fix($sanitize): remove inline style from sanitization Firefox bug detection

Inserting a `style` tag causes a CSP violation when using a strict CSP that
doesn't allow inline styles. The `style` tag doesn't seem relevant for the
Firefox bug detection, and can be replaced with a `span`, see issue angular#16463
for more details.

The related unit test in `sanitizeSpec.js`, "should not allow JavaScript
hidden in badly formed HTML to get through sanitization (Firefox bug)", is
left untouched and still uses `style` to assert that the behavior hasn't
changed in the original scenario.

Fixes angular#16463.
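As an added illustration of the CSP point made in the commit message (this is example code written for this page, not AngularJS code), the block below implements the CSP source-list fallback that decides whether an inline `<style>` element is permitted (`style-src-elem`, then `style-src`, then `default-src`) and applies it to the old and new probe markup from the diff. It simplifies by treating nonce and hash sources as non-matching, which is the situation for a `<style>` inserted through `innerHTML`, since such an element carries no nonce; the policy strings are constructed for the example.

```javascript
// Added example, not part of angular.js: a minimal evaluator for the CSP
// fallback rule governing inline <style> elements. Simplification: nonce- and
// hash-sources are treated as not matching, because a <style> inserted via
// innerHTML carries no nonce (assumption stated in the lead-in).

// Parse a Content-Security-Policy header value into directive -> source list.
// CSP ignores repeated directives, so the first occurrence wins.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Decide whether an inline <style> element is allowed under the policy.
// Order of precedence for style elements: style-src-elem, style-src,
// default-src. With none of them present, CSP imposes no restriction.
function inlineStyleAllowed(policy) {
  const directives = parseCsp(policy);
  const governing = ['style-src-elem', 'style-src', 'default-src']
    .find((d) => directives.has(d));
  if (!governing) return { allowed: true, directive: null };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  return { allowed: sources.includes("'unsafe-inline'"), directive: governing };
}

// Would inserting this markup into the document violate the policy?
// Only a <style> element is relevant here; a <span> never consults style-src.
function insertionViolates(markup, policy) {
  const hasStyleElement = /<style\b/i.test(markup);
  return hasStyleElement && !inlineStyleAllowed(policy).allowed;
}

// The two probe strings from the diff (before and after the change).
const OLD_PROBE = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
const NEW_PROBE = '<svg><p><span><img src="</span><img src=x onerror=alert(1)//">';

// Constructed policies: a strict one and one that opts back into inline styles.
const STRICT_CSP = "default-src 'self'; script-src 'self'; style-src 'self'";
const LAX_CSP = "default-src 'self'; style-src 'self' 'unsafe-inline'";

// Stand-alone run: the old probe trips the strict policy, the new one does not.
console.log('old probe violates strict CSP:', insertionViolates(OLD_PROBE, STRICT_CSP));
console.log('new probe violates strict CSP:', insertionViolates(NEW_PROBE, STRICT_CSP));
console.log('old probe violates lax CSP:', insertionViolates(OLD_PROBE, LAX_CSP));
```

The `default-src` fallback is the reason a page can hit this without ever writing `style-src`: a policy of just `default-src 'self'` already blocks the `<style>` probe, while the `<span>` probe is never subject to any style directive.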
peruukki committed Apr 14, 2020
1 parent 418355f commit a76cdd2
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/ngSanitize/sanitize.js
@@ -441,7 +441,7 @@ function $SanitizeProvider() {
return getInertBodyElement_XHR;
} else {
// Check for the Firefox bug - which prevents the inner img JS from being sanitized
inertBodyElement.innerHTML = '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
inertBodyElement.innerHTML = '<svg><p><span><img src="</span><img src=x onerror=alert(1)//">';
if (inertBodyElement.querySelector('svg img')) {
return getInertBodyElement_DOMParser;
} else {
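Review bot: the comment at the top of the hunk ("Check for the Firefox bug - which prevents the inner img JS from being sanitized") does not say why the probe now uses `<span>` rather than `<style>`, and the commit message states that the matching test in `sanitizeSpec.js` still uses `<style>`, so the `<span>` probe that actually runs in production is not exercised by the spec. Suggest extending the comment to record that `<style>` was dropped because inserting it violates a strict CSP (angular#16463), and adding a spec case that runs the detection with this exact `<span>` markup, so a later reader does not reinstate `<style>` and the changed detection path is covered.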
