feat($sanitize): support enhancing white-list

[maksimr]

#5900 fix

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)
Improve functionality of ngSanitize. More information you could find here - #5900

What is the current behavior? (You can also link to an open issue here)
Hardcoded white-list

What is the new behavior (if this is a feature change)?
Allow adding valid elements and attributes

Does this PR introduce a breaking change?

No

Please check if the PR fulfills these requirements

• The commit message follows our guidelines
• Fix/Feature: Docs have been added/updated
• Fix/Feature: Tests have been added; existing tests pass

Other information:

[gkalpak]

If we are doing this (I am not sure how this would affect security), we need to better document what "valid elements/attributes" are and how they are used by $sanitize.

[gkalpak]

This doesn't take into account whether svgEnabled is true or false.

[gkalpak]

Why the =? This is not optional afaict.

[maksimr]

Copy-paste (shame on me)

[gkalpak]

It might be worth documenting that the added attributes will not be treated as URI attributes, i.e. their values will not be sanitized as URIs.

[gkalpak]

We need tests for all supported categories (e.g. blockElements, svgElements).

[gkalpak]

We need a test for passing an array instead of an object.

[gkalpak]

correct --> correctly

[gkalpak]

"should not ignore" is not very straight forward. I would change it to something like "should allow".

[gkalpak]

type is already a valid attribute.

[gkalpak]

Since we treat most categories (except for voidElements and svgElements) the same, I am wondering if it would be more straight forward to use a simpler public API, e.g.:

{
  htmlElements: [...],
  htmlVoidElements: [...],
  svgElements: [...],
}

[maksimr]

Looks good to me

[Narretz]

One problem with this is that theortically any 3rd party module can add a config block that changes the whitelist, possibly allowing things you don't want to have in your app.

[maksimr]

If we are doing this (I am not sure how this would affect security), we need to better document what "valid elements/attributes" are and how they are used by $sanitize

@gkalpak any documentation text welcome

One problem with this is that theortically any 3rd party module can add a config block that changes the whitelist, possibly allowing things you don't want to have in your app.

@Narretz yours suggestions?
Theoretically, any 3rd party module can replace $sanitize service

[Narretz]

It's true that the sanitizer can be replaced completely. Maybe we should add a note about the security implications of this, though.

[maksimr]

@gkalpak is it ok now?

Thanks

[gkalpak]

I would expand a bit on the non-URI part:

[...] The added attributes will not be treated as URI attributes, which means their values will not sanitized as URIs using the aHrefSanitizationWhitelist and imgSrcSanitizationWhitelist of {@link ng.$compileProvider $compileProvider}.

[gkalpak]

Extending svgElements has no effect if called after the service has been instantiated. This can be unintuitive (because theoretically it is possible to use provider methods after a service has been instantiated and in many cases everything works as expected).

I think it would be better to either throw or make it a no-op after instantiation (and document that).

[maksimr]

As I see enableSvg also doesn't work after instantiation.

[maksimr]

@gkalpak

I think it would be better to either throw or make it a no-op after instantiation (and document that).

How can I check that service has been instantiated? (without additional variable)

[gkalpak]

You can't (without additional variable) 😁

[gkalpak]

In order to make sure this test does indeed test what it is supposed to (now and in the future), it might be better to add arbitrary elements (that do not exist in the HTML5 spec) to ensure that they are not already considered valid.

[gkalpak]

There should be a test that this is not allowed as voidElement.

[gkalpak]

There should be a test that this is also allowed as non-void element.

[maksimr]

I have added check

      expectHTML('<input/>').not.toEqual('<input></input>');

[gkalpak]

No, I meant something like expectHTML('<input></input>') (which is accepted atm).

[maksimr]

🤔 I didn't get your point.

There should be a test that this is also allowed as non-void element.

We already have such test
https://github.com/angular/angular.js/pull/16326/files#diff-85da78d5073ece90913c9e733cfcdef4R306

Yes, the test above not about input but I don't think that input tag is something special.
I have renamed input to foo-input to emphasize that name of the tag isn't matter

[gkalpak]

That test is for a custom non-void element.
There should be a test that custom void element can be used as <foo-input></foo-input>.

[maksimr]

🆙 Done

https://github.com/angular/angular.js/pull/16326/files#diff-85da78d5073ece90913c9e733cfcdef4R314

[gkalpak]

Looking good. We're getting close 😃

[gkalpak]

We need more docs (and also mention that it has no effect after the service has been instantiated).

@maksimr, can you take a first stab at documenting what this method does and "valid elements/attributes" are and how they are used by $sanitize?

[gkalpak]

This should mention the "shape" of the Object version.

[gkalpak]

There is no reason for this function to be inside the closure. Move it outside to avoid re-creating it on every invokation.

[gkalpak]

The return value is ignored. You can drop it.
It also seems redundant to join() items only to split them right away (inside toMap()). Can you refactor toMap() to avoid that? Something like:

+function stringToMap(str, lowercaseKeys) {
+  return arrayToMap(str.split(','), lowercaseKeys);
+}

-function toMap(str, lowercaseKeys) {
-  var obj = {}, items = str.split(','), i;
+function arrayToMap(items, lowercaseKeys) {
+  var obj = {}, i;
   for (i = 0; i < items.length; i++) {
     obj[lowercaseKeys ? lowercase(items[i]) : items[i]] = true;
   }
   return obj;
 }

[gkalpak]

Also, use the extend function from the closure here and elsewhere (see below the Private stuff comment).
Do the same for other helpers (isArray, isObject). (Define the ones that are not defined already in "Private stuff".)

[gkalpak]

Let's have this method return this to be inline with what we do with other setter methods (helps with chaining).

[gkalpak]

This needs more docs as well. You could also move most of the param description into the main description of the function.

[gkalpak]

This assertion is unnecessary.

[gkalpak]

This is not a block element. Let's merge into the tests above.

[gkalpak]

This is not necessarily a inline element. Just call it element 😃
And merge it with the above test.

[gkalpak]

Let's change this to:
should allow custom white-listed void element to be used with closing tag

[maksimr]

@gkalpak could you provide documentation for these methods

#16326 (comment)
#16326 (comment)

[maksimr]

@gkalpak ping

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this State. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

[googlebot]

So there's good news and bad news.

👍 The good news is that everyone that needs to sign a CLA (the pull request submitter and all commit authors) have done so. Everything is all good there.

😕 The bad news is that it appears that one or more commits were authored by someone other than the pull request submitter. We need to confirm that all authors are ok with their commits being contributed to this project. Please have them confirm that here in the pull request.

Note to project maintainer: This is a terminal state, meaning the cla/google commit status will not change from this State. It's up to you to confirm consent of the commit author(s) and merge this pull request when appropriate.

[gkalpak]

I've rebased this on master, made some small changes and added docs.

[petebacondarwin]

no alphabetic ordering??

[maksimr]

I didn't see any signs of "alphabetic ordering" 🤔
Should I change this code?

[petebacondarwin]

The var declarations at the top of the file are listed in alphabetical order; and @gkalpak is usually a stickler for this kind of thing :-)

[maksimr]

@petebacondarwin looks like @gkalpak fixed it already

1920420#diff-699beb0d8c48a8257d3d70331bf6138dR19

@gkalpak Thanks

[gkalpak]

Ts, ts, ts! How could you think I wouldn't have fixed that, @petebacondarwin 😛
😱 😱 😱 😱 😱 I fixed it in one of two places 😱 😱 😱 😱 😱
Thx, @petebacondarwin ❤️ (Sorry I doubted you 😞)

[gkalpak]

Fixed while merging (and also removed unused isObject var).

[petebacondarwin]

What happens if the element passed in is not empty? E.g. <foo-input>some content</foo-input>

[maksimr]

sanitizer removes closing tag

<foo-input>some content

[petebacondarwin]

That is interesting...

[maksimr]

Yup, but this is how current sanitizer works.

When it meets token <foo-inpupt> it treats this as void element because it's valid case when self-closing element(void) does not have /, after that it meets text some content and we do nothing and finally we meet </foo-input> and because there are no open element before we just remove it.

[gkalpak]

I will make it more explicit in the docs that void elements cannot have content.

[petebacondarwin]

cannot or should not?

[gkalpak]

Cannot and should not 😁
As @maksimr mentioned $sanitize (and browsers) will transform <void-element>foo</void-element> to <void-element>foo (so the content ends up outside the element).

[petebacondarwin]

Is there any difference if the attribute is on a blacklisted element?

[maksimr]

sanitizer just remove a blacklisted element

[petebacondarwin]

I guess it is not possible to have "void svg" elements?

[maksimr]

Yes and No, because in sanitizer no type like "void svg" I didn't add such property, but if you know how works sanitizer you could do something like this:

      $sanitizeProvider.addValidElements({
        htmlVoidElements: ['font-face-uri'],
        svgElements: ['font-face-uri']
      });

[petebacondarwin]

LGTM - a couple of unimportant questions.

[Narretz]

So we don't need an extra notice that this method should be used carefully, because adding more elements can jeopardize the security of the app?

[petebacondarwin]

I assume the purpose of this feature is to support HTML5 custom web elements?

[maksimr]

I assume the purpose of this feature is to support HTML5 custom web elements?

Not only, in our case we want support for checkboxes.

[Narretz]

It can also be used to add elements / attributes where we haven't decided if they should be whitelisted: #13282

[gkalpak]

So we don't need an extra notice that this method should be used carefully, because adding more elements can jeopardize the security of the app?

A good thing is that you can't "overwrite" the blockedElements list. So, even adding script or style (which are currently blocked) will not make them "safe". But you can add other elements and you can definitely add attributes.
I'll add a note to the docs.

Not only, in our case we want support for checkboxes.

@maksimr, can you elaborate? What do you mean by "checkboxes"?

[maksimr]

@gkalpak sure,

"checkboxes" is <input type=checkbox/>

[gkalpak]

Oh, OK. With this change you will have to whitelist all input elements (so be careful 😃).

[gkalpak]

Updated the docs. Will merge once Travis is green.
(If you want to TAL, now is your chance, @petebacondarwin @Narretz 😃)