From 30084c13699c814ff6703d7aa2d3947a9b2f7067 Mon Sep 17 00:00:00 2001
From: Martin Staffa <mjstaffa@googlemail.com>
Date: Mon, 20 Aug 2018 20:04:28 +0200
Subject: [PATCH] fix(ngHref): allow numbers and other objects in interpolation

Interpolated content in ngHref must be stringified before being passed to $$sanitizeUri by $sce. Before 1.7.x, the sanitization had happened on the already interpolated value inside $compile.

Closes #16652
Fixes #16626
---
 src/ng/sce.js                   |  2 +-
 test/ng/directive/ngHrefSpec.js | 36 +++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/src/ng/sce.js b/src/ng/sce.js
index 6bc99f23761f..0ee69fc89d8b 100644
--- a/src/ng/sce.js
+++ b/src/ng/sce.js
@@ -440,7 +440,7 @@ function $SceDelegateProvider() {
       // If we get here, then we will either sanitize the value or throw an exception.
       if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) {
         // we attempt to sanitize non-resource URLs
-        return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL);
+        return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL);
       } else if (type === SCE_CONTEXTS.RESOURCE_URL) {
         if (isResourceUrlAllowedByPolicy(maybeTrusted)) {
           return maybeTrusted;
diff --git a/test/ng/directive/ngHrefSpec.js b/test/ng/directive/ngHrefSpec.js
index 6d44ac8b5631..2c5e99c076b3 100644
--- a/test/ng/directive/ngHrefSpec.js
+++ b/test/ng/directive/ngHrefSpec.js
@@ -79,6 +79,42 @@ describe('ngHref', function() {
     }));
   }
 
+
+  it('should bind numbers', inject(function($rootScope, $compile) {
+    element = $compile('<a ng-href="{{1234}}"></a>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('1234');
+  }));
+
+
+  it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) {
+    $rootScope.value = {};
+    element = $compile('<a ng-href="{{value}}"></a>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('[object Object]');
+
+    function SafeClass() {}
+
+    SafeClass.prototype.toString = function() {
+      return 'custom value';
+    };
+
+    $rootScope.value = new SafeClass();
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('custom value');
+
+    function UnsafeClass() {}
+
+    UnsafeClass.prototype.toString = function() {
+      return 'javascript:alert(1);';
+    };
+
+    $rootScope.value = new UnsafeClass();
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);');
+  }));
+
+
   if (isDefined(window.SVGElement)) {
     describe('SVGAElement', function() {
       it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {