
Commit 30084c1

committed
fix(ngHref): allow numbers and other objects in interpolation
Interpolated content in ngHref must be stringified before being passed to $$sanitizeUri by $sce, since $$sanitizeUri only accepts strings. Before 1.7.x, sanitization happened on the already-interpolated (string) value inside $compile. Closes #16652 Fixes #16626
1 parent 668a33d commit 30084c1


2 files changed

+37
-1
lines changed


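--- a/src/ng/sce.js
+++ b/src/ng/sce.js
@@ -440,7 +440,7 @@ function $SceDelegateProvider() {
 // If we get here, then we will either sanitize the value or throw an exception.
 if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) {
 // we attempt to sanitize non-resource URLs
-return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL);
+return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL);
 } else if (type === SCE_CONTEXTS.RESOURCE_URL) {
 if (isResourceUrlAllowedByPolicy(maybeTrusted)) {
 return maybeTrusted;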
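Review bot: `maybeTrusted.toString()` on the new line 443 throws a TypeError when `maybeTrusted` is `null` or `undefined`, so any caller that reaches the URL/MEDIA_URL branch with a nullish value now gets an exception rather than a sanitized result; whether such values are already filtered out earlier in `getTrusted` cannot be seen from this hunk and should be confirmed. `return $$sanitizeUri(String(maybeTrusted), type === SCE_CONTEXTS.MEDIA_URL);` behaves identically for strings, numbers and objects with a custom `toString`, without the crash on nullish input. The security property is unchanged either way: `$$sanitizeUri` still runs on whatever string the conversion yields, which is what keeps a hostile `toString` from smuggling a `javascript:` URL past the check. The enclosing function starts and ends outside the hunk.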

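--- a/test/ng/directive/ngHrefSpec.js
+++ b/test/ng/directive/ngHrefSpec.js
@@ -79,6 +79,42 @@ describe('ngHref', function() {
 }));
 }
 
+
+it('should bind numbers', inject(function($rootScope, $compile) {
+element = $compile('<a ng-href="{{1234}}"></a>')($rootScope);
+$rootScope.$digest();
+expect(element.attr('href')).toEqual('1234');
+}));
+
+
+it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) {
+$rootScope.value = {};
+element = $compile('<a ng-href="{{value}}"></a>')($rootScope);
+$rootScope.$digest();
+expect(element.attr('href')).toEqual('[object Object]');
+
+function SafeClass() {}
+
+SafeClass.prototype.toString = function() {
+return 'custom value';
+};
+
+$rootScope.value = new SafeClass();
+$rootScope.$digest();
+expect(element.attr('href')).toEqual('custom value');
+
+function UnsafeClass() {}
+
+UnsafeClass.prototype.toString = function() {
+return 'javascript:alert(1);';
+};
+
+$rootScope.value = new UnsafeClass();
+$rootScope.$digest();
+expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);');
+}));
+
+
 if (isDefined(window.SVGElement)) {
 describe('SVGAElement', function() {
 it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {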
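Review bot: The new specs cover numbers and objects with a `toString`, but not the values most likely to break a `.toString()` call — `null`, `undefined` and booleans — nor an object whose `toString` returns a non-string, so a regression in either case would go unnoticed; a case such as `$rootScope.value = null; $rootScope.$digest(); expect(element.attr('href')).toEqual('');` (expected value to be confirmed against how interpolation stringifies nullish values) would pin that behaviour. As a point of style, the second `it` asserts three distinct scenarios by reassigning `$rootScope.value` and re-digesting, so a failure in the `UnsafeClass` step is reported under a name that also covers the `{}` and `SafeClass` steps; splitting it into one `it` per class, e.g. `it('should sanitize a javascript: URL returned by a custom toString()', ...)`, would make a failure self-explanatory. The `'unsafe:javascript:alert(1);'` assertion is the one that actually proves the sanitizer still runs after stringification and is worth keeping as its own case for that reason. The enclosing `describe` starts and ends outside the hunk.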
