Allow "about" as a blockedURI

About is a legit blockedURI. This commit allows them to be accepted as a value for this field. This commit allowed for this by adding a concept of a "special case" for blocked URIs, which should be easy to update as more are needed.
tollmanz · May 12, 2016 · f31f06e · f31f06e
1 parent e8d1339
commit f31f06e
Show file tree

Hide file tree

Showing 2 changed files with 75 additions and 35 deletions.
diff --git a/lib/sanitize/blockedURI.js b/lib/sanitize/blockedURI.js
@@ -5,6 +5,21 @@ var sanitizeGloballyUniqueIdentifier = require('../util').sanitizeGloballyUnique
 var url = require('url');
 var validator = require('validator');
 
+/**
+ * Check for special blocked-uri values that are not URI and should be allowed.
+ *
+ * @param   {String}     blockedURI    The blocked-uri value to test.
+ * @returns {boolean}                  Whether or not the value is allowed.
+ */
+function isSpecialCase(blockedURI) {
+  var specialCases = [
+    'about',
+    'about:blank'
+  ];
+
+  return (specialCases.indexOf(blockedURI.trim()) >= 0);
+}
+
 /**
  * Sanitizes a `blocked-uri` value.
  *
@@ -20,6 +35,8 @@ function sanitize(blockedURI, protectedResource) {
 
   if (true === isGloballyUniqueIdentifier(blockedURI)) {
     result = sanitizeGloballyUniqueIdentifier(blockedURI);
+  } else if (isSpecialCase(blockedURI)) {
+    result = blockedURI.trim();
   } else if (validator.isURL(blockedURI)) {
     blockedURIPieces = url.parse(blockedURI);
 
@@ -42,5 +59,6 @@ function sanitize(blockedURI, protectedResource) {
 }
 
 module.exports = {
+  isSpecialCase: isSpecialCase,
   sanitize: sanitize
 };
diff --git a/test/lib/sanitize/blockedURI.js b/test/lib/sanitize/blockedURI.js
@@ -2,47 +2,69 @@
 
 var assert = require('chai').assert;
 var sanitize = require('../../../lib/sanitize/blockedURI').sanitize;
+var isSpecialCase = require('../../../lib/sanitize/blockedURI').isSpecialCase;
 
 suite(__dirname.split('/').pop(), function() {
   suite(__filename.split('/').pop().replace('.js', ''), function() {
-    test('sanitize is a function', function() {
-      assert.isFunction(sanitize);
+    suite('sanitize', function () {
+      test('sanitize is a function', function() {
+        assert.isFunction(sanitize);
+      });
+
+      test('convert data URIs to data', function() {
+        assert.equal(sanitize('data:xxxxxxxx'), 'data');
+      });
+
+      test('convert filesystem URIs to filesystem', function() {
+        assert.equal(sanitize('filesystem:xxxxxxxx'), 'filesystem');
+      });
+
+      test('convert blob URIs to blob', function() {
+        assert.equal(sanitize('blob:xxxxxxxx'), 'blob');
+      });
+
+      test('convert a non-URI string to an empty string', function() {
+        assert.equal(sanitize('test', {}), '');
+      });
+
+      test('return the origin of a blocked URI when it does not match the protected resource\'s origin', function() {
+        assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.another-example.com'), 'http://www.example.com');
+      });
+
+      test('return the origin of a blocked URI when it does not match the protected resource\'s origin and the resource has a path', function() {
+        assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.another-example.com/yolo'), 'http://www.example.com');
+      });
+
+      test('return the full blocked URI when it matches the protected resource\'s origin', function() {
+        assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.example.com'), 'http://www.example.com/hello-world');
+      });
+
+      test('return the full blocked URI when it matches the protected resource\'s origin and the resource has a path', function() {
+        assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.example.com/testing'), 'http://www.example.com/hello-world');
+      });
+
+      test('return the blocked URI origin when it matches the protected resource\'s origin, but not protocol', function() {
+        assert.equal(sanitize('http://www.example.com/hello-world', 'https://www.example.com/testing'), 'http://www.example.com');
+      });
+
+      test('return a special case blocked URI', function() {
+        assert.equal(sanitize('about', 'https://www.example.com/testing'), 'about');
+      });
     });
 
-    test('convert data URIs to data', function() {
-      assert.equal(sanitize('data:xxxxxxxx'), 'data');
-    });
-
-    test('convert filesystem URIs to filesystem', function() {
-      assert.equal(sanitize('filesystem:xxxxxxxx'), 'filesystem');
-    });
-
-    test('convert blob URIs to blob', function() {
-      assert.equal(sanitize('blob:xxxxxxxx'), 'blob');
-    });
-
-    test('convert a non-URI string to an empty string', function() {
-      assert.equal(sanitize('test', {}), '');
-    });
-
-    test('return the origin of a blocked URI when it does not match the protected resource\'s origin', function() {
-      assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.another-example.com'), 'http://www.example.com');
-    });
-
-    test('return the origin of a blocked URI when it does not match the protected resource\'s origin and the resource has a path', function() {
-      assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.another-example.com/yolo'), 'http://www.example.com');
-    });
-
-    test('return the full blocked URI when it matches the protected resource\'s origin', function() {
-      assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.example.com'), 'http://www.example.com/hello-world');
-    });
-
-    test('return the full blocked URI when it matches the protected resource\'s origin and the resource has a path', function() {
-      assert.equal(sanitize('http://www.example.com/hello-world', 'http://www.example.com/testing'), 'http://www.example.com/hello-world');
-    });
+    suite('isSpecialCase', function() {
+      test('isSpecialCase is a function', function() {
+        assert.isFunction(isSpecialCase);
+      });
 
-    test('return the blocked URI origin when it matches the protected resource\'s origin, but not protocol', function() {
-      assert.equal(sanitize('http://www.example.com/hello-world', 'https://www.example.com/testing'), 'http://www.example.com');
+      test('returns true when special case is passed', function() {
+        assert.equal(isSpecialCase('about'), true);
+        assert.equal(isSpecialCase('about:blank'), true);
+        assert.equal(isSpecialCase(' about:blank'), true);
+        assert.equal(isSpecialCase(' about:blank '), true);
+        assert.equal(isSpecialCase('about:blank '), true);
+        assert.equal(isSpecialCase('    about:blank     '), true);
+      });
     });
   });
 });