
Commit 21e9e8c

R. Merkertvojtajina
R. Merkert
authored andcommitted
fix(ngSanitize): sanitizer should not accept <!--> as a valid comment
According to http://validator.w3.org/, `<!-->` is not a valid comment, and neither is any comment containing the `--` substring.
1 parent bf512bb commit 21e9e8c

2 files changed

+36
-3
lines changed

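--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -210,9 +210,10 @@ function htmlParser( html, handler ) {
 
 // Comment
 if ( html.indexOf("<!--") === 0 ) {
-index = html.indexOf("-->");
+// comments containing -- are not allowed unless they terminate the comment
+index = html.indexOf("--", 4);
 
-if ( index >= 0 ) {
+if ( index >= 0 && html.lastIndexOf("-->", index) === index) {
 if (handler.comment) handler.comment( html.substring( 4, index ) );
 html = html.substring( index + 3 );
 chars = false;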
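Review bot: The `html.lastIndexOf("-->", index) === index` guard on the new `if` line is correct but hard to read — it relies on lastIndexOf's fromIndex semantics to express "the first `--` at offset 4 or later is immediately followed by `>`"; `html.substr(index, 3) === "-->"` states that directly and stays ES5-compatible. The branch taken when the guard fails is outside the hunk, so it is presumably the later malformed-input path that the new spec tests expect to throw; a comment on the `if` line such as `// any other "--" (including the empty <!--> form) makes the comment malformed and falls through to the error path` would make that reliance explicit. htmlParser continues on both sides of the hunk.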

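--- a/test/ngSanitize/sanitizeSpec.js
+++ b/test/ngSanitize/sanitizeSpec.js
@@ -15,7 +15,7 @@ describe('HTML', function() {
 describe('htmlParser', function() {
 if (angular.isUndefined(window.htmlParser)) return;
 
-var handler, start, text;
+var handler, start, text, comment;
 beforeEach(function() {
 handler = {
 start: function(tag, attrs, unary){
@@ -35,10 +35,42 @@ describe('HTML', function() {
 },
 end:function(tag) {
 expect(tag).toEqual(start.tag);
+},
+comment:function(comment_) {
+comment = comment_;
 }
 };
 });
 
+it('should parse comments', function() {
+htmlParser('<!--FOOBAR-->', handler);
+expect(comment).toEqual('FOOBAR');
+});
+
+it('should throw an exception for invalid comments', function() {
+var caught=false;
+try {
+htmlParser('<!-->', handler);
+}
+catch (ex) {
+caught = true;
+// expected an exception due to a bad parse
+}
+expect(caught).toBe(true);
+});
+
+it('double-dashes are not allowed in a comment', function() {
+var caught=false;
+try {
+htmlParser('<!-- -- -->', handler);
+}
+catch (ex) {
+caught = true;
+// expected an exception due to a bad parse
+}
+expect(caught).toBe(true);
+});
+
 it('should parse basic format', function() {
 htmlParser('<tag attr="value">text</tag>', handler);
 expect(start).toEqual({tag:'tag', attrs:{attr:'value'}, unary:false});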
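Review bot: The new `comment` variable introduced in the first hunk is never reset in `beforeEach`, unlike `handler`, so `expect(comment).toEqual('FOOBAR')` in 'should parse comments' could be satisfied by a value left over from an earlier spec if test order changes; adding `comment = undefined;` at the top of the `beforeEach` callback closes that gap. The two throw-specs hand-roll a `caught` flag around try/catch; Jasmine's `expect(function() { htmlParser('<!-->', handler); }).toThrow();` expresses the same assertion in one line. Neither throw-spec asserts that `handler.comment` was not invoked, which is the sanitizer-relevant property for `<!-- -- -->`; an `expect(comment).toBeUndefined();` after the throw check would pin it once the reset is in place. The describe block continues outside both hunks.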
