No public description

PiperOrigin-RevId: 649387310

Author: securityMB

src/builders/html_sanitizer/css/sanitizer.ts

@@ -41,7 +41,7 @@ class CssSanitizer {
   constructor(
     private readonly propertyAllowlist: ReadonlySet<string>,
     private readonly functionAllowlist: ReadonlySet<string>,
-    private readonly resourceUrlPolicy: ResourceUrlPolicy,
+    private readonly resourceUrlPolicy: ResourceUrlPolicy | undefined,
     private readonly allowKeyframes: boolean,
     private readonly propertyDiscarders: PropertyDiscarder[],
   ) {}
@@ -142,18 +142,21 @@ class CssSanitizer {
           return null;
         }
         const url = nextToken.value;
-        const sanitizedUrl = this.resourceUrlPolicy(parseUrl(url), {
-          type: calledFromStyleTag
-            ? ResourceUrlPolicyHintsType.STYLE_TAG
-            : ResourceUrlPolicyHintsType.STYLE_ATTRIBUTE,
-          propertyName,
-        });
-        if (!sanitizedUrl) {
+        let parsedUrl: URL | null = parseUrl(url);
+        if (this.resourceUrlPolicy) {
+          parsedUrl = this.resourceUrlPolicy(parseUrl(url), {
+            type: calledFromStyleTag
+              ? ResourceUrlPolicyHintsType.STYLE_TAG
+              : ResourceUrlPolicyHintsType.STYLE_ATTRIBUTE,
+            propertyName,
+          });
+        }
+        if (!parsedUrl) {
           return null;
         }
         tokens[i + 1] = {
           tokenKind: CssTokenKind.STRING,
-          value: sanitizedUrl.toString(),
+          value: parsedUrl.toString(),
         };
 
         // Skip the string token.
@@ -293,7 +296,7 @@ export function sanitizeStyleTag(
   cssText: string,
   propertyAllowlist: ReadonlySet<string>,
   functionAllowlist: ReadonlySet<string>,
-  resourceUrlPolicy: ResourceUrlPolicy,
+  resourceUrlPolicy: ResourceUrlPolicy | undefined,
   allowKeyframes: boolean,
   propertyDiscarders: PropertyDiscarder[],
 ): string {
@@ -316,7 +319,7 @@ export function sanitizeStyleAttribute(
   cssText: string,
   propertyAllowlist: ReadonlySet<string>,
   functionAllowlist: ReadonlySet<string>,
-  resourceUrlPolicy: ResourceUrlPolicy,
+  resourceUrlPolicy: ResourceUrlPolicy | undefined,
   propertyDiscarders: PropertyDiscarder[],
 ): string {
   return new CssSanitizer(

test/builders/html_sanitizer/css/sanitizer_test.ts

@@ -122,6 +122,38 @@ describe('sanitizeStyleTag', () => {
     });
   }
 
+  describe('without a custom resource url policy', () => {
+    it('allows all URLs', () => {
+      const propertyAllowlist = new Set([
+        'background-image',
+        'border-image-source',
+        'cursor',
+      ]);
+      const functionAllowlist = new Set(['url']);
+      const sanitized = sanitizeStyleTag(
+        `
+          body { background-image: url("https://www.google.com") }
+          div { border-image-source: url("file:///etc/passwd") }
+          span { cursor: url(/relative/path), pointer }
+        `,
+        propertyAllowlist,
+        functionAllowlist,
+        undefined, // resourceUrlPolicy
+        false,
+        [],
+      );
+      const relativePath = new URL(
+        '/relative/path',
+        document.baseURI,
+      ).toString();
+      expect(sanitized).toEqual(
+        `body { background-image: url("https://www.google.com/"); }
+div { border-image-source: url("file:///etc/passwd"); }
+span { cursor: url("${relativePath}"), pointer; }`,
+      );
+    });
+  });
+
   describe('with a custom resource url policy', () => {
     it('calls the policy with a valid URL and hints', () => {
       const resourceUrlPolicy = jasmine