fix(core): hardening rules related to the attribute order on <iframe> elements

This commit updates the logic related to the attribute order on <iframe>s and makes the rules more strict. There is a set of <iframe> attributes that may affect the behavior of an <iframe>; this change enforces that these attributes are applied before the `src` or `srcdoc` attributes are applied to an <iframe>, so that they are taken into account. If Angular detects that some of the attributes are set after the `src` or `srcdoc`, it throws an error message, which contains the name of an attribute that is causing the problem and the name of a Component where an <iframe> is located. In most cases, it should be enough to change the order of attributes in a template to move the `src` or `srcdoc` ones to the very end.
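The ordering rule the commit message describes, as an added stand-alone example that is not Angular's own code: it scans `<iframe>` start tags in a template string and reports the first security-sensitive attribute that appears after `src` or `srcdoc`, naming the component the way the commit message says Angular's error does. The attribute list is an assumption about the contents of `IFRAME_SECURITY_SENSITIVE_ATTRS` (the page does not show it); the `[prop]` / `[attr.x]` binding handling and the component-name reporting are this example's own.

```javascript
// Assumed contents of IFRAME_SECURITY_SENSITIVE_ATTRS (not taken from the page).
const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set(
  ['sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority']);

// Attribute names of one <iframe ...> start tag, in source order, normalised so
// that static attrs, [prop] bindings and [attr.x] bindings compare equal.
function iframeAttrNames(tag) {
  const m = /^<iframe\b([^>]*)>/i.exec(tag.trim());
  if (!m) throw new Error('not an <iframe> start tag: ' + tag);
  const names = [];
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    names.push(a[1].toLowerCase().replace(/^\[(?:attr\.)?|\]$/g, ''));
  }
  return names;
}

// null when the order is safe; otherwise the first security-sensitive attribute
// that is set after src/srcdoc (and so would not affect the already-started load).
function findMisorderedAttr(tag) {
  let sawSrc = false;
  for (const name of iframeAttrNames(tag)) {
    if (name === 'src' || name === 'srcdoc') sawSrc = true;
    else if (sawSrc && IFRAME_SECURITY_SENSITIVE_ATTRS.has(name)) return name;
  }
  return null;
}

// Check every <iframe> in a template and report offenders with the component name.
function checkTemplate(componentName, template) {
  const problems = [];
  for (const tag of template.match(/<iframe\b[^>]*>/gi) || []) {
    const attr = findMisorderedAttr(tag);
    if (attr) problems.push(`${componentName}: '${attr}' must precede 'src'/'srcdoc' in ${tag}`);
  }
  return problems;
}

// Constructed sample template: first iframe is fine, second sets sandbox too late.
const SAMPLE_TEMPLATE = `
  <iframe sandbox="allow-scripts" src="https://example.invalid/a"></iframe>
  <iframe [src]="url" [sandbox]="flags"></iframe>`;
```

`checkTemplate('DemoCmp', SAMPLE_TEMPLATE)` returns one problem string for the second iframe; reordering its attributes so `[src]` comes last clears it.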
1 parent 0bc4405, commit 4b7207c
Showing 14 changed files with 1,020 additions and 16 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
/** | ||
* @license | ||
* Copyright Google LLC All Rights Reserved. | ||
* | ||
* Use of this source code is governed by an MIT-style license that can be | ||
* found in the LICENSE file at https://angular.io/license | ||
*/ | ||
|
||
import {IFRAME_SECURITY_SENSITIVE_ATTRS, SECURITY_SCHEMA} from '../src/schema/dom_security_schema'; | ||
|
||
|
||
describe('security-related tests', () => { | ||
it('should have no overlap between `IFRAME_SECURITY_SENSITIVE_ATTRS` and `SECURITY_SCHEMA`', | ||
() => { | ||
// The `IFRAME_SECURITY_SENSITIVE_ATTRS` and `SECURITY_SCHEMA` tokens configure sanitization | ||
// and validation rules and used to pick the right sanitizer function. | ||
// This test verifies that there is no overlap between two sets of rules to flag | ||
// a situation when 2 sanitizer functions may be needed at the same time (in which | ||
// case, compiler logic should be extended to support that). | ||
const schema = new Set(); | ||
Object.keys(SECURITY_SCHEMA()).forEach((key: string) => schema.add(key.toLowerCase())); | ||
let hasOverlap = false; | ||
IFRAME_SECURITY_SENSITIVE_ATTRS.forEach(attr => { | ||
if (schema.has('*|' + attr) || schema.has('iframe|' + attr)) { | ||
hasOverlap = true; | ||
} | ||
}); | ||
expect(hasOverlap).toBeFalse(); | ||
}); | ||
}); |
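Review bot: the `hasOverlap` boolean in the `forEach` loop throws away the information a failing run needs; `expect(hasOverlap).toBeFalse()` will only report "expected true to be false" without naming the attribute that collided. Collect the offenders instead, e.g. `const overlap = []; ... overlap.push(attr);` and finish with `expect(overlap).toEqual([]);`, so the failure lists the overlapping names. While there, the schema keys are lowercased before insertion but `attr` is compared as-is; using `attr.toLowerCase()` in the `schema.has(...)` checks keeps the comparison symmetric if a mixed-case entry is ever added to `IFRAME_SECURITY_SENSITIVE_ATTRS`. Minor: the comment "and validation rules and used to pick" should read "and are used to pick".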