fix($parse): forbid __proto__ properties in angular expressions

__proto__ can be used to mess with global prototypes and it's
deprecated. Therefore, blacklisting it seems like a good idea.

BREAKING CHANGE:
The (deprecated) __proto__ property does not work inside angular expressions
anymore.
Jann Horn
2014-06-09 00:03:50 +02:00
committed by Igor Minar
parent 89ca859734
commit cb713e6045
2 changed files with 23 additions and 0 deletions


@@ -1106,6 +1106,22 @@ describe('parser', function() {
});
});
describe('__proto__', function() {
it('should NOT allow access to __proto__', function() {
expect(function() {
scope.$eval('{}.__proto__.foo = 1');
}).toThrowMinErr(
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
' Expression: {}.__proto__.foo = 1');
expect(function() {
scope.$eval('{}["__pro"+"to__"].foo = 1');
}).toThrowMinErr(
'$parse', 'isecproto', 'Using __proto__ in Angular expressions is disallowed!'+
' Expression: {}["__pro"+"to__"].foo = 1');
});
});
describe('constant', function() {
it('should mark scalar value expressions as constant', inject(function($parse) {