Skip to content
This repository has been archived by the owner on Apr 12, 2024. It is now read-only.

fix(ngHref): allow numbers as input #16652

Merged
merged 3 commits into from
Aug 20, 2018
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/ng/sce.js
Original file line number Diff line number Diff line change
Expand Up @@ -440,7 +440,7 @@ function $SceDelegateProvider() {
// If we get here, then we will either sanitize the value or throw an exception.
if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) {
// we attempt to sanitize non-resource URLs
return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL);
return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL);
} else if (type === SCE_CONTEXTS.RESOURCE_URL) {
if (isResourceUrlAllowedByPolicy(maybeTrusted)) {
return maybeTrusted;
Expand Down
36 changes: 36 additions & 0 deletions test/ng/directive/ngHrefSpec.js
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,42 @@ describe('ngHref', function() {
}));
}


it('should bind numbers', inject(function($rootScope, $compile) {
element = $compile('<a ng-href="{{1234}}"></a>')($rootScope);
$rootScope.$digest();
expect(element.attr('href')).toEqual('1234');
}));


it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) {
$rootScope.value = {};
element = $compile('<a ng-href="{{value}}"></a>')($rootScope);
$rootScope.$digest();
expect(element.attr('href')).toEqual('[object Object]');

function SafeClass() {}

SafeClass.prototype.toString = function() {
return 'custom value';
};

$rootScope.value = new SafeClass();
$rootScope.$digest();
expect(element.attr('href')).toEqual('custom value');

function UnsafeClass() {}

UnsafeClass.prototype.toString = function() {
return 'javascript:alert(1);';
};

$rootScope.value = new UnsafeClass();
$rootScope.$digest();
expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);');
}));


if (isDefined(window.SVGElement)) {
describe('SVGAElement', function() {
it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {
Expand Down