WIP: ie custom namespaces

Author: IgorMinar

src/ngSanitize/sanitize.js

@@ -336,6 +336,11 @@ function htmlParser(html, handler) {
       throw $sanitizeMinErr('uinput', "Failed to sanitize html because the input is unstable");
     }
     mXSSAttempts--;
+
+    // strip custom-namespaced attributes on IE<=11
+    if (document.documentMode <= 11) {
+      stripCustomNsAttrs(inertBodyElement);
+    }
     html = inertBodyElement.innerHTML; //trigger mXSS
     inertBodyElement.innerHTML = html;
   } while (html !== inertBodyElement.innerHTML);
@@ -467,5 +472,37 @@ function htmlSanitizeWriter(buf, uriValidator) {
 }
 
 
+/**
+ * When IE9-11 comes across an unknown namespaced attribute e.g. 'xlink:foo' it adds 'xmlns:ns1' attribute to declare
+ * ns1 namespace and prefixes the attribute with 'ns1' (e.g. 'ns1:xlink:foo'). This is undesirable since we don't want
+ * to allow any of these custom attributes. This method strips them all.
+ *
+ * @param element Root element to process
+ */
+function stripCustomNsAttrs(node) {
+  if (node.nodeType === Node.ELEMENT_NODE) {
+    var attrs = node.attributes;
+    for (var i = 0, l = attrs.length; i < l; i++) {
+      var attrNode = attrs[i];
+      var attrName = angular.toLowerCase(attrNode.name);
+      if (attrName === 'xmlns:ns1' || attrName.indexOf('ns1:') === 0) {
+        element.removeAttributeNode(attrNode);
+      }
+    }
+  }
+
+  var nextNode = node.firstChild;
+  if (nextNode) {
+    stripCustomNsAttrs(nextNode);
+  }
+
+  nextNode = node.nextSibling;
+  if (nextNode) {
+    stripCustomNsAttrs(nextNode);
+  }
+}
+
+
+
 // define ngSanitize module and register $sanitize service
 angular.module('ngSanitize', []).provider('$sanitize', $SanitizeProvider);