angular · IgorMinar · May 1, 2015 · Aug 7, 2015 · Aug 7, 2015 · Aug 11, 2015
diff --git a/.travis.yml b/.travis.yml
@@ -19,10 +19,10 @@ env:
     - JOB=docs-e2e BROWSER_PROVIDER=saucelabs
     - JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=saucelabs
     - JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=saucelabs
-    - JOB=unit BROWSER_PROVIDER=browserstack
-    - JOB=docs-e2e BROWSER_PROVIDER=browserstack
-    - JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack
-    - JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack
+#    - JOB=unit BROWSER_PROVIDER=browserstack
+#    - JOB=docs-e2e BROWSER_PROVIDER=browserstack
+#    - JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack
+#    - JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack
   global:
     - SAUCE_USERNAME=angular-ci
     - SAUCE_ACCESS_KEY=9b988f434ff8-fbca-8aa4-4ae3-35442987
@@ -31,12 +31,12 @@ env:
     - LOGS_DIR=/tmp/angular-build/logs
     - BROWSER_PROVIDER_READY_FILE=/tmp/browsersprovider-tunnel-ready
 
-matrix:
-  allow_failures:
-    - env: "JOB=unit BROWSER_PROVIDER=browserstack"
-    - env: "JOB=docs-e2e BROWSER_PROVIDER=browserstack"
-    - env: "JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack"
-    - env: "JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack"
+#matrix:
+#  allow_failures:
+#    - env: "JOB=unit BROWSER_PROVIDER=browserstack"
+#    - env: "JOB=docs-e2e BROWSER_PROVIDER=browserstack"
+#    - env: "JOB=e2e TEST_TARGET=jqlite BROWSER_PROVIDER=browserstack"
+#    - env: "JOB=e2e TEST_TARGET=jquery BROWSER_PROVIDER=browserstack"
 
 install:
   # Check the size of caches

diff --git a/docs/content/error/$sanitize/badparse.ngdoc b/docs/content/error/$sanitize/badparse.ngdoc
diff --git a/docs/content/error/$sanitize/noinert.ngdoc b/docs/content/error/$sanitize/noinert.ngdoc
@@ -0,0 +1,10 @@
+@ngdoc error
+@name $sanitize:noinert
+@fullName Can't create an inert html document
+@description
+
+This error occurs when `$sanitize` sanitizer determines that `document.implementation.createHTMLDocument ` api is not supported by the current browser.
+
+This api is necessary for safe parsing of HTML strings into DOM trees and without it the sanitizer can't sanitize the input.
+
+The api is present in all supported browsers including IE 9.0, so the presence of this error usually indicates that Angular's `$sanitize` is being used on an unsupported platform.
diff --git a/docs/content/error/$sanitize/uinput.ngdoc b/docs/content/error/$sanitize/uinput.ngdoc
@@ -0,0 +1,13 @@
+@ngdoc error
+@name $sanitize:uinput
+@fullName Failed to sanitize html because the input is unstable
+@description
+
+This error occurs when `$sanitize` sanitizer tries to check the input for possible mXSS payload and the verification
+errors due to the input mutating indefinitely. This could be a sign that the payload contains code exploiting an mXSS
+vulnerability in the browser.
+
+mXSS attack exploit browser bugs that cause some browsers parse a certain html strings into DOM, which once serialized
+doesn't match the original input. These browser bugs can be exploited by attackers to create payload which looks
+harmless to sanitizers, but due to mutations caused by the browser are turned into dangerous code once processed after
+sanitization.
diff --git a/lib/htmlparser/htmlparser.js b/lib/htmlparser/htmlparser.js
diff --git a/src/ng/compile.js b/src/ng/compile.js
@@ -1124,7 +1124,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 
         nodeName = nodeName_(this.$$element);
 
-        if ((nodeName === 'a' && key === 'href') ||
+        if ((nodeName === 'a' && (key === 'href' || key === 'xlinkHref')) ||
             (nodeName === 'img' && key === 'src')) {
           // sanitize a[href] and img[src] values
           this[key] = value = $$sanitizeUri(value, key === 'src');