feat($sce): handle URLs through the $sce service

[petebacondarwin]

Replaces #14250

Thanks to @rjamet for the original work on this feature.

This is a large patch to handle URLs with the $sce service, similarly to HTML context.

However, to keep rough compatibility with existing apps, we need to allow URL-context
concatenation, since previously $sce contexts prevented sanitization. There's now a
set of special contexts (defined in $interpolate) that allow concatenation, in a roughly
intuitive way:

• Trusted types alone are trusted, e.g. "{{safeType}}" will not be sanitized.
• Any concatenation of values results in a non-trusted type that will be handled by
  getTrusted once the concatenation is done, e.g. "{{ 'javascript:foo' }}" and
  "javascript:{{safeType}}" will be sanitized.

This commit also introduces a new SCE context called SRC, which represents a URL
being used as a source for an image, video, audio, etc. The hierarchy is setup
so that the URL context is also a SRC context, in the same way that the RESOURCE_URL
context is also a URL (and now also a SRC) context.

Where we previously sanitized URL attributes inside the compiler, we now only apply
the $sce.URL or $sce.SRC context requirement.

• When calling getTrustedSrc() a value that is not already a trusted SRC will be
  sanitized using the imgSrcSanitizationWhitelist
• When calling getTrustedUrl() a value that is not already a trusted URL will be
  sanitized using the aHrefSanitizationWhitelist

This results in behaviour that closely matches the previous sanitization behaviour.

What kind of change does this PR introduce? (Bug fix, feature, docs update, ...)

feature

What is the current behavior? (You can also link to an open issue here)

URLs are sanitized directly in the compiler or interpolator.

What is the new behavior (if this is a feature change)?

Now that sanitization is done via the SCE service.

Does this PR introduce a breaking change?
Yes

If you use attrs.$set for URL attributes there will be no automated sanitization
of the URL value. This is now in line with other contexts. If you are programmatically
writing URL values to attributes from untrusted input then you must sanitize
it yourself (possibly by calling the private $$sanitizeUri service).

Please check if the PR fulfills these requirements

• The commit message follows our guidelines
• Fix/Feature: Docs have been added/updated
• Fix/Feature: Tests have been added; existing tests pass

Other information:

[jbedard]

Can we remove the initial singleExpression assignment and change this to singleExpression = (concat.length === 1 && expressionPositions.length === 1)?

[jbedard]

Drop this (and the next else) and just fallthru? Could then combine the condition above to trustedContext && concat.length > 1...

[jbedard]

This basically makes parseStringifyInterceptor a noop, can we avoid parseStringifyInterceptor (and any interceptor) completely in that case? Maybe only if that case is common enough that it's worth avoiding interceptors...

[petebacondarwin]

Difficulty is that we assign the interpolator to the parseFn before we have calculated how many items are in contat and expressionPositions so we don't know whether singleExpression is true until we have finished.

[petebacondarwin]

But I managed it...

[jbedard]

If it's difficult or ugly then we can leave it out of this PR and try later since it's not really directly related to this PR

[rjamet]

Could you maybe document that those are used in the $sce.URL sanitization now, so it's reflected in the API docs ? (and same below)

[rjamet]

If you push it a little, iframes and scripts are media. I'd say "to the source of media which are not expected to run scripts such as ..." instead.

[rjamet]

s/second/third/

[rjamet]

"the value not being recognized as safe" instead?

[rjamet]

explicit false as a second argument there ?

[petebacondarwin]

oh, OK then :-) I was saving bytes.

[rjamet]

Below in this file, I would replace the isImage argument with isMediaUrl to be clearer. That shouldn't break anything.

[rjamet]

There's a tiny quirk hiding there, which is probably without consequences: mailto and tel are in the URL whitelist, but not in the MEDIA_URL. This makes sense, but "safe under URL" is supposed to be a subset of "safe under MEDIA_URL" in my interpretation of the subclassing in the $sce. I don't think anyone cares either way.

[petebacondarwin]

Yeah, I wondered about that. One is not really a "super-set" of the other but I needed both to be covered by RESOURCE_URL, so I had to force a hierarchy on them. Given that users can manipulate these whitelists in anyway they like, I don't feel too bad about the defaults not quite aligning.

[rjamet]

This looks wrong to me?

[petebacondarwin]

but no test is failing 😱

[petebacondarwin]

This is because I broke the tests in https://github.com/angular/angular.js/pull/16378/files#diff-85da78d5073ece90913c9e733cfcdef4 !!!

[rjamet]

I think the CI errors you get are due to some browser protections on assigning javascript: to the src attributes of image elements... Those are annoying, I remember hitting these on the IE family before (and that was why I didn't bother with img there).

[petebacondarwin]

Right, I wondered about that. I'll remove the javascript:s

[rjamet]

LGTM overall, nice work!

[jbedard]

Would this be any shorter/nicer doing...

parseFns = expressions.map(function(exp) {
    return $parse(exp, contextAllowsConcatenation && singleExpression ? undefined : parseStringifyInterceptor);
});

[petebacondarwin]

I thought about that. It does mean evaluating that contextAllowsConcatenation && singleExpression for each item in concat. Also I was being cautious in case the $parse was doing parameter counting rather than just a check for undefined. If you feel strongly about it we could change it.

[jbedard]

I think it reads a little nicer but don't feel strongly about it.

Could do var interceptor = ... outside the loop. That might also be a little more readable which I think is most important here (I don't think performance is a major concern since this isn't run per digest or anything like that).

[petebacondarwin]

Done

[Narretz]

As far as I can say, this looks reasonable, although I find it a bit weird that the strategy for sanitizing content that is programmtically written is to use the private $$sanitizeUri service. This feels wrong. Maybe we should make the service public?

The commit message would also be clearer if this section:

Where we previously sanitized URL attributes when setting attribute value inside the
$compile service, we now only apply the $sce.URL or $sce.SRC context requirement,
and leave the $interpolate service to deal with sanitization.

would come immediately after

This is a large patch to handle URLs with the $sce service, similarly to HTML context.

Btw,

we now only apply the $sce.URL or $sce.SRC context requirement

I don't think $sce.SRC is anywhere in this patch, is this line right?

[Narretz]

If > In?

[Narretz]

It's not clear which context applies to what. How about "Now getTrusted will sanitize a[href] for the $sce.URL context, and img[src] for the $sce.MEDIA?URL context.

[petebacondarwin]

This is not strictly related to DOM nodes. What this is saying is that, previously the a[href] and img[src] did not use $sce at all but did their own sanitization and that $sce did not do anything with the $sce.URL (and now also $sce.MEDIA_URL) contexts. Now the a[href] and img[src] do nothing but require the URL or MEDIA_URL context. It is $sce that now does the sanitizing as appropriate.

[Narretz]

Ok, but the paragraph makes it sound like (at least to me) that the second part still refers to a[href] and img[src], and as such it's confusing that the last sentence isn't clear about which context gets applied to them. So I think adding the explicit context matching is a good idea.

[petebacondarwin]

doc comments updated

[Narretz]

Isn't this technically an implementation detail?

[petebacondarwin]

Well I see it as an interface (albeit internal) to the service. Testing it this way means that we are less tied to the implementation of the $$sanitizeUri service.

[gkalpak]

Maybe changing it to ...can also be trusted... would be more accurate.
(It conveys the hierarchy relation without saying it is trusted, because it may not be depending on the whitelists.)

[gkalpak]

AFAICT, "display" does not cover all usecases (e.g. audio) and might be confusing.

[petebacondarwin]

I'm going with render it is vague enough to cover audio IMO.

[gkalpak]

Maybe you could mention MEDIA_URL here or in $sce.URL.

[gkalpak]

jshint???

[petebacondarwin]

:-) picked up from @rjamet's original PR that was written before we moved to eslint. Removed

[gkalpak]

Is this a style-only change, or has the behavior changed?

[petebacondarwin]

The behaviour has changed. The throw is now in the call to $compile.

[gkalpak]

URL to matches --> URL matches
aHrefSanitizationWhitelist --> imgSrcSanitizationWhitelist

[gkalpak]

AFAICT, this changes the current behavior. Previously, even if the URL was the empty string, it might return a non-empty URL (i.e. the current URL). Do I miss something? Is this change intended?

[petebacondarwin]

Hmm, you're right that urlResolve doesn't (mostly) return the empty string when passed an empty string... I need to look again at why I did this. There was definitely a reason.

[petebacondarwin]

I can't remember (or see) why I did this. So I am going to revert that change.

[gkalpak]

Based on the commit message, I thought $set() doesn't sanitize it any more 😕

[petebacondarwin]

We still sanitize img[srcset] when called through $set.

[gkalpak]

So, doesn't this leave people using ng-href/src lessmore vulnerable (unless they use interpolation)?
(Not common to use ng-href/src without interpollation, but possible.)

[petebacondarwin]

I am not sure what you mean here. Do you mean "more" vulnerable?
It is true that if you were programmatically setting the attribute via $set then it is no longer checked, but this is quite a common paradigm, where one has to be responsible for coding against the lower level API.

[gkalpak]

Yeah, I meant "more" (everybody knows "less" is "more" 😛)
The thing is that some of the built-in directives (e.g. ngHref/ngSrc) use $set under the hood.

[petebacondarwin]

I am pretty certain that ngHref and ngSrc are not affected. They only call $set with a value that is passed from $observe, which has already interpolated the value, and so has passed the value through SCE.

[gkalpak]

😱

[gkalpak]

I am a little concerned about #16378 (comment).
Other than that LGTM (as long as Travis is happy 😉)!

[petebacondarwin]

Yes, yes, indentation 😱

[petebacondarwin]

All these tests here and below were in the wrong file. I have moved them to their appropriate places.

[petebacondarwin]

Agh! fdescribe!!

[petebacondarwin]

This is the key new test for this commit

[petebacondarwin]

And this test too.

[gkalpak]

LGTM (as soon as Travis is green)