fix(interpolate): sanitize non-interpolated expressions for URL contexts

The MEDIA_URL and URL $sce contexts are used to describe URLs that can be used in
anchor links and image sources, etc.

The previous commit introduced new behaviour where we did not sanitize URL expressions
if they did not contain an interpolation.  This meant that hard coded `ng-href`
attributes would not be sanitized.  This change forces the `$interpolate` service
to check the trust (and so run sanitization) for all expressions that require the `URL`
or `MEDIA_URL` trusted contexts.

Author: petebacondarwin

src/ng/interpolate.js

@@ -238,16 +238,21 @@ function $InterpolateProvider() {
      * - `context`: evaluation context for all expressions embedded in the interpolated text
      */
     function $interpolate(text, mustHaveExpression, trustedContext, allOrNothing) {
+      var contextAllowsConcatenation = trustedContext === $sce.URL || trustedContext === $sce.MEDIA_URL;
+
       // Provide a quick exit and simplified result function for text with no interpolation
       if (!text.length || text.indexOf(startSymbol) === -1) {
-        var constantInterp;
-        if (!mustHaveExpression) {
-          var unescapedText = unescapeText(text);
-          constantInterp = valueFn(unescapedText);
-          constantInterp.exp = text;
-          constantInterp.expressions = [];
-          constantInterp.$$watchDelegate = constantWatchDelegate;
+        if (mustHaveExpression && !contextAllowsConcatenation) return;
+
+        var unescapedText = unescapeText(text);
+        if (contextAllowsConcatenation) {
+          unescapedText = $sce.getTrusted(trustedContext, unescapedText);
         }
+        var constantInterp = valueFn(unescapedText);
+        constantInterp.exp = text;
+        constantInterp.expressions = [];
+        constantInterp.$$watchDelegate = constantWatchDelegate;
+
         return constantInterp;
       }
 
@@ -261,8 +266,8 @@ function $InterpolateProvider() {
           exp,
           concat = [],
           expressionPositions = [],
-          singleExpression,
-          contextAllowsConcatenation = trustedContext === $sce.URL || trustedContext === $sce.MEDIA_URL;
+          singleExpression;
+
 
       while (index < textLength) {
         if (((startIndex = text.indexOf(startSymbol, index)) !== -1) &&

test/ng/compileSpec.js

@@ -3414,6 +3414,15 @@ describe('$compile', function() {
         })
     );
 
+    it('should interpolate a multi-part expression for regular attributes', inject(function($compile, $rootScope) {
+      element = $compile('<div foo="some/{{id}}"></div>')($rootScope);
+      $rootScope.$digest();
+      expect(element.attr('foo')).toBe('some/');
+      $rootScope.$apply(function() {
+        $rootScope.id = 1;
+      });
+      expect(element.attr('foo')).toEqual('some/1');
+    }));
 
     it('should process attribute interpolation in pre-linking phase at priority 100', function() {
       module(function() {

test/ng/directive/booleanAttrsSpec.js

@@ -118,221 +118,3 @@ describe('boolean attr directives', function() {
     }));
   });
 });
-
-
-describe('ngSrc', function() {
-  it('should interpolate the expression and bind to src with raw same-domain value',
-      inject(function($compile, $rootScope) {
-        var element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
-
-        $rootScope.$digest();
-        expect(element.attr('src')).toBeUndefined();
-
-        $rootScope.$apply(function() {
-          $rootScope.id = '/somewhere/here';
-        });
-        expect(element.attr('src')).toEqual('/somewhere/here');
-
-        dealoc(element);
-      }));
-
-
-  it('should interpolate the expression and bind to src with a trusted value', inject(function($compile, $rootScope, $sce) {
-    var element = $compile('<iframe ng-src="{{id}}"></iframe>')($rootScope);
-
-    $rootScope.$digest();
-    expect(element.attr('src')).toBeUndefined();
-
-    $rootScope.$apply(function() {
-      $rootScope.id = $sce.trustAsResourceUrl('http://somewhere');
-    });
-    expect(element.attr('src')).toEqual('http://somewhere');
-
-    dealoc(element);
-  }));
-
-
-  it('should NOT interpolate a multi-part expression in a `src` attribute that requires a non-MEDIA_URL context', inject(function($compile, $rootScope) {
-    expect(function() {
-      var element = $compile('<iframe ng-src="some/{{id}}"></iframe>')($rootScope);
-      $rootScope.$apply(function() {
-        $rootScope.id = 1;
-      });
-      dealoc(element);
-    }).toThrowMinErr(
-          '$interpolate', 'noconcat', 'Error while interpolating: some/{{id}}\nStrict ' +
-          'Contextual Escaping disallows interpolations that concatenate multiple expressions ' +
-          'when a trusted value is required.  See http://docs.angularjs.org/api/ng.$sce');
-  }));
-
-  it('should interpolate a multi-part expression for img src attribute (which requires the MEDIA_URL context)', inject(function($compile, $rootScope) {
-    var element = $compile('<img ng-src="some/{{id}}"></img>')($rootScope);
-    expect(element.attr('src')).toBe(undefined);  // URL concatenations are all-or-nothing
-    $rootScope.$apply(function() {
-      $rootScope.id = 1;
-    });
-    expect(element.attr('src')).toEqual('some/1');
-  }));
-
-
-  it('should interpolate a multi-part expression for regular attributes', inject(function($compile, $rootScope) {
-    var element = $compile('<div foo="some/{{id}}"></div>')($rootScope);
-    $rootScope.$digest();
-    expect(element.attr('foo')).toBe('some/');
-    $rootScope.$apply(function() {
-      $rootScope.id = 1;
-    });
-    expect(element.attr('foo')).toEqual('some/1');
-  }));
-
-
-  it('should NOT interpolate a wrongly typed expression', inject(function($compile, $rootScope, $sce) {
-    expect(function() {
-      var element = $compile('<iframe ng-src="{{id}}"></iframe>')($rootScope);
-      $rootScope.$apply(function() {
-        $rootScope.id = $sce.trustAsUrl('http://somewhere');
-      });
-      element.attr('src');
-    }).toThrowMinErr(
-            '$interpolate', 'interr', 'Can\'t interpolate: {{id}}\nError: [$sce:insecurl] Blocked ' +
-                'loading resource from url not allowed by $sceDelegate policy.  URL: http://somewhere');
-  }));
-
-
-  // Support: IE 9-11 only
-  if (msie) {
-    it('should update the element property as well as the attribute', inject(
-        function($compile, $rootScope, $sce) {
-          // on IE, if "ng:src" directive declaration is used and "src" attribute doesn't exist
-          // then calling element.setAttribute('src', 'foo') doesn't do anything, so we need
-          // to set the property as well to achieve the desired effect
-
-          var element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
-
-          $rootScope.$digest();
-          expect(element.prop('src')).toBe('');
-          dealoc(element);
-
-          element = $compile('<img ng-src="some/"></img>')($rootScope);
-
-          $rootScope.$digest();
-          expect(element.prop('src')).toMatch('/some/$');
-          dealoc(element);
-
-          element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
-          $rootScope.$apply(function() {
-            $rootScope.id = $sce.trustAsResourceUrl('http://somewhere/abc');
-          });
-          expect(element.prop('src')).toEqual('http://somewhere/abc');
-
-          dealoc(element);
-        }));
-  }
-});
-
-
-describe('ngSrcset', function() {
-  it('should interpolate the expression and bind to srcset', inject(function($compile, $rootScope) {
-    var element = $compile('<img ng-srcset="some/{{id}} 2x"></div>')($rootScope);
-
-    $rootScope.$digest();
-    expect(element.attr('srcset')).toBeUndefined();
-
-    $rootScope.$apply(function() {
-      $rootScope.id = 1;
-    });
-    expect(element.attr('srcset')).toEqual('some/1 2x');
-
-    dealoc(element);
-  }));
-});
-
-
-describe('ngHref', function() {
-  var element;
-
-  afterEach(function() {
-    dealoc(element);
-  });
-
-
-  it('should interpolate the expression and bind to href', inject(function($compile, $rootScope) {
-    element = $compile('<a ng-href="some/{{id}}"></div>')($rootScope);
-    $rootScope.$digest();
-    expect(element.attr('href')).toEqual('some/');
-
-    $rootScope.$apply(function() {
-      $rootScope.id = 1;
-    });
-    expect(element.attr('href')).toEqual('some/1');
-  }));
-
-
-  it('should bind href and merge with other attrs', inject(function($rootScope, $compile) {
-    element = $compile('<a ng-href="{{url}}" rel="{{rel}}"></a>')($rootScope);
-    $rootScope.url = 'http://server';
-    $rootScope.rel = 'REL';
-    $rootScope.$digest();
-    expect(element.attr('href')).toEqual('http://server');
-    expect(element.attr('rel')).toEqual('REL');
-  }));
-
-
-  it('should bind href even if no interpolation', inject(function($rootScope, $compile) {
-    element = $compile('<a ng-href="http://server"></a>')($rootScope);
-    $rootScope.$digest();
-    expect(element.attr('href')).toEqual('http://server');
-  }));
-
-  it('should not set the href if ng-href is empty', inject(function($rootScope, $compile) {
-    $rootScope.url = null;
-    element = $compile('<a ng-href="{{url}}">')($rootScope);
-    $rootScope.$digest();
-    expect(element.attr('href')).toEqual(undefined);
-  }));
-
-  it('should remove the href if ng-href changes to empty', inject(function($rootScope, $compile) {
-    $rootScope.url = 'http://www.google.com/';
-    element = $compile('<a ng-href="{{url}}">')($rootScope);
-    $rootScope.$digest();
-
-    $rootScope.url = null;
-    $rootScope.$digest();
-    expect(element.attr('href')).toEqual(undefined);
-  }));
-
-  // Support: IE 9-11 only, Edge 12-15+
-  if (msie || /\bEdge\/[\d.]+\b/.test(window.navigator.userAgent)) {
-    // IE/Edge fail when setting a href to a URL containing a % that isn't a valid escape sequence
-    // See https://github.com/angular/angular.js/issues/13388
-    it('should throw error if ng-href contains a non-escaped percent symbol', inject(function($rootScope, $compile) {
-      expect(function() {
-        element = $compile('<a ng-href="http://www.google.com/{{\'a%link\'}}">')($rootScope);
-      }).toThrow();
-    }));
-  }
-
-  if (isDefined(window.SVGElement)) {
-    describe('SVGAElement', function() {
-      it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {
-        element = $compile('<svg><a ng-href="some/{{id}}"></a></svg>')($rootScope);
-        var child = element.children('a');
-        $rootScope.$digest();
-        expect(child.attr('xlink:href')).toEqual('some/');
-
-        $rootScope.$apply(function() {
-          $rootScope.id = 1;
-        });
-        expect(child.attr('xlink:href')).toEqual('some/1');
-      }));
-
-
-      it('should bind xlink:href even if no interpolation', inject(function($rootScope, $compile) {
-        element = $compile('<svg><a ng-href="http://server"></a></svg>')($rootScope);
-        var child = element.children('a');
-        $rootScope.$digest();
-        expect(child.attr('xlink:href')).toEqual('http://server');
-      }));
-    });
-  }
-});

test/ng/directive/ngHrefSpec.js

@@ -0,0 +1,105 @@
+'use strict';
+
+describe('ngHref', function() {
+  var element;
+
+  afterEach(function() {
+    dealoc(element);
+  });
+
+
+  it('should interpolate the expression and bind to href', inject(function($compile, $rootScope) {
+    element = $compile('<a ng-href="some/{{id}}"></div>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('some/');
+
+    $rootScope.$apply(function() {
+      $rootScope.id = 1;
+    });
+    expect(element.attr('href')).toEqual('some/1');
+  }));
+
+
+  it('should bind href and merge with other attrs', inject(function($rootScope, $compile) {
+    element = $compile('<a ng-href="{{url}}" rel="{{rel}}"></a>')($rootScope);
+    $rootScope.url = 'http://server';
+    $rootScope.rel = 'REL';
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('http://server');
+    expect(element.attr('rel')).toEqual('REL');
+  }));
+
+
+  it('should bind href even if no interpolation', inject(function($rootScope, $compile) {
+    element = $compile('<a ng-href="http://server"></a>')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual('http://server');
+  }));
+
+  it('should not set the href if ng-href is empty', inject(function($rootScope, $compile) {
+    $rootScope.url = null;
+    element = $compile('<a ng-href="{{url}}">')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual(undefined);
+  }));
+
+  it('should remove the href if ng-href changes to empty', inject(function($rootScope, $compile) {
+    $rootScope.url = 'http://www.google.com/';
+    element = $compile('<a ng-href="{{url}}">')($rootScope);
+    $rootScope.$digest();
+
+    $rootScope.url = null;
+    $rootScope.$digest();
+    expect(element.attr('href')).toEqual(undefined);
+  }));
+
+  it('should sanitize interpolated url', inject(function($rootScope, $compile) {
+    /* eslint no-script-url: "off" */
+    $rootScope.imageUrl = 'javascript:alert(1);';
+    element = $compile('<a ng-href="{{imageUrl}}">')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toBe('unsafe:javascript:alert(1);');
+  }));
+
+  it('should sanitize non-interpolated url', inject(function($rootScope, $compile) {
+    element = $compile('<a ng-href="javascript:alert(1);">')($rootScope);
+    $rootScope.$digest();
+    expect(element.attr('href')).toBe('unsafe:javascript:alert(1);');
+  }));
+
+
+  // Support: IE 9-11 only, Edge 12-15+
+  if (msie || /\bEdge\/[\d.]+\b/.test(window.navigator.userAgent)) {
+    // IE/Edge fail when setting a href to a URL containing a % that isn't a valid escape sequence
+    // See https://github.com/angular/angular.js/issues/13388
+    it('should throw error if ng-href contains a non-escaped percent symbol', inject(function($rootScope, $compile) {
+      expect(function() {
+        element = $compile('<a ng-href="http://www.google.com/{{\'a%link\'}}">')($rootScope);
+      }).toThrow();
+    }));
+  }
+
+  if (isDefined(window.SVGElement)) {
+    describe('SVGAElement', function() {
+      it('should interpolate the expression and bind to xlink:href', inject(function($compile, $rootScope) {
+        element = $compile('<svg><a ng-href="some/{{id}}"></a></svg>')($rootScope);
+        var child = element.children('a');
+        $rootScope.$digest();
+        expect(child.attr('xlink:href')).toEqual('some/');
+
+        $rootScope.$apply(function() {
+          $rootScope.id = 1;
+        });
+        expect(child.attr('xlink:href')).toEqual('some/1');
+      }));
+
+
+      it('should bind xlink:href even if no interpolation', inject(function($rootScope, $compile) {
+        element = $compile('<svg><a ng-href="http://server"></a></svg>')($rootScope);
+        var child = element.children('a');
+        $rootScope.$digest();
+        expect(child.attr('xlink:href')).toEqual('http://server');
+      }));
+    });
+  }
+});