Sanitize __amp_source_origin from templates URLs (ampproject#4670)
mkhatib authored and mityaha committed Nov 30, 2016
1 parent 8590255 commit a470b5e
Showing 3 changed files with 13 additions and 2 deletions.
4 changes: 4 additions & 0 deletions src/sanitizer.js
Expand Up @@ -20,6 +20,7 @@ import {
isProxyOrigin,
parseUrl,
resolveRelativeUrl,
SOURCE_ORIGIN_PARAM,
} from './url';
import {parseSrcset} from './srcset';
import {user} from './log';
Expand Down Expand Up @@ -286,6 +287,9 @@ function resolveAttrValue(tagName, attrName, attrValue) {
* @private Visible for testing.
*/
export function resolveUrlAttr(tagName, attrName, attrValue, windowLocation) {
user().assert(attrValue.indexOf(SOURCE_ORIGIN_PARAM) == -1,
'Source origin is not allowed in %s', attrValue);

const isProxyHost = isProxyOrigin(windowLocation);
const baseUrl = parseUrl(getSourceUrl(windowLocation));

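Review bot: The new guard in resolveUrlAttr is a plain substring match on the unparsed attribute value, so it only rejects the literal spelling `__amp_source_origin`; a percent-encoded or otherwise differently spelled parameter name would pass this check and could still be interpreted as that parameter once the URL is parsed downstream, which seems to be the case the assertion wants to rule out. It would be more robust to run the check on the parsed query of the resolved URL (the hunk already calls `parseUrl` a few lines later) rather than on the raw string, or to normalize the value first. As a point of style, `indexOf(...) == -1` mixes loose equality into a file that is otherwise strict; `user().assert(!attrValue.includes(SOURCE_ORIGIN_PARAM),` reads more directly. The body of resolveUrlAttr continues outside the hunk.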
4 changes: 2 additions & 2 deletions src/url.js
Expand Up @@ -37,8 +37,8 @@ let cache;
/** @private @const Matches amp_js_* paramters in query string. */
const AMP_JS_PARAMS_REGEX = /[?&]amp_js[^&]*/;

/** @private @const {string} */
const SOURCE_ORIGIN_PARAM = '__amp_source_origin';
/** @const {string} */
export const SOURCE_ORIGIN_PARAM = '__amp_source_origin';

/**
* @typedef {({
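Review bot: Now that SOURCE_ORIGIN_PARAM is part of the module's public surface, its JSDoc should say what the value denotes and why other modules care, since `@const {string}` alone carries no meaning for a caller. Something like `/** @const {string} Query parameter name carrying the document's source origin; author-supplied URLs must not set it. */`, with the second clause adjusted to match how the runtime actually uses the parameter, which this hunk does not show.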
7 changes: 7 additions & 0 deletions test/functional/test-sanitizer.js
Expand Up @@ -133,6 +133,13 @@ describe('sanitizeHtml', () => {

describe('resolveUrlAttr', () => {

it('should throw if __amp_source_origin is set', () => {
expect(() => resolveUrlAttr('a', 'href',
'/doc2?__amp_source_origin=https://google.com',
'http://acme.org/doc1'))
.to.throw(/Source origin is not allowed in/);
});

it('should be called by sanitizer', () => {
expect(sanitizeHtml('<a href="/path"></a>')).to.match(/http/);
expect(sanitizeHtml('<amp-img src="/path"></amp-img>')).to.match(/http/);
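Review bot: The new test only exercises the case where `__amp_source_origin` is the first and only query parameter, so it would not catch a regression that, say, checked only the start of the query string, and there is no negative case showing that an ordinary URL still resolves. Adding a second input where the parameter follows another one, e.g. `'/doc2?foo=bar&__amp_source_origin=https://google.com'`, and an assertion that `resolveUrlAttr('a', 'href', '/doc2?foo=bar', 'http://acme.org/doc1')` does not throw would pin the intended behaviour on both sides. The enclosing `describe('resolveUrlAttr', ...)` block continues past the end of the hunk.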
