Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

Commit

Permalink
Fix sanitization issues as suggested by evn
Browse files Browse the repository at this point in the history
  • Loading branch information
mhevery committed Dec 3, 2010
1 parent 5a8ad8f commit 2bbced2
Show file tree
Hide file tree
Showing 4 changed files with 86 additions and 25 deletions.
10 changes: 10 additions & 0 deletions regression/issue-169.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
<!DOCTYPE HTML>
<html xmlns:ng="http://angularjs.org">
<script type="text/javascript" src="../src/angular-bootstrap.js" ng:autobind></script>
<body>
<span ng:init='x = {d:3}; x1 = {bar:[x,5]}; x1.bar[0].d = 4'>
<input name="x1.bar[0].d" type="text"></input>
<input name="x.d" type="text"></input>
<span> {{x1}} -- {{x1.bar[0].d}}</span>
</body>
</html>
8 changes: 8 additions & 0 deletions regression/sanitizer.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
<!DOCTYPE HTML>
<html xmlns:ng="http://angularjs.org">
<script type="text/javascript" src="../src/angular-bootstrap.js" ng:autobind></script>
<body>
<textarea name="html" rows="10" cols="100"></textarea>
<div>{{html|html}}</div>
</body>
</html>
28 changes: 14 additions & 14 deletions src/sanitizer.js
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
// Regular Expressions for parsing tags and attributes
var START_TAG_REGEXP = /^<\s*([\w:]+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']*')|[^>\s]+))?)*)\s*(\/?)\s*>/,
END_TAG_REGEXP = /^<\s*\/\s*([\w:]+)[^>]*>/,
ATTR_REGEXP = /(\w+)(?:\s*=\s*(?:(?:"((?:\\.|[^"])*)")|(?:'((?:\\.|[^'])*)')|([^>\s]+)))?/g,
ATTR_REGEXP = /(\w+)(?:\s*=\s*(?:(?:"((?:[^"])*)")|(?:'((?:[^'])*)')|([^>\s]+)))?/g,
BEGIN_TAG_REGEXP = /^</,
BEGING_END_TAGE_REGEXP = /^<\s*\//,
COMMENT_REGEXP = /<!--(.*?)-->/g,
Expand All @@ -26,32 +26,32 @@ var START_TAG_REGEXP = /^<\s*([\w:]+)((?:\s+\w+(?:\s*=\s*(?:(?:"[^"]*")|(?:'[^']
NON_ALPHANUMERIC_REGEXP = /([^\#-~| |!])/g; // Match everything outside of normal chars and " (quote character)

// Empty Elements - HTML 4.01
var emptyElements = makeMap("area,base,basefont,br,col,hr,img,input,isindex,link,param");
var emptyElements = makeMap("area,br,col,hr,img");

// Block Elements - HTML 4.01
var blockElements = makeMap("address,blockquote,button,center,dd,del,dir,div,dl,dt,fieldset,"+
"form,hr,ins,isindex,li,map,menu,ol,p,pre,script,table,tbody,td,tfoot,th,thead,tr,ul");
var blockElements = makeMap("address,blockquote,center,dd,del,dir,div,dl,dt,"+
"hr,ins,li,map,menu,ol,p,pre,script,table,tbody,td,tfoot,th,thead,tr,ul");

// Inline Elements - HTML 4.01
var inlineElements = makeMap("a,abbr,acronym,b,basefont,bdo,big,br,button,cite,code,del,dfn,em,font,i,img,"+
"input,ins,kbd,label,map,q,s,samp,select,small,span,strike,strong,sub,sup,textarea,tt,u,var");
var inlineElements = makeMap("a,abbr,acronym,b,bdo,big,br,cite,code,del,dfn,em,font,i,img,"+
"ins,kbd,label,map,q,s,samp,small,span,strike,strong,sub,sup,tt,u,var");
// Elements that you can, intentionally, leave open
// (and which close themselves)
var closeSelfElements = makeMap("colgroup,dd,dt,li,options,p,td,tfoot,th,thead,tr");
var closeSelfElements = makeMap("colgroup,dd,dt,li,p,td,tfoot,th,thead,tr");
// Special Elements (can contain anything)
var specialElements = makeMap("script,style");
var validElements = extend({}, emptyElements, blockElements, inlineElements, closeSelfElements);

//see: http://www.w3.org/TR/html4/index/attributes.html
//Attributes that have their values filled in disabled="disabled"
var fillAttrs = makeMap("checked,compact,declare,defer,disabled,ismap,multiple,nohref,noresize,noshade,nowrap,readonly,selected");
var fillAttrs = makeMap("compact,ismap,nohref,nowrap");
//Attributes that have href and hence need to be sanitized
var uriAttrs = makeMap("background,href,longdesc,src,usemap");
var validAttrs = extend({}, fillAttrs, uriAttrs, makeMap(
'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
'color,cols,colspan,coords,dir,face,for,headers,height,hreflang,hspace,id,'+
'label,lang,language,maxlength,method,name,prompt,rel,rev,rows,rowspan,rules,'+
'scope,scrolling,shape,size,span,start,summary,tabindex,target,title,type,'+
'color,cols,colspan,coords,dir,face,headers,height,hreflang,hspace,'+
'lang,language,rel,rev,rows,rowspan,rules,'+
'scope,scrolling,shape,span,start,summary,target,title,type,'+
'valign,value,vspace,width'));

/**
Expand Down Expand Up @@ -249,12 +249,12 @@ function htmlSanitizeWriter(buf){
if (!ignore && specialElements[tag]) {
ignore = tag;
}
if (!ignore && validElements[tag]) {
if (!ignore && validElements[tag] == true) {
out('<');
out(tag);
foreach(attrs, function(value, key){
var lkey=lowercase(key);
if (validAttrs[lkey] && (uriAttrs[lkey]!==true || value.match(URI_REGEXP))) {
if (validAttrs[lkey]==true && (uriAttrs[lkey]!==true || value.match(URI_REGEXP))) {
out(' ');
out(key);
out('="');
Expand All @@ -267,7 +267,7 @@ function htmlSanitizeWriter(buf){
},
end: function(tag){
tag = lowercase(tag);
if (!ignore && validElements[tag]) {
if (!ignore && validElements[tag] == true) {
out('</');
out(tag);
out('>');
Expand Down
65 changes: 54 additions & 11 deletions test/sanitizerSpec.js
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ describe('HTML', function(){
expectHTML('a<SCRIPT>ev<script>evil</sCript>il</scrIpt>c.').toEqual('ac.');
});

it('should remove unknown tag names', function(){
it('should remove unknown names', function(){
expectHTML('a<xxx><B>b</B></xxx>c').toEqual('a<b>b</b>c');
});

Expand All @@ -50,21 +50,33 @@ describe('HTML', function(){
});

it('should handle entities', function(){
var everything = '<div id="!@#$%^&amp;*()_+-={}[]:&#34;;\'&lt;&gt;?,./`~ &#295;">' +
var everything = '<div rel="!@#$%^&amp;*()_+-={}[]:&#34;;\'&lt;&gt;?,./`~ &#295;">' +
'!@#$%^&amp;*()_+-={}[]:&#34;;\'&lt;&gt;?,./`~ &#295;</div>';
expectHTML(everything).toEqual(everything);
});

it('should handle improper html', function(){
expectHTML('< div id="</div>" alt=abc dir=\'"\' >text< /div>').
toEqual('<div id="&lt;/div&gt;" alt="abc" dir="&#34;">text</div>');
expectHTML('< div rel="</div>" alt=abc dir=\'"\' >text< /div>').
toEqual('<div rel="&lt;/div&gt;" alt="abc" dir="&#34;">text</div>');
});

it('should handle improper html2', function(){
expectHTML('< div id="</div>" / >').
toEqual('<div id="&lt;/div&gt;"/>');
expectHTML('< div rel="</div>" / >').
toEqual('<div rel="&lt;/div&gt;"/>');
});


it('should ignore back slash as escape', function(){
expectHTML('<img alt="xxx\\" title="><script>....">').
toEqual('<img alt="xxx\\" title="&gt;&lt;script&gt;...."/>');
});

it('should ignore object attributes', function(){
expectHTML('<a constructor="hola">:)</a>').
toEqual('<a>:)</a>');
expectHTML('<constructor constructor="hola">:)</constructor>').
toEqual('');
});

describe('htmlSanitizerWriter', function(){
var writer, html;
beforeEach(function(){
Expand All @@ -74,12 +86,12 @@ describe('HTML', function(){

it('should write basic HTML', function(){
writer.chars('before');
writer.start('div', {id:'123'}, false);
writer.start('div', {rel:'123'}, false);
writer.chars('in');
writer.end('div');
writer.chars('after');

expect(html).toEqual('before<div id="123">in</div>after');
expect(html).toEqual('before<div rel="123">in</div>after');
});

it('should escape text nodes', function(){
Expand All @@ -93,8 +105,8 @@ describe('HTML', function(){
});

it('should escape attributes', function(){
writer.start('div', {id:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
expect(html).toEqual('<div id="!@#$%^&amp;*()_+-={}[]:&#34;;\'&lt;&gt;?,./`~ &#10;&#0;&#13;&#295;">');
writer.start('div', {rel:'!@#$%^&*()_+-={}[]:";\'<>?,./`~ \n\0\r\u0127'});
expect(html).toEqual('<div rel="!@#$%^&amp;*()_+-={}[]:&#34;;\'&lt;&gt;?,./`~ &#10;&#0;&#13;&#295;">');
});

it('should ignore missformed elements', function(){
Expand All @@ -107,6 +119,37 @@ describe('HTML', function(){
expect(html).toEqual('<div>');
});

describe('explicitly dissallow', function(){
it('should not allow attributes', function(){
writer.start('div', {id:'a', name:'a', style:'a'});
expect(html).toEqual('<div>');
});

it('should not allow tags', function(){
function tag(name) {
writer.start(name, {});
writer.end(name);
};
tag('frameset');
tag('frame');
tag('form');
tag('param');
tag('object');
tag('embed');
tag('textarea');
tag('input');
tag('button');
tag('option');
tag('select');
tag('script');
tag('style');
tag('link');
tag('base');
tag('basefont');
expect(html).toEqual('');
});
});

describe('isUri', function(){

function isUri(value) {
Expand Down

0 comments on commit 2bbced2

Please sign in to comment.