fixup! fix($sanitize): prevent clobbered elements from freezing the browser

gkalpak · gkalpak · commit 082135587130 · 2017-02-10T17:37:52.000+02:00
diff --git a/src/ngSanitize/sanitize.js b/src/ngSanitize/sanitize.js
@@ -18,6 +18,7 @@ var forEach;
 var isDefined;
 var lowercase;
 var noop;
+var nodeContains;
 var htmlParser;
 var htmlSanitizeWriter;
 
@@ -218,6 +219,11 @@ function $SanitizeProvider() {
   htmlParser = htmlParserImpl;
   htmlSanitizeWriter = htmlSanitizeWriterImpl;
 
+  nodeContains = window.Node.prototype.contains || /** @this */ function(arg) {
+    // eslint-disable-next-line no-bitwise
+    return !!(this.compareDocumentPosition(arg) & 16);
+  };
+
   // Regular Expressions for parsing tags and attributes
   var SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g,
     // Match everything outside of normal chars and " (quote character)
@@ -381,12 +387,12 @@ function $SanitizeProvider() {
         if (node.nodeType === 1) {
           handler.end(node.nodeName.toLowerCase());
         }
-        nextNode = getNextSibling(node);
+        nextNode = getNonDescendant('nextSibling', node);
         if (!nextNode) {
           while (nextNode == null) {
-            node = node.parentNode;
+            node = getNonDescendant('parentNode', node);
             if (node === inertBodyElement) break;
-            nextNode = getNextSibling(node);
+            nextNode = getNonDescendant('nextSibling', node);
             if (node.nodeType === 1) {
               handler.end(node.nodeName.toLowerCase());
             }
@@ -518,17 +524,17 @@ function $SanitizeProvider() {
         stripCustomNsAttrs(nextNode);
       }
 
-      node = getNextSibling(node);
+      node = getNonDescendant('nextSibling', node);
     }
   }
 
-  function getNextSibling(node) {
-    // An element is clobbered if its `nextSibling` property points to one of its children
-    var nextNode = node.nextSibling;
-    if (nextNode && nextNode.parentNode === node) {
+  function getNonDescendant(propName, node) {
+    // An element is clobbered if its `propName` property points to one of its descendants
+    var nextNode = node[propName];
+    if (nodeContains.call(node, nextNode)) {
       throw $sanitizeMinErr('elclob', 'Failed to sanitize html because the element is clobbered: {0}', node.outerHTML || node.outerText);
     }
-    return node.nextSibling;
+    return nextNode;
   }
 }
 
diff --git a/test/ngSanitize/sanitizeSpec.js b/test/ngSanitize/sanitizeSpec.js
@@ -20,10 +20,6 @@ describe('HTML', function() {
   describe('htmlParser', function() {
     /* global htmlParser */
 
-    beforeEach(inject(function($sanitize) {
-      // We actually need to inject $sanitize to set up the htmlParser object
-    }));
-
     var handler, start, text, comment;
     beforeEach(function() {
       text = '';
@@ -253,7 +249,19 @@ describe('HTML', function() {
   it('should remove clobbered elements', function() {
     inject(function($sanitize) {
       expect(function() {
-        $sanitize('<form><input name=nextSibling></form>');
+        $sanitize('<form><input name="parentNode" /></form>');
+      }).toThrowMinErr('$sanitize', 'elclob');
+
+      expect(function() {
+        $sanitize('<form><div><div><input name="parentNode" /></div></div></form>');
+      }).toThrowMinErr('$sanitize', 'elclob');
+
+      expect(function() {
+        $sanitize('<form><input name="nextSibling" /></form>');
+      }).toThrowMinErr('$sanitize', 'elclob');
+
+      expect(function() {
+        $sanitize('<form><div><div><input name="nextSibling" /></div></div></form>');
       }).toThrowMinErr('$sanitize', 'elclob');
     });
   });
