Adjust regex SAFE_URL_PATTERN for use with test method of regexes. (#33136)

The test method on regexes behaves different than the match method on strings in the presence of the global modifier. Add a unit test for sanitizing the same template twice. Co-authored-by: XhmikosR <xhmikosr@gmail.com>
2024-12-01 13:24:25 +01:00 · 2021-02-19 09:24:53 +01:00 · 2021-02-19 09:24:53 +01:00 · e8f08d1802
commit e8f08d1802
parent 454d8ae1f4
2 changed files with 11 additions and 1 deletions
--- a/js/src/util/sanitizer.js
+++ b/js/src/util/sanitizer.js
@ -23,7 +23,7 @@ const ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i
 *
 * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts
 */
-const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/gi
+const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/i

 /**
 * A pattern that matches safe data URLs. Only matches image, video and audio types.
--- a/js/tests/unit/util/sanitizer.spec.js
+++ b/js/tests/unit/util/sanitizer.spec.js
@ -66,5 +66,15 @@ describe('Sanitizer', () => {
      expect(result).toEqual(template)
      expect(DOMParser.prototype.parseFromString).not.toHaveBeenCalled()
    })
+
+    it('should allow multiple sanitation passes of the same template', () => {
+      const template = '<img src="test.jpg">'
+
+      const firstResult = sanitizeHtml(template, DefaultAllowlist, null)
+      const secondResult = sanitizeHtml(template, DefaultAllowlist, null)
+
+      expect(firstResult).toContain('src')
+      expect(secondResult).toContain('src')
+    })
  })
 })