test(security): Ensure xlink:href is not bindable.

The DOM schema does not allow binding any properties to dangerous SVG attributes/properties. This change adds a smoke test to verify that behaviour, by testing that `xlink:href` (a sample dangerous property) is not bindable. Fixes angular#9510.
diptim01 · Jun 23, 2016 · 5ab0534 · 5ab0534
1 parent 5150344
commit 5ab0534
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/modules/@angular/core/test/linker/security_integration_spec.ts b/modules/@angular/core/test/linker/security_integration_spec.ts
@@ -194,6 +194,19 @@ function declareTests({useJit}: {useJit: boolean}) {
                 });
           });
 
+      itAsync(
+          'should escape unsafe SVG attributes',
+          (tcb: TestComponentBuilder, async: AsyncTestCompleter) => {
+            let tpl = `<svg:circle [xlink:href]="ctxProp">Text</svg:circle>`;
+            tcb = tcb.overrideView(
+                SecuredComponent, new ViewMetadata({template: tpl, directives: []}));
+            PromiseWrapper.catchError(tcb.createAsync(SecuredComponent), (e) => {
+              expect(e.message).toContain(`Can't bind to 'xlink:href'`);
+              async.done();
+              return null;
+            });
+          });
+
       itAsync(
           'should escape unsafe HTML values',
           (tcb: TestComponentBuilder, async: AsyncTestCompleter) => {