fix(compiler): disallow translations of iframe src
Fixes an issue where the compiler was allowing translations of `src` attributes on iframes, which can be a security issue.
This commit is contained in:
parent
626bc8bc20
commit
02fbf08890
2 changed files with 3 additions and 1 deletions
@ -11,7 +11,7 @@
|
|||
* tags use '*'.
|
||||
*
|
||||
* Extracted from, and should be kept in sync with
|
||||
* https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations
|
||||
* https://www.w3.org/TR/trusted-types/#integrations
|
||||
*/
|
||||
const TRUSTED_TYPES_SINKS = new Set<string>([
|
||||
// NOTE: All strings in this set *must* be lowercase!
|
||||
|
|
@ -25,6 +25,7 @@ const TRUSTED_TYPES_SINKS = new Set<string>([
|
|||
|
||||
// TrustedScriptURL
|
||||
'embed|src',
|
||||
'iframe|src',
|
||||
'object|codebase',
|
||||
'object|data',
|
||||
]);
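Review bot: The new `'iframe|src'` entry is placed under the `// TrustedScriptURL` comment, yet the header above states this set is kept in sync with the Trusted Types integrations list, and to my knowledge that list does not treat `HTMLIFrameElement.src` as a TrustedScriptURL sink (its iframe integration is `srcdoc` as TrustedHTML). Someone later syncing the set against the spec could reasonably drop the entry as a mismatch and silently reopen the translation issue this commit fixes. The commit message indicates the entry exists so i18n cannot translate an iframe's resource URL, so a one-line comment carrying that rationale would protect it, e.g. `'iframe|src',  // not a Trusted Types sink per spec; listed so i18n cannot translate iframe resource URLs`. Whether other entries in the set also deviate from the spec cannot be judged from this hunk.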
|
||||
|
|
|
|||
|
|
@ -13,6 +13,7 @@ describe('isTrustedTypesSink', () => {
|
|||
expect(isTrustedTypesSink('iframe', 'srcdoc')).toBeTrue();
|
||||
expect(isTrustedTypesSink('p', 'innerHTML')).toBeTrue();
|
||||
expect(isTrustedTypesSink('embed', 'src')).toBeTrue();
|
||||
expect(isTrustedTypesSink('iframe', 'src')).toBeTrue();
|
||||
expect(isTrustedTypesSink('a', 'href')).toBeFalse();
|
||||
expect(isTrustedTypesSink('base', 'href')).toBeFalse();
|
||||
expect(isTrustedTypesSink('div', 'style')).toBeFalse();
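Review bot: The added assertion checks only that `('iframe', 'src')` is now recognised; there is no iframe-specific negative case, so a lookup that matched on the tag alone would still pass this spec. Adding `expect(isTrustedTypesSink('iframe', 'name')).toBeFalse();` next to it would pin that only the listed attributes on iframe count as sinks. The `it` block this belongs to starts outside the hunk.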
|
||||
|
|
|
|||