author
Alister Stevens
committed
Ensure core inline styling is always loaded with AngularJS. Fix the bootstrap process not consistently working due to eagerly removed load event listener
1 parent 7b394f3 commit b68c23a

7 files changed

+25
-292
lines changed


css/angular-scenario.css

Lines changed: 0 additions & 247 deletions
This file was deleted.

css/angular.css

Lines changed: 0 additions & 19 deletions
This file was deleted.

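--- a/src/Angular.js
+++ b/src/Angular.js
@@ -1154,13 +1154,11 @@ var csp = function() {
 var ngCspAttribute = ngCspElement.getAttribute('ng-csp') ||
 ngCspElement.getAttribute('data-ng-csp');
 csp.rules = {
-noUnsafeEval: !ngCspAttribute || (ngCspAttribute.includes('no-unsafe-eval')),
-noInlineStyle: !ngCspAttribute || (ngCspAttribute.includes('no-inline-style'))
+noUnsafeEval: !ngCspAttribute || (ngCspAttribute.includes('no-unsafe-eval'))
 };
 } else {
 csp.rules = {
-noUnsafeEval: noUnsafeEval(),
-noInlineStyle: false
+noUnsafeEval: noUnsafeEval()
 };
 }
 }
@@ -1532,6 +1530,10 @@ function getNgAttribute(element, ngAttr) {
 
 function allowAutoBootstrap(document) {
 var script = document.currentScript;
+if (!script) {
+return true;
+}
+
 // If the `currentScript` property has been clobbered just return false, since this indicates a probable attack
 if (!(script instanceof window.HTMLScriptElement || script instanceof window.SVGScriptElement)) {
 return false;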
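Review bot: The new `if (!script) { return true; }` at the top of allowAutoBootstrap turns a missing `document.currentScript` into a fail-open — before this change `null` failed the `instanceof` test below and auto-bootstrap was refused, now it is permitted before any of the origin checks that presumably follow in the rest of the function, which ends outside the hunk. That is defensible for engines without `currentScript`, but the property is also `null` when the script runs as a module or whenever this function is invoked after AngularJS's own evaluation has finished (for example from a deferred ready callback), and in those cases the protection the clobber comment refers to is skipped silently. The guard deserves a comment so nobody later moves the call: `// currentScript is null when AngularJS is not evaluated synchronously as a classic script (no browser support, module script, or a call made after evaluation). The origin check below cannot run then; keep this call inside top-level script evaluation.` Separately, the first hunk drops `noInlineStyle` from `csp.rules` while the attribute parser still accepts the `no-inline-style` token without complaint (the spec in this commit still passes `'no-inline-style;no-unsafe-eval'`), so it is now accepted but ignored with no warning to the application.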

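--- a/src/jqLite.js
+++ b/src/jqLite.js
@@ -553,6 +553,7 @@ function jqLiteDocumentLoaded(action, win) {
 function jqLiteReady(fn) {
 function trigger() {
 window.document.removeEventListener('DOMContentLoaded', trigger);
+window.removeEventListener('load', trigger);
 fn();
 }
 
@@ -561,6 +562,7 @@ function jqLiteReady(fn) {
 window.setTimeout(fn);
 } else {
 window.document.addEventListener('DOMContentLoaded', trigger);
+window.addEventListener('load', trigger);
 }
 }
 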
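Review bot: The `load` registration added in the second hunk carries no comment explaining why a second event is bound to the same callback, and `trigger` in the first hunk now unregisters both so whichever fires first wins; a reader will otherwise take the second registration for a leftover. Presumably this covers the case the commit message alludes to, where `DOMContentLoaded` has already fired while the readiness test above the hunk does not yet treat the document as loaded, so only `load` is still pending — that condition sits outside the hunk and cannot be confirmed here. Suggest, above the `load` registration: `// Fallback: DOMContentLoaded may already have fired while the document is not yet` / `// 'complete'; 'load' is still pending then. trigger() removes both so fn runs once.`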

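--- /dev/null
+++ b/src/ng/injectStyles.js
@@ -0,0 +1,8 @@
+angular.element(document.head).prepend(
+'<style type="text/css">' +
+'@charset "UTF-8";' +
+'[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide:not(.ng-hide-animate){display:none !important;}' +
+'.ng-animate-shim{visibility:hidden;}' +
+'.ng-anchor{position:absolute;}' +
+'</style>'
+);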
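Review bot: Injecting the core rules as an HTML `<style>` string is blocked and reported on every page load under a Content-Security-Policy whose `style-src` lacks `'unsafe-inline'`, and because this commit also removes the `noInlineStyle` CSP rule an application no longer has any way to opt out of the injection. Building the element with the DOM API and carrying the loading script's nonce lets it pass nonce-based policies, which is the usual way to ship library styles under strict CSP. The `@charset` rule is only honoured at the start of an external stylesheet and is ignored inside a `<style>` element, so it is dead text, and `type="text/css"` is the default and can go. This file also assumes `angular.element` and `document.head` exist at evaluation time, which depends on a concatenation order not visible in this diff.

```javascript
// Core rules (ng-cloak, ng-hide, animation shims) that must apply even when
// the page does not link AngularJS's stylesheet.
var coreStyle = document.createElement('style');
// Propagate the loading script's CSP nonce so a `style-src 'nonce-…'` policy
// accepts this element instead of blocking and reporting it.
var loader = document.currentScript;
if (loader && loader.nonce) {
  coreStyle.nonce = loader.nonce;
}
coreStyle.textContent =
  '[ng-cloak],[data-ng-cloak],[x-ng-cloak],.ng-cloak,.x-ng-cloak,.ng-hide:not(.ng-hide-animate){display:none !important;}' +
  '.ng-animate-shim{visibility:hidden;}' +
  '.ng-anchor{position:absolute;}';
document.head.insertBefore(coreStyle, document.head.firstChild);
```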

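--- a/test/AngularSpec.js
+++ b/test/AngularSpec.js
@@ -1055,52 +1055,43 @@ describe('angular', function() {
 
 
 it('should return the false for all rules when CSP is not enabled (the default)', function() {
-expect(angular.$$csp()).toEqual({ noUnsafeEval: false, noInlineStyle: false });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: false });
 });
 
 
 it('should return true for noUnsafeEval if eval causes a CSP security policy error', function() {
 window.Function.mockImplementation(function() { throw new Error('CSP test'); });
-expect(angular.$$csp()).toEqual({ noUnsafeEval: true, noInlineStyle: false });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: true });
 expect(window.Function).toHaveBeenCalledWith('');
 });
 
 
 it('should return true for all rules when CSP is enabled manually via empty `ng-csp` attribute', function() {
 var spy = mockCspElement('ng-csp');
-expect(angular.$$csp()).toEqual({ noUnsafeEval: true, noInlineStyle: true });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: true });
 expect(spy).toHaveBeenCalledWith('[ng-csp]');
 expect(window.Function).not.toHaveBeenCalled();
 });
 
 
 it('should return true when CSP is enabled manually via [data-ng-csp]', function() {
 var spy = mockCspElement('data-ng-csp');
-expect(angular.$$csp()).toEqual({ noUnsafeEval: true, noInlineStyle: true });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: true });
 expect(spy).toHaveBeenCalledWith('[data-ng-csp]');
 expect(window.Function).not.toHaveBeenCalled();
 });
 
 
 it('should return true for noUnsafeEval if it is specified in the `ng-csp` attribute value', function() {
 var spy = mockCspElement('ng-csp', 'no-unsafe-eval');
-expect(angular.$$csp()).toEqual({ noUnsafeEval: true, noInlineStyle: false });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: true });
 expect(spy).toHaveBeenCalledWith('[ng-csp]');
 expect(window.Function).not.toHaveBeenCalled();
 });
 
-
-it('should return true for noInlineStyle if it is specified in the `ng-csp` attribute value', function() {
-var spy = mockCspElement('ng-csp', 'no-inline-style');
-expect(angular.$$csp()).toEqual({ noUnsafeEval: false, noInlineStyle: true });
-expect(spy).toHaveBeenCalledWith('[ng-csp]');
-expect(window.Function).not.toHaveBeenCalled();
-});
-
-
 it('should return true for all styles if they are all specified in the `ng-csp` attribute value', function() {
 var spy = mockCspElement('ng-csp', 'no-inline-style;no-unsafe-eval');
-expect(angular.$$csp()).toEqual({ noUnsafeEval: true, noInlineStyle: true });
+expect(angular.$$csp()).toEqual({ noUnsafeEval: true });
 expect(spy).toHaveBeenCalledWith('[ng-csp]');
 expect(window.Function).not.toHaveBeenCalled();
 });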
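Review bot: The last spec in the hunk still passes `'no-inline-style;no-unsafe-eval'` under the title `should return true for all styles if they are all specified`, but after this commit only `noUnsafeEval` exists, so the test no longer checks what its name claims; either retitle it, e.g. `it('should ignore unrecognised tokens such as no-inline-style in the ng-csp attribute value', …)`, or drop the dead token. The commit also introduces two new code paths with no spec at all — the `!script` early return in allowAutoBootstrap and the `load` fallback in jqLiteReady; a test that sets `document.currentScript` to null and asserts auto-bootstrap is allowed, and one that dispatches `load` without `DOMContentLoaded` and asserts the callback runs exactly once, would pin the behaviour the commit message describes. The enclosing describe block starts and ends outside the hunk.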
