| author | Nikon the Third <[email protected]> | 2021-03-02 16:16:09 +0100 |
|---|---|---|
| committer | GitHub <[email protected]> | 2021-03-02 17:16:09 +0200 |
| commit | 7ad0625b8d1e35f0843040602d6cbf124786fc51 (patch) | |
| tree | 2df40ba7d9279e25f3537cbb70de01cbef4a494b | |
| parent | 8ec32eec44f46da2980d851e88523b8765e76bc8 (diff) | |
Adjust `SAFE_URL_PATTERN` regex for use with `test` method. (#33153)
When the global modifier (g) is present, the `test` method on regexes does
not behave like `match` on strings when checking whether the regex matches.
Also adds a unit test on tooltips for sanitizing the same template twice.
Co-authored-by: XhmikosR <[email protected]>
| -rw-r--r-- | js/src/tools/sanitizer.js | 2 | ||||
| -rw-r--r-- | js/tests/unit/tooltip.js | 20 |
2 files changed, 21 insertions, 1 deletions
diff --git a/js/src/tools/sanitizer.js b/js/src/tools/sanitizer.js
index 3878a4365..261db35d8 100644
--- a/js/src/tools/sanitizer.js
+++ b/js/src/tools/sanitizer.js
@@ -57,7 +57,7 @@ export const DefaultWhitelist = {
 *
 * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts
 */
-const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/gi
+const SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^#&/:?]*(?:[#/?]|$))/i
 /**
 * A pattern that matches safe data URLs. Only matches image, video and audio types.
diff --git a/js/tests/unit/tooltip.js b/js/tests/unit/tooltip.js
index 3c2423921..0f924c47d 100644
--- a/js/tests/unit/tooltip.js
+++ b/js/tests/unit/tooltip.js
@@ -1333,4 +1333,24 @@ $(function () {
 assert.strictEqual(tooltip.hasClass('a b'), true)
 assert.strictEqual(tooltip.hasClass('tooltip fade bs-tooltip-top show'), true)
 })
+
+ QUnit.test('HTML content can be passed through sanitation multiple times', function (assert) {
+ assert.expect(2)
+
+ // Add the same tooltip twice, so the template will be sanitized twice as well.
+ for (var i = 0; i <= 1; i++) {
+ $('<a href="#" rel="tooltip" data-trigger="click" title="<img src=\'test.jpg\'>" />')
+ .appendTo('#qunit-fixture')
+ .bootstrapTooltip({
+ html: true
+ })
+ .bootstrapTooltip('show')
+ }
+
+ var tooltip1Image = $('.tooltip:first img')
+ var tooltip2Image = $('.tooltip:last img')
+
+ assert.strictEqual(tooltip1Image.attr('src'), 'test.jpg')
+ assert.strictEqual(tooltip2Image.attr('src'), 'test.jpg')
+ })
 }) |
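Review bot: The new `SAFE_URL_PATTERN` literal in js/src/tools/sanitizer.js has no comment explaining why it must not carry the `g` (or `y`) flag, so a later lint or cleanup pass can reintroduce the regression this commit fixes. I would add directly above the constant `// No g/y flag: this shared pattern is used with .test(), which would keep lastIndex between calls.` Because the pattern is anchored with `^`, a stale `lastIndex` makes the next `test` call return false, so the old behaviour most likely dropped safe URLs on repeat sanitization rather than admitting unsafe ones; the call site is outside the hunk, so that is worth confirming. The data-URL pattern whose doc comment begins on the hunk's last line is also not shown here, and if it is checked with `.test()` too its flags deserve the same look.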
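Review bot: The new QUnit test in js/tests/unit/tooltip.js never asserts that two tooltips were rendered, so `.tooltip:first img` and `.tooltip:last img` resolve to the same element if only one exists and the test would then pass without exercising the second sanitization. Adding `assert.strictEqual($('.tooltip').length, 2)` and raising the count to `assert.expect(3)` would pin that. The test also covers only the accepting path with a relative `src`; a sibling case that sanitizes a template with a disallowed URL scheme twice and asserts the attribute is removed both times would guard against a later fix that makes repeat calls pass by loosening the check. The enclosing `$(function () {` wrapper starts outside the hunk.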
