/** * @license AngularJS v1.5.6 * (c) 2010-2016 Google, Inc. http://angularjs.org * License: MIT */ (function(window, angular) {'use strict'; /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * Any commits to this file should be reviewed with security in mind. * * Changes to this file can potentially create security vulnerabilities. * * An approval from 2 Core members with history of modifying * * this file is required. * * * * Does the change somehow allow for arbitrary javascript to be executed? * * Or allows for someone to change the prototype of built-in objects? * * Or gives undesired access to variables likes document or window? * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ var $sanitizeMinErr = angular.$$minErr('$sanitize'); /** * @ngdoc module * @name ngSanitize * @description * * # ngSanitize * * The `ngSanitize` module provides functionality to sanitize HTML. * * *
* * See {@link ngSanitize.$sanitize `$sanitize`} for usage. */ /** * @ngdoc service * @name $sanitize * @kind function * * @description * Sanitizes an html string by stripping all potentially dangerous tokens. * * The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are * then serialized back to properly escaped html string. This means that no unsafe input can make * it into the returned string. * * The whitelist for URL sanitization of attribute values is configured using the functions * `aHrefSanitizationWhitelist` and `imgSrcSanitizationWhitelist` of {@link ng.$compileProvider * `$compileProvider`}. * * The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}. * * @param {string} html HTML input. * @returns {string} Sanitized HTML. * * @exampleDirective | How | Source | Rendered |
ng-bind-html | Automatically uses $sanitize | <div ng-bind-html="snippet"> |
|
ng-bind-html | Bypass $sanitize by explicitly trusting the dangerous value |
<div ng-bind-html="deliberatelyTrustDangerousSnippet()"> </div> |
|
ng-bind | Automatically escapes | <div ng-bind="snippet"> |
an html\nclick here\nsnippet
'); }); it('should inline raw snippet if bound to a trusted value', function() { expect(element(by.css('#bind-html-with-trust div')).getInnerHtml()). toBe("an html\n" + "click here\n" + "snippet
"); }); it('should escape snippet without any filter', function() { expect(element(by.css('#bind-default div')).getInnerHtml()). toBe("<p style=\"color:blue\">an html\n" + "<em onmouseover=\"this.textContent='PWN3D!'\">click here</em>\n" + "snippet</p>"); }); it('should update', function() { element(by.model('snippet')).clear(); element(by.model('snippet')).sendKeys('new text'); expect(element(by.css('#bind-html-with-sanitize div')).getInnerHtml()). toBe('new text'); expect(element(by.css('#bind-html-with-trust div')).getInnerHtml()).toBe( 'new text'); expect(element(by.css('#bind-default div')).getInnerHtml()).toBe( "new <b onclick=\"alert(1)\">text</b>"); });By enabling this setting without taking other precautions, you might expose your * application to click-hijacking attacks. In these attacks, sanitized svg elements could be positioned * outside of the containing element and be rendered over other elements on the page (e.g. a login * link). Such behavior can then result in phishing incidents.
* *To protect against these, explicitly setup `overflow: hidden` css rule for all potential svg * tags within the sanitized content:
* *
* .rootOfTheIncludedContent svg {
* overflow: hidden !important;
* }
*
* Filter | Source | Rendered |
---|---|---|
linky filter |
<div ng-bind-html="snippet | linky"> |
|
linky target |
<div ng-bind-html="snippetWithSingleURL | linky:'_blank'"> |
|
linky custom attributes |
<div ng-bind-html="snippetWithSingleURL | linky:'_self':{rel: 'nofollow'}"> |
|
no filter | <div ng-bind="snippet"> |