feat(sanitization): make NodeValidator injectable

Closes #490 Closes #498
dart-archive · Feb 6, 2014 · 47ab48a · zoechi · Feb 19, 2014 · 47ab48a
1 parent e62b269
commit 47ab48a
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 11 deletions.
diff --git a/lib/directive/module.dart b/lib/directive/module.dart
@@ -38,6 +38,7 @@ class NgDirectiveModule extends Module {
     value(NgBindDirective, null);
     value(NgBindTemplateDirective, null);
     value(NgBindHtmlDirective, null);
+    value(dom.NodeValidator, new dom.NodeValidatorBuilder.common());
     value(NgClassDirective, null);
     value(NgClassOddDirective, null);
     value(NgClassEvenDirective, null);

diff --git a/lib/directive/ng_bind_html.dart b/lib/directive/ng_bind_html.dart
@@ -18,19 +18,16 @@ part of angular.directive;
   selector: '[ng-bind-html]',
   map: const {'ngBindHtml': '=>value'})
 class NgBindHtmlDirective {
-  // The default HTML sanitizer.  Eventually, we'll make this configurable or
-  // use an optionally loaded `$sanitize` service.
-  static final dom.NodeValidator validator = new dom.NodeValidatorBuilder.common();
-
   final dom.Element element;
-
-  NgBindHtmlDirective(this.element);
+  final dom.NodeValidator validator;
+
+  NgBindHtmlDirective(this.element, dom.NodeValidator this.validator);
 
   /**
    * Parsed expression from the `ng-bind-html` attribute.  The result of this
    * expression is innerHTML'd according to the rules specified in this class'
-   * documention.
+   * documentation.
    */
   set value(value) => element.setInnerHtml(value == null ? '' : value.toString(),
-                                           validator: validator) ;
+                                           validator: validator);
 }
diff --git a/test/directive/ng_bind_html_spec.dart b/test/directive/ng_bind_html_spec.dart
@@ -1,12 +1,10 @@
 library ng_bind_html_spec;
 
+import 'dart:html' as dom;
 import '../_specs.dart';
 
 main() {
   describe('BindHtmlDirective', () {
-    TestBed _;
-
-    beforeEach(inject((TestBed tb) => _ = tb));
 
     it('should sanitize and set innerHtml and sanitize and set html',
           inject((Scope scope, Injector injector, Compiler compiler, DirectiveMap directives) {
@@ -17,5 +15,28 @@ main() {
       // Sanitization removes the href attribute on the <a> tag.
       expect(element.html()).toEqual('<a><b>Google!</b></a>');
     }));
+
+    it('should use injected NodeValidator and override default sanitize behavior',
+          module((Module module) {
+      module.factory(dom.NodeValidator, (_) {
+        final validator = new NodeValidatorBuilder();
+        validator.allowNavigation(new AnyUriPolicy());
+        validator.allowTextElements();
+        return validator;
+      });
+
+      inject((Scope scope, Injector injector, Compiler compiler, DirectiveMap directives) {
+        var element = $('<div ng-bind-html="htmlVar"></div>');
+        compiler(element, directives)(injector, element);
+        scope.htmlVar = '<a href="http://www.google.com"><b>Google!</b></a>';
+        scope.$digest();
+        // Sanitation allows href attributes per injected sanitizer.
+        expect(element.html()).toEqual('<a href="http://www.google.com"><b>Google!</b></a>');
+      });
+    }));
   });
 }
+
+class AnyUriPolicy implements UriPolicy {
+  bool allowsUri(String uri) => true;
+}