diff --git a/js/src/tools/sanitizer.js b/js/src/tools/sanitizer.js
index 3878a43655..261db35d81 100644
--- a/js/src/tools/sanitizer.js
+++ b/js/src/tools/sanitizer.js
@@ -57,7 +57,7 @@ export const DefaultWhitelist = {
 *
 * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts
 */
-const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/gi
+const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/i
 
 /**
 * A pattern that matches safe data URLs. Only matches image, video and audio types.
diff --git a/js/tests/unit/tooltip.js b/js/tests/unit/tooltip.js
index 3c2423921d..0f924c47d4 100644
--- a/js/tests/unit/tooltip.js
+++ b/js/tests/unit/tooltip.js
@@ -1333,4 +1333,24 @@ $(function () {
 assert.strictEqual(tooltip.hasClass('a b'), true)
 assert.strictEqual(tooltip.hasClass('tooltip fade bs-tooltip-top show'), true)
 })
+
+ QUnit.test('HTML content can be passed through sanitation multiple times', function (assert) {
+ assert.expect(2)
+
+ // Add the same tooltip twice, so the template will be sanitized twice as well.
+ for (var i = 0; i <= 1; i++) {
+ $('')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ html: true
+ })
+ .bootstrapTooltip('show')
+ }
+
+ var tooltip1Image = $('.tooltip:first img')
+ var tooltip2Image = $('.tooltip:last img')
+
+ assert.strictEqual(tooltip1Image.attr('src'), 'test.jpg')
+ assert.strictEqual(tooltip2Image.attr('src'), 'test.jpg')
+ })
 })
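Review bot: The reason for dropping the `g` flag from `SAFE_URL_PATTERN` is not recorded next to the constant, so a later cleanup could put it back. A global regex keeps `lastIndex` between `.test()`/`.exec()` calls, so the sanitizer's allow/deny verdict for a URL attribute would depend on what was checked before it. I would add `// No g flag: a global regex is stateful (lastIndex); the verdict must not depend on earlier calls` to the doc comment above the constant. The data-URL pattern documented just below is defined outside this hunk, as is the call site, so both should be checked for the same flag and for how the patterns are applied.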
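Review bot: The two assertions in the new test do not prove that a second tooltip was rendered: if only one `.tooltip` element exists, `:first` and `:last` select the same node and the test passes without exercising the second sanitation pass. I would add `assert.strictEqual($('.tooltip').length, 2)` and raise the count to `assert.expect(3)`. The test also covers only the attribute that should survive; a companion case asserting that a URL attribute the sanitizer rejects is still stripped on the second pass would pin the deny side of the allow-list too. The fixture markup inside `$('')` is not visible on this page, so this assumes its title carries an `img` whose `src` is `test.jpg`.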