diff --git a/packages/compiler/src/schema/dom_security_schema.ts b/packages/compiler/src/schema/dom_security_schema.ts
index beeadef3332..235e174ffbe 100644
--- a/packages/compiler/src/schema/dom_security_schema.ts
+++ b/packages/compiler/src/schema/dom_security_schema.ts
@@ -105,6 +105,13 @@ export function SECURITY_SCHEMA(): {[k: string]: SecurityContext} {
 'none|href',
 'none|xlink:href',

+ // SVG animation value attributes — may animate URL-bearing attrs (e.g. attributeName="href")
+ // https://www.w3.org/TR/SVG11/animate.html#ToAttribute
+ 'animate|to',
+ 'animate|from',
+ 'animate|values',
+ 'set|to',
+
 // The below two items are safe and should be removed but they require a G3 clean-up as a small number of tests fail.
 'img|src',
 'video|src',
diff --git a/packages/compiler/test/schema/dom_element_schema_registry_spec.ts b/packages/compiler/test/schema/dom_element_schema_registry_spec.ts
index 8a0576caf2c..8ff238c420c 100644
--- a/packages/compiler/test/schema/dom_element_schema_registry_spec.ts
+++ b/packages/compiler/test/schema/dom_element_schema_registry_spec.ts
@@ -11,14 +11,11 @@
 import {
 DomElementSchemaRegistry,
 SCHEMA,
 } from '../../src/schema/dom_element_schema_registry';
-import {CUSTOM_ELEMENTS_SCHEMA, NO_ERRORS_SCHEMA, SecurityContext} from '@angular/core';
-import {isNode} from '@angular/private/testing';
+import {CUSTOM_ELEMENTS_SCHEMA, NO_ERRORS_SCHEMA, SecurityContext} from '../../src/core';
 import {Element} from '../../src/ml_parser/ast';
 import {HtmlParser} from '../../src/ml_parser/html_parser';

-import {extractSchema} from './schema_extractor';
-
 describe('DOMElementSchema', () => {
 let registry: DomElementSchemaRegistry;
 beforeEach(() => {
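Review bot: The comment on the new `animate|…` and `set|to` entries in dom_security_schema.ts says why they are URL-context but not why `animate|by` is left out, so a later reader cannot tell an oversight from a decision. I would extend it with one line such as `// 'by' is intentionally omitted: additive animation does not apply to URL-valued attributes (confirm against the SVG spec)`. Because the keys carry no `attributeName` condition, every bound `to`/`from`/`values` on these elements is classified as a URL whatever attribute it animates, which is the conservative choice and worth stating in the same comment. The body of `SECURITY_SCHEMA()` starts and ends outside this hunk.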
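Review bot: In dom_element_schema_registry_spec.ts the import hunk removes `isNode` and `extractSchema`, but no hunk shown for this file removes a use of either name; if the spec still references them further down it will stop compiling, so that is worth checking before merge. The switch of `SecurityContext` to `'../../src/core'` also means the assertions now compare against the compiler-local enum rather than the one exported by `@angular/core`. Presumably the two are kept in sync, but a short comment such as `// compiler-local copy of SecurityContext; must match @angular/core` would make that dependency explicit.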
@@ -157,6 +154,12 @@ If 'onAnything' is a directive input, make sure the directive is imported by the
 expect(registry.securityContext('a', 'href', false)).toBe(SecurityContext.URL);
 expect(registry.securityContext('a', 'style', false)).toBe(SecurityContext.STYLE);
 expect(registry.securityContext('base', 'href', false)).toBe(SecurityContext.RESOURCE_URL);
+
+ // SVG animate and set attributes
+ expect(registry.securityContext('animate', 'to', false)).toBe(SecurityContext.URL);
+ expect(registry.securityContext('animate', 'from', false)).toBe(SecurityContext.URL);
+ expect(registry.securityContext('animate', 'values', false)).toBe(SecurityContext.URL);
+ expect(registry.securityContext('set', 'to', false)).toBe(SecurityContext.URL);
 });

 it('should detect properties on namespaced elements', () => {
diff --git a/packages/core/test/sanitization/sanitization_spec.ts b/packages/core/test/sanitization/sanitization_spec.ts
index bdfbc388266..adbefb85cc3 100644
--- a/packages/core/test/sanitization/sanitization_spec.ts
+++ b/packages/core/test/sanitization/sanitization_spec.ts
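Review bot: All four new assertions pass `false` as the third argument, so only one of the two lookup modes is pinned; judging by the registry API that argument is the attribute flag, and SVG animation values are normally written as attribute bindings, a path these tests do not exercise. I would add the attribute form next to each, e.g. `expect(registry.securityContext('animate', 'to', true)).toBe(SecurityContext.URL);`. The next test concerns namespaced elements, so if the parser can hand the registry a prefixed SVG element name, a case for that spelling would confirm the schema key still matches (not visible from this hunk). The enclosing `it(...)` begins outside the hunk.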
@@ -166,6 +166,22 @@ describe('sanitization', () => {
 expect(
 ɵɵsanitizeUrlOrResourceUrl(bypassSanitizationTrustUrl('javascript:true'), 'a', 'href'),
 ).toEqual('javascript:true');
+
+ // SVG animate and set attributes
+ expect(ɵɵsanitizeUrlOrResourceUrl('javascript:alert(1)', 'animate', 'to')).toEqual(
+ 'unsafe:javascript:alert(1)',
+ );
+ expect(ɵɵsanitizeUrlOrResourceUrl('0.2', 'animate', 'to')).toEqual('0.2');
+ expect(ɵɵsanitizeUrlOrResourceUrl('javascript:alert(1)', 'animate', 'from')).toEqual(
+ 'unsafe:javascript:alert(1)',
+ );
+ expect(ɵɵsanitizeUrlOrResourceUrl('javascript:alert(1)', 'animate', 'values')).toEqual(
+ 'unsafe:javascript:alert(1)',
+ );
+ expect(ɵɵsanitizeUrlOrResourceUrl('javascript:alert(1)', 'set', 'to')).toEqual(
+ 'unsafe:javascript:alert(1)',
+ );
+ expect(ɵɵsanitizeUrlOrResourceUrl('0.2', 'set', 'to')).toEqual('0.2');
 });

 it('should only trust constant strings from template literal tags without interpolation', () => {
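Review bot: `values` is a semicolon-separated list in SVG, yet the only `values` assertion feeds a single `javascript:` URL, so the test does not show whether the sanitizer inspects every entry or only the start of the string. A case where a benign first entry is followed by a `javascript:` entry, expecting the `unsafe:` prefix, would pin that behaviour down. The benign pass-through check exists only for `to`; adding `expect(ɵɵsanitizeUrlOrResourceUrl('0;1', 'animate', 'values')).toEqual('0;1');` and a `from` equivalent would guard against over-blocking ordinary numeric animations. The enclosing `it(...)` begins outside the hunk.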