diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
index eae696396d08..6c4402433557 100644
--- a/src/ngSanitize/sanitize.js
+++ b/src/ngSanitize/sanitize.js
@@ -313,16 +313,78 @@ function $SanitizeProvider() {
return obj;
}
- var inertBodyElement = (function(window) {
- var doc;
- if (window.document && window.document.implementation) {
- doc = window.document.implementation.createHTMLDocument('inert');
+ /**
+ * Create an inert document that contains the dirty HTML that needs sanitizing
+ * Depending upon browser support we use one of three strategies for doing this.
+ * Support: Safari 10.x -> XHR strategy
+ * Support: Firefox -> DomParser strategy
+ */
+ var getInertBodyElement /* function(html: string): HTMLBodyElement */ = (function(window, document) {
+ var inertDocument;
+ if (document && document.implementation) {
+ inertDocument = document.implementation.createHTMLDocument('inert');
} else {
throw $sanitizeMinErr('noinert', 'Can\'t create an inert html document');
}
- var docElement = doc.documentElement || doc.getDocumentElement();
- return docElement.getElementsByTagName('body')[0];
- })(window);
+ var inertBodyElement = (inertDocument.documentElement || inertDocument.getDocumentElement()).querySelector('body');
+
+ // Check for the Safari 10.1 bug - which allows JS to run inside the SVG G element
+ inertBodyElement.innerHTML = '';
+ if (!inertBodyElement.querySelector('svg')) {
+ return getInertBodyElement_XHR;
+ } else {
+ // Check for the Firefox bug - which prevents the inner img JS from being sanitized
+ inertBodyElement.innerHTML = '