fix(core): CSS sanitizer now allows parens in file names #30322

Closed
fix(core): CSS sanitizer now allows parens in file names

Resolves an issue where images that were created with a name like `'foo (1).png'` would not pass CSS url sanitization.
benlesh committed May 8, 2019
commit 1c6b00ff52a99d4e20d56c3e6022d57bfe560dab
@@ -54,7 +54,7 @@ const SAFE_STYLE_VALUE = new RegExp(
* Given the common use case, low likelihood of attack vector, and low impact of an attack, this
* code is permissive and allows URLs that sanitize otherwise.
*/
const URL_RE = /^url\(([^)]+)\)$/;
const URL_RE = /^url\(([\w\W]*)\)$/;
This conversation was marked as resolved by benlesh

alfaproject (Contributor) commented May 8, 2019:

Isn't this equivalent? `.` and `[\w\W]`

benlesh (Author, Contributor) commented May 8, 2019:

:) I reached for that first, too. But `.` doesn't match `\n`, which is a valid character in the url string.

const re2 = /^url\((.*)\)$/; // the '.' variant; re2 was undefined in the original snippet, this definition is assumed from context
'url( foo/bar.png\n )'.match(re2); // null
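To make the difference discussed in this thread concrete, the following is an added example (not code from the Angular repository or from the PR) that runs the pre-change regex, the `.` variant suggested above, and the merged `[\w\W]` variant over the inputs the PR's tests use. The sample strings are constructed here to mirror those test cases; `url()` is added to show the side effect of moving from `+` to `*`.

```javascript
// Added example, not Angular's code: compare the three candidate regexes
// from this review on the URL values the PR's tests exercise.
const URL_RE_OLD = /^url\(([^)]+)\)$/;   // before the fix: no ')' inside, at least one char
const URL_RE_DOT = /^url\((.*)\)$/;      // the '.' variant: '.' never matches '\n'
const URL_RE_NEW = /^url\(([\w\W]*)\)$/; // after the fix: any char, including ')' and '\n'

// Constructed inputs mirroring the PR's test file (plus an empty url()).
const SAMPLES = [
  'url("foo/bar.png")',
  "url('foo/bar (1).png')",
  "url( 'foo/bar.png'\n )", // real newline inside the parens
  'url()',
];

// Returns the captured inner value, or null when the regex rejects the input.
function inner(re, value) {
  const m = value.match(re);
  return m ? m[1] : null;
}

// Result for one value under all three regexes; a null entry means "rejected
// before the URL sanitizer would even see the value".
function compare(value) {
  return {
    old: inner(URL_RE_OLD, value),
    dot: inner(URL_RE_DOT, value),
    next: inner(URL_RE_NEW, value),
  };
}

// Tabulate every sample so the behavioural differences are visible at a glance.
function report() {
  return SAMPLES.map(value => ({ value, ...compare(value) }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

Running it shows why each regex was proposed: only the old pattern rejects the parenthesised file name, only the `.` pattern rejects the value that contains a newline, and both the `.` and `[\w\W]` patterns now accept the empty `url()` that `[^)]+` used to reject.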

/**
* Checks that quotes (" and ') are properly balanced inside a string. Assumes
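Review bot: the new `URL_RE` widens the match in two ways, and only one is the fix the commit message describes. Replacing `[^)]` with `[\w\W]` lets the value contain `)` (the `'foo (1).png'` case), but swapping `+` for `*` at the same time makes the empty `url()` match where `[^)]+` rejected it. If that is not intended, keep the quantifier: `const URL_RE = /^url\(([\w\W]+)\)$/;`. A short comment above the regex saying that `[\w\W]` is used instead of `.` so that a `\n` inside the value still matches would also answer the question already raised in review without the next reader having to find the thread.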
@@ -32,7 +32,7 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
expectSanitize('rgb(255, 0, 0)').toEqual('rgb(255, 0, 0)');
expectSanitize('expression(haha)').toEqual('unsafe');
});
t.it('rejects unblanaced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
t.it('rejects unbalanced quotes', () => { expectSanitize('"value" "').toEqual('unsafe'); });
t.it('accepts transform functions', () => {
expectSanitize('rotate(90deg)').toEqual('rotate(90deg)');
expectSanitize('rotate(javascript:evil())').toEqual('unsafe');
@@ -58,6 +58,7 @@ import {_sanitizeStyle} from '../../src/sanitization/style_sanitizer';
t.it('accepts quoted URLs', () => {
expectSanitize('url("foo/bar.png")').toEqual('url("foo/bar.png")');
expectSanitize(`url('foo/bar.png')`).toEqual(`url('foo/bar.png')`);
expectSanitize(`url('foo/bar (1).png')`).toEqual(`url('foo/bar (1).png')`);
expectSanitize(`url( 'foo/bar.png'\n )`).toEqual(`url( 'foo/bar.png'\n )`);
expectSanitize('url("javascript:evil()")').toEqual('unsafe');
expectSanitize('url( " javascript:evil() " )').toEqual('unsafe');
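Review bot: both added assertions are positive cases, so nothing in this hunk pins down the second behavioural change in the regex: add `expectSanitize('url()')` with whichever result is intended now that the quantifier is `*`, so a later edit cannot flip it silently. The newline case on the added line is a real newline because it sits in a template literal, which is what the fix targets, but it is testing whitespace handling rather than quoting; moving it out of `'accepts quoted URLs'` into its own `t.it('accepts whitespace and newlines inside url()')` would make a failure there point at the right cause.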