X Tutup
Skip to content

Commit cc8755c

Browse files
lgalfasolgalfaso
committed
fix(sanitize): handle newline characters inside special tags
Handle newlines characters when they are present inside <script> and <style> tags. Closes angular#10943
1 parent 7b7b56d commit cc8755c

File tree

2 files changed

+9
-1
lines changed

2 files changed

+9
-1
lines changed

src/ngSanitize/sanitize.js

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -336,7 +336,7 @@ function htmlParser(html, handler) {
336336
}
337337

338338
} else {
339-
html = html.replace(new RegExp("(.*)<\\s*\\/\\s*" + stack.last() + "[^>]*>", 'i'),
339+
html = html.replace(new RegExp("([^]*)<\\s*\\/\\s*" + stack.last() + "[^>]*>", 'i'),
340340
function(all, text) {
341341
text = text.replace(COMMENT_REGEXP, "$1").replace(CDATA_REGEXP, "$1");
342342

test/ngSanitize/sanitizeSpec.js

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,10 @@ describe('HTML', function() {
140140
expectHTML('a<SCRIPT>evil< / scrIpt >c.').toEqual('ac.');
141141
});
142142

143+
it('should remove script that has newline characters', function() {
144+
expectHTML('a<SCRIPT\n>\n\revil\n\r< / scrIpt\n >c.').toEqual('ac.');
145+
});
146+
143147
it('should remove DOCTYPE header', function() {
144148
expectHTML('<!DOCTYPE html>').toEqual('');
145149
expectHTML('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"\n"http://www.w3.org/TR/html4/strict.dtd">').toEqual('');
@@ -160,6 +164,10 @@ describe('HTML', function() {
160164
expectHTML('a<STyle>evil</stYle>c.').toEqual('ac.');
161165
});
162166

167+
it('should remove style that has newline characters', function() {
168+
expectHTML('a<STyle \n>\n\revil\n\r</stYle\n>c.').toEqual('ac.');
169+
});
170+
163171
it('should remove script and style', function() {
164172
expectHTML('a<STyle>evil<script></script></stYle>c.').toEqual('ac.');
165173
});

0 commit comments

Comments
 (0)
X Tutup