This repository was archived by the owner on Aug 1, 2024. It is now read-only.

Commit 6429300

Closure Teamcopybara-github
authored andcommitted
goog.dom.safe SafeUrl wrappers only block javascript: URLs. This is consistent with the behavior of safevalues/dom which replaces this library.
RELNOTES: goog.dom.safe SafeUrl wrappers only block javascript: URLs. PiperOrigin-RevId: 502800611 Change-Id: I6bf2bd1ed59eb73525fc80fa91994e9a5ceed7aa
1 parent 24200ff commit 6429300


2 files changed

+11
-19
lines changed


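--- a/closure/goog/dom/safe.js
+++ b/closure/goog/dom/safe.js
@@ -222,7 +222,7 @@ goog.dom.safe.setFormElementAction = function(form, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 goog.asserts.dom.assertIsHtmlFormElement(form).action =
 goog.html.SafeUrl.unwrap(safeUrl);
@@ -255,7 +255,7 @@ goog.dom.safe.setButtonFormAction = function(button, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 goog.asserts.dom.assertIsHtmlButtonElement(button).formAction =
 goog.html.SafeUrl.unwrap(safeUrl);
@@ -287,7 +287,7 @@ goog.dom.safe.setInputFormAction = function(input, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 goog.asserts.dom.assertIsHtmlInputElement(input).formAction =
 goog.html.SafeUrl.unwrap(safeUrl);
@@ -346,7 +346,7 @@ goog.dom.safe.setAnchorHref = function(anchor, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 anchor.href = goog.html.SafeUrl.unwrap(safeUrl);
 };
@@ -373,8 +373,7 @@ goog.dom.safe.setAudioSrc = function(audioElement, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-var allowDataUrl = /^data:audio\//i.test(url);
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url, allowDataUrl);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 audioElement.src = goog.html.SafeUrl.unwrap(safeUrl);
 };
@@ -400,8 +399,7 @@ goog.dom.safe.setVideoSrc = function(videoElement, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-var allowDataUrl = /^data:video\//i.test(url);
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url, allowDataUrl);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 videoElement.src = goog.html.SafeUrl.unwrap(safeUrl);
 };
@@ -539,7 +537,7 @@ goog.dom.safe.setLinkHrefAndRel = function(link, url, rel) {
 } else { // string
 // SafeUrl.sanitize must return legitimate SafeUrl when passed a string.
 link.href = goog.html.SafeUrl.unwrap(
-goog.html.SafeUrl.sanitizeAssertUnchanged(url));
+goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url));
 }
 };
 
@@ -657,7 +655,7 @@ goog.dom.safe.setLocationHref = function(loc, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 loc.href = goog.html.SafeUrl.unwrap(safeUrl);
 };
@@ -692,7 +690,7 @@ goog.dom.safe.assignLocation = function(loc, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 loc.assign(goog.html.SafeUrl.unwrap(safeUrl));
 };
@@ -724,7 +722,7 @@ goog.dom.safe.replaceLocation = function(loc, url) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 loc.replace(goog.html.SafeUrl.unwrap(safeUrl));
 };
@@ -764,7 +762,7 @@ goog.dom.safe.openInWindow = function(url, opt_openerWin, opt_name, opt_specs) {
 if (url instanceof goog.html.SafeUrl) {
 safeUrl = url;
 } else {
-safeUrl = goog.html.SafeUrl.sanitizeAssertUnchanged(url);
+safeUrl = goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged(url);
 }
 var win = opt_openerWin || goog.global;
 // If opt_name is undefined, simply passing that in to open() causes IE to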
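Review bot: For string inputs the navigation wrappers in the last four hunks (`setLocationHref`, `assignLocation`, `replaceLocation`, `openInWindow`) now turn away only `javascript:` URLs, so a caller that relied on them to reject other schemes such as `data:` has to validate the scheme itself; the JSDoc of each setter lies outside these hunks and should state the narrower guarantee. In the `setLinkHrefAndRel` hunk the unchanged comment `// SafeUrl.sanitize must return legitimate SafeUrl when passed a string.` no longer matches the call below it, and I would replace it with `// String URLs are only checked for the javascript: scheme; other schemes pass through.`. `setAudioSrc` and `setVideoSrc` also lose the media-type restriction on `data:` URLs, which matches the assertions removed from safe_test.js. If the test file does not already contain one, a case asserting that a `javascript:` string is still rejected by each wrapper would pin the one guarantee that remains.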

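--- a/closure/goog/dom/safe_test.js
+++ b/closure/goog/dom/safe_test.js
@@ -496,9 +496,6 @@ testSuite({
 const safeUrl = 'data:audio/mp3;base64,a';
 safe.setAudioSrc(mockAudioElement, safeUrl);
 assertEquals(safeUrl, mockAudioElement.src);
-assertThrows(() => {
-safe.setAudioSrc(mockAudioElement, 'data:image/gif;base64,a');
-});
 },
 
 testSetVideoSrc() {
@@ -538,9 +535,6 @@ testSuite({
 const safeUrl = 'data:video/mp4;base64,a';
 safe.setVideoSrc(mockVideoElement, safeUrl);
 assertEquals(safeUrl, mockVideoElement.src);
-assertThrows(() => {
-safe.setVideoSrc(mockVideoElement, 'data:image/gif;base64,a');
-});
 },
 
 testSetEmbedSrc() {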
