fix($sanitize): Use same whitelist mechanism as $compile does. #5137
Conversation
Thanks for the PR!
If you need to make changes to your pull request, you can update the commit with Thanks again for your help!
the commit message should read:
@@ -500,7 +500,8 @@ function $CompileProvider($provide) { | |||
COMMENT_DIRECTIVE_REGEXP = /^\s*directive\:\s*([\d\w\-_]+)\s+(.*)$/, | |||
CLASS_DIRECTIVE_REGEXP = /(([\d\w\-_]+)(?:\:([^;]+))?;?)/, | |||
aHrefSanitizationWhitelist = /^\s*(https?|ftp|mailto|tel|file):/, | |||
imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file):|data:image\//; | |||
imgSrcSanitizationWhitelist = /^\s*(https?|ftp|file):|data:image\//, | |||
selfProvider = this; |
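Review bot: the `imgSrcSanitizationWhitelist` regex on the `+` line keeps the alternation `^\s*(https?|ftp|file):|data:image\/` ungrouped, so only the first branch is anchored and `data:image/` is accepted anywhere in the URI rather than at its start; group the alternation under the anchor, e.g. `/^\s*((https?|ftp|file):|data:image\/)/`, especially now that `$sanitize` will rely on this same regex. The new `selfProvider = this` binding would also read more clearly as `$compileProvider`, since that is what it holds.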
This name is not very good because it makes it sound like the variable is a provider of self, but it's really just $compileProvider,
so I would call it like that.
I'm not too crazy about how the state is shared via $compileProvider, but right now I don't have a better suggestion. Can you think of another way?
The whitelist regex of $compileProvider can be configured and might be different for every injector. The only other way I can think of is creating a new service whose only purpose is to validate URIs. But that would be a new public API, although we could prefix it with E.g.
That would be the nicest way of doing it...
Either way we introduce a new public api:
I would vote for 2)
I like 2 better
Introduced the new
return uri; | ||
}; | ||
}; | ||
} |
missing blank line at the end of the file
lgtm. Next time please split this into two separate commits ($$sanitizeUri + linky) to make it easier to review.
Will do. Thanks!
`$sanitize` now uses the same mechanism as `$compile` to validate URIs. By this, the validation in `$sanitize` is more general and can be configured in the same way as the one in `$compile`.

Changes

- Creates the new private service `$$sanitizeUri`.
- Moves related specs from `compileSpec.js` into `sanitizeUriSpec.js`.
- Refactors the `linky` filter to be less dependent on `$sanitize` internal functions.

Fixes angular#3748.
Landed in master as 3335234
$sanitize now uses the same mechanism as $compile to validate uris.
By this, the validation in $sanitize is now more general and can be
configured using $compileProvider#imgSrcSanitizationWhitelist and
$compileProvider#aHrefSanitizationWhitelist.
This commit also refactors the linky filter to use $sanitize as a
service instead of directly referencing private functions of $sanitize.
Fixes #3748.
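A stand-alone model of the `$$sanitizeUri` service the commit describes, added here as an example rather than taken from the AngularJS source: one provider object holds both whitelists, consumers pass an `isImage` flag to select one, and a URI outside the whitelist comes back prefixed with `unsafe:`, as the real service does. The `createSanitizeUriProvider` and `restrictHrefWhitelist` names, the placeholder document origin and the use of Node's `URL` in place of AngularJS's `urlResolve()` are assumptions; the `data:image/` alternative is grouped under the anchor rather than left as in the hunk.

```javascript
// Added example: a stand-alone model of the $$sanitizeUri service, not the
// AngularJS source. One provider object carries both whitelists so $compile
// and $sanitize share a single, configurable policy.
function createSanitizeUriProvider() {
  var provider = {
    // Defaults taken from the $CompileProvider hunk above; the data:image
    // alternative is grouped under the ^\s* anchor (an assumption here).
    aHrefSanitizationWhitelist: /^\s*(https?|ftp|mailto|tel|file):/,
    imgSrcSanitizationWhitelist: /^\s*((https?|ftp|file):|data:image\/)/
  };

  // Stands in for AngularJS's urlResolve(): trims whitespace, lowercases the
  // scheme, resolves relative URIs. Assumption: placeholder document origin.
  function normalize(uri) {
    return new URL(uri, 'http://document.invalid/').href;
  }

  // $get builds the service: sanitizeUri(uri, isImage) returns the uri
  // untouched when the selected whitelist accepts its normalized form and
  // otherwise prefixes it with "unsafe:" so the browser will not act on it.
  provider.$get = function () {
    return function sanitizeUri(uri, isImage) {
      var regex = isImage ? provider.imgSrcSanitizationWhitelist
                          : provider.aHrefSanitizationWhitelist;
      if (uri === '') return uri;
      var normalized;
      try {
        normalized = normalize(uri);
      } catch (e) {
        return 'unsafe:' + uri;   // unparseable input is treated as untrusted
      }
      return regex.test(normalized) ? uri : 'unsafe:' + normalized;
    };
  };
  return provider;
}

// How a consumer obtains the service: $sanitize passes isImage per attribute,
// the linky filter sanitizes hrefs.
var sanitizeUriProvider = createSanitizeUriProvider();
var $$sanitizeUri = sanitizeUriProvider.$get();
function sanitizeHref(uri) { return $$sanitizeUri(uri, false); }
function sanitizeImgSrc(uri) { return $$sanitizeUri(uri, true); }

// Narrowing the policy in one place changes both consumers, the way
// $compileProvider.aHrefSanitizationWhitelist(regexp) does in AngularJS.
function restrictHrefWhitelist(regex) {
  sanitizeUriProvider.aHrefSanitizationWhitelist = regex;
}
```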