SQUASH: rename SRC to MEDIA_URL

Author: petebacondarwin

docs/content/error/$compile/srcset.ngdoc

@@ -6,7 +6,7 @@
 This error occurs if you try to programmatically set the `srcset` attribute with a non-string value.
 
 This can be the case if you tried to avoid the automatic sanitization of the `srcset` value by
-passing a "trusted" value provided by calls to `$sce.trustAsSrc(value)`.
+passing a "trusted" value provided by calls to `$sce.trustAsMediaUrl(value)`.
 
 If you want to programmatically set explicitly trusted unsafe URLs, you should use `$sce.trustAsHtml`
 on the whole `img` tag and inject it into the DOM using the `ng-bind-html` directive.

src/ng/compile.js

@@ -1719,7 +1719,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
           // Such values are a bit too complex to handle automatically inside $sce.
           // Instead, we sanitize each of the URIs individually, which works, even dynamically.
 
-          // It's not possible to work around this using `$sce.trustAsSrc`.
+          // It's not possible to work around this using `$sce.trustAsMediaUrl`.
           // If you want to programmatically set explicitly trusted unsafe URLs, you should use
           // `$sce.trustAsHtml` on the whole `img` tag and inject it into the DOM using the
           // `ng-bind-html` directive.
@@ -1740,7 +1740,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
           for (var i = 0; i < nbrUrisWith2parts; i++) {
             var innerIdx = i * 2;
             // sanitize the uri
-            result += $sce.getTrustedSrc(trim(rawUris[innerIdx]));
+            result += $sce.getTrustedMediaUrl(trim(rawUris[innerIdx]));
             // add the descriptor
             result += ' ' + trim(rawUris[innerIdx + 1]);
           }
@@ -1749,7 +1749,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
           var lastTuple = trim(rawUris[i * 2]).split(/\s/);
 
           // sanitize the last uri
-          result += $sce.getTrustedSrc(trim(lastTuple[0]));
+          result += $sce.getTrustedMediaUrl(trim(lastTuple[0]));
 
           // and add the last descriptor if any
           if (lastTuple.length === 2) {
@@ -3275,15 +3275,15 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
       }
       var tag = nodeName_(node);
       // All tags with src attributes require a RESOURCE_URL value, except for
-      // img and various html5 media tags, which require the SRC context.
+      // img and various html5 media tags, which require the MEDIA_URL context.
       if (attrNormalizedName === 'src' || attrNormalizedName === 'ngSrc') {
         if (['img', 'video', 'audio', 'source', 'track'].indexOf(tag) === -1) {
           return $sce.RESOURCE_URL;
         }
-        return $sce.SRC;
+        return $sce.MEDIA_URL;
       } else if (attrNormalizedName === 'xlinkHref') {
         // Some xlink:href are okay, most aren't
-        if (tag === 'image') return $sce.SRC;
+        if (tag === 'image') return $sce.MEDIA_URL;
         if (tag === 'a') return $sce.URL;
         return $sce.RESOURCE_URL;
       } else if (

src/ng/interpolate.js

@@ -120,7 +120,7 @@ function $InterpolateProvider() {
     }
 
     function isConcatenationAllowed(context) {
-      return context === $sce.URL || context === $sce.SRC;
+      return context === $sce.URL || context === $sce.MEDIA_URL;
     }
 
     /**
@@ -300,7 +300,7 @@ function $InterpolateProvider() {
       // that is more testable or make it obvious that you bound the value to some user controlled
       // value.  This helps reduce the load when auditing for XSS issues.
 
-      // Note that URL and SRC $sce contexts do not need this, since `$sce` can sanitize the values
+      // Note that URL and MEDIA_URL $sce contexts do not need this, since `$sce` can sanitize the values
       // passed to it. In that case, `$sce.getTrusted` will be called on either the single expression
       // or on the overall concatenated string (losing trusted types used in the mix, by design).
       // Both these methods will sanitize plain strings. Also, HTML could be included, but since it's

src/ng/sce.js

@@ -23,7 +23,7 @@ var SCE_CONTEXTS = {
   CSS: 'css',
 
   // An URL used in a context where it refers to the source of media such as an image, audio, video, etc.
-  SRC: 'src',
+  MEDIA_URL: 'mediaUrl',
 
   // An URL used in a context where it does not refer to a resource that loads code, this is a superset of
   // urls that can be used as a source for media.
@@ -310,8 +310,8 @@ function $SceDelegateProvider() {
 
     byType[SCE_CONTEXTS.HTML] = generateHolderType(trustedValueHolderBase);
     byType[SCE_CONTEXTS.CSS] = generateHolderType(trustedValueHolderBase);
-    byType[SCE_CONTEXTS.SRC] = generateHolderType(trustedValueHolderBase);
-    byType[SCE_CONTEXTS.URL] = generateHolderType(byType[SCE_CONTEXTS.SRC]);
+    byType[SCE_CONTEXTS.MEDIA_URL] = generateHolderType(trustedValueHolderBase);
+    byType[SCE_CONTEXTS.URL] = generateHolderType(byType[SCE_CONTEXTS.MEDIA_URL]);
     byType[SCE_CONTEXTS.JS] = generateHolderType(trustedValueHolderBase);
     byType[SCE_CONTEXTS.RESOURCE_URL] = generateHolderType(byType[SCE_CONTEXTS.URL]);
 
@@ -396,7 +396,7 @@ function $SceDelegateProvider() {
      * `$sceDelegate.trustAs`} result), or it might try to sanitize the value given, depending on
      * the context and sanitizer availablility.
      *
-     * The contexts that can be sanitized are $sce.SRC, $sce.URL and $sce.HTML. The first two are available
+     * The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available
      * by default, and the second one relies on the $sanitize service (which may be loaded through
      * the ngSanitize module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be
      * accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist
@@ -436,7 +436,7 @@ function $SceDelegateProvider() {
       }
 
       // If we get here, then we will either sanitize the value or throw an exception.
-      if (type === SCE_CONTEXTS.SRC) {
+      if (type === SCE_CONTEXTS.MEDIA_URL) {
         return $$sanitizeUri(maybeTrusted, true);
       } else if (type === SCE_CONTEXTS.URL) {
         return $$sanitizeUri(maybeTrusted);
@@ -620,7 +620,7 @@ function $SceDelegateProvider() {
  * |---------------------|----------------|
  * | `$sce.HTML`         | For HTML that's safe to source into the application.  The {@link ng.directive:ngBindHtml ngBindHtml} directive uses this context for bindings. If an unsafe value is encountered and the {@link ngSanitize $sanitize} module is present this will sanitize the value instead of throwing an error. |
  * | `$sce.CSS`          | For CSS that's safe to source into the application.  Currently unused.  Feel free to use it in your own directives. |
- * | `$sce.SRC`          | For URLs that are safe to display as media. Is automatically converted from string by sanitizing when needed. |
+ * | `$sce.MEDIA_URL`    | For URLs that are safe to display as media. Is automatically converted from string by sanitizing when needed. |
  * | `$sce.URL`          | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. |
  * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application.  Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.)  <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` does and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` are required. |
  * | `$sce.JS`           | For JavaScript that is safe to execute in your application's context.  Currently unused.  Feel free to use it in your own directives. |
@@ -629,7 +629,7 @@ function $SceDelegateProvider() {
  * <div class="alert alert-warning">
  * Be aware that `a[href]` and `img[src]` used to automatically sanitize their URLs and not pass them
  * through {@link ng.$sce#getTrusted $sce.getTrusted}. **As of 1.7.0, this is no longer the case.**
- * Now `getTrusted` will sanitize values for the `$sce.SRC` and `$sce.URL` contexts.
+ * Now `getTrusted` will sanitize values for the `$sce.MEDIA_URL` and `$sce.URL` contexts.
  * </div>
  *
  * There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs`

test/ng/compileSpec.js

@@ -4236,7 +4236,7 @@ describe('$compile', function() {
       }));
 
       it('should not accept trusted values for img[srcset]', inject(function($compile, $rootScope, $sce) {
-        var trusted = $sce.trustAsSrc('trustme:foo()');
+        var trusted = $sce.trustAsMediaUrl('trustme:foo()');
         element = $compile('<img></img>')($rootScope);
         expect(function() {
           $rootScope.attr.$set('srcset', trusted);
@@ -11096,9 +11096,9 @@ describe('$compile', function() {
         }));
 
         it('should accept trusted values', inject(function($rootScope, $compile, $sce) {
-          // As a SRC URL
+          // As a MEDIA_URL URL
           element = $compile('<' + tag + ' src="{{testUrl}}"></' + tag + '>')($rootScope);
-          $rootScope.testUrl = $sce.trustAsSrc('javascript:foo()');
+          $rootScope.testUrl = $sce.trustAsMediaUrl('javascript:foo()');
           $rootScope.$digest();
           expect(element.attr('src')).toEqual('javascript:foo()');
 
@@ -11132,9 +11132,9 @@ describe('$compile', function() {
         }));
 
         it('should accept trusted values', inject(function($rootScope, $compile, $sce) {
-          // As a SRC URL
+          // As a MEDIA_URL URL
           element = $compile('<video><' + tag + ' src="{{testUrl}}"></' + tag + '></video>')($rootScope);
-          $rootScope.testUrl = $sce.trustAsSrc('javascript:foo()');
+          $rootScope.testUrl = $sce.trustAsMediaUrl('javascript:foo()');
           $rootScope.$digest();
           expect(element.find(tag).attr('src')).toEqual('javascript:foo()');
 
@@ -11158,7 +11158,7 @@ describe('$compile', function() {
 
     it('should accept trusted values', inject(function($rootScope, $compile, $sce) {
       element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
-      $rootScope.testUrl = $sce.trustAsSrc('javascript:foo();');
+      $rootScope.testUrl = $sce.trustAsMediaUrl('javascript:foo();');
       $rootScope.$digest();
       expect(element.attr('src')).toEqual('javascript:foo();');
     }));
@@ -11231,7 +11231,7 @@ describe('$compile', function() {
         element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
         // Assigning javascript:foo to src makes at least IE9-11 complain, so use another
         // protocol name.
-        $rootScope.testUrl = $sce.trustAsSrc('someUnsafeThing:foo();');
+        $rootScope.testUrl = $sce.trustAsMediaUrl('someUnsafeThing:foo();');
         $rootScope.$apply();
         expect(element.attr('src')).toEqual('someUnsafeThing:foo();');
       });

test/ng/sceSpecs.js

@@ -554,21 +554,21 @@ describe('SCE', function() {
 
   describe('URL-context sanitization', function() {
     it('should sanitize values that are not whitelisted', inject(function($sce) {
-      expect($sce.getTrustedSrc('javascript:foo')).toEqual('unsafe:javascript:foo');
+      expect($sce.getTrustedMediaUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
       expect($sce.getTrustedUrl('javascript:foo')).toEqual('unsafe:javascript:foo');
     }));
 
     it('should not sanitize values that are whitelisted', inject(function($sce) {
-      expect($sce.getTrustedSrc('http://example.com')).toEqual('http://example.com');
+      expect($sce.getTrustedMediaUrl('http://example.com')).toEqual('http://example.com');
       expect($sce.getTrustedUrl('http://example.com')).toEqual('http://example.com');
     }));
 
     it('should not sanitize trusted values', inject(function($sce) {
-      expect($sce.getTrustedSrc($sce.trustAsSrc('javascript:foo'))).toEqual('javascript:foo');
-      expect($sce.getTrustedSrc($sce.trustAsUrl('javascript:foo'))).toEqual('javascript:foo');
-      expect($sce.getTrustedSrc($sce.trustAsResourceUrl('javascript:foo'))).toEqual('javascript:foo');
+      expect($sce.getTrustedMediaUrl($sce.trustAsMediaUrl('javascript:foo'))).toEqual('javascript:foo');
+      expect($sce.getTrustedMediaUrl($sce.trustAsUrl('javascript:foo'))).toEqual('javascript:foo');
+      expect($sce.getTrustedMediaUrl($sce.trustAsResourceUrl('javascript:foo'))).toEqual('javascript:foo');
 
-      expect($sce.getTrustedUrl($sce.trustAsSrc('javascript:foo'))).toEqual('unsafe:javascript:foo');
+      expect($sce.getTrustedUrl($sce.trustAsMediaUrl('javascript:foo'))).toEqual('unsafe:javascript:foo');
       expect($sce.getTrustedUrl($sce.trustAsUrl('javascript:foo'))).toEqual('javascript:foo');
       expect($sce.getTrustedUrl($sce.trustAsResourceUrl('javascript:foo'))).toEqual('javascript:foo');
     }));
@@ -579,7 +579,7 @@ describe('SCE', function() {
         $provide.value('$$sanitizeUri', $$sanitizeUri);
       });
       inject(function($sce) {
-        expect($sce.getTrustedSrc('someUrl')).toEqual('someSanitizedUrl');
+        expect($sce.getTrustedMediaUrl('someUrl')).toEqual('someSanitizedUrl');
         expect($$sanitizeUri).toHaveBeenCalledOnceWith('someUrl', true);
 
         $$sanitizeUri.calls.reset();