feat(core): change the URL sanitization to only block javascript: URLs #49659

Closed
wants to merge 1 commit into from
Closed
@@ -9,13 +9,14 @@
import {XSS_SECURITY_URL} from '../error_details_base_url';

/**
* A pattern that recognizes a commonly useful subset of URLs that are safe.
* A pattern that recognizes URLs that are safe wrt. XSS in URL navigation
* contexts.
*
* This regular expression matches a subset of URLs that will not cause script
* execution if used in URL context within a HTML document. Specifically, this
* regular expression matches if (comment from here on and regex copied from
* Soy's EscapingConventions):
* (1) Either an allowed protocol (http, https, mailto or ftp).
* regular expression matches if:
* (1) Either a protocol that is not javascript:, and that has valid characters
* (alphanumeric or [+-.]).
* (2) or no protocol. A protocol must be followed by a colon. The below
* allows that by allowing colons only after one of the characters [/?#].
* A colon after a hash (#) must be in the fragment.
@@ -34,8 +35,7 @@ import {XSS_SECURITY_URL} from '../error_details_base_url';
*
* This regular expression was taken from the Closure sanitization library.
*/
const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|data|ftp|tel|file|sms):|[^&:/?#]*(?:[/?#]|$))/gi;

const SAFE_URL_PATTERN = /^(?!javascript:)(?:[a-z0-9+.-]+:|[^&:\/?#]*(?:[\/?#]|$))/i;
export function _sanitizeUrl(url: string): string {
url = String(url);
if (url.match(SAFE_URL_PATTERN)) return url;
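Review bot: The negative lookahead on the new `SAFE_URL_PATTERN` line rejects only the literal prefix `javascript:`, so any other scheme a browser might execute (for example `vbscript:` in legacy Internet Explorer) now passes through the scheme branch `[a-z0-9+.-]+:`, which turns the previous allowlist into a one-entry denylist with no margin for schemes the author did not think of. I would at least widen it to the script schemes that are known today, `const SAFE_URL_PATTERN = /^(?!(?:javascript|vbscript):)(?:[a-z0-9+.-]+:|[^&:\/?#]*(?:[\/?#]|$))/i;`, and keep a negative spec case for a scheme other than `javascript:` so a future regression is visible. Obfuscated forms such as a leading space or an embedded newline before the colon still appear to be rejected, but only because neither branch admits those characters ahead of `:`, not because of the lookahead, so that reasoning deserves a comment on the pattern. The context sentence "This regular expression was taken from the Closure sanitization library" no longer describes the rewritten pattern and should be replaced with something like `* Derived from the Closure sanitization pattern, but the scheme branch is now a denylist: only the javascript: scheme is rejected.`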
@@ -47,6 +47,7 @@ import {_sanitizeUrl} from '../../src/sanitization/url_sanitizer';
'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/', // Truncated.
'data:video/webm;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'data:audio/opus;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/',
'unknown-scheme:abc',
];
for (const url of validUrls) {
it(`valid ${url}`, () => expect(_sanitizeUrl(url)).toEqual(url));
@@ -57,7 +58,7 @@ import {_sanitizeUrl} from '../../src/sanitization/url_sanitizer';
const invalidUrls = [
'javascript:evil()',
'JavaScript:abc',
'evilNewProtocol:abc',
' javascript:abc',
' \n Java\n Script:abc',
'javascript:',
'&#106avascript:',