Adjust `SAFE_URL_PATTERN` regex for use with `test` method. (#33153)

The `test` method on regexes does not behave like `match` on strings for checks if the regex matches when the global modifier (g) is present. Also adds a unit test on tooltips for sanitizing the same template twice. Co-authored-by: XhmikosR <xhmikosr@gmail.com>
2021-03-02 16:16:09 +01:00 · 2021-03-02 16:16:09 +01:00 · 7ad0625b8d
parent 8ec32eec44
commit 7ad0625b8d
2 changed files with 21 additions and 1 deletions
--- a/js/src/tools/sanitizer.js
+++ b/js/src/tools/sanitizer.js
@ -57,7 +57,7 @@ export const DefaultWhitelist = {
 *
 * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts
 */
-const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/gi
+const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/i

 /**
 * A pattern that matches safe data URLs. Only matches image, video and audio types.
--- a/js/tests/unit/tooltip.js
+++ b/js/tests/unit/tooltip.js
@ -1333,4 +1333,24 @@ $(function () {
    assert.strictEqual(tooltip.hasClass('a b'), true)
    assert.strictEqual(tooltip.hasClass('tooltip fade bs-tooltip-top show'), true)
  })
+
+  QUnit.test('HTML content can be passed through sanitation multiple times', function (assert) {
+    assert.expect(2)
+
+    // Add the same tooltip twice, so the template will be sanitized twice as well.
+    for (var i = 0; i <= 1; i++) {
+      $('<a href="#" rel="tooltip" data-trigger="click" title="<img src=\'test.jpg\'>" />')
+        .appendTo('#qunit-fixture')
+        .bootstrapTooltip({
+          html: true
+        })
+        .bootstrapTooltip('show')
+    }
+
+    var tooltip1Image = $('.tooltip:first img')
+    var tooltip2Image = $('.tooltip:last img')
+
+    assert.strictEqual(tooltip1Image.attr('src'), 'test.jpg')
+    assert.strictEqual(tooltip2Image.attr('src'), 'test.jpg')
+  })
 })