fix(ngHref): allow numbers and other objects in interpolation

Interpolated content in ngHref must be stringified before being passed to $$sanitizeUri by $sce. Before 1.7.x, the sanitization had happened on the already interpolated value inside $compile. Closes #16652 Fixes #16626
angular · Aug 20, 2018 · 30084c1 · 30084c1
1 parent 668a33d
commit 30084c1
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/src/ng/sce.js b/src/ng/sce.js
@@ -440,7 +440,7 @@ function $SceDelegateProvider() {
       // If we get here, then we will either sanitize the value or throw an exception.
       if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) {
         // we attempt to sanitize non-resource URLs
-        return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL);
+        return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL);
       } else if (type === SCE_CONTEXTS.RESOURCE_URL) {
         if (isResourceUrlAllowedByPolicy(maybeTrusted)) {
           return maybeTrusted;

diff --git a/test/ng/directive/ngHrefSpec.js b/test/ng/directive/ngHrefSpec.js
@@ -79,6 +79,42 @@ describe('ngHref', function() {
     }));
   }
 
+
+  it('should bind numbers', inject(function($rootScope, $compile) {
+    element = $compile('<a ng-href="{{1234}}"></a>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('1234');
+  }));
+
+
+  it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) {
+    $rootScope.value = {};
+    element = $compile('<a ng-href="{{value}}"></a>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('[object Object]');
+
+    function SafeClass() {}
+
+    SafeClass.prototype.toString = function() {
+      return 'custom value';
+    };
+
+    $rootScope.value = new SafeClass();
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('custom value');
+
+    function UnsafeClass() {}
+
+    UnsafeClass.prototype.toString = function() {
+      return 'javascript:alert(1);';
+    };
+
+    $rootScope.value = new UnsafeClass();
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);');
+  }));
+
+
   if (isDefined(window.SVGElement)) {
     describe('SVGAElement', function() {
       it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {