feat(ngSanitize): accept SVG elements and attributes #9751
SVG elements and attributes are now accepted and sanitized by ngSanitize. Closes angular#9578
@@ -193,6 +193,12 @@ var inlineElements = angular.extend({}, optionalEndTagInlineElements, makeMap("a | |||
"bdi,bdo,big,br,cite,code,del,dfn,em,font,i,img,ins,kbd,label,map,mark,q,ruby,rp,rt,s," + | |||
"samp,small,span,strike,strong,sub,sup,time,tt,u,var")); | |||
|
|||
// SVG Elements | |||
// https://wiki.whatwg.org/wiki/Sanitization_rules#svg_Elements | |||
var svgElements = makeMap("a,animate,animateColor,animateMotion,animateTransform,circle,defs," + |
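Review bot: The `svgElements` list opens by allow-listing `animate`, `animateColor`, `animateMotion` and `animateTransform`, and animation elements can change attribute values on their target after the sanitizer has inspected the static markup. Either leave them out of this first version or make sure the attributes that name the animated property and supply its values are not in the accepted attribute list, and add a test covering that. Separately, `a` is already in `inlineElements` in the context line above, so it can be dropped here unless SVG content is handled as a separate case.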
won't `a` be treated as valid because of the html version anyway? or are we special casing stuff within an <svg>
Could be omitted, as it's already declared as valid before.
I'm sorry, but I wasn't able to verify your Contributor License Agreement (CLA) signature. CLA signature is required for any code contributions to AngularJS. Please sign our CLA and ensure that the CLA signature email address and the email address in this PR's commits match. If you signed the CLA as a corporation, please let us know the company's name. Thanks a bunch! PS: If you signed the CLA in the past then most likely the email addresses don't match. Please sign the CLA again or update the email address in the commit of this PR.
Hi, I just updated my CLA contact details to include the commit email address.
@chliebel did you sign with the email from https://github.com/angular/angular.js/pull/9751.patch ? --- never mind, I guess you did.
Okay thanks for verifying that
var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap"); | ||
var validAttrs = angular.extend({}, uriAttrs, makeMap( | ||
'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+ | ||
var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap,xmlns:href"); |
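Review bot: `xmlns:href`, the entry appended to `uriAttrs` on the changed line, is not the attribute SVG uses for links; the namespaced link attribute is `xlink:href`. With the name as written, an `xlink:href` value is never matched against the URI map, so it is either accepted without the URI check or dropped, depending on what the rest of the attribute allow-list contains. Replace the entry with `xlink:href` and add a test asserting that an `xlink:href` value with a disallowed scheme is stripped.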
Did you by any chance mean `xlink:href`?
Also, should we add `action` to the list (based on https://wiki.whatwg.org/wiki/Sanitization_rules#Attributes_whose_value_is_a_URI)?
It is xlink:href -- please send a pr, although I still need to figure out what is causing the failures and revert. I'll get to that in an hour or so.
On Oct 23, 2014, at 7:43 PM, Georgios Kalpakas notifications@github.com wrote:
In src/ngSanitize/sanitize.js:
//Attributes that have href and hence need to be sanitized
-var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap");
-var validAttrs = angular.extend({}, uriAttrs, makeMap(
- 'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,'+
+var uriAttrs = makeMap("background,cite,href,longdesc,src,usemap,xmlns:href");
Did you by any chance mean xlink:href ?
Also, should we add action to the list
(based on https://wiki.whatwg.org/wiki/Sanitization_rules#Attributes_whose_value_is_a_URI) ?
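The attribute-name point raised in the review comments above, as an added example (not code from the pull request or from AngularJS): an allow-listed attribute is only scheme-checked when its exact name is in the URI map. `makeMap` mirrors the helper name in the diff; `isSafeUri`, `buildPolicy`, `filterAttrs`, the scheme policy and the assumption that `xlink:href` is in the SVG attribute allow-list are hypothetical.

```javascript
// Added illustration; not code from the pull request or from AngularJS.
// makeMap mirrors the helper name seen in the diff; all other names are hypothetical.
function makeMap(str) {
  const map = Object.create(null);
  for (const key of str.split(',')) map[key] = true;
  return map;
}

// Assumed policy for this demo: relative URLs and a few schemes are acceptable.
const SAFE_SCHEME = /^(?:https?|ftp|mailto):/i;
function isSafeUri(value) {
  const v = value.replace(/[\u0000-\u0020]/g, ''); // drop whitespace/control chars
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(v);
  return !hasScheme || SAFE_SCHEME.test(v);
}

// Assumption: the SVG attribute allow-list contains xlink:href.
const svgAttrs = makeMap('width,height,viewbox,xlink:href');

function buildPolicy(uriAttrList) {
  const uriAttrs = makeMap(uriAttrList);
  // Same shape as the diff: every URI attribute is also a valid attribute.
  const validAttrs = Object.assign(Object.create(null), uriAttrs, svgAttrs);
  return { uriAttrs, validAttrs };
}

function filterAttrs(attrs, policy) {
  const kept = {};
  for (const [name, value] of Object.entries(attrs)) {
    const lname = name.toLowerCase();
    if (!policy.validAttrs[lname]) continue;                   // not allow-listed
    if (policy.uriAttrs[lname] && !isSafeUri(value)) continue; // URI with bad scheme
    kept[lname] = value;
  }
  return kept;
}

// Constructed sample attributes of an SVG element.
const sample = { width: '24', onclick: 'x()', 'xlink:href': 'javascript:void(0)' };

const asSubmitted = buildPolicy('background,cite,href,longdesc,src,usemap,xmlns:href');
const corrected = buildPolicy('background,cite,href,longdesc,src,usemap,xlink:href');

console.log(filterAttrs(sample, asSubmitted)); // xlink:href survives unchecked
console.log(filterAttrs(sample, corrected));   // xlink:href is dropped
```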
SVG elements and attributes are now accepted and sanitized by ngSanitize.
Closes #9578