Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

style_sanitizer should allow quoted URLs #8701

Closed
vicb opened this issue May 17, 2016 · 1 comment
Closed

style_sanitizer should allow quoted URLs #8701

vicb opened this issue May 17, 2016 · 1 comment
Assignees
@mprobst
Labels
type: bug/fix

Comments

@vicb
Copy link
Contributor

vicb commented May 17, 2016

Current behavior
url("...") and url('...') both get sanitized to unsafe after 15ae710

Expected/desired behavior

  • Quoted URLs should be allowed per spec
  • Do we want to sanitize to url("unsafe:<src url - no quotes>") to be consistent

Other information

  • Discussed with @mprobst.
  • The( current code has no security concern (we are too conservative).
  • url() value also allow for optional WS but they should be seldom used.
mprobst added a commit to mprobst/angular that referenced this issue May 26, 2016
@mprobst
test(security): test case for quoted URL values.
cccef3d 
Test case that fixes angular#8701. This is already supported with the latest sanitizer
changes, but it's good to have an explicit test case.
@mprobst mprobst mentioned this issue May 26, 2016
Closed
mprobst added a commit to mprobst/angular that referenced this issue May 26, 2016
@mprobst
test(security): test case for quoted URL values.
3295be3 
Test case that fixes angular#8701. This is already supported with the latest sanitizer
changes, but it's good to have an explicit test case.
KiaraGrouwstra pushed a commit to KiaraGrouwstra/angular that referenced this issue Jun 21, 2016
@mprobst @KiaraGrouwstra
test(security): test case for quoted URL values.
02da77c 
Test case that fixes angular#8701. This is already supported with the latest sanitizer
changes, but it's good to have an explicit test case.
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Sep 8, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@mprobst mprobst

Labels
type: bug/fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

test(security): test case for quoted URL values. mprobst/angular
2 participants
@mprobst @vicb