This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 14119a9

committed
fixup! feat($compile): add support for arbitrary property and event bindings
1 parent 0beb9ba commit 14119a9


1 file changed

+34
-0
lines changed


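--- a/test/ng/ngPropSpec.js
+++ b/test/ng/ngPropSpec.js
@@ -236,6 +236,26 @@ describe('ngProp*', function() {
 $rootScope.$digest();
 expect(element.prop('src')).toEqual('untrusted:foo()');
 }));
+
+it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
+// As a MEDIA_URL URL
+var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
+// Some browsers complain if you try to write `javascript:` into an `img[src]`
+// So for the test use something different
+$rootScope.testUrl = 'untrusted:foo()';
+$rootScope.$digest();
+expect(element.prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
+
+it('should sanitize wrongly typed values', inject(function($rootScope, $compile, $sce) {
+// As a MEDIA_URL URL
+var element = $compile('<' + tag + ' ng-prop-src="testUrl"></' + tag + '>')($rootScope);
+// Some browsers complain if you try to write `javascript:` into an `img[src]`
+// So for the test use something different
+$rootScope.testUrl = $sce.trustAsCss('untrusted:foo()');
+$rootScope.$digest();
+expect(element.prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
 });
 }
 });
@@ -272,6 +292,20 @@ describe('ngProp*', function() {
 $rootScope.$digest();
 expect(element.find(tag).prop('src')).toEqual('javascript:foo()');
 }));
+
+it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) {
+var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
+$rootScope.testUrl = 'untrusted:foo()';
+$rootScope.$digest();
+expect(element.find(tag).prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
+
+it('should sanitize wrongly typed values', inject(function($rootScope, $compile, $sce) {
+var element = $compile('<video><' + tag + ' ng-prop-src="testUrl"></' + tag + '></video>')($rootScope);
+$rootScope.testUrl = $sce.trustAsCss('untrusted:foo()');
+$rootScope.$digest();
+expect(element.find(tag).prop('src')).toEqual('unsafe:untrusted:foo()');
+}));
 });
 });
 }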
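Review bot: The two `should sanitize wrongly typed values` tests (new lines 250 and 303) only exercise `$sce.trustAsCss`, and nothing records why a CSS-trusted wrapper is the case being pinned; a short comment such as `// A value trusted for a different $sce context must not be accepted as a media URL` would state the security property the assertion protects. If other unrelated contexts (for example `$sce.trustAsHtml`) are meant to be rejected the same way, one more assertion per block would keep a later change to the trusted-type handling from weakening this silently. In the two `should sanitize non-whitelisted values` tests (new lines 240 and 296) `$sce` is injected but never used, so the signature can be `inject(function($rootScope, $compile) {`. The enclosing `describe` blocks and whatever defines `tag` start outside both hunks, so this is judged from the visible lines only.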
