Skip to content
This repository was archived by the owner on Apr 12, 2024. It is now read-only.

Commit 19bc521

Browse files
petebacondarwinpetebacondarwin
committed
fix(Angular): do not autobootstrap if the src exists but is empty
In Chrome an empty `src` attribute will be ignored, but in Firefox it seems happy to prepend the `base[href]` and try to load whatever that is.
1 parent 4f69d38 commit 19bc521

File tree

2 files changed

+13
-8
lines changed

2 files changed

+13
-8
lines changed

src/Angular.js

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1543,15 +1543,19 @@ function allowAutoBootstrap(document) {
15431543
return false;
15441544
}
15451545

1546-
var srcs = [script.getAttribute('src'), script.getAttribute('href'), script.getAttribute('xlink:href')];
1546+
var attributes = script.attributes;
1547+
var srcs = [attributes.getNamedItem('src'), attributes.getNamedItem('href'), attributes.getNamedItem('xlink:href')];
15471548

15481549
return srcs.every(function(src) {
15491550
if (!src) {
15501551
return true;
15511552
}
1553+
if (!src.value) {
1554+
return false;
1555+
}
15521556

15531557
var link = document.createElement('a');
1554-
link.href = src;
1558+
link.href = src.value;
15551559

15561560
if (document.location.origin === link.origin) {
15571561
// Same-origin resources are always allowed, even for non-whitelisted schemes.

test/AngularSpec.js

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1752,16 +1752,17 @@ describe('angular', function() {
17521752
expect(allowAutoBootstrap(createFakeDoc({src: protocol + '//something-else'}, protocol))).toBe(false);
17531753
});
17541754

1755-
it('should bootstrap from a script with empty or no source (e.g. src, href or xlink:href attributes)', function() {
1755+
it('should bootstrap from a script with no source (e.g. src, href or xlink:href attributes)', function() {
17561756

17571757
expect(allowAutoBootstrap(createFakeDoc({src: null}))).toBe(true);
1758-
expect(allowAutoBootstrap(createFakeDoc({src: ''}))).toBe(true);
1759-
17601758
expect(allowAutoBootstrap(createFakeDoc({href: null}))).toBe(true);
1761-
expect(allowAutoBootstrap(createFakeDoc({href: ''}))).toBe(true);
1762-
17631759
expect(allowAutoBootstrap(createFakeDoc({'xlink:href': null}))).toBe(true);
1764-
expect(allowAutoBootstrap(createFakeDoc({'xlink:href': ''}))).toBe(true);
1760+
});
1761+
1762+
it('should not bootstrap from a script with an empty source (e.g. `src=""`)', function() {
1763+
expect(allowAutoBootstrap(createFakeDoc({src: ''}))).toBe(false);
1764+
expect(allowAutoBootstrap(createFakeDoc({href: ''}))).toBe(false);
1765+
expect(allowAutoBootstrap(createFakeDoc({'xlink:href': ''}))).toBe(false);
17651766
});
17661767

17671768

0 commit comments

Comments
 (0)