From: Nikon the Third
Date: Fri, 19 Feb 2021 08:24:53 +0000 (+0100)
Subject: Adjust regex `SAFE_URL_PATTERN` for use with test method of regexes. (#33136)
X-Git-Tag: v5.0.0-beta3~87
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8f08d1802976b8200551de49354757f84e438cf;p=thirdparty%2Fbootstrap.git

Adjust regex `SAFE_URL_PATTERN` for use with test method of regexes. (#33136)

The test method on regexes behaves different than the match method on strings in the presence of the global modifier.

Add a unit test for sanitizing the same template twice.

Co-authored-by: XhmikosR
---

diff --git a/js/src/util/sanitizer.js b/js/src/util/sanitizer.js
index 18ac6f9438..57653a891f 100644
--- a/js/src/util/sanitizer.js
+++ b/js/src/util/sanitizer.js
@@ -23,7 +23,7 @@ const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i
  *
  * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts
  */
-const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/gi
+const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/i
 
 /**
  * A pattern that matches safe data URLs. Only matches image, video and audio types.
diff --git a/js/tests/unit/util/sanitizer.spec.js b/js/tests/unit/util/sanitizer.spec.js
index 869b8c5615..7379d221f4 100644
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@@ -66,5 +66,15 @@ describe('Sanitizer', () => {
     expect(result).toEqual(template)
     expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()
   })
+
+  it('should allow multiple sanitation passes of the same template', () => {
+    const template = ''
+
+    const firstResult = sanitizeHtml(template, DefaultAllowlist, null)
+    const secondResult = sanitizeHtml(template, DefaultAllowlist, null)
+
+    expect(firstResult).toContain('src')
+    expect(secondResult).toContain('src')
+  })
 })
 })
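Review bot: Dropping the `g` flag on `SAFE_URL_PATTERN` is the whole fix, but nothing in the source records why it has to stay off, so a later edit that reaches for `String#match` again could reintroduce it; the pattern's doc comment (the `*/` context line directly above the changed line) could gain `* No global flag: this pattern is used with RegExp#test, and /g makes lastIndex persist across calls.` Because the pattern is anchored with `^`, a stale `lastIndex` makes `test` return false rather than true, so the old behaviour over-stripped URLs on a second sanitizer pass rather than letting unsafe ones through — worth stating in the comment, since it tells a reader the allowlist itself was never bypassed. The data-URL pattern whose comment begins at the end of this hunk is not visible here; it is worth confirming it carries no `g` flag either.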
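Review bot: The new test only checks that each result contains `'src'`, which does not pin the property the commit is fixing — that a second pass produces the same output as the first; `expect(secondResult).toEqual(firstResult)` would catch a regression where a stateful regex strips the attribute on alternate calls, and it reads consistently with the `toEqual(template)` assertion in the context lines above. As rendered here the template literal is empty (`const template = ''`), which would make both `toContain('src')` expectations fail; presumably the markup was lost in extraction, but the committed file should be checked to hold an element with a `src` attribute. The enclosing `describe` block starts outside the hunk.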