From 3dd42cea688a7b6f77893f49c254dad430f3ab49 Mon Sep 17 00:00:00 2001 From: Joey Perrott Date: Wed, 23 Sep 2020 11:09:18 -0700 Subject: [PATCH] refactor(misc): remove usages of whitelist and blacklist Remove miscellaneous usages and references to usages of whitelist and blacklist throughout the repository. --- .eslintrc-todo.json | 2 +- docs/config/processors/versions-data.js | 8 ++-- docs/content/guide/accessibility.ngdoc | 5 +- docs/content/guide/migration.ngdoc | 30 ++++++------ src/ng/compile.js | 64 ++++++++++++++++++++----- src/ng/http.js | 22 ++++++++- src/ng/sanitizeUri.js | 20 ++++---- src/ng/templateRequest.js | 8 ++-- src/ng/urlUtils.js | 10 ++-- src/ngAria/aria.js | 32 ++++++------- src/ngSanitize/sanitize.js | 10 ++-- test/ng/compileSpec.js | 20 ++++---- test/ng/ngPropSpec.js | 30 ++++++------ test/ng/sanitizeUriSpec.js | 8 ++-- test/ng/urlUtilsSpec.js | 2 +- test/ngAria/ariaSpec.js | 4 +- 16 files changed, 169 insertions(+), 106 deletions(-) diff --git a/.eslintrc-todo.json b/.eslintrc-todo.json index 7e89110084b7..a7b24d7a05b0 100644 --- a/.eslintrc-todo.json +++ b/.eslintrc-todo.json @@ -15,7 +15,7 @@ // Stylistic issues "block-spacing": ["error", "always"], "comma-spacing": "error", - "id-blacklist": ["error", "event"], + "id-denylist": ["error", "event"], "indent": ["error", 2], "key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }], "object-curly-spacing": ["error", "never"], diff --git a/docs/config/processors/versions-data.js b/docs/config/processors/versions-data.js index d52b6c420f69..fd7aceaa4d70 100644 --- a/docs/config/processors/versions-data.js +++ b/docs/config/processors/versions-data.js @@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) { return { $runAfter: ['generatePagesDataProcessor'], $runBefore: ['rendering-docs'], - // the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org - blacklist: ['1.3.4-build.3588'], + // Remove rogue builds that are in the npm repository but not on code.angularjs.org + ignoredBuilds: ['1.3.4-build.3588'], $process: function(docs) { - var blacklist = this.blacklist; + var ignoredBuilds = this.ignoredBuilds; var currentVersion = require('../../../build/version.json'); var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0]; var allVersions = processAllVersionsResponse(JSON.parse(output).data); @@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) { versions = versions .filter(function(versionStr) { - return blacklist.indexOf(versionStr) === -1; + return ignoredBuilds.indexOf(versionStr) === -1; }) .map(function(versionStr) { return semver.parse(versionStr); diff --git a/docs/content/guide/accessibility.ngdoc b/docs/content/guide/accessibility.ngdoc index c97aa51ae875..29d2ccd1f146 100644 --- a/docs/content/guide/accessibility.ngdoc +++ b/docs/content/guide/accessibility.ngdoc @@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun

ngClick and ngDblclick

If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in -a node blacklist: +the list of built in aria nodes: * Button * Anchor @@ -337,7 +337,8 @@ a node blacklist: * Details/Summary To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will -dynamically bind a keypress event by default as long as the element isn't in the node blacklist. +dynamically bind a keypress event by default as long as the element isn't in a node from the list of +built in aria nodes. You can turn this functionality on or off with the `bindKeypress` configuration option. ngAria will also add the `button` role to communicate to users of assistive technologies. This can diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc index ac76896f6d5e..9d5f85dc9106 100644 --- a/docs/content/guide/migration.ngdoc +++ b/docs/content/guide/migration.ngdoc @@ -276,15 +276,16 @@ statement. **Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**, the `xlink:href` security context for SVG's `a` and `image` elements has been lowered. -In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the +In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the purpose of binding to the `xlink:href` property of SVG's `` or `` elements and if the values do not pass the regular URL sanitization, they will break. To fix this you need to ensure that the values used for binding to the affected -`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in -`$compileProvider`'s `aHrefSanitizationTrustedUri` (for `` elements) or -`imgSrcSanitizationTrustedUri` (for `` elements). +`xlink:href` contexts are considered safe URLs, e.g. by trusting them in +`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form +1.8.1 onwards) (for `` elements) or `imgSrcSanitizationWhitelist` (called +`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `` elements).
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail: By default, only URLs with the same domain and protocol as the application document are considered safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either -whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`. +add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
@@ -1387,12 +1388,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'}); all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to trust a URL: -1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.** +1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.** You configure this list in a module configuration block: ```js appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) { - $sceDelegateProvider.trustedResourceUrlList([ + $sceDelegateProvider.resourceUrlWhitelist([ // Allow same origin resource loads. 'self', // Allow JSONP calls that match this pattern @@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it. Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094), the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements passed to it. This attribute is used to reference another element by `name` or `id`. Since the -`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only +`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only reference unsanitized content, which is a security risk. Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a), @@ -2662,11 +2663,12 @@ $scope.findTemplate = function(templateName) { return templateCache[templateName]; }; -// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't +// Alternatively, use `$sceDelegateProvider..resourceUrlWhitelist()` (called +// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't // have to use `$sce.trustAsResourceUrl()` at all: angular.module('myApp', []).config(function($sceDelegateProvider) { - $sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**']) + $sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**']) }); ``` @@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
  • {@link guide/migration#directive-priority Directive priority}
  • {@link guide/migration#ngscenario ngScenario}
  • {@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}
    • -
  • {@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}
    • +
  • {@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}
  • {@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with scope property}
  • {@link guide/migration#change-to-interpolation-priority Change to interpolation priority}
  • {@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}
    • @@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d [aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a). -### URLs are now sanitized against a whitelist +### URLs are now sanitized against a trusted URI matcher -A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe. -By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`. +A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe. +By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`. This change shouldn't impact apps that don't contain malicious image links. See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97), diff --git a/src/ng/compile.js b/src/ng/compile.js index c30e1aa530e8..1ea8ecd71b6a 100644 --- a/src/ng/compile.js +++ b/src/ng/compile.js @@ -1698,7 +1698,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { /** * @ngdoc method - * @name $compileProvider#aHrefSanitizationTrustedUri + * @name $compileProvider#aHrefSanitizationTrustedUrlList * @kind function * * @description @@ -1708,7 +1708,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { * The sanitization is a security measure aimed at preventing XSS attacks via html links. * * Any url about to be assigned to a[href] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUri` + * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * @@ -1716,20 +1716,40 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationTrustedUri = function(regexp) { + this.aHrefSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.aHrefSanitizationTrustedUri(regexp); + $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp); return this; } else { - return $$sanitizeUriProvider.aHrefSanitizationTrustedUri(); + return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(); } }; - this.aHrefSanitizationWhitelist = this.aHrefSanitizationTrustedUri; /** * @ngdoc method - * @name $compileProvider#imgSrcSanitizationTrustedUri + * @name $compileProvider#aHrefSanitizationWhitelist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This function is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList + * aHrefSanitizationTrustedUrlList} instead. + */ + Object.defineProperty(this, 'aHrefSanitizationWhitelist', { + get: function() { + return this.aHrefSanitizationTrustedUrlList; + }, + set: function(regexp) { + this.aHrefSanitizationTrustedUrlList = regexp; + } + }); + + + /** + * @ngdoc method + * @name $compileProvider#imgSrcSanitizationTrustedUrlList * @kind function * * @description @@ -1739,7 +1759,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { * The sanitization is a security measure aimed at prevent XSS attacks via html links. * * Any url about to be assigned to img[src] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUri` + * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * @@ -1747,15 +1767,35 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationTrustedUri = function(regexp) { + this.imgSrcSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.imgSrcSanitizationTrustedUri(regexp); + $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp); return this; } else { - return $$sanitizeUriProvider.imgSrcSanitizationTrustedUri(); + return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(); } }; - this.imgSrcSanitizationWhitelist = this.imgSrcSanitizationTrustedUri; + + + /** + * @ngdoc method + * @name $compileProvider#imgSrcSanitizationWhitelist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This function is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList + * imgSrcSanitizationTrustedUrlList} instead. + */ + Object.defineProperty(this, 'imgSrcSanitizationWhitelist', { + get: function() { + return this.imgSrcSanitizationTrustedUrlList; + }, + set: function(regexp) { + this.imgSrcSanitizationTrustedUrlList = regexp; + } + }); /** * @ngdoc method diff --git a/src/ng/http.js b/src/ng/http.js index b35d73a50d93..15654d3ed550 100644 --- a/src/ng/http.js +++ b/src/ng/http.js @@ -426,7 +426,27 @@ function $HttpProvider() { * }]); * ``` */ - var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = []; + var xsrfTrustedOrigins = this.xsrfTrustedOrigins = []; + + /** + * @ngdoc property + * @name $httpProvider#xsrfWhitelistedOrigins + * @description + * + * @deprecated + * sinceVersion="1.8.1" + * + * This function is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins} + * instead. + */ + Object.defineProperty(this, 'xsrfWhitelistedOrigins', { + get: function() { + return this.xsrfTrustedOrigins; + }, + set: function(origins) { + this.xsrfTrustedOrigins = origins; + } + }); this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce', function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) { diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js index fc4ebcaacbb4..495f49e03df0 100644 --- a/src/ng/sanitizeUri.js +++ b/src/ng/sanitizeUri.js @@ -7,8 +7,8 @@ */ function $$SanitizeUriProvider() { - var aHrefSanitizationTrustedUri = /^\s*(https?|s?ftp|mailto|tel|file):/, - imgSrcSanitizationTrustedUri = /^\s*((https?|ftp|file|blob):|data:image\/)/; + var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/, + imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/; /** * @description @@ -21,7 +21,7 @@ function $$SanitizeUriProvider() { * the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)` * which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL. * - * If the URL matches the `aHrefSanitizationTrustedUri` regular expression, it is returned unchanged. + * If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged. * * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written * to the DOM it is inactive and potentially malicious code will not be executed. @@ -30,12 +30,12 @@ function $$SanitizeUriProvider() { * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationTrustedUri = function(regexp) { + this.aHrefSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - aHrefSanitizationTrustedUri = regexp; + aHrefSanitizationTrustedUrlList = regexp; return this; } - return aHrefSanitizationTrustedUri; + return aHrefSanitizationTrustedUrlList; }; @@ -61,18 +61,18 @@ function $$SanitizeUriProvider() { * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationTrustedUri = function(regexp) { + this.imgSrcSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - imgSrcSanitizationTrustedUri = regexp; + imgSrcSanitizationTrustedUrlList = regexp; return this; } - return imgSrcSanitizationTrustedUri; + return imgSrcSanitizationTrustedUrlList; }; this.$get = function() { return function sanitizeUri(uri, isMediaUrl) { // if (!uri) return uri; - var regex = isMediaUrl ? imgSrcSanitizationTrustedUri : aHrefSanitizationTrustedUri; + var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList; var normalizedVal = urlResolve(uri && uri.trim()).href; if (normalizedVal !== '' && !normalizedVal.match(regex)) { return 'unsafe:' + normalizedVal; diff --git a/src/ng/templateRequest.js b/src/ng/templateRequest.js index 7653b92a9126..27c4411179eb 100644 --- a/src/ng/templateRequest.js +++ b/src/ng/templateRequest.js @@ -73,10 +73,10 @@ function $TemplateRequestProvider() { handleRequestFn.totalPendingRequests++; // We consider the template cache holds only trusted templates, so - // there's no need to go through whitelisting again for keys that already - // are included in there. This also makes AngularJS accept any script - // directive, no matter its name. However, we still need to unwrap trusted - // types. + // there's no need to go through adding the template again to the trusted + // resources for keys that already are included in there. This also makes + // AngularJS accept any script directive, no matter its name. However, we + // still need to unwrap trusted types. if (!isString(tpl) || isUndefined($templateCache.get(tpl))) { tpl = $sce.getTrustedResourceUrl(tpl); } diff --git a/src/ng/urlUtils.js b/src/ng/urlUtils.js index 7869fe361a48..cda48a3e6087 100644 --- a/src/ng/urlUtils.js +++ b/src/ng/urlUtils.js @@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) { } /** - * Create a function that can check a URL's origin against a list of allowed/whitelisted origins. + * Create a function that can check a URL's origin against a list of allowed/trusted origins. * The current location's origin is implicitly trusted. * - * @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted. + * @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted. * * @returns {Function} - A function that receives a URL (string or parsed URL object) and returns * whether it is of an allowed origin. */ -function urlIsAllowedOriginFactory(whitelistedOriginUrls) { - var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve)); +function urlIsAllowedOriginFactory(trustedOriginUrls) { + var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve)); /** * Check whether the specified URL (string or parsed URL object) has an origin that is allowed - * based on a list of whitelisted-origin URLs. The current location's origin is implicitly + * based on a list of trusted-origin URLs. The current location's origin is implicitly * trusted. * * @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be diff --git a/src/ngAria/aria.js b/src/ngAria/aria.js index 2fba21de0faa..37ac2696b3cb 100644 --- a/src/ngAria/aria.js +++ b/src/ngAria/aria.js @@ -64,7 +64,7 @@ var ngAriaModule = angular.module('ngAria', ['ng']). /** * Internal Utilities */ -var nodeBlackList = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY']; +var nativeAriaNodeNames = ['BUTTON', 'A', 'INPUT', 'TEXTAREA', 'SELECT', 'DETAILS', 'SUMMARY']; var isNodeOneOf = function(elem, nodeTypeArray) { if (nodeTypeArray.indexOf(elem[0].nodeName) !== -1) { @@ -136,12 +136,12 @@ function $AriaProvider() { config = angular.extend(config, newConfig); }; - function watchExpr(attrName, ariaAttr, nodeBlackList, negate) { + function watchExpr(attrName, ariaAttr, nativeAriaNodeNames, negate) { return function(scope, elem, attr) { if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return; var ariaCamelName = attr.$normalize(ariaAttr); - if (config[ariaCamelName] && !isNodeOneOf(elem, nodeBlackList) && !attr[ariaCamelName]) { + if (config[ariaCamelName] && !isNodeOneOf(elem, nativeAriaNodeNames) && !attr[ariaCamelName]) { scope.$watch(attr[attrName], function(boolVal) { // ensure boolean value boolVal = negate ? !boolVal : !!boolVal; @@ -165,7 +165,7 @@ function $AriaProvider() { * *```js * ngAriaModule.directive('ngDisabled', ['$aria', function($aria) { - * return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false); + * return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false); * }]) *``` * Shown above, the ngAria module creates a directive with the same signature as the @@ -217,31 +217,31 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) { return $aria.$$watchExpr('ngHide', 'aria-hidden', [], false); }]) .directive('ngValue', ['$aria', function($aria) { - return $aria.$$watchExpr('ngValue', 'aria-checked', nodeBlackList, false); + return $aria.$$watchExpr('ngValue', 'aria-checked', nativeAriaNodeNames, false); }]) .directive('ngChecked', ['$aria', function($aria) { - return $aria.$$watchExpr('ngChecked', 'aria-checked', nodeBlackList, false); + return $aria.$$watchExpr('ngChecked', 'aria-checked', nativeAriaNodeNames, false); }]) .directive('ngReadonly', ['$aria', function($aria) { - return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nodeBlackList, false); + return $aria.$$watchExpr('ngReadonly', 'aria-readonly', nativeAriaNodeNames, false); }]) .directive('ngRequired', ['$aria', function($aria) { - return $aria.$$watchExpr('ngRequired', 'aria-required', nodeBlackList, false); + return $aria.$$watchExpr('ngRequired', 'aria-required', nativeAriaNodeNames, false); }]) .directive('ngModel', ['$aria', function($aria) { - function shouldAttachAttr(attr, normalizedAttr, elem, allowBlacklistEls) { + function shouldAttachAttr(attr, normalizedAttr, elem, allowNonAriaNodes) { return $aria.config(normalizedAttr) && !elem.attr(attr) && - (allowBlacklistEls || !isNodeOneOf(elem, nodeBlackList)) && + (allowNonAriaNodes || !isNodeOneOf(elem, nativeAriaNodeNames)) && (elem.attr('type') !== 'hidden' || elem[0].nodeName !== 'INPUT'); } function shouldAttachRole(role, elem) { // if element does not have role attribute // AND element type is equal to role (if custom element has a type equaling shape) <-- remove? - // AND element is not in nodeBlackList - return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nodeBlackList); + // AND element is not in nativeAriaNodeNames + return !elem.attr('role') && (elem.attr('type') === role) && !isNodeOneOf(elem, nativeAriaNodeNames); } function getShape(attr, elem) { @@ -349,7 +349,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) { }; }]) .directive('ngDisabled', ['$aria', function($aria) { - return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nodeBlackList, false); + return $aria.$$watchExpr('ngDisabled', 'aria-disabled', nativeAriaNodeNames, false); }]) .directive('ngMessages', function() { return { @@ -373,7 +373,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) { var fn = $parse(attr.ngClick); return function(scope, elem, attr) { - if (!isNodeOneOf(elem, nodeBlackList)) { + if (!isNodeOneOf(elem, nativeAriaNodeNames)) { if ($aria.config('bindRoleForClick') && !elem.attr('role')) { elem.attr('role', 'button'); @@ -389,7 +389,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) { if (keyCode === 13 || keyCode === 32) { // If the event is triggered on a non-interactive element ... - if (nodeBlackList.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) { + if (nativeAriaNodeNames.indexOf(event.target.nodeName) === -1 && !event.target.isContentEditable) { // ... prevent the default browser behavior (e.g. scrolling when pressing spacebar) // See https://github.com/angular/angular.js/issues/16664 event.preventDefault(); @@ -411,7 +411,7 @@ ngAriaModule.directive('ngShow', ['$aria', function($aria) { return function(scope, elem, attr) { if (attr.hasOwnProperty(ARIA_DISABLE_ATTR)) return; - if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nodeBlackList)) { + if ($aria.config('tabindex') && !elem.attr('tabindex') && !isNodeOneOf(elem, nativeAriaNodeNames)) { elem.attr('tabindex', 0); } }; diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js index ed47fcb2394d..34e0e09ba532 100644 --- a/src/ngSanitize/sanitize.js +++ b/src/ngSanitize/sanitize.js @@ -41,12 +41,12 @@ var htmlSanitizeWriter; * @description * Sanitizes an html string by stripping all potentially dangerous tokens. * - * The input is sanitized by parsing the HTML into tokens. All safe tokens (from a whitelist) are + * The input is sanitized by parsing the HTML into tokens. All safe tokens (from a trusted URI list) are * then serialized back to a properly escaped HTML string. This means that no unsafe input can make * it into the returned string. * - * The whitelist for URL sanitization of attribute values is configured using the functions - * `aHrefSanitizationTrustedUri` and `imgSrcSanitizationTrustedUri` of {@link $compileProvider}. + * The trusted URIs for URL sanitization of attribute values is configured using the functions + * `aHrefSanitizationTrustedUrlList` and `imgSrcSanitizationTrustedUrlList` of {@link $compileProvider}. * * The input may also contain SVG markup if this is enabled via {@link $sanitizeProvider}. * @@ -277,8 +277,8 @@ function $SanitizeProvider() { * **Note**: * The new attributes will not be treated as URI attributes, which means their values will not be * sanitized as URIs using `$compileProvider`'s - * {@link ng.$compileProvider#aHrefSanitizationTrustedUri aHrefSanitizationTrustedUri} and - * {@link ng.$compileProvider#imgSrcSanitizationTrustedUri imgSrcSanitizationTrustedUri}. + * {@link ng.$compileProvider#aHrefSanitizationTrustedUrlList aHrefSanitizationTrustedUrlList} and + * {@link ng.$compileProvider#imgSrcSanitizationTrustedUrlList imgSrcSanitizationTrustedUrlList}. * *
    * This method must be called during the {@link angular.Module#config config} phase. Once the diff --git a/test/ng/compileSpec.js b/test/ng/compileSpec.js index ef6b904b11da..72db615d7d13 100644 --- a/test/ng/compileSpec.js +++ b/test/ng/compileSpec.js @@ -151,30 +151,30 @@ describe('$compile', function() { describe('configuration', function() { - it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUri`', function() { + it('should use $$sanitizeUriProvider for reconfiguration of the `aHrefSanitizationTrustedUrlList`', function() { module(function($compileProvider, $$sanitizeUriProvider) { var newRe = /safe:/, returnVal; - expect($compileProvider.aHrefSanitizationTrustedUri()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUri()); - returnVal = $compileProvider.aHrefSanitizationTrustedUri(newRe); + expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()); + returnVal = $compileProvider.aHrefSanitizationTrustedUrlList(newRe); expect(returnVal).toBe($compileProvider); - expect($$sanitizeUriProvider.aHrefSanitizationTrustedUri()).toBe(newRe); - expect($compileProvider.aHrefSanitizationTrustedUri()).toBe(newRe); + expect($$sanitizeUriProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe); + expect($compileProvider.aHrefSanitizationTrustedUrlList()).toBe(newRe); }); inject(function() { // needed to the module definition above is run... }); }); - it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUri`', function() { + it('should use $$sanitizeUriProvider for reconfiguration of the `imgSrcSanitizationTrustedUrlList`', function() { module(function($compileProvider, $$sanitizeUriProvider) { var newRe = /safe:/, returnVal; - expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()); - returnVal = $compileProvider.imgSrcSanitizationTrustedUri(newRe); + expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()); + returnVal = $compileProvider.imgSrcSanitizationTrustedUrlList(newRe); expect(returnVal).toBe($compileProvider); - expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUri()).toBe(newRe); - expect($compileProvider.imgSrcSanitizationTrustedUri()).toBe(newRe); + expect($$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe); + expect($compileProvider.imgSrcSanitizationTrustedUrlList()).toBe(newRe); }); inject(function() { // needed to the module definition above is run... diff --git a/test/ng/ngPropSpec.js b/test/ng/ngPropSpec.js index ddbe0d36b63a..647ecbb52283 100644 --- a/test/ng/ngPropSpec.js +++ b/test/ng/ngPropSpec.js @@ -250,9 +250,9 @@ describe('ngProp*', function() { // IE9 rejects the `video` / `audio` tags with "Error: Not implemented" if (msie !== 9 || tag === 'img') { describe(tag + '[src] context requirement', function() { - it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) { + it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) { var element = $compile('<' + tag + ' ng-prop-src="testUrl">')($rootScope); - $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted $rootScope.$digest(); expect(element.prop('src')).toEqual('http://example.com/image.mp4'); })); @@ -279,7 +279,7 @@ describe('ngProp*', function() { expect(element.prop('src')).toEqual('untrusted:foo()'); })); - it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) { + it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) { // As a MEDIA_URL URL var element = $compile('<' + tag + ' ng-prop-src="testUrl">')($rootScope); // Some browsers complain if you try to write `javascript:` into an `img[src]` @@ -308,9 +308,9 @@ describe('ngProp*', function() { if (msie !== 9) { ['source', 'track'].forEach(function(tag) { describe(tag + '[src]', function() { - it('should NOT require trusted values for whitelisted URIs', inject(function($rootScope, $compile) { + it('should NOT require trusted values for trusted URIs', inject(function($rootScope, $compile) { var element = $compile('')($rootScope); - $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.mp4'; // `http` is trusted $rootScope.$digest(); expect(element.find(tag).prop('src')).toEqual('http://example.com/image.mp4'); })); @@ -335,7 +335,7 @@ describe('ngProp*', function() { expect(element.find(tag).prop('src')).toEqual('javascript:foo()'); })); - it('should sanitize non-whitelisted values', inject(function($rootScope, $compile, $sce) { + it('should sanitize non-trusted values', inject(function($rootScope, $compile, $sce) { var element = $compile('')($rootScope); $rootScope.testUrl = 'untrusted:foo()'; $rootScope.$digest(); @@ -412,14 +412,14 @@ describe('ngProp*', function() { expect(element.prop('srcset')).toBe(''); })); - it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile, $sce) { + it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile, $sce) { var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl">')($rootScope); - $rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted + $rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted $rootScope.$digest(); expect(element.prop('srcset')).toEqual('http://example.com/image.png'); })); - it('should accept trusted values, if they are also whitelisted', inject(function($rootScope, $compile, $sce) { + it('should accept trusted values, if they are also trusted URIs', inject(function($rootScope, $compile, $sce) { var element = $compile('<' + srcsetElement + ' ng-prop-srcset="testUrl">')($rootScope); $rootScope.testUrl = $sce.trustAsUrl('http://example.com'); $rootScope.$digest(); @@ -506,8 +506,8 @@ describe('ngProp*', function() { }); describe('a[href] sanitization', function() { - it('should NOT require trusted values for whitelisted values', inject(function($rootScope, $compile) { - $rootScope.testUrl = 'http://example.com/image.png'; // `http` is whitelisted + it('should NOT require trusted values for trusted URI values', inject(function($rootScope, $compile) { + $rootScope.testUrl = 'http://example.com/image.png'; // `http` is trusted var element = $compile('')($rootScope); $rootScope.$digest(); expect(element.prop('href')).toEqual('http://example.com/image.png'); @@ -517,8 +517,8 @@ describe('ngProp*', function() { expect(element.prop('href')).toEqual('http://example.com/image.png'); })); - it('should accept trusted values for non-whitelisted values', inject(function($rootScope, $compile, $sce) { - $rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not whitelisted + it('should accept trusted values for non-trusted URI values', inject(function($rootScope, $compile, $sce) { + $rootScope.testUrl = $sce.trustAsUrl('javascript:foo()'); // `javascript` is not trusted var element = $compile('')($rootScope); $rootScope.$digest(); expect(element.prop('href')).toEqual('javascript:foo()'); @@ -528,8 +528,8 @@ describe('ngProp*', function() { expect(element.prop('href')).toEqual('javascript:foo()'); })); - it('should sanitize non-whitelisted values', inject(function($rootScope, $compile) { - $rootScope.testUrl = 'javascript:foo()'; // `javascript` is not whitelisted + it('should sanitize non-trusted values', inject(function($rootScope, $compile) { + $rootScope.testUrl = 'javascript:foo()'; // `javascript` is not trusted var element = $compile('')($rootScope); $rootScope.$digest(); expect(element.prop('href')).toEqual('unsafe:javascript:foo()'); diff --git a/test/ng/sanitizeUriSpec.js b/test/ng/sanitizeUriSpec.js index bd51aa6855e7..d89ae772194b 100644 --- a/test/ng/sanitizeUriSpec.js +++ b/test/ng/sanitizeUriSpec.js @@ -127,8 +127,8 @@ describe('sanitizeUri', function() { it('should allow reconfiguration of the src trusted URIs', function() { var returnVal; - expect(sanitizeUriProvider.imgSrcSanitizationTrustedUri() instanceof RegExp).toBe(true); - returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUri(/javascript:/); + expect(sanitizeUriProvider.imgSrcSanitizationTrustedUrlList() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(/javascript:/); expect(returnVal).toBe(sanitizeUriProvider); testUrl = 'javascript:doEvilStuff()'; @@ -228,8 +228,8 @@ describe('sanitizeUri', function() { it('should allow reconfiguration of the href trusted URIs', function() { var returnVal; - expect(sanitizeUriProvider.aHrefSanitizationTrustedUri() instanceof RegExp).toBe(true); - returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUri(/javascript:/); + expect(sanitizeUriProvider.aHrefSanitizationTrustedUrlList() instanceof RegExp).toBe(true); + returnVal = sanitizeUriProvider.aHrefSanitizationTrustedUrlList(/javascript:/); expect(returnVal).toBe(sanitizeUriProvider); testUrl = 'javascript:doEvilStuff()'; diff --git a/test/ng/urlUtilsSpec.js b/test/ng/urlUtilsSpec.js index 1da5605e27be..98d067263866 100644 --- a/test/ng/urlUtilsSpec.js +++ b/test/ng/urlUtilsSpec.js @@ -97,7 +97,7 @@ describe('urlUtils', function() { }); - it('should check against the list of whitelisted origins', function() { + it('should check against the list of trusted origins', function() { expect(urlIsAllowedOrigin('https://foo.com/path')).toBe(true); expect(urlIsAllowedOrigin(origin.protocol + '://bar.com:1337/path')).toBe(true); expect(urlIsAllowedOrigin('https://baz.com:1337/path')).toBe(false); diff --git a/test/ngAria/ariaSpec.js b/test/ngAria/ariaSpec.js index 2f96cb2f0a0a..b648f92f0d4f 100644 --- a/test/ngAria/ariaSpec.js +++ b/test/ngAria/ariaSpec.js @@ -1,6 +1,6 @@ 'use strict'; -/* globals nodeBlackList false */ +/* globals nativeAriaNodeNames false */ describe('$aria', function() { var scope, $compile, element; @@ -1064,7 +1064,7 @@ describe('$aria', function() { ); they('should not prevent default keyboard action if an interactive $type element' + - 'is nested inside ng-click', nodeBlackList, function(elementType) { + 'is nested inside ng-click', nativeAriaNodeNames, function(elementType) { function createHTML(type) { return '<' + type + '>'; }