refactor(misc): remove usages of whitelist and blacklist

Remove miscellaneous usages and references to usages of whitelist and blacklist throughout the repository.
angular · Sep 30, 2020 · 3dd42ce · 3dd42ce
1 parent 7673810
commit 3dd42ce
Show file tree

Hide file tree

Showing 16 changed files with 169 additions and 106 deletions.
diff --git a/.eslintrc-todo.json b/.eslintrc-todo.json
@@ -15,7 +15,7 @@
     // Stylistic issues
     "block-spacing": ["error", "always"],
     "comma-spacing": "error",
-    "id-blacklist": ["error", "event"],
+    "id-denylist": ["error", "event"],
     "indent": ["error", 2],
     "key-spacing": ["error", { "beforeColon": false, "afterColon": true, "mode": "minimum" }],
     "object-curly-spacing": ["error", "never"],

diff --git a/docs/config/processors/versions-data.js b/docs/config/processors/versions-data.js
@@ -13,11 +13,11 @@ module.exports = function generateVersionDocProcessor(gitData) {
   return {
     $runAfter: ['generatePagesDataProcessor'],
     $runBefore: ['rendering-docs'],
-    // the blacklist is to remove rogue builds that are in the npm repository but not on code.angularjs.org
-    blacklist: ['1.3.4-build.3588'],
+    // Remove rogue builds that are in the npm repository but not on code.angularjs.org
+    ignoredBuilds: ['1.3.4-build.3588'],
     $process: function(docs) {
 
-      var blacklist = this.blacklist;
+      var ignoredBuilds = this.ignoredBuilds;
       var currentVersion = require('../../../build/version.json');
       var output = exec('yarn info angular versions --json', { silent: true }).stdout.split('\n')[0];
       var allVersions = processAllVersionsResponse(JSON.parse(output).data);
@@ -57,7 +57,7 @@ module.exports = function generateVersionDocProcessor(gitData) {
 
         versions = versions
             .filter(function(versionStr) {
-              return blacklist.indexOf(versionStr) === -1;
+              return ignoredBuilds.indexOf(versionStr) === -1;
             })
             .map(function(versionStr) {
               return semver.parse(versionStr);

diff --git a/docs/content/guide/accessibility.ngdoc b/docs/content/guide/accessibility.ngdoc
@@ -327,7 +327,7 @@ The default CSS for `ngHide`, the inverse method to `ngShow`, makes ngAria redun
 
 <h2><span id="ngclick">ngClick</span> and <span id="ngdblclick">ngDblclick</span></h2>
 If `ng-click` or `ng-dblclick` is encountered, ngAria will add `tabindex="0"` to any element not in
-a node blacklist:
+the list of built in aria nodes:
 
  * Button
  * Anchor
@@ -337,7 +337,8 @@ a node blacklist:
  * Details/Summary
 
 To fix widespread accessibility problems with `ng-click` on `div` elements, ngAria will
-dynamically bind a keypress event by default as long as the element isn't in the node blacklist.
+dynamically bind a keypress event by default as long as the element isn't in a node from the list of
+built in aria nodes.
 You can turn this functionality on or off with the `bindKeypress` configuration option.
 
 ngAria will also add the `button` role to communicate to users of assistive technologies. This can

diff --git a/docs/content/guide/migration.ngdoc b/docs/content/guide/migration.ngdoc
@@ -276,15 +276,16 @@ statement.
 **Due to [6ccbfa](https://github.com/angular/angular.js/commit/6ccbfa65d60a3dc396d0cf6da21b993ad74653fd)**,
 the `xlink:href` security context for SVG's `a` and `image` elements has been lowered.
 
-In the unlikely case that an app relied on `RESOURCE_URL` whitelisting for the
+In the unlikely case that an app relied on `RESOURCE_URL` trusted list for the
 purpose of binding to the `xlink:href` property of SVG's `<a>` or `<image>`
 elements and if the values do not pass the regular URL sanitization, they will
 break.
 
 To fix this you need to ensure that the values used for binding to the affected
-`xlink:href` contexts are considered safe URLs, e.g. by whitelisting them in
-`$compileProvider`'s `aHrefSanitizationTrustedUri` (for `<a>` elements) or
-`imgSrcSanitizationTrustedUri` (for `<image>` elements).
+`xlink:href` contexts are considered safe URLs, e.g. by trusting them in
+`$compileProvider`'s `aHrefSanitizationWhitelist` (called `aHrefSanitizationTrustedUrlList` form
+1.8.1 onwards) (for `<a>` elements) or `imgSrcSanitizationWhitelist` (called
+`imgSrcSanitizationTrustedUrlList` from 1.8.1 onwards) (for `<image>` elements).
 
 <hr />
 
@@ -1309,7 +1310,7 @@ running at `https://docs.angularjs.org` then the following will fail:
 
 By default, only URLs with the same domain and protocol as the application document are considered
 safe in the `RESOURCE_URL` context. To use URLs from other domains and/or protocols, you may either
-whitelist them or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
+add them to the trusted source URL list or wrap them into a trusted value by calling `$sce.trustAsResourceUrl(url)`.
 
 <hr />
 <minor />
@@ -1387,12 +1388,12 @@ $http.json('other/trusted/url', {jsonpCallbackParam: 'cb'});
 all JSONP requests now require the URL to be trusted as a resource URL. There are two approaches to
 trust a URL:
 
-1. **Setting trusted resource URLs with the `$sceDelegateProvider.trustedResourceUrlList()` method.**
+1. **Setting trusted resource URLs with the `$sceDelegateProvider.resourceUrlWhitelist()` (called `trustedResourceUrlList()` from 1.8.1 onwards) method.**
    You configure this list in a module configuration block:
 
     ```js
     appModule.config(['$sceDelegateProvider', function($sceDelegateProvider) {
-      $sceDelegateProvider.trustedResourceUrlList([
+      $sceDelegateProvider.resourceUrlWhitelist([
         // Allow same origin resource loads.
         'self',
         // Allow JSONP calls that match this pattern
@@ -2207,7 +2208,7 @@ service does not have access to the resource in order to sanitize it.
 Similarly, due to [234053fc](https://github.com/angular/angular.js/commit/234053fc9ad90e0d05be7e8359c6af66be94c094),
 the `$sanitize` service will now also remove instances of the `usemap` attribute from any elements
 passed to it. This attribute is used to reference another element by `name` or `id`. Since the
-`name` and `id` attributes are already blacklisted, a sanitized `usemap` attribute could only
+`name` and `id` attributes are already banned, a sanitized `usemap` attribute could only
 reference unsanitized content, which is a security risk.
 
 Due to [98c2db7f](https://github.com/angular/angular.js/commit/98c2db7f9c2d078a408576e722407d518c7ee10a),
@@ -2662,11 +2663,12 @@ $scope.findTemplate = function(templateName) {
   return templateCache[templateName];
 };
 
-// Alternatively, use `$sceDelegateProvider.trustedResourceUrlList()`, which means you don't
+// Alternatively, use `$sceDelegateProvider..resourceUrlWhitelist()` (called
+// `trustedResourceUrlList()` from 1.8.1 onwards), which means you don't
 // have to use `$sce.trustAsResourceUrl()` at all:
 
 angular.module('myApp', []).config(function($sceDelegateProvider) {
-  $sceDelegateProvider.trustedResourceUrlList(['self', 'https://example.com/templates/**'])
+  $sceDelegateProvider.resourceUrlWhitelist(['self', 'https://example.com/templates/**'])
 });
 ```
 
@@ -3353,7 +3355,7 @@ below should still apply, but you may want to consult the
   <li>{@link guide/migration#directive-priority Directive priority}</li>
   <li>{@link guide/migration#ngscenario ngScenario}</li>
   <li>{@link guide/migration#nginclude-and-ngview-replace-its-entire-element-on-update ngInclude and ngView replace its entire element on update}</li>
-  <li>{@link guide/migration#urls-are-now-sanitized-against-a-whitelist URLs are now sanitized against a whitelist}</li>
+  <li>{@link guide/migration#urls-are-now-sanitized-against-a-trusted-uri-matcher URLs are now sanitized against a trusted URI matcher}</li>
   <li>{@link guide/migration#isolate-scope-only-exposed-to-directives-with-scope-property Isolate scope only exposed to directives with <code>scope</code> property}</li>
   <li>{@link guide/migration#change-to-interpolation-priority Change to interpolation priority}</li>
   <li>{@link guide/migration#underscore-prefixed-suffixed-properties-are-non-bindable Underscore-prefixed/suffixed properties are non-bindable}</li>
@@ -3843,10 +3845,10 @@ See [7d69d52a](https://github.com/angular/angular.js/commit/7d69d52acff8578e0f7d
 [aa2133ad](https://github.com/angular/angular.js/commit/aa2133ad818d2e5c27cbd3933061797096356c8a).
 
 
-### URLs are now sanitized against a whitelist
+### URLs are now sanitized against a trusted URI matcher
 
-A whitelist configured via `$compileProvider` can be used to configure what URLs are considered safe.
-By default all common protocol prefixes are whitelisted including `data:` URIs with mime types `image/*`.
+A trusted URI matcher configured via `$compileProvider` can be used to configure what URLs are considered safe.
+By default all common protocol prefixes are trusted including `data:` URIs with mime types `image/*`.
 This change shouldn't impact apps that don't contain malicious image links.
 
 See [1adf29af](https://github.com/angular/angular.js/commit/1adf29af13890d61286840177607edd552a9df97),

diff --git a/src/ng/compile.js b/src/ng/compile.js
@@ -1698,7 +1698,7 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
 
   /**
    * @ngdoc method
-   * @name $compileProvider#aHrefSanitizationTrustedUri
+   * @name $compileProvider#aHrefSanitizationTrustedUrlList
    * @kind function
    *
    * @description
@@ -1708,28 +1708,48 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
    * The sanitization is a security measure aimed at preventing XSS attacks via html links.
    *
    * Any url about to be assigned to a[href] via data-binding is first normalized and turned into
-   * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUri`
+   * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
    * regular expression. If a match is found, the original url is written into the dom. Otherwise,
    * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
    *
    * @param {RegExp=} regexp New regexp to trust urls with.
    * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
    *    chaining otherwise.
    */
-  this.aHrefSanitizationTrustedUri = function(regexp) {
+  this.aHrefSanitizationTrustedUrlList = function(regexp) {
     if (isDefined(regexp)) {
-      $$sanitizeUriProvider.aHrefSanitizationTrustedUri(regexp);
+      $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
       return this;
     } else {
-      return $$sanitizeUriProvider.aHrefSanitizationTrustedUri();
+      return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
     }
   };
-  this.aHrefSanitizationWhitelist = this.aHrefSanitizationTrustedUri;
 
 
   /**
    * @ngdoc method
-   * @name $compileProvider#imgSrcSanitizationTrustedUri
+   * @name $compileProvider#aHrefSanitizationWhitelist
+   * @kind function
+   *
+   * @deprecated
+   * sinceVersion="1.8.1"
+   *
+   * This function is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
+   * aHrefSanitizationTrustedUrlList} instead.
+   */
+  Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
+    get: function() {
+      return this.aHrefSanitizationTrustedUrlList;
+    },
+    set: function(regexp) {
+      this.aHrefSanitizationTrustedUrlList = regexp;
+    }
+  });
+
+
+  /**
+   * @ngdoc method
+   * @name $compileProvider#imgSrcSanitizationTrustedUrlList
    * @kind function
    *
    * @description
@@ -1739,23 +1759,43 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
    * The sanitization is a security measure aimed at prevent XSS attacks via html links.
    *
    * Any url about to be assigned to img[src] via data-binding is first normalized and turned into
-   * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUri`
+   * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
    * regular expression. If a match is found, the original url is written into the dom. Otherwise,
    * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
    *
    * @param {RegExp=} regexp New regexp to trust urls with.
    * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
    *    chaining otherwise.
    */
-  this.imgSrcSanitizationTrustedUri = function(regexp) {
+  this.imgSrcSanitizationTrustedUrlList = function(regexp) {
     if (isDefined(regexp)) {
-      $$sanitizeUriProvider.imgSrcSanitizationTrustedUri(regexp);
+      $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
       return this;
     } else {
-      return $$sanitizeUriProvider.imgSrcSanitizationTrustedUri();
+      return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
     }
   };
-  this.imgSrcSanitizationWhitelist = this.imgSrcSanitizationTrustedUri;
+
+
+  /**
+   * @ngdoc method
+   * @name $compileProvider#imgSrcSanitizationWhitelist
+   * @kind function
+   *
+   * @deprecated
+   * sinceVersion="1.8.1"
+   *
+   * This function is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
+   * imgSrcSanitizationTrustedUrlList} instead.
+   */
+  Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
+    get: function() {
+      return this.imgSrcSanitizationTrustedUrlList;
+    },
+    set: function(regexp) {
+      this.imgSrcSanitizationTrustedUrlList = regexp;
+    }
+  });
 
   /**
    * @ngdoc method

diff --git a/src/ng/http.js b/src/ng/http.js
@@ -426,7 +426,27 @@ function $HttpProvider() {
    *   }]);
    * ```
    */
-  var xsrfTrustedOrigins = this.xsrfWhitelistedOrigins = this.xsrfTrustedOrigins = [];
+  var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
+
+  /**
+   * @ngdoc property
+   * @name $httpProvider#xsrfWhitelistedOrigins
+   * @description
+   *
+   * @deprecated
+   * sinceVersion="1.8.1"
+   *
+   * This function is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
+   * instead.
+   */
+  Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
+    get: function() {
+      return this.xsrfTrustedOrigins;
+    },
+    set: function(origins) {
+      this.xsrfTrustedOrigins = origins;
+    }
+  });
 
   this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
       function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {

diff --git a/src/ng/sanitizeUri.js b/src/ng/sanitizeUri.js
@@ -7,8 +7,8 @@
  */
 function $$SanitizeUriProvider() {
 
-  var aHrefSanitizationTrustedUri = /^\s*(https?|s?ftp|mailto|tel|file):/,
-    imgSrcSanitizationTrustedUri = /^\s*((https?|ftp|file|blob):|data:image\/)/;
+  var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
+    imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
 
   /**
    * @description
@@ -21,7 +21,7 @@ function $$SanitizeUriProvider() {
    * the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
    * which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
    *
-   * If the URL matches the `aHrefSanitizationTrustedUri` regular expression, it is returned unchanged.
+   * If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
    *
    * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
    * to the DOM it is inactive and potentially malicious code will not be executed.
@@ -30,12 +30,12 @@ function $$SanitizeUriProvider() {
    * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
    *    chaining otherwise.
    */
-  this.aHrefSanitizationTrustedUri = function(regexp) {
+  this.aHrefSanitizationTrustedUrlList = function(regexp) {
     if (isDefined(regexp)) {
-      aHrefSanitizationTrustedUri = regexp;
+      aHrefSanitizationTrustedUrlList = regexp;
       return this;
     }
-    return aHrefSanitizationTrustedUri;
+    return aHrefSanitizationTrustedUrlList;
   };
 
 
@@ -61,18 +61,18 @@ function $$SanitizeUriProvider() {
    * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
    *    chaining otherwise.
    */
-  this.imgSrcSanitizationTrustedUri = function(regexp) {
+  this.imgSrcSanitizationTrustedUrlList = function(regexp) {
     if (isDefined(regexp)) {
-      imgSrcSanitizationTrustedUri = regexp;
+      imgSrcSanitizationTrustedUrlList = regexp;
       return this;
     }
-    return imgSrcSanitizationTrustedUri;
+    return imgSrcSanitizationTrustedUrlList;
   };
 
   this.$get = function() {
     return function sanitizeUri(uri, isMediaUrl) {
       // if (!uri) return uri;
-      var regex = isMediaUrl ? imgSrcSanitizationTrustedUri : aHrefSanitizationTrustedUri;
+      var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
       var normalizedVal = urlResolve(uri && uri.trim()).href;
       if (normalizedVal !== '' && !normalizedVal.match(regex)) {
         return 'unsafe:' + normalizedVal;

diff --git a/src/ng/templateRequest.js b/src/ng/templateRequest.js
@@ -73,10 +73,10 @@ function $TemplateRequestProvider() {
         handleRequestFn.totalPendingRequests++;
 
         // We consider the template cache holds only trusted templates, so
-        // there's no need to go through whitelisting again for keys that already
-        // are included in there. This also makes AngularJS accept any script
-        // directive, no matter its name. However, we still need to unwrap trusted
-        // types.
+        // there's no need to go through adding the template again to the trusted
+        // resources for keys that already are included in there. This also makes
+        // AngularJS accept any script directive, no matter its name. However, we
+        // still need to unwrap trusted types.
         if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
           tpl = $sce.getTrustedResourceUrl(tpl);
         }

diff --git a/src/ng/urlUtils.js b/src/ng/urlUtils.js
@@ -125,20 +125,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
 }
 
 /**
- * Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
+ * Create a function that can check a URL's origin against a list of allowed/trusted origins.
  * The current location's origin is implicitly trusted.
  *
- * @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
+ * @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
  *
  * @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
  *     whether it is of an allowed origin.
  */
-function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
-  var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
+function urlIsAllowedOriginFactory(trustedOriginUrls) {
+  var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
 
   /**
    * Check whether the specified URL (string or parsed URL object) has an origin that is allowed
-   * based on a list of whitelisted-origin URLs. The current location's origin is implicitly
+   * based on a list of trusted-origin URLs. The current location's origin is implicitly
    * trusted.
    *
    * @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be