fix(*): Move closer to the old URL sanitization plus misc fixes in tests.

Only apply the $sce.URL context where there was previously sanitization, so
that the final result matches more closely the old behaviors. Also, fix a
few minor mistakes in tests (mismatching tags, wrong expected errors,
differences with the surrounding testing style), and mock out $$sanitizeUri
where it makes sense.

Author: rjamet

src/ng/compile.js

@@ -1321,6 +1321,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 
         nodeName = nodeName_(this.$$element);
 
+
         // img[srcset] is a bit too weird of a beast to handle through $sce.
         // Instead, for now at least, sanitize each of the URIs individually.
         // That works even dynamically, but it's not bypassable through the $sce.
@@ -2788,12 +2789,11 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
           (tag != "img" && (attrNormalizedName == "src" ||
                             attrNormalizedName == "ngSrc"))) {
         return $sce.RESOURCE_URL;
-      } else if (attrNormalizedName == "src" ||
-          attrNormalizedName == "href" ||
-          attrNormalizedName == "ngHref" ||
-          attrNormalizedName == "ngSrc") {
-        // All that is not a RESOURCE_URL but still a URL. This might be overkill for some
-        // attributes, but the sanitization is permissive, so it should not be troublesome.
+      } else if (tag == "img" && (attrNormalizedName == "src" ||
+                                  attrNormalizedName == "ngSrc") ||
+          tag == "a" && (attrNormalizedName == "href" ||
+                         attrNormalizedName == "xlinkHref" ||
+                         attrNormalizedName == "ngHref")) {
         return $sce.URL;
       }
     }

test/ng/compileSpec.js

@@ -8845,39 +8845,6 @@ describe('$compile', function() {
 
   describe('img[src] sanitization', function() {
 
-    it('should NOT require trusted values for img src', inject(function($rootScope, $compile, $sce) {
-      element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
-      $rootScope.testUrl = 'http://example.com/image.png';
-      $rootScope.$digest();
-      expect(element.attr('src')).toEqual('http://example.com/image.png');
-      // But it should accept trusted values anyway.
-      $rootScope.testUrl = $sce.trustAsUrl('http://example.com/image2.png');
-      $rootScope.$digest();
-      expect(element.attr('src')).toEqual('http://example.com/image2.png');
-    }));
-
-    it('should accept trusted values for img src', inject(function($rootScope, $compile, $sce) {
-      /* jshint scripturl:true */
-      element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
-      $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
-      $rootScope.$digest();
-      expect(element.attr('src')).toEqual('javascript:foo();');
-    }));
-
-    it('should sanitize concatenated trusted values for img src', inject(function($rootScope, $compile, $sce) {
-      /* jshint scripturl:true */
-      element = $compile('<img src="{{testUrl}}ponies"></img>')($rootScope);
-      $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
-      $rootScope.$digest();
-      expect(element.attr('src')).toEqual('unsafe:javascript:foo();ponies');
-
-      element = $compile('<img src="http://{{testUrl}}"></img>')($rootScope);
-      $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
-      $rootScope.$digest();
-      expect(element.attr('src')).toEqual('http://javascript:foo();');
-    }));
-
-
     it('should not sanitize attributes other than src', inject(function($compile, $rootScope) {
       /* jshint scripturl:true */
       element = $compile('<img title="{{testUrl}}"></img>')($rootScope);
@@ -8936,6 +8903,45 @@ describe('$compile', function() {
         expect($$sanitizeUri).toHaveBeenCalledWith($rootScope.testUrl);
       });
     });
+
+
+    it('should sanitize concatenated trusted values', function() {
+      /* jshint scripturl:true */
+      var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
+      module(function($provide) {
+        $provide.value('$$sanitizeUri', $$sanitizeUri);
+      });
+      inject(function($compile, $rootScope, $sce) {
+        $$sanitizeUri.and.returnValue('someSanitizedUrl');
+        element = $compile('<img src="{{testUrl}}ponies"></img>')($rootScope);
+        $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
+        $rootScope.$digest();
+        expect(element.attr('src')).toEqual('someSanitizedUrl');
+
+        element = $compile('<img src="http://{{testUrl}}"></img>')($rootScope);
+        $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
+        $rootScope.$digest();
+        expect(element.attr('src')).toEqual('someSanitizedUrl');
+      });
+    });
+
+    it('should not use $$sanitizeUri with trusted values', function() {
+      /* jshint scripturl:true */
+      var $$sanitizeUri = jasmine.createSpy('$$sanitizeUri');
+      module(function($provide) {
+        $provide.value('$$sanitizeUri', $$sanitizeUri);
+      });
+      inject(function($compile, $rootScope, $sce) {
+
+        element = $compile('<img src="{{testUrl}}"></img>')($rootScope);
+        $rootScope.testUrl = $sce.trustAsUrl('javascript:foo();');
+
+        $$sanitizeUri.and.throwError('Should not have been called');
+        $rootScope.$apply();
+
+        expect(element.attr('src')).toEqual('javascript:foo();');
+      });
+    });
   });
 
   describe('img[srcset] sanitization', function() {
@@ -8984,12 +8990,12 @@ describe('$compile', function() {
 
         element = $compile('<img srcset="{{testUrl}}, {{testUrl}}"></img>')($rootScope);
         $rootScope.testUrl = 'javascript:yay';
-        $rootScope.$digest();
+        $rootScope.$apply();
         expect(element.attr('srcset')).toEqual('someSanitizedUrl ,someSanitizedUrl');
 
         element = $compile('<img srcset="java{{testUrl}}"></img>')($rootScope);
         $rootScope.testUrl = 'script:yay, javascript:nay';
-        $rootScope.$digest();
+        $rootScope.$apply();
         expect(element.attr('srcset')).toEqual('someSanitizedUrl ,someSanitizedUrl');
       });
     });

test/ng/directive/booleanAttrsSpec.js

@@ -118,7 +118,7 @@ describe('boolean attr directives', function() {
 describe('ngSrc', function() {
   it('should interpolate the expression and bind to src with raw same-domain value',
       inject(function($compile, $rootScope) {
-        var element = $compile('<img ng-src="{{id}}"></div>')($rootScope);
+        var element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
 
         $rootScope.$digest();
         expect(element.attr('src')).toBeUndefined();
@@ -133,7 +133,7 @@ describe('ngSrc', function() {
 
 
   it('should interpolate the expression and bind to src with a trusted value', inject(function($compile, $rootScope, $sce) {
-    var element = $compile('<iframe ng-src="{{id}}"></div>')($rootScope);
+    var element = $compile('<iframe ng-src="{{id}}"></iframe>')($rootScope);
 
     $rootScope.$digest();
     expect(element.attr('src')).toBeUndefined();
@@ -181,7 +181,7 @@ describe('ngSrc', function() {
 
   it('should NOT interpolate a wrongly typed expression', inject(function($compile, $rootScope, $sce) {
     expect(function() {
-      var element = $compile('<iframe ng-src="{{id}}"></div>')($rootScope);
+      var element = $compile('<iframe ng-src="{{id}}"></iframe>')($rootScope);
       $rootScope.$apply(function() {
         $rootScope.id = $sce.trustAsUrl('http://somewhere');
       });
@@ -198,19 +198,19 @@ describe('ngSrc', function() {
           // then calling element.setAttribute('src', 'foo') doesn't do anything, so we need
           // to set the property as well to achieve the desired effect
 
-          var element = $compile('<img ng-src="{{id}}"></div>')($rootScope);
+          var element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
 
           $rootScope.$digest();
           expect(element.prop('src')).toBeUndefined();
           dealoc(element);
 
-          element = $compile('<img ng-src="some/"></div>')($rootScope);
+          element = $compile('<img ng-src="some/"></img>')($rootScope);
 
           $rootScope.$digest();
           expect(element.prop('src')).toEqual('some/');
           dealoc(element);
 
-          element = $compile('<img ng-src="{{id}}"></div>')($rootScope);
+          element = $compile('<img ng-src="{{id}}"></img>')($rootScope);
           $rootScope.$apply(function() {
             $rootScope.id = $sce.trustAsResourceUrl('http://somewhere');
           });
@@ -296,9 +296,8 @@ describe('ngHref', function() {
     // IE11/10/Edge fail when setting a href to a URL containing a % that isn't a valid escape sequence
     // See https://github.com/angular/angular.js/issues/13388
     it('should throw error if ng-href contains a non-escaped percent symbol', inject(function($rootScope, $compile) {
-      element = $compile('<a ng-href="http://www.google.com/{{\'a%link\'}}">')($rootScope);
-
       expect(function() {
+        element = $compile('<a ng-href="http://www.google.com/{{\'a%link\'}}">')($rootScope);
         $rootScope.$digest();
       }).toThrow();
     }));

test/ngMessageFormat/messageFormatSpec.js

@@ -537,7 +537,7 @@ describe('$$ngMessageFormat', function() {
         }).toThrowMinErr(
                   "$interpolate", "noconcat", "Error while interpolating: {{foo}}{{bar}}\n" +
                   "Strict Contextual Escaping disallows interpolations that concatenate multiple " +
-                  "expressions when a trusted value is required.  See " +
+                  "expressions in some secure contexts. See " +
                   "http://docs.angularjs.org/api/ng.$sce");
       }));
     });
@@ -626,19 +626,19 @@ describe('$$ngMessageFormat', function() {
           }).toThrowMinErr(
               "$interpolate", "noconcat", "Error while interpolating: constant/{{var}}\nStrict " +
               "Contextual Escaping disallows interpolations that concatenate multiple expressions " +
-              "when a trusted value is required.  See http://docs.angularjs.org/api/ng.$sce");
+              "in some secure contexts. See http://docs.angularjs.org/api/ng.$sce");
         expect(function() {
           $interpolate('{{var}}/constant', true, isTrustedContext);
         }).toThrowMinErr(
             "$interpolate", "noconcat", "Error while interpolating: {{var}}/constant\nStrict " +
               "Contextual Escaping disallows interpolations that concatenate multiple expressions " +
-              "when a trusted value is required.  See http://docs.angularjs.org/api/ng.$sce");
+              "in some secure contexts. See http://docs.angularjs.org/api/ng.$sce");
         expect(function() {
             $interpolate('{{foo}}{{bar}}', true, isTrustedContext);
           }).toThrowMinErr(
               "$interpolate", "noconcat", "Error while interpolating: {{foo}}{{bar}}\nStrict " +
               "Contextual Escaping disallows interpolations that concatenate multiple expressions " +
-              "when a trusted value is required.  See http://docs.angularjs.org/api/ng.$sce");
+              "in some secure contexts. See http://docs.angularjs.org/api/ng.$sce");
       }));
 
       it('should interpolate a multi-part expression when isTrustedContext is false', inject(function($interpolate) {