
if (document.location.origin === link.origin) {
|
||||
// Same-origin resources are always allowed, even for non-whitelisted schemes.
|
||||
// Same-origin resources are always allowed, even for banned URL schemes.
|
||||
return true;
|
||||
}
|
||||
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
|
||||
|
||||
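Review bot: The reworded comment now says "even for banned URL schemes", but the check it precedes is an allow list (`Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web`), not an explicit deny list, so "banned" misdescribes the mechanism and could be read as implying a ban list exists somewhere. I would keep the meaning of the old wording: `// Same-origin resources are always allowed, even for URL schemes that are not in the trusted list.` The enclosing `allowAutoBootstrap` starts before this hunk.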
+1
-1
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @license AngularJS v"NG_VERSION_FULL"
|
||||
* (c) 2010-2020 Google, Inc. http://angularjs.org
|
||||
* (c) 2010-2020 Google LLC. http://angularjs.org
|
||||
* License: MIT
|
||||
*/
|
||||
(function(window) {
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @license AngularJS v"NG_VERSION_FULL"
|
||||
* (c) 2010-2020 Google, Inc. http://angularjs.org
|
||||
* (c) 2010-2020 Google LLC. http://angularjs.org
|
||||
* License: MIT
|
||||
*/
|
||||
'use strict';
|
||||
|
||||
+1
-1
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @license AngularJS v"NG_VERSION_FULL"
|
||||
* (c) 2010-2020 Google, Inc. http://angularjs.org
|
||||
* (c) 2010-2020 Google LLC. http://angularjs.org
|
||||
* License: MIT
|
||||
*/
|
||||
(function(window, angular) {
|
||||
|
||||
+72
-30
@@ -1106,8 +1106,8 @@
|
||||
*
|
||||
* Based on the context, other options may exist to mark a value as trusted / configure the behavior
|
||||
* of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use
|
||||
* the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()}
|
||||
* and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}.
|
||||
* the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()}
|
||||
* and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}.
|
||||
*
|
||||
* {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}.
|
||||
*
|
||||
@@ -1116,7 +1116,7 @@
|
||||
* By default, `$sce` will throw an error if it detects untrusted HTML content, and will not bind the
|
||||
* content.
|
||||
* However, if you include the {@link ngSanitize ngSanitize module}, it will try to sanitize the
|
||||
* potentially dangerous HTML, e.g. strip non-whitelisted tags and attributes when binding to
|
||||
* potentially dangerous HTML, e.g. strip non-trusted tags and attributes when binding to
|
||||
* `innerHTML`.
|
||||
*
|
||||
* @example
|
||||
@@ -1698,30 +1698,81 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#aHrefSanitizationWhitelist
|
||||
* @name $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during a[href] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at preventing XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist`
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationWhitelist = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.aHrefSanitizationWhitelist(regexp);
|
||||
$$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.aHrefSanitizationWhitelist();
|
||||
return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#aHrefSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This method is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* aHrefSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.aHrefSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(value) {
|
||||
this.aHrefSanitizationTrustedUrlList = value;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during img[src] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
|
||||
@@ -1731,29 +1782,20 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* @name $compileProvider#imgSrcSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* urls during img[src] sanitization.
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
* This method is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* imgSrcSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
this.imgSrcSanitizationWhitelist = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.imgSrcSanitizationWhitelist(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationWhitelist();
|
||||
Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.imgSrcSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(value) {
|
||||
this.imgSrcSanitizationTrustedUrlList = value;
|
||||
}
|
||||
};
|
||||
});
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
|
||||
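Review bot: The deprecated `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` names are now accessor properties created with `Object.defineProperty` and no `enumerable`/`configurable` flags, so both default to false, whereas the functions they replace were ordinary enumerable, writable properties; any code that enumerates or copies the provider's properties (test doubles, decorators) will no longer see the deprecated names, and a later redefinition of either will throw. If that compatibility matters for a point release, add `enumerable: true, configurable: true` to both descriptors. Separately, the new `imgSrcSanitizationTrustedUrlList` docblock copies the old wording `aimed at prevent XSS attacks via html links`, which is ungrammatical and describes the wrong attribute for `img[src]`; I would write `* The sanitization is a security measure aimed at preventing XSS attacks via image URLs.` The `$CompileProvider` function begins before and continues after this section.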
@@ -13,9 +13,9 @@
|
||||
* By default, the template URL is restricted to the same domain and protocol as the
|
||||
* application document. This is done by calling {@link $sce#getTrustedResourceUrl
|
||||
* $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols
|
||||
* you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or
|
||||
* {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link
|
||||
* ng.$sce Strict Contextual Escaping}.
|
||||
* you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted
|
||||
* resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to
|
||||
* AngularJS's {@link ng.$sce Strict Contextual Escaping}.
|
||||
*
|
||||
* In addition, the browser's
|
||||
* [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest)
|
||||
|
||||
+34
-14
@@ -388,7 +388,7 @@ function $HttpProvider() {
|
||||
|
||||
/**
|
||||
* @ngdoc property
|
||||
* @name $httpProvider#xsrfWhitelistedOrigins
|
||||
* @name $httpProvider#xsrfTrustedOrigins
|
||||
* @description
|
||||
*
|
||||
* Array containing URLs whose origins are trusted to receive the XSRF token. See the
|
||||
@@ -402,7 +402,7 @@ function $HttpProvider() {
|
||||
* Examples: `http://example.com`, `https://api.example.com:9876`
|
||||
*
|
||||
* <div class="alert alert-warning">
|
||||
* It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts
|
||||
* It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts
|
||||
* of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be
|
||||
* treated as `https://foo.com`, meaning that **all** requests to URLs starting with
|
||||
* `https://foo.com/` will include the XSRF token.
|
||||
@@ -413,9 +413,9 @@ function $HttpProvider() {
|
||||
* ```js
|
||||
* // App served from `https://example.com/`.
|
||||
* angular.
|
||||
* module('xsrfWhitelistedOriginsExample', []).
|
||||
* module('xsrfTrustedOriginsExample', []).
|
||||
* config(['$httpProvider', function($httpProvider) {
|
||||
* $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com');
|
||||
* $httpProvider.xsrfTrustedOrigins.push('https://api.example.com');
|
||||
* }]).
|
||||
* run(['$http', function($http) {
|
||||
* // The XSRF token will be sent.
|
||||
@@ -426,7 +426,27 @@ function $HttpProvider() {
|
||||
* }]);
|
||||
* ```
|
||||
*/
|
||||
var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = [];
|
||||
var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
|
||||
|
||||
/**
|
||||
* @ngdoc property
|
||||
* @name $httpProvider#xsrfWhitelistedOrigins
|
||||
* @description
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This property is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
|
||||
* instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
|
||||
get: function() {
|
||||
return this.xsrfTrustedOrigins;
|
||||
},
|
||||
set: function(origins) {
|
||||
this.xsrfTrustedOrigins = origins;
|
||||
}
|
||||
});
|
||||
|
||||
this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
|
||||
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
|
||||
@@ -454,7 +474,7 @@ function $HttpProvider() {
|
||||
/**
|
||||
* A function to check request URLs against a list of allowed origins.
|
||||
*/
|
||||
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins);
|
||||
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins);
|
||||
|
||||
/**
|
||||
* @ngdoc service
|
||||
@@ -828,16 +848,16 @@ function $HttpProvider() {
|
||||
* The header will — by default — **not** be set for cross-domain requests. This
|
||||
* prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining
|
||||
* access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you
|
||||
* want to, you can whitelist additional origins to also receive the XSRF token, by adding them
|
||||
* to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be
|
||||
* want to, you can trust additional origins to also receive the XSRF token, by adding them
|
||||
* to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be
|
||||
* useful, for example, if your application, served from `example.com`, needs to access your API
|
||||
* at `api.example.com`.
|
||||
* See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for
|
||||
* See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for
|
||||
* more details.
|
||||
*
|
||||
* <div class="alert alert-danger">
|
||||
* **Warning**<br />
|
||||
* Only whitelist origins that you have control over and make sure you understand the
|
||||
* Only trusted origins that you have control over and make sure you understand the
|
||||
* implications of doing so.
|
||||
* </div>
|
||||
*
|
||||
@@ -964,8 +984,8 @@ function $HttpProvider() {
|
||||
<file name="script.js">
|
||||
angular.module('httpExample', [])
|
||||
.config(['$sceDelegateProvider', function($sceDelegateProvider) {
|
||||
// We must whitelist the JSONP endpoint that we are using to show that we trust it
|
||||
$sceDelegateProvider.resourceUrlWhitelist([
|
||||
// We must add the JSONP endpoint that we are using to the trusted list to show that we trust it
|
||||
$sceDelegateProvider.trustedResourceUrlList([
|
||||
'self',
|
||||
'https://angularjs.org/**'
|
||||
]);
|
||||
@@ -1222,8 +1242,8 @@ function $HttpProvider() {
|
||||
*
|
||||
* Note that, since JSONP requests are sensitive because the response is given full access to the browser,
|
||||
* the url must be declared, via {@link $sce} as a trusted resource URL.
|
||||
* You can trust a URL by adding it to the whitelist via
|
||||
* {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or
|
||||
* You can trust a URL by adding it to the trusted resource URL list via
|
||||
* {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or
|
||||
* by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
|
||||
*
|
||||
* You should avoid generating the URL for the JSONP request from user provided data.
|
||||
|
||||
+2
-2
@@ -1900,7 +1900,7 @@ function $ParseProvider() {
|
||||
|
||||
var useInputs = parsedExpression.inputs && !exp.inputs;
|
||||
|
||||
// Propogate the literal/inputs/constant attributes
|
||||
// Propagate the literal/inputs/constant attributes
|
||||
// ... but not oneTime since we are handling it
|
||||
oneTimeWatch.literal = parsedExpression.literal;
|
||||
oneTimeWatch.constant = parsedExpression.constant;
|
||||
@@ -1987,7 +1987,7 @@ function $ParseProvider() {
|
||||
fn.$$intercepted = parsedExpression;
|
||||
fn.$$interceptor = interceptorFn;
|
||||
|
||||
// Propogate the literal/oneTime/constant attributes
|
||||
// Propagate the literal/oneTime/constant attributes
|
||||
fn.literal = parsedExpression.literal;
|
||||
fn.oneTime = parsedExpression.oneTime;
|
||||
fn.constant = parsedExpression.constant;
|
||||
|
||||
+16
-15
@@ -7,12 +7,12 @@
|
||||
*/
|
||||
function $$SanitizeUriProvider() {
|
||||
|
||||
var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
|
||||
/**
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during a[href] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via HTML anchor links.
|
||||
@@ -21,27 +21,27 @@ function $$SanitizeUriProvider() {
|
||||
* the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
|
||||
* which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
|
||||
*
|
||||
* If the URL matches the `aHrefSanitizationWhitelist` regular expression, it is returned unchanged.
|
||||
* If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
|
||||
*
|
||||
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
|
||||
* to the DOM it is inactive and potentially malicious code will not be executed.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationWhitelist = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
aHrefSanitizationWhitelist = regexp;
|
||||
aHrefSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return aHrefSanitizationWhitelist;
|
||||
return aHrefSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during img[src] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via HTML image src links.
|
||||
@@ -51,27 +51,28 @@ function $$SanitizeUriProvider() {
|
||||
* `$sce.trustAsMediaUrl(url)` which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize
|
||||
* the potentially malicious URL.
|
||||
*
|
||||
* If the URL matches the `aImgSanitizationWhitelist` regular expression, it is returned unchanged.
|
||||
* If the URL matches the `imgSrcSanitizationTrustedUrlList` regular expression, it is returned
|
||||
* unchanged.
|
||||
*
|
||||
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
|
||||
* to the DOM it is inactive and potentially malicious code will not be executed.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationWhitelist = function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
imgSrcSanitizationWhitelist = regexp;
|
||||
imgSrcSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return imgSrcSanitizationWhitelist;
|
||||
return imgSrcSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
this.$get = function() {
|
||||
return function sanitizeUri(uri, isMediaUrl) {
|
||||
// if (!uri) return uri;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
|
||||
var normalizedVal = urlResolve(uri && uri.trim()).href;
|
||||
if (normalizedVal !== '' && !normalizedVal.match(regex)) {
|
||||
return 'unsafe:' + normalizedVal;
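Review bot: The `@param {RegExp=} regexp New regexp to trust urls with.` description on both the a[href] and img[src] setters should state the contract the sanitizer relies on: the pattern is applied with `normalizedVal.match(regex)` to the trimmed, resolved `href`, so an override that is not anchored at `^` and does not pin the scheme can match somewhere inside a URL with a dangerous scheme and let it through without the `unsafe:` prefix. Suggested wording: `@param {RegExp=} regexp New regexp to trust urls with. It is tested against the resolved URL; anchor it at the start (as the default pattern does) so that it only matches the scheme.` Unlike the $http and $sce sections, this section drops `aHrefSanitizationWhitelist`/`imgSrcSanitizationWhitelist` without a deprecated alias; since `@returns {RegExp|ng.$compileProvider}` implies the public surface lives on `$compileProvider`, the alias presumably belongs there, which is outside this diff. The `$get`/`sanitizeUri` body continues past the end of the hunk.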
|
||||
|
||||
+118
-77
@@ -118,10 +118,10 @@ function adjustMatchers(matchers) {
|
||||
* The default instance of `$sceDelegate` should work out of the box with little pain. While you
|
||||
* can override it completely to change the behavior of `$sce`, the common case would
|
||||
* involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting
|
||||
* your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as
|
||||
* templates. Refer {@link ng.$sceDelegateProvider#resourceUrlWhitelist
|
||||
* $sceDelegateProvider.resourceUrlWhitelist} and {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist}
|
||||
* your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources
|
||||
* such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* $sceDelegateProvider.trustedResourceUrlList} and {@link
|
||||
* ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}
|
||||
*/
|
||||
|
||||
/**
|
||||
@@ -134,12 +134,12 @@ function adjustMatchers(matchers) {
|
||||
* The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate
|
||||
* $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}.
|
||||
*
|
||||
* The `$sceDelegateProvider` allows one to get/set the whitelists and blacklists used to ensure
|
||||
* that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all
|
||||
* places that use the `$sce.RESOURCE_URL` context). See
|
||||
* {@link ng.$sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider.resourceUrlWhitelist}
|
||||
* and
|
||||
* {@link ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist},
|
||||
* The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and
|
||||
* `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and
|
||||
* other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See
|
||||
* {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* $sceDelegateProvider.trustedResourceUrlList} and
|
||||
* {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList},
|
||||
*
|
||||
* For the general details about this service in AngularJS, read the main page for {@link ng.$sce
|
||||
* Strict Contextual Escaping (SCE)}.
|
||||
@@ -155,64 +155,117 @@ function adjustMatchers(matchers) {
|
||||
*
|
||||
* ```
|
||||
* angular.module('myApp', []).config(function($sceDelegateProvider) {
|
||||
* $sceDelegateProvider.resourceUrlWhitelist([
|
||||
* $sceDelegateProvider.trustedResourceUrlList([
|
||||
* // Allow same origin resource loads.
|
||||
* 'self',
|
||||
* // Allow loading from our assets domain. Notice the difference between * and **.
|
||||
* 'http://srv*.assets.example.com/**'
|
||||
* ]);
|
||||
*
|
||||
* // The blacklist overrides the whitelist so the open redirect here is blocked.
|
||||
* $sceDelegateProvider.resourceUrlBlacklist([
|
||||
* // The banned resource URL list overrides the trusted resource URL list so the open redirect
|
||||
* // here is blocked.
|
||||
* $sceDelegateProvider.bannedResourceUrlList([
|
||||
* 'http://myapp.example.com/clickThru**'
|
||||
* ]);
|
||||
* });
|
||||
* ```
|
||||
* Note that an empty whitelist will block every resource URL from being loaded, and will require
|
||||
* Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
|
||||
* you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates
|
||||
* requested by {@link ng.$templateRequest $templateRequest} that are present in
|
||||
* {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism
|
||||
* to populate your templates in that cache at config time, then it is a good idea to remove 'self'
|
||||
* from that whitelist. This helps to mitigate the security impact of certain types of issues, like
|
||||
* for instance attacker-controlled `ng-includes`.
|
||||
* from the trusted resource URL lsit. This helps to mitigate the security impact of certain types
|
||||
* of issues, like for instance attacker-controlled `ng-includes`.
|
||||
*/
|
||||
|
||||
function $SceDelegateProvider() {
|
||||
this.SCE_CONTEXTS = SCE_CONTEXTS;
|
||||
|
||||
// Resource URLs can also be trusted by policy.
|
||||
var resourceUrlWhitelist = ['self'],
|
||||
resourceUrlBlacklist = [];
|
||||
var trustedResourceUrlList = ['self'],
|
||||
bannedResourceUrlList = [];
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $sceDelegateProvider#trustedResourceUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} trustedResourceUrlList When provided, replaces the trustedResourceUrlList with
|
||||
* the value provided. This must be an array or null. A snapshot of this array is used so
|
||||
* further changes to the array are ignored.
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.
|
||||
*
|
||||
* @return {Array} The currently set trusted resource URL array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the list trusted of resource URLs.
|
||||
*
|
||||
* The **default value** when no `trustedResourceUrlList` has been explicitly set is `['self']`
|
||||
* allowing only same origin resource requests.
|
||||
*
|
||||
* <div class="alert alert-warning">
|
||||
* **Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares
|
||||
* its origin with other apps! It is a good idea to limit it to only your application's directory.
|
||||
* </div>
|
||||
*/
|
||||
this.trustedResourceUrlList = function(value) {
|
||||
if (arguments.length) {
|
||||
trustedResourceUrlList = adjustMatchers(value);
|
||||
}
|
||||
return trustedResourceUrlList;
|
||||
};
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $sceDelegateProvider#resourceUrlWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value
|
||||
* provided. This must be an array or null. A snapshot of this array is used so further
|
||||
* changes to the array are ignored.
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* @return {Array} The currently set whitelist array.
|
||||
* This method is deprecated. Use {@link $sceDelegateProvider#trustedResourceUrlList
|
||||
* trustedResourceUrlList} instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'resourceUrlWhitelist', {
|
||||
get: function() {
|
||||
return this.trustedResourceUrlList;
|
||||
},
|
||||
set: function(value) {
|
||||
this.trustedResourceUrlList = value;
|
||||
}
|
||||
});
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $sceDelegateProvider#bannedResourceUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with
|
||||
* the value provided. This must be an array or null. A snapshot of this array is used so
|
||||
* further changes to the array are ignored.</p><p>
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.</p><p>
|
||||
* The typical usage for the `bannedResourceUrlList` is to **block
|
||||
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
|
||||
* these would otherwise be trusted but actually return content from the redirected domain.
|
||||
* </p><p>
|
||||
* Finally, **the banned resource URL list overrides the trusted resource URL list** and has
|
||||
* the final say.
|
||||
*
|
||||
* @return {Array} The currently set `bannedResourceUrlList` array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the whitelist of trusted resource URLs.
|
||||
* Sets/Gets the `bannedResourceUrlList` of trusted resource URLs.
|
||||
*
|
||||
* The **default value** when no whitelist has been explicitly set is `['self']` allowing only
|
||||
* same origin resource requests.
|
||||
*
|
||||
* <div class="alert alert-warning">
|
||||
* **Note:** the default whitelist of 'self' is not recommended if your app shares its origin
|
||||
* with other apps! It is a good idea to limit it to only your application's directory.
|
||||
* </div>
|
||||
* The **default value** when no trusted resource URL list has been explicitly set is the empty
|
||||
* array (i.e. there is no `bannedResourceUrlList`.)
|
||||
*/
|
||||
this.resourceUrlWhitelist = function(value) {
|
||||
this.bannedResourceUrlList = function(value) {
|
||||
if (arguments.length) {
|
||||
resourceUrlWhitelist = adjustMatchers(value);
|
||||
bannedResourceUrlList = adjustMatchers(value);
|
||||
}
|
||||
return resourceUrlWhitelist;
|
||||
return bannedResourceUrlList;
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -220,32 +273,20 @@ function $SceDelegateProvider() {
|
||||
* @name $sceDelegateProvider#resourceUrlBlacklist
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value
|
||||
* provided. This must be an array or null. A snapshot of this array is used so further
|
||||
* changes to the array are ignored.</p><p>
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.</p><p>
|
||||
* The typical usage for the blacklist is to **block
|
||||
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
|
||||
* these would otherwise be trusted but actually return content from the redirected domain.
|
||||
* </p><p>
|
||||
* Finally, **the blacklist overrides the whitelist** and has the final say.
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* @return {Array} The currently set blacklist array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the blacklist of trusted resource URLs.
|
||||
*
|
||||
* The **default value** when no whitelist has been explicitly set is the empty array (i.e. there
|
||||
* is no blacklist.)
|
||||
* This method is deprecated. Use {@link $sceDelegateProvider#bannedResourceUrlList
|
||||
* bannedResourceUrlList} instead.
|
||||
*/
|
||||
|
||||
this.resourceUrlBlacklist = function(value) {
|
||||
if (arguments.length) {
|
||||
resourceUrlBlacklist = adjustMatchers(value);
|
||||
Object.defineProperty(this, 'resourceUrlBlacklist', {
|
||||
get: function() {
|
||||
return this.bannedResourceUrlList;
|
||||
},
|
||||
set: function(value) {
|
||||
this.bannedResourceUrlList = value;
|
||||
}
|
||||
return resourceUrlBlacklist;
|
||||
};
|
||||
});
|
||||
|
||||
this.$get = ['$injector', '$$sanitizeUri', function($injector, $$sanitizeUri) {
|
||||
|
||||
@@ -270,17 +311,17 @@ function $SceDelegateProvider() {
|
||||
function isResourceUrlAllowedByPolicy(url) {
|
||||
var parsedUrl = urlResolve(url.toString());
|
||||
var i, n, allowed = false;
|
||||
// Ensure that at least one item from the whitelist allows this url.
|
||||
for (i = 0, n = resourceUrlWhitelist.length; i < n; i++) {
|
||||
if (matchUrl(resourceUrlWhitelist[i], parsedUrl)) {
|
||||
// Ensure that at least one item from the trusted resource URL list allows this url.
|
||||
for (i = 0, n = trustedResourceUrlList.length; i < n; i++) {
|
||||
if (matchUrl(trustedResourceUrlList[i], parsedUrl)) {
|
||||
allowed = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (allowed) {
|
||||
// Ensure that no item from the blacklist blocked this url.
|
||||
for (i = 0, n = resourceUrlBlacklist.length; i < n; i++) {
|
||||
if (matchUrl(resourceUrlBlacklist[i], parsedUrl)) {
|
||||
// Ensure that no item from the banned resource URL list has blocked this url.
|
||||
for (i = 0, n = bannedResourceUrlList.length; i < n; i++) {
|
||||
if (matchUrl(bannedResourceUrlList[i], parsedUrl)) {
|
||||
allowed = false;
|
||||
break;
|
||||
}
|
||||
@@ -401,9 +442,9 @@ function $SceDelegateProvider() {
|
||||
* The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available
|
||||
* by default, and the third one relies on the `$sanitize` service (which may be loaded through
|
||||
* the `ngSanitize` module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be
|
||||
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist
|
||||
* `$sceDelegateProvider.resourceUrlWhitelist`} and {@link ng.$sceDelegateProvider#resourceUrlBlacklist
|
||||
* `$sceDelegateProvider.resourceUrlBlacklist`} accepts that resource.
|
||||
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* `$sceDelegateProvider.trustedResourceUrlList`} and {@link ng.$sceDelegateProvider#bannedResourceUrlList
|
||||
* `$sceDelegateProvider.bannedResourceUrlList`} accepts that resource.
|
||||
*
|
||||
* This function will throw if the safe type isn't appropriate for this context, or if the
|
||||
* value given cannot be accepted in the context (which might be caused by sanitization not
|
||||
@@ -497,9 +538,9 @@ function $SceDelegateProvider() {
|
||||
*
|
||||
* To systematically block XSS security bugs, AngularJS treats all values as untrusted by default in
|
||||
* HTML or sensitive URL bindings. When binding untrusted values, AngularJS will automatically
|
||||
* run security checks on them (sanitizations, whitelists, depending on context), or throw when it
|
||||
* cannot guarantee the security of the result. That behavior depends strongly on contexts: HTML
|
||||
* can be sanitized, but template URLs cannot, for instance.
|
||||
* run security checks on them (sanitizations, trusted URL resource, depending on context), or throw
|
||||
* when it cannot guarantee the security of the result. That behavior depends strongly on contexts:
|
||||
* HTML can be sanitized, but template URLs cannot, for instance.
|
||||
*
|
||||
* To illustrate this, consider the `ng-bind-html` directive. It renders its value directly as HTML:
|
||||
* we call that the *context*. When given an untrusted input, AngularJS will attempt to sanitize it
|
||||
@@ -578,8 +619,8 @@ function $SceDelegateProvider() {
|
||||
* By default, AngularJS only loads templates from the same domain and protocol as the application
|
||||
* document. This is done by calling {@link ng.$sce#getTrustedResourceUrl
|
||||
* $sce.getTrustedResourceUrl} on the template URL. To load templates from other domains and/or
|
||||
* protocols, you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist
|
||||
* them} or {@link ng.$sce#trustAsResourceUrl wrap it} into a trusted value.
|
||||
* protocols, you may either add them to the {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* trustedResourceUrlList} or {@link ng.$sce#trustAsResourceUrl wrap them} into trusted values.
|
||||
*
|
||||
* *Please note*:
|
||||
* The browser's
|
||||
@@ -607,8 +648,8 @@ function $SceDelegateProvider() {
|
||||
* templates in `ng-include` from your application's domain without having to even know about SCE.
|
||||
* It blocks loading templates from other domains or loading templates over http from an https
|
||||
* served document. You can change these by setting your own custom {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlWhitelist whitelists} and {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlBlacklist blacklists} for matching such URLs.
|
||||
* ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list} and {@link
|
||||
* ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} for matching such URLs.
|
||||
*
|
||||
* This significantly reduces the overhead. It is far easier to pay the small overhead and have an
|
||||
* application that's secure and can be audited to verify that with much more ease than bolting
|
||||
@@ -623,7 +664,7 @@ function $SceDelegateProvider() {
|
||||
* | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. |
|
||||
* | `$sce.MEDIA_URL` | For URLs that are safe to render as media. Is automatically converted from string by sanitizing when needed. |
|
||||
* | `$sce.URL` | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. Note that `$sce.URL` makes a stronger statement about the URL than `$sce.MEDIA_URL` does and therefore contexts requiring values trusted for `$sce.URL` can be used anywhere that values trusted for `$sce.MEDIA_URL` are required.|
|
||||
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider#resourceUrlWhitelist()} and {@link $sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider#resourceUrlBlacklist()} can be used to restrict trusted origins for `RESOURCE_URL` |
|
||||
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider#trustedResourceUrlList()} and {@link $sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider#bannedResourceUrlList()} can be used to restrict trusted origins for `RESOURCE_URL` |
|
||||
* | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. |
|
||||
*
|
||||
*
|
||||
@@ -641,7 +682,7 @@ function $SceDelegateProvider() {
|
||||
* There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs`
|
||||
* functions aren't useful yet. This might evolve.
|
||||
*
|
||||
* ### Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} <a name="resourceUrlPatternItem"></a>
|
||||
* ### Format of items in {@link ng.$sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList}/{@link ng.$sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList} <a name="resourceUrlPatternItem"></a>
|
||||
*
|
||||
* Each element in these arrays must be one of the following:
|
||||
*
|
||||
@@ -655,7 +696,7 @@ function $SceDelegateProvider() {
|
||||
* match themselves.
|
||||
* - `*`: matches zero or more occurrences of any character other than one of the following 6
|
||||
* characters: '`:`', '`/`', '`.`', '`?`', '`&`' and '`;`'. It's a useful wildcard for use
|
||||
* in a whitelist.
|
||||
* for matching resource URL lists.
|
||||
* - `**`: matches zero or more occurrences of *any* character. As such, it's not
|
||||
* appropriate for use in a scheme, domain, etc. as it would match too much. (e.g.
|
||||
* http://**.example.com/ would match http://evil.com/?ignore=.example.com/ and that might
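Review bot: The new `bannedResourceUrlList` jsdoc in hunk `@@ -155,64 +155,117 @@` describes the wrong list: `* Sets/Gets the \`bannedResourceUrlList\` of trusted resource URLs.` and `* The **default value** when no trusted resource URL list has been explicitly set is the empty` were carried over from the whitelist doc and should read `* Sets/Gets the list of banned resource URLs.` and `* The **default value** when no banned resource URL list has been explicitly set is the empty`, since the list is consulted after the trusted list to block matches, as the `isResourceUrlAllowedByPolicy` hunk below shows. Two smaller slips in the same hunk: `* Sets/Gets the list trusted of resource URLs.` should be `* Sets/Gets the list of trusted resource URLs.`, and `lsit` should be `list` in `from the trusted resource URL lsit.`. The `resourceUrlWhitelist`/`resourceUrlBlacklist` accessors added with `Object.defineProperty` have no comment saying they are deprecated aliases; a one-liner such as `// Deprecated alias: forwards to trustedResourceUrlList (see @deprecated above).` above each would spare the next reader a trip to the jsdoc.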
|
||||
|
||||
@@ -73,10 +73,10 @@ function $TemplateRequestProvider() {
|
||||
handleRequestFn.totalPendingRequests++;
|
||||
|
||||
// We consider the template cache holds only trusted templates, so
|
||||
// there's no need to go through whitelisting again for keys that already
|
||||
// are included in there. This also makes AngularJS accept any script
|
||||
// directive, no matter its name. However, we still need to unwrap trusted
|
||||
// types.
|
||||
// there's no need to go through adding the template again to the trusted
|
||||
// resources for keys that already are included in there. This also makes
|
||||
// AngularJS accept any script directive, no matter its name. However, we
|
||||
// still need to unwrap trusted types.
|
||||
if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
|
||||
tpl = $sce.getTrustedResourceUrl(tpl);
|
||||
}
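Review bot: The reworded comment at the top of the hunk misstates what is being skipped: `$sce.getTrustedResourceUrl(tpl)` checks a URL against the trusted resource URL policy (as the $sce docs elsewhere in this diff describe), it does not add anything to that policy, so `there's no need to go through adding the template again to the trusted resources` reads as if cached keys were being trusted rather than checked. Suggest `// there's no need to run the trusted resource URL check again for keys that already are included in there.`, keeping the rest of the comment as is. The enclosing function starts before and continues after the hunk.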
|
||||
|
||||
+5
-5
@@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
|
||||
* Create a function that can check a URL's origin against a list of allowed/trusted origins.
|
||||
* The current location's origin is implicitly trusted.
|
||||
*
|
||||
* @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
* @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
*
|
||||
* @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
|
||||
* whether it is of an allowed origin.
|
||||
*/
|
||||
function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
|
||||
function urlIsAllowedOriginFactory(trustedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
|
||||
|
||||
/**
|
||||
* Check whether the specified URL (string or parsed URL object) has an origin that is allowed
|
||||
* based on a list of whitelisted-origin URLs. The current location's origin is implicitly
|
||||
* based on a list of trusted-origin URLs. The current location's origin is implicitly
|
||||
* trusted.
|
||||
*
|
||||
* @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be
|
||||
|
||||
+16
-16
@@ -64,7 +64,7 @@ var ngAriaModule = angular.module('ngAria', ['ng']).
|
||||
/**
|
||||
* Internal Utilities
|
||||
*/
|
||||
var nodeBlackList = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
|
||||
var nativeAriaNodeNames = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY'];
|
||||
|
||||
var isNodeOneOf = function(elem, nodeTypeArray) {
|
||||
if (nodeTypeArray.indexOf(elem[0].nodeName) !== -1) {
|
||||
@@ -136,12 +136,12 @@ function $AriaProvider() {
|
||||
config = angular.extend(config, newConfig);
|
||||
};
|
||||
|
||||
function watchExpr(attrName, ariaAttr, nodeBlackList, negate) {
|
||||
function watchExpr(attrName, ariaAttr, nativeAriaNodeNames, negate) {
|
||||
return function(scope, elem, attr) {
|
||||
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
|
||||
|
||||
var ariaCamelName = attr.$normalize(ariaAttr);
|
||||
if (config[ariaCamelName] && !isNodeOneOf(elem, nodeBlackList) && !attr[ariaCamelName]) {
|
||||
if (config[ariaCamelName] && !isNodeOneOf(elem, nativeAriaNodeNames) && !attr[ariaCamelName]) {
|
||||
scope.$watch(attr[attrName], function(boolVal) {
|
||||
// ensure boolean value
|
||||
boolVal = negate ? !boolVal : !!boolVal;
|
||||
@@ -165,7 +165,7 @@ function $AriaProvider() {
|
||||
*
|
||||
*```js
|
||||
* ngAriaModule.directive('ngDisabled', ['$aria', function($aria) {
|
||||
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
|
||||
* return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
|
||||
* }])
|
||||
*```
|
||||
* Shown above, the ngAria module creates a directive with the same signature as the
|
||||
@@ -217,31 +217,31 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngHide', 'aria-hidden', [], false);
|
||||
}])
|
||||
.directive('ngValue', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngValue', 'aria-checked', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngValue', 'aria-checked', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngChecked', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngChecked', 'aria-checked', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngChecked', 'aria-checked', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngReadonly', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngRequired', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngRequired', 'aria-required', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngRequired', 'aria-required', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngModel', ['$aria', function($aria) {
|
||||
|
||||
function shouldAttachAttr(attr, normalizedAttr, elem, allowBlacklistEls) {
|
||||
function shouldAttachAttr(attr, normalizedAttr, elem, allowNonAriaNodes) {
|
||||
return $aria.config(normalizedAttr) &&
|
||||
!elem.attr(attr) &&
|
||||
(allowBlacklistEls || !isNodeOneOf(elem, nodeBlackList)) &&
|
||||
(allowNonAriaNodes || !isNodeOneOf(elem, nativeAriaNodeNames)) &&
|
||||
(elem.attr('type') !== 'hidden' || elem[0].nodeName !== 'INPUT');
|
||||
}
|
||||
|
||||
function shouldAttachRole(role, elem) {
|
||||
// if element does not have role attribute
|
||||
// AND element type is equal to role (if custom element has a type equaling shape) <-- remove?
|
||||
// AND element is not in nodeBlackList
|
||||
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nodeBlackList);
|
||||
// AND element is not in nativeAriaNodeNames
|
||||
return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nativeAriaNodeNames);
|
||||
}
|
||||
|
||||
function getShape(attr, elem) {
|
||||
@@ -349,7 +349,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
};
|
||||
}])
|
||||
.directive('ngDisabled', ['$aria', function($aria) {
|
||||
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false);
|
||||
return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false);
|
||||
}])
|
||||
.directive('ngMessages', function() {
|
||||
return {
|
||||
@@ -373,7 +373,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
var fn = $parse(attr.ngClick);
|
||||
return function(scope, elem, attr) {
|
||||
|
||||
if (!isNodeOneOf(elem, nodeBlackList)) {
|
||||
if (!isNodeOneOf(elem, nativeAriaNodeNames)) {
|
||||
|
||||
if ($aria.config('bindRoleForClick') && !elem.attr('role')) {
|
||||
elem.attr('role', 'button');
|
||||
@@ -389,7 +389,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
|
||||
if (keyCode === 13 || keyCode === 32) {
|
||||
// If the event is triggered on a non-interactive element ...
|
||||
if (nodeBlackList.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
|
||||
if (nativeAriaNodeNames.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) {
|
||||
// ... prevent the default browser behavior (e.g. scrolling when pressing spacebar)
|
||||
// See https://github.com/angular/angular.js/issues/16664
|
||||
event.preventDefault();
|
||||
@@ -411,7 +411,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) {
|
||||
return function(scope, elem, attr) {
|
||||
if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return;
|
||||
|
||||
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nodeBlackList)) {
|
||||
if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nativeAriaNodeNames)) {
|
||||
elem.attr('tabindex', 0);
|
||||
}
|
||||
};
|
||||
|
||||
+18
-40
@@ -41,12 +41,12 @@ var htmlSanitizeWriter;
|
||||
* @description
|
||||
* Sanitizes an html string by stripping all potentially dangerous tokens.
|
||||
*
|
||||
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are
|
||||
* The input is sanitized by parsing the HTML into tokens. All safe tokens (from a trusted URI list) are
|
||||
* then serialized back to a properly escaped HTML string. This means that no unsafe input can make
|
||||
* it into the returned string.
|
||||
*
|
||||
* The whitelist for URL sanitization of attribute values is configured using the functions
|
||||
* `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` of {@link $compileProvider}.
|
||||
* The trusted URIs for URL sanitization of attribute values is configured using the functions
|
||||
* `aHrefSanitizationTrustedUrlList` and `imgSrcSanitizationTrustedUrlList` of {@link $compileProvider}.
|
||||
*
|
||||
* The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}.
|
||||
*
|
||||
@@ -277,8 +277,8 @@ function $SanitizeProvider() {
|
||||
* **Note**:
|
||||
* The new attributes will not be treated as URI attributes, which means their values will not be
|
||||
* sanitized as URIs using `$compileProvider`'s
|
||||
* {@link ng.$compileProvider#aHrefSanitizationWhitelist aHrefSanitizationWhitelist} and
|
||||
* {@link ng.$compileProvider#imgSrcSanitizationWhitelist imgSrcSanitizationWhitelist}.
|
||||
* {@link ng.$compileProvider#aHrefSanitizationTrustedUrlList aHrefSanitizationTrustedUrlList} and
|
||||
* {@link ng.$compileProvider#imgSrcSanitizationTrustedUrlList imgSrcSanitizationTrustedUrlList}.
|
||||
*
|
||||
* <div class="alert alert-info">
|
||||
* This method must be called during the {@link angular.Module#config config} phase. Once the
|
||||
@@ -421,50 +421,28 @@ function $SanitizeProvider() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an inert document that contains the dirty HTML that needs sanitizing
|
||||
* Depending upon browser support we use one of three strategies for doing this.
|
||||
* Support: Safari 10.x -> XHR strategy
|
||||
* Support: Firefox -> DomParser strategy
|
||||
* Create an inert document that contains the dirty HTML that needs sanitizing.
|
||||
* We use the DOMParser API by default and fall back to createHTMLDocument if DOMParser is not
|
||||
* available.
|
||||
*/
|
||||
var getInertBodyElement /* function(html: string): HTMLBodyElement */ = (function(window, document) {
|
||||
var inertDocument;
|
||||
if (document && document.implementation) {
|
||||
inertDocument = document.implementation.createHTMLDocument('inert');
|
||||
} else {
|
||||
if (isDOMParserAvailable()) {
|
||||
return getInertBodyElement_DOMParser;
|
||||
}
|
||||
|
||||
if (!document || !document.implementation) {
|
||||
throw $sanitizeMinErr('noinert', 'Can\'t create an inert html document');
|
||||
}
|
||||
var inertDocument = document.implementation.createHTMLDocument('inert');
|
||||
var inertBodyElement = (inertDocument.documentElement || inertDocument.getDocumentElement()).querySelector('body');
|
||||
return getInertBodyElement_InertDocument;
|
||||
|
||||
// Check for the Safari 10.1 bug - which allows JS to run inside the SVG G element
|
||||
inertBodyElement.innerHTML = '<svg><g onload="this.parentNode.remove()"></g></svg>';
|
||||
if (!inertBodyElement.querySelector('svg')) {
|
||||
return getInertBodyElement_XHR;
|
||||
} else {
|
||||
// Check for the Firefox bug - which prevents the inner img JS from being sanitized
|
||||
inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
|
||||
if (inertBodyElement.querySelector('svg img')) {
|
||||
return getInertBodyElement_DOMParser;
|
||||
} else {
|
||||
return getInertBodyElement_InertDocument;
|
||||
}
|
||||
}
|
||||
|
||||
function getInertBodyElement_XHR(html) {
|
||||
// We add this dummy element to ensure that the rest of the content is parsed as expected
|
||||
// e.g. leading whitespace is maintained and tags like `<meta>` do not get hoisted to the `<head>` tag.
|
||||
html = '<remove></remove>' + html;
|
||||
function isDOMParserAvailable() {
|
||||
try {
|
||||
html = encodeURI(html);
|
||||
return !!getInertBodyElement_DOMParser('');
|
||||
} catch (e) {
|
||||
return undefined;
|
||||
return false;
|
||||
}
|
||||
var xhr = new window.XMLHttpRequest();
|
||||
xhr.responseType = 'document';
|
||||
xhr.open('GET', 'data:text/html;charset=utf-8,' + html, false);
|
||||
xhr.send(null);
|
||||
var body = xhr.response.body;
|
||||
body.firstChild.remove();
|
||||
return body;
|
||||
}
|
||||
|
||||
function getInertBodyElement_DOMParser(html) {
|
||||
|
||||
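Review bot: The `createHTMLDocument` fallback in `getInertBodyElement` is now used unconditionally whenever `isDOMParserAvailable()` returns false, whereas the removed lines probed that document for the Safari 10.1 `<svg><g onload>` and Firefox `<style>`-inside-SVG parser bugs before trusting it; the new header comment should record that those probes are gone so a maintainer does not assume the fallback path is still vetted. I would extend the comment above the IIFE with `// NOTE: the createHTMLDocument fallback is no longer probed for the Safari 10.1 / Firefox parser bugs; it is only reached on browsers without DOMParser and is trusted as-is.` The `isDOMParserAvailable()` helper only checks that parsing `''` yields a truthy result, not that the resulting document is inert, which presumably relies on DOMParser's specified behaviour of not running scripts or loading resources — a one-line comment stating that assumption on the helper would help. The IIFE, including `getInertBodyElement_DOMParser` and `getInertBodyElement_InertDocument`, continues past the end of the hunk, so the fallback body itself is not visible here.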
+25
-25
@@ -151,30 +151,30 @@ describe('$compile', function() {
|
||||
|
||||
describe('configuration', function() {
|
||||
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationWhitelist`', function() {
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUrlList`', function() {
|
||||
module(function($compileProvider, $$sanitizeUriProvider) {
|
||||
var newRe = /safe:/, returnVal;
|
||||
|
||||
expect($compileProvider.aHrefSanitizationWhitelist()).toBe($$sanitizeUriProvider.aHrefSanitizationWhitelist());
|
||||
returnVal = $compileProvider.aHrefSanitizationWhitelist(newRe);
|
||||
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList());
|
||||
returnVal = $compileProvider.aHrefSanitizationTrustedUrlList(newRe);
|
||||
expect(returnVal).toBe($compileProvider);
|
||||
expect($$sanitizeUriProvider.aHrefSanitizationWhitelist()).toBe(newRe);
|
||||
expect($compileProvider.aHrefSanitizationWhitelist()).toBe(newRe);
|
||||
expect($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
|
||||
expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe);
|
||||
});
|
||||
inject(function() {
|
||||
// needed to the module definition above is run...
|
||||
});
|
||||
});
|
||||
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationWhitelist`', function() {
|
||||
it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUrlList`', function() {
|
||||
module(function($compileProvider, $$sanitizeUriProvider) {
|
||||
var newRe = /safe:/, returnVal;
|
||||
|
||||
expect($compileProvider.imgSrcSanitizationWhitelist()).toBe($$sanitizeUriProvider.imgSrcSanitizationWhitelist());
|
||||
returnVal = $compileProvider.imgSrcSanitizationWhitelist(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList());
|
||||
returnVal = $compileProvider.imgSrcSanitizationTrustedUrlList(newRe);
|
||||
expect(returnVal).toBe($compileProvider);
|
||||
expect($$sanitizeUriProvider.imgSrcSanitizationWhitelist()).toBe(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationWhitelist()).toBe(newRe);
|
||||
expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
|
||||
expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe);
|
||||
});
|
||||
inject(function() {
|
||||
// needed to the module definition above is run...
|
||||
@@ -11334,9 +11334,9 @@ describe('$compile', function() {
|
||||
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
|
||||
if (msie !== 9 || tag === 'img') {
|
||||
describe(tag + '[src] context requirement', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
element = $compile('<' + tag + ' src="{{testUrl}}"></' + tag + '>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.attr('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -11372,9 +11372,9 @@ describe('$compile', function() {
|
||||
if (msie !== 9) {
|
||||
['source', 'track'].forEach(function(tag) {
|
||||
describe(tag + '[src]', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
element = $compile('<video><' + tag + ' src="{{testUrl}}"></' + tag + '></video>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.find(tag).attr('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -11509,14 +11509,14 @@ describe('$compile', function() {
|
||||
});
|
||||
});
|
||||
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
element = $compile('<img srcset="{{testUrl}}"></img>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.attr('srcset')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
|
||||
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
|
||||
element = $compile('<img srcset="{{testUrl}}"></img>')($rootScope);
|
||||
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
|
||||
$rootScope.$digest();
|
||||
@@ -11602,8 +11602,8 @@ describe('$compile', function() {
|
||||
});
|
||||
|
||||
describe('a[href] sanitization', function() {
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.attr('href')).toEqual('http://example.com/image.png');
|
||||
@@ -11613,8 +11613,8 @@ describe('$compile', function() {
|
||||
expect(element.attr('ng-href')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
|
||||
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
|
||||
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.attr('href')).toEqual('javascript:foo()');
|
||||
@@ -11624,8 +11624,8 @@ describe('$compile', function() {
|
||||
expect(element.attr('ng-href')).toEqual('javascript:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
|
||||
element = $compile('<a href="{{testUrl}}"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.attr('href')).toEqual('unsafe:javascript:foo()');
|
||||
@@ -11678,7 +11678,7 @@ describe('$compile', function() {
|
||||
$provide.value('$$sanitizeUri', $$sanitizeUri);
|
||||
});
|
||||
inject(function($compile, $rootScope) {
|
||||
// This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run
|
||||
// This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run
|
||||
// because these interpolations will be resolved against the URL context instead
|
||||
$rootScope.testUrl = 'https://bad.example.org';
|
||||
|
||||
@@ -11700,7 +11700,7 @@ describe('$compile', function() {
|
||||
$provide.value('$$sanitizeUri', $$sanitizeUri);
|
||||
});
|
||||
inject(function($compile, $rootScope) {
|
||||
// This URL would fail the RESOURCE_URL whitelist, but that test shouldn't be run
|
||||
// This URL would fail the RESOURCE_URL trusted list, but that test shouldn't be run
|
||||
// because these interpolations will be resolved against the URL context instead
|
||||
$rootScope.testUrl = 'https://bad.example.org';
|
||||
|
||||
|
||||
+10
-10
@@ -288,8 +288,8 @@ describe('$http', function() {
|
||||
var $httpBackend, $http, $rootScope, $sce;
|
||||
|
||||
beforeEach(module(function($sceDelegateProvider) {
|
||||
// Setup a special whitelisted url that we can use in testing JSONP requests
|
||||
$sceDelegateProvider.resourceUrlWhitelist(['http://special.whitelisted.resource.com/**']);
|
||||
// Setup a special trusted url that we can use in testing JSONP requests
|
||||
$sceDelegateProvider.trustedResourceUrlList(['http://special.trusted.resource.com/**']);
|
||||
}));
|
||||
|
||||
beforeEach(inject(['$httpBackend', '$http', '$rootScope', '$sce', function($hb, $h, $rs, $sc) {
|
||||
@@ -2213,9 +2213,9 @@ describe('$http', function() {
|
||||
var $httpBackend;
|
||||
|
||||
beforeEach(module(function($httpProvider) {
|
||||
$httpProvider.xsrfWhitelistedOrigins.push(
|
||||
'https://whitelisted.example.com',
|
||||
'https://whitelisted2.example.com:1337/ignored/path');
|
||||
$httpProvider.xsrfTrustedOrigins.push(
|
||||
'https://trusted.example.com',
|
||||
'https://trusted2.example.com:1337/ignored/path');
|
||||
}));
|
||||
|
||||
beforeEach(inject(function(_$http_, _$httpBackend_) {
|
||||
@@ -2312,8 +2312,8 @@ describe('$http', function() {
|
||||
}
|
||||
var requestUrls = [
|
||||
'https://api.example.com/path',
|
||||
'http://whitelisted.example.com',
|
||||
'https://whitelisted2.example.com:1338'
|
||||
'http://trusted.example.com',
|
||||
'https://trusted2.example.com:1338'
|
||||
];
|
||||
|
||||
mockedCookies['XSRF-TOKEN'] = 'secret';
|
||||
@@ -2326,15 +2326,15 @@ describe('$http', function() {
|
||||
});
|
||||
|
||||
|
||||
it('should set an XSRF header for cross-domain requests to whitelisted origins',
|
||||
it('should set an XSRF header for cross-domain requests to trusted origins',
|
||||
inject(function($browser) {
|
||||
function checkHeaders(headers) {
|
||||
return headers['X-XSRF-TOKEN'] === 'secret';
|
||||
}
|
||||
var currentUrl = 'https://example.com/path';
|
||||
var requestUrls = [
|
||||
'https://whitelisted.example.com/path',
|
||||
'https://whitelisted2.example.com:1337/path'
|
||||
'https://trusted.example.com/path',
|
||||
'https://trusted2.example.com:1337/path'
|
||||
];
|
||||
|
||||
$browser.url(currentUrl);
|
||||
|
||||
+15
-15
@@ -250,9 +250,9 @@ describe('ngProp*', function() {
|
||||
// IE9 rejects the `video` / `audio` tags with "Error: Not implemented"
|
||||
if (msie !== 9 || tag === 'img') {
|
||||
describe(tag + '[src] context requirement', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -279,7 +279,7 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('src')).toEqual('untrusted:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
|
||||
// As a MEDIA_URL URL
|
||||
var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
|
||||
// Some browsers complain if you try to write `javascript:` into an `img[src]`
|
||||
@@ -308,9 +308,9 @@ describe('ngProp*', function() {
|
||||
if (msie !== 9) {
|
||||
['source', 'track'].forEach(function(tag) {
|
||||
describe(tag + '[src]', function() {
|
||||
it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) {
|
||||
it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) {
|
||||
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.find(tag).prop('src')).toEqual('http://example.com/image.mp4');
|
||||
}));
|
||||
@@ -335,7 +335,7 @@ describe('ngProp*', function() {
|
||||
expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
|
||||
$rootScope.testUrl = 'untrusted:foo()';
|
||||
$rootScope.$digest();
|
||||
@@ -412,14 +412,14 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('srcset')).toBe('');
|
||||
}));
|
||||
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('srcset')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) {
|
||||
it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) {
|
||||
var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl"></' + srcsetElement + '>')($rootScope);
|
||||
$rootScope.testUrl = $sce.trustAsUrl('http://example.com');
|
||||
$rootScope.$digest();
|
||||
@@ -506,8 +506,8 @@ describe('ngProp*', function() {
|
||||
});
|
||||
|
||||
describe('a[href] sanitization', function() {
|
||||
it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted
|
||||
it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('http://example.com/image.png');
|
||||
@@ -517,8 +517,8 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('href')).toEqual('http://example.com/image.png');
|
||||
}));
|
||||
|
||||
it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted
|
||||
it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) {
|
||||
$rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('javascript:foo()');
|
||||
@@ -528,8 +528,8 @@ describe('ngProp*', function() {
|
||||
expect(element.prop('href')).toEqual('javascript:foo()');
|
||||
}));
|
||||
|
||||
it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted
|
||||
it('should sanitize non-trusted values', inject(function($rootScope, $compile) {
|
||||
$rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted
|
||||
var element = $compile('<a ng-prop-href="testUrl"></a>')($rootScope);
|
||||
$rootScope.$digest();
|
||||
expect(element.prop('href')).toEqual('unsafe:javascript:foo()');
|
||||
|
||||
@@ -125,10 +125,10 @@ describe('sanitizeUri', function() {
|
||||
expect(sanitizeImg(testUrl)).toBe('data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw==');
|
||||
});
|
||||
|
||||
it('should allow reconfiguration of the src whitelist', function() {
|
||||
it('should allow reconfiguration of the src trusted URIs', function() {
|
||||
var returnVal;
|
||||
expect(sanitizeUriProvider.imgSrcSanitizationWhitelist() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.imgSrcSanitizationWhitelist(/javascript:/);
|
||||
expect(sanitizeUriProvider.imgSrcSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(/javascript:/);
|
||||
expect(returnVal).toBe(sanitizeUriProvider);
|
||||
|
||||
testUrl = 'javascript:doEvilStuff()';
|
||||
@@ -226,10 +226,10 @@ describe('sanitizeUri', function() {
|
||||
expect(sanitizeHref(testUrl)).toBe('file:///foo/bar.html');
|
||||
}));
|
||||
|
||||
it('should allow reconfiguration of the href whitelist', function() {
|
||||
it('should allow reconfiguration of the href trusted URIs', function() {
|
||||
var returnVal;
|
||||
expect(sanitizeUriProvider.aHrefSanitizationWhitelist() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.aHrefSanitizationWhitelist(/javascript:/);
|
||||
expect(sanitizeUriProvider.aHrefSanitizationTrustedUrlList() instanceof RegExp).toBe(true);
|
||||
returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUrlList(/javascript:/);
|
||||
expect(returnVal).toBe(sanitizeUriProvider);
|
||||
|
||||
testUrl = 'javascript:doEvilStuff()';
|
||||
|
||||
+35
-36
@@ -309,11 +309,11 @@ describe('SCE', function() {
|
||||
function runTest(cfg, testFn) {
|
||||
return function() {
|
||||
module(function($sceDelegateProvider) {
|
||||
if (isDefined(cfg.whiteList)) {
|
||||
$sceDelegateProvider.resourceUrlWhitelist(cfg.whiteList);
|
||||
if (isDefined(cfg.trustedUrls)) {
|
||||
$sceDelegateProvider.trustedResourceUrlList(cfg.trustedUrls);
|
||||
}
|
||||
if (isDefined(cfg.blackList)) {
|
||||
$sceDelegateProvider.resourceUrlBlacklist(cfg.blackList);
|
||||
if (isDefined(cfg.bannedUrls)) {
|
||||
$sceDelegateProvider.bannedResourceUrlList(cfg.bannedUrls);
|
||||
}
|
||||
});
|
||||
inject(testFn);
|
||||
@@ -324,10 +324,10 @@ describe('SCE', function() {
|
||||
expect($sce.getTrustedResourceUrl('foo/bar')).toEqual('foo/bar');
|
||||
}));
|
||||
|
||||
it('should reject everything when whitelist is empty', runTest(
|
||||
it('should reject everything when trusted resource URL list is empty', runTest(
|
||||
{
|
||||
whiteList: [],
|
||||
blackList: []
|
||||
trustedUrls: [],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect(function() { $sce.getTrustedResourceUrl('#'); }).toThrowMinErr(
|
||||
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: #');
|
||||
@@ -336,8 +336,8 @@ describe('SCE', function() {
|
||||
|
||||
it('should match against normalized urls', runTest(
|
||||
{
|
||||
whiteList: [/^foo$/],
|
||||
blackList: []
|
||||
trustedUrls: [/^foo$/],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
|
||||
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
|
||||
@@ -346,7 +346,7 @@ describe('SCE', function() {
|
||||
|
||||
it('should not accept unknown matcher type', function() {
|
||||
expect(function() {
|
||||
runTest({whiteList: [{}]}, null)();
|
||||
runTest({trustedUrls: [{}]}, null)();
|
||||
}).toThrowMinErr('$injector', 'modulerr', new RegExp(
|
||||
/Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source +
|
||||
/[^[]*\[\$sce:imatcher] Matchers may only be "self", string patterns or RegExp objects/.source));
|
||||
@@ -370,8 +370,8 @@ describe('SCE', function() {
|
||||
describe('regex matcher', function() {
|
||||
it('should support custom regex', runTest(
|
||||
{
|
||||
whiteList: [/^http:\/\/example\.com\/.*/],
|
||||
blackList: []
|
||||
trustedUrls: [/^http:\/\/example\.com\/.*/],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
|
||||
// must match entire regex
|
||||
@@ -385,8 +385,8 @@ describe('SCE', function() {
|
||||
|
||||
it('should match entire regex', runTest(
|
||||
{
|
||||
whiteList: [/https?:\/\/example\.com\/foo/],
|
||||
blackList: []
|
||||
trustedUrls: [/https?:\/\/example\.com\/foo/],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
|
||||
expect($sce.getTrustedResourceUrl('https://example.com/foo')).toEqual('https://example.com/foo');
|
||||
@@ -405,8 +405,8 @@ describe('SCE', function() {
|
||||
describe('string matchers', function() {
|
||||
it('should support strings as matchers', runTest(
|
||||
{
|
||||
whiteList: ['http://example.com/foo'],
|
||||
blackList: []
|
||||
trustedUrls: ['http://example.com/foo'],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
|
||||
// "." is not a special character like in a regex.
|
||||
@@ -423,8 +423,8 @@ describe('SCE', function() {
|
||||
|
||||
it('should support the * wildcard', runTest(
|
||||
{
|
||||
whiteList: ['http://example.com/foo*'],
|
||||
blackList: []
|
||||
trustedUrls: ['http://example.com/foo*'],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
|
||||
// The * wildcard should match extra characters.
|
||||
@@ -452,8 +452,8 @@ describe('SCE', function() {
|
||||
|
||||
it('should support the ** wildcard', runTest(
|
||||
{
|
||||
whiteList: ['http://example.com/foo**'],
|
||||
blackList: []
|
||||
trustedUrls: ['http://example.com/foo**'],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/foo')).toEqual('http://example.com/foo');
|
||||
// The ** wildcard should match extra characters.
|
||||
@@ -465,7 +465,7 @@ describe('SCE', function() {
|
||||
|
||||
it('should not accept *** in the string', function() {
|
||||
expect(function() {
|
||||
runTest({whiteList: ['http://***']}, null)();
|
||||
runTest({trustedUrls: ['http://***']}, null)();
|
||||
}).toThrowMinErr('$injector', 'modulerr', new RegExp(
|
||||
/Failed to instantiate module function ?\(\$sceDelegateProvider\) due to:\n/.source +
|
||||
/[^[]*\[\$sce:iwcard] Illegal sequence \*\*\* in string matcher\. {2}String: http:\/\/\*\*\*/.source));
|
||||
@@ -473,19 +473,19 @@ describe('SCE', function() {
|
||||
});
|
||||
|
||||
describe('"self" matcher', function() {
|
||||
it('should support the special string "self" in whitelist', runTest(
|
||||
it('should support the special string "self" in trusted resource URL list', runTest(
|
||||
{
|
||||
whiteList: ['self'],
|
||||
blackList: []
|
||||
trustedUrls: ['self'],
|
||||
bannedUrls: []
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('foo')).toEqual('foo');
|
||||
}
|
||||
));
|
||||
|
||||
it('should support the special string "self" in blacklist', runTest(
|
||||
it('should support the special string "self" in baneed resource URL list', runTest(
|
||||
{
|
||||
whiteList: [/.*/],
|
||||
blackList: ['self']
|
||||
trustedUrls: [/.*/],
|
||||
bannedUrls: ['self']
|
||||
}, function($sce) {
|
||||
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
|
||||
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
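Review bot: The renamed test description on the new side misspells the list name: `it('should support the special string "self" in baneed resource URL list', runTest(` should read `it('should support the special string "self" in banned resource URL list', runTest(`. The same list is spelled correctly as "banned resource URL list" in the later description in this file (the hunk starting at `@@ -526,10 +526,10 @@`), so this one is the only inconsistent spelling. Since these descriptions are what shows up in the test report when the banned-list override stops working, the typo is worth fixing in this commit rather than leaving it for a follow-up.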
|
||||
@@ -494,7 +494,7 @@ describe('SCE', function() {
|
||||
|
||||
describe('when the document base URL has changed', function() {
|
||||
var baseElem;
|
||||
var cfg = {whitelist: ['self'], blacklist: []};
|
||||
var cfg = {trustedUrls: ['self'], bannedUrls: []};
|
||||
|
||||
beforeEach(function() {
|
||||
baseElem = window.document.createElement('BASE');
|
||||
@@ -526,10 +526,10 @@ describe('SCE', function() {
|
||||
});
|
||||
});
|
||||
|
||||
it('should have blacklist override the whitelist', runTest(
|
||||
it('should have the banned resource URL list override the trusted resource URL list', runTest(
|
||||
{
|
||||
whiteList: ['self'],
|
||||
blackList: ['self']
|
||||
trustedUrls: ['self'],
|
||||
bannedUrls: ['self']
|
||||
}, function($sce) {
|
||||
expect(function() { $sce.getTrustedResourceUrl('foo'); }).toThrowMinErr(
|
||||
'$sce', 'insecurl', 'Blocked loading resource from url not allowed by $sceDelegate policy. URL: foo');
|
||||
@@ -538,8 +538,8 @@ describe('SCE', function() {
|
||||
|
||||
it('should support multiple items in both lists', runTest(
|
||||
{
|
||||
whiteList: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'],
|
||||
blackList: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/]
|
||||
trustedUrls: [/^http:\/\/example.com\/1$/, /^http:\/\/example.com\/2$/, /^http:\/\/example.com\/3$/, 'self'],
|
||||
bannedUrls: [/^http:\/\/example.com\/3$/, /.*\/open_redirect/]
|
||||
}, function($sce) {
|
||||
expect($sce.getTrustedResourceUrl('same_domain')).toEqual('same_domain');
|
||||
expect($sce.getTrustedResourceUrl('http://example.com/1')).toEqual('http://example.com/1');
|
||||
@@ -553,12 +553,12 @@ describe('SCE', function() {
|
||||
});
|
||||
|
||||
describe('URL-context sanitization', function() {
|
||||
it('should sanitize values that are not whitelisted', inject(function($sce) {
|
||||
it('should sanitize values that are not found in the trusted resource URL list', inject(function($sce) {
|
||||
expect($sce.getTrustedMediaUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
|
||||
expect($sce.getTrustedUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
|
||||
}));
|
||||
|
||||
it('should not sanitize values that are whitelisted', inject(function($sce) {
|
||||
it('should not sanitize values that are found in the trusted resource URL list', inject(function($sce) {
|
||||
expect($sce.getTrustedMediaUrl('http://example.com')).toEqual('http://example.com');
|
||||
expect($sce.getTrustedUrl('http://example.com')).toEqual('http://example.com');
|
||||
}));
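Review bot: The two renamed descriptions in this hunk now assert that the behaviour is governed by "the trusted resource URL list", but the tests exercise `$sce.getTrustedMediaUrl` and `$sce.getTrustedUrl` (the URL and MEDIA_URL contexts) via a bare `inject(...)` with no list configured through `runTest`/`$sceDelegateProvider` at all. To my knowledge those two contexts are sanitized by the `$compileProvider` href/img-src sanitization pattern rather than by the resource URL list, so naming that list here is misleading unless `getTrustedUrl` consults it, which nothing in the hunk shows. A context-neutral wording keeps the old description's intent without the wrong attribution, e.g. `it('should sanitize URL values that are not trusted', inject(function($sce) {` and `it('should not sanitize URL values that are trusted', inject(function($sce) {`. The enclosing `describe('SCE', ...)` block starts outside this hunk.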
|
||||
@@ -620,4 +620,3 @@ describe('SCE', function() {
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
|
||||
@@ -97,7 +97,7 @@ describe('urlUtils', function() {
|
||||
});
|
||||
|
||||
|
||||
it('should check against the list of whitelisted origins', function() {
|
||||
it('should check against the list of trusted origins', function() {
|
||||
expect(urlIsAllowedOrigin('https://foo.com/path')).toBe(true);
|
||||
expect(urlIsAllowedOrigin(origin.protocol + '://bar.com:1337/path')).toBe(true);
|
||||
expect(urlIsAllowedOrigin('https://baz.com:1337/path')).toBe(false);
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
'use strict';
|
||||
|
||||
/* globals nodeBlackList false */
|
||||
/* globals nativeAriaNodeNames false */
|
||||
|
||||
describe('$aria', function() {
|
||||
var scope, $compile, element;
|
||||
@@ -1064,7 +1064,7 @@ describe('$aria', function() {
|
||||
);
|
||||
|
||||
they('should not prevent default keyboard action if an interactive $type element' +
|
||||
'is nested inside ng-click', nodeBlackList, function(elementType) {
|
||||
'is nested inside ng-click', nativeAriaNodeNames, function(elementType) {
|
||||
function createHTML(type) {
|
||||
return '<' + type + '></' + type + '>';
|
||||
}
|
||||
|
||||
@@ -803,7 +803,7 @@ describe('$route', function() {
|
||||
it('should load cross domain templates that are trusted', function() {
|
||||
module(function($routeProvider, $sceDelegateProvider) {
|
||||
$routeProvider.when('/foo', { templateUrl: 'http://example.com/foo.html' });
|
||||
$sceDelegateProvider.resourceUrlWhitelist([/^http:\/\/example\.com\/foo\.html$/]);
|
||||
$sceDelegateProvider.trustedResourceUrlList([/^http:\/\/example\.com\/foo\.html$/]);
|
||||
});
|
||||
|
||||
inject(function($route, $location, $rootScope) {
|
||||
|
||||
Vendored
+1
-1
@@ -1,6 +1,6 @@
|
||||
The MIT License
|
||||
|
||||
Copyright (c) 2013 Google, Inc. http://angularjs.org
|
||||
Copyright (c) 2013-2020 Google LLC. http://angularjs.org
|
||||
|
||||
Permission is hereby granted, free of charge, to any person obtaining a copy
|
||||
of this software and associated documentation files (the "Software"), to deal
|
||||
|
||||