Skip to content

Commit 837e519

Browse files
NarretzNarretz
authored
fix(ngHref): allow numbers and other objects in interpolation
Interpolated content in ngHref must be stringified before being passed to $$sanitizeUri by $sce. Before 1.7.x, the sanitization had happened on the already interpolated value inside $compile. Closes angular#16652 Fixes angular#16626
1 parent ad7ea95 commit 837e519

File tree

2 files changed

+37
-1
lines changed

2 files changed

+37
-1
lines changed

src/ng/sce.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -440,7 +440,7 @@ function $SceDelegateProvider() {
440440
// If we get here, then we will either sanitize the value or throw an exception.
441441
if (type === SCE_CONTEXTS.MEDIA_URL || type === SCE_CONTEXTS.URL) {
442442
// we attempt to sanitize non-resource URLs
443-
return $$sanitizeUri(maybeTrusted, type === SCE_CONTEXTS.MEDIA_URL);
443+
return $$sanitizeUri(maybeTrusted.toString(), type === SCE_CONTEXTS.MEDIA_URL);
444444
} else if (type === SCE_CONTEXTS.RESOURCE_URL) {
445445
if (isResourceUrlAllowedByPolicy(maybeTrusted)) {
446446
return maybeTrusted;

test/ng/directive/ngHrefSpec.js

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -79,6 +79,42 @@ describe('ngHref', function() {
7979
}));
8080
}
8181

82+
83+
it('should bind numbers', inject(function($rootScope, $compile) {
84+
element = $compile('<a ng-href="{{1234}}"></a>')($rootScope);
85+
$rootScope.$digest();
86+
expect(element.attr('href')).toEqual('1234');
87+
}));
88+
89+
90+
it('should bind and sanitize the result of a (custom) toString() function', inject(function($rootScope, $compile) {
91+
$rootScope.value = {};
92+
element = $compile('<a ng-href="{{value}}"></a>')($rootScope);
93+
$rootScope.$digest();
94+
expect(element.attr('href')).toEqual('[object Object]');
95+
96+
function SafeClass() {}
97+
98+
SafeClass.prototype.toString = function() {
99+
return 'custom value';
100+
};
101+
102+
$rootScope.value = new SafeClass();
103+
$rootScope.$digest();
104+
expect(element.attr('href')).toEqual('custom value');
105+
106+
function UnsafeClass() {}
107+
108+
UnsafeClass.prototype.toString = function() {
109+
return 'javascript:alert(1);';
110+
};
111+
112+
$rootScope.value = new UnsafeClass();
113+
$rootScope.$digest();
114+
expect(element.attr('href')).toEqual('unsafe:javascript:alert(1);');
115+
}));
116+
117+
82118
if (isDefined(window.SVGElement)) {
83119
describe('SVGAElement', function() {
84120
it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {

0 commit comments

Comments
 (0)