ember-source 1.9.0 → 1.9.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of ember-source might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/dist/ember-runtime.js +4 -4
- data/dist/ember-testing.js +1 -1
- data/dist/ember-tests.js +298 -5
- data/dist/ember-tests.prod.js +298 -5
- data/dist/ember.js +97 -13
- data/dist/ember.min.js +12 -12
- data/dist/ember.prod.js +93 -10
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 83ee192c23c80bc7f965ca53c3ccc7db0c4904da
|
|
4
|
+
data.tar.gz: 07d2fca0d32dc20170ba591f488b298d52368f7e
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: b8b71dcc9d2667cf2c559dd70b44e8d7e59b7a9759bc0868e3a5dd19194d400b85c6abeb86ce9a4af54a1a43cc77352ea8b1fc70efa90951ca3fecb3b7e88f28
|
|
7
|
+
data.tar.gz: fc80c14a5c87b591c34323b0a22b44245acc2585ac2b311f25658e3cd089bb62c1aa606e2fdf2a918fcad0c6db274de1e0654ade335c9c677ab2eddfaa9b6d26
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
1.9.
|
|
1
|
+
1.9.1
|
data/dist/ember-runtime.js
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
|
|
6
6
|
* @license Licensed under MIT license
|
|
7
7
|
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
|
|
8
|
-
* @version 1.9.
|
|
8
|
+
* @version 1.9.1
|
|
9
9
|
*/
|
|
10
10
|
|
|
11
11
|
(function() {
|
|
@@ -4811,7 +4811,7 @@ define("ember-metal/core",
|
|
|
4811
4811
|
|
|
4812
4812
|
@class Ember
|
|
4813
4813
|
@static
|
|
4814
|
-
@version 1.9.
|
|
4814
|
+
@version 1.9.1
|
|
4815
4815
|
*/
|
|
4816
4816
|
|
|
4817
4817
|
if ('undefined' === typeof Ember) {
|
|
@@ -4838,10 +4838,10 @@ define("ember-metal/core",
|
|
|
4838
4838
|
/**
|
|
4839
4839
|
@property VERSION
|
|
4840
4840
|
@type String
|
|
4841
|
-
@default '1.9.
|
|
4841
|
+
@default '1.9.1'
|
|
4842
4842
|
@static
|
|
4843
4843
|
*/
|
|
4844
|
-
Ember.VERSION = '1.9.
|
|
4844
|
+
Ember.VERSION = '1.9.1';
|
|
4845
4845
|
|
|
4846
4846
|
/**
|
|
4847
4847
|
Standard environmental variables. You can define these in a global `EmberENV`
|
data/dist/ember-testing.js
CHANGED
data/dist/ember-tests.js
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
|
|
6
6
|
* @license Licensed under MIT license
|
|
7
7
|
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
|
|
8
|
-
* @version 1.9.
|
|
8
|
+
* @version 1.9.1
|
|
9
9
|
*/
|
|
10
10
|
|
|
11
11
|
(function() {
|
|
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
|
|
|
11394
11394
|
ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
|
|
11395
11395
|
});
|
|
11396
11396
|
});
|
|
11397
|
+
enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
|
|
11398
|
+
["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
|
|
11399
|
+
function(__dependency1__, __dependency2__, __dependency3__) {
|
|
11400
|
+
"use strict";
|
|
11401
|
+
/* jshint scripturl:true */
|
|
11402
|
+
|
|
11403
|
+
var EmberView = __dependency1__["default"];
|
|
11404
|
+
var EmberHandlebars = __dependency2__["default"];
|
|
11405
|
+
var run = __dependency3__["default"];
|
|
11406
|
+
|
|
11407
|
+
function compile(str) {
|
|
11408
|
+
return EmberHandlebars.compile(str);
|
|
11409
|
+
}
|
|
11410
|
+
var SafeString = EmberHandlebars.SafeString;
|
|
11411
|
+
|
|
11412
|
+
function runAppend(view) {
|
|
11413
|
+
run(view, view.append);
|
|
11414
|
+
}
|
|
11415
|
+
|
|
11416
|
+
function runDestroy(view) {
|
|
11417
|
+
run(view, view.destroy);
|
|
11418
|
+
}
|
|
11419
|
+
|
|
11420
|
+
var view;
|
|
11421
|
+
|
|
11422
|
+
QUnit.module("ember-handlebars: sanitized attribute", {
|
|
11423
|
+
teardown: function(){
|
|
11424
|
+
runDestroy(view);
|
|
11425
|
+
}
|
|
11426
|
+
});
|
|
11427
|
+
|
|
11428
|
+
var badTags = [
|
|
11429
|
+
{ tag: 'a', attr: 'href',
|
|
11430
|
+
template: compile('<a {{bind-attr href=view.badValue}}></a>') },
|
|
11431
|
+
{ tag: 'link', attr: 'href',
|
|
11432
|
+
template: compile('<link {{bind-attr href=view.badValue}}>') },
|
|
11433
|
+
{ tag: 'img', attr: 'src',
|
|
11434
|
+
template: compile('<img {{bind-attr src=view.badValue}}>') },
|
|
11435
|
+
{ tag: 'iframe', attr: 'src',
|
|
11436
|
+
template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
|
|
11437
|
+
];
|
|
11438
|
+
|
|
11439
|
+
for (var i=0, l=badTags.length; i<l; i++) {
|
|
11440
|
+
(function(){
|
|
11441
|
+
var tagName = badTags[i].tag;
|
|
11442
|
+
var attr = badTags[i].attr;
|
|
11443
|
+
var template = badTags[i].template;
|
|
11444
|
+
|
|
11445
|
+
test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
|
|
11446
|
+
view = EmberView.create({
|
|
11447
|
+
template: template,
|
|
11448
|
+
badValue: "javascript:alert('XSS')"
|
|
11449
|
+
});
|
|
11450
|
+
|
|
11451
|
+
runAppend(view);
|
|
11452
|
+
|
|
11453
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11454
|
+
"unsafe:javascript:alert('XSS')",
|
|
11455
|
+
"attribute is output" );
|
|
11456
|
+
});
|
|
11457
|
+
|
|
11458
|
+
test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
|
|
11459
|
+
view = EmberView.create({
|
|
11460
|
+
template: template,
|
|
11461
|
+
badValue: "/sunshine/and/rainbows"
|
|
11462
|
+
});
|
|
11463
|
+
|
|
11464
|
+
runAppend(view);
|
|
11465
|
+
|
|
11466
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11467
|
+
"/sunshine/and/rainbows",
|
|
11468
|
+
"attribute is output" );
|
|
11469
|
+
|
|
11470
|
+
run(view, 'set', 'badValue', "javascript:alert('XSS')");
|
|
11471
|
+
|
|
11472
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11473
|
+
"unsafe:javascript:alert('XSS')",
|
|
11474
|
+
"attribute is output" );
|
|
11475
|
+
});
|
|
11476
|
+
|
|
11477
|
+
test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
|
|
11478
|
+
view = EmberView.create({
|
|
11479
|
+
template: template,
|
|
11480
|
+
badValue: new SafeString("javascript:alert('XSS')")
|
|
11481
|
+
});
|
|
11482
|
+
|
|
11483
|
+
try {
|
|
11484
|
+
runAppend(view);
|
|
11485
|
+
|
|
11486
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11487
|
+
"javascript:alert('XSS')",
|
|
11488
|
+
"attribute is output" );
|
|
11489
|
+
} catch(e) {
|
|
11490
|
+
// IE does not allow javascript: to be set on img src
|
|
11491
|
+
ok(true, 'caught exception '+e);
|
|
11492
|
+
}
|
|
11493
|
+
});
|
|
11494
|
+
})(); //jshint ignore:line
|
|
11495
|
+
}
|
|
11496
|
+
});
|
|
11497
|
+
enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
|
|
11498
|
+
[],
|
|
11499
|
+
function() {
|
|
11500
|
+
"use strict";
|
|
11501
|
+
module('JSHint - ember-handlebars/tests/helpers');
|
|
11502
|
+
test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
|
|
11503
|
+
ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
|
|
11504
|
+
});
|
|
11505
|
+
});
|
|
11397
11506
|
enifed("ember-handlebars/tests/helpers/template_test",
|
|
11398
11507
|
["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
|
|
11399
11508
|
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
|
|
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
|
|
|
11784
11893
|
});
|
|
11785
11894
|
});
|
|
11786
11895
|
enifed("ember-handlebars/tests/helpers/view_test",
|
|
11787
|
-
["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
|
|
11788
|
-
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
|
|
11896
|
+
["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
|
|
11897
|
+
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
|
|
11789
11898
|
"use strict";
|
|
11790
11899
|
/*globals EmberDev */
|
|
11791
11900
|
var EmberView = __dependency1__["default"];
|
|
11792
11901
|
var Container = __dependency2__["default"];
|
|
11793
11902
|
var run = __dependency3__["default"];
|
|
11794
11903
|
var jQuery = __dependency4__["default"];
|
|
11904
|
+
var EmberObject = __dependency5__["default"];
|
|
11795
11905
|
|
|
11796
11906
|
var view, originalLookup;
|
|
11797
11907
|
|
|
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
|
|
|
12049
12159
|
|
|
12050
12160
|
ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
|
|
12051
12161
|
});
|
|
12162
|
+
|
|
12163
|
+
test('{{view}} should be able to point to a local instance of view', function() {
|
|
12164
|
+
view = EmberView.create({
|
|
12165
|
+
template: Ember.Handlebars.compile("{{view view.common}}"),
|
|
12166
|
+
|
|
12167
|
+
common: EmberView.create({
|
|
12168
|
+
template: Ember.Handlebars.compile("common")
|
|
12169
|
+
})
|
|
12170
|
+
});
|
|
12171
|
+
|
|
12172
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12173
|
+
equal(view.$().text(), "common", "tries to look up view name locally");
|
|
12174
|
+
});
|
|
12175
|
+
|
|
12176
|
+
test("{{view}} should be able to point to a local instance of subclass of view", function() {
|
|
12177
|
+
var MyView = EmberView.extend();
|
|
12178
|
+
view = EmberView.create({
|
|
12179
|
+
template: Ember.Handlebars.compile("{{view view.subclassed}}"),
|
|
12180
|
+
subclassed: MyView.create({
|
|
12181
|
+
template: Ember.Handlebars.compile("subclassed")
|
|
12182
|
+
})
|
|
12183
|
+
});
|
|
12184
|
+
|
|
12185
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12186
|
+
equal(view.$().text(), "subclassed", "tries to look up view name locally");
|
|
12187
|
+
});
|
|
12188
|
+
|
|
12189
|
+
test("{{view}} asserts that a view class is present", function() {
|
|
12190
|
+
var MyView = EmberObject.extend();
|
|
12191
|
+
view = EmberView.create({
|
|
12192
|
+
template: Ember.Handlebars.compile("{{view view.notView}}"),
|
|
12193
|
+
notView: MyView.extend({
|
|
12194
|
+
template: Ember.Handlebars.compile("notView")
|
|
12195
|
+
})
|
|
12196
|
+
});
|
|
12197
|
+
|
|
12198
|
+
expectAssertion(function(){
|
|
12199
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12200
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12201
|
+
});
|
|
12202
|
+
|
|
12203
|
+
test("{{view}} asserts that a view class is present off controller", function() {
|
|
12204
|
+
var MyView = EmberObject.extend();
|
|
12205
|
+
view = EmberView.create({
|
|
12206
|
+
template: Ember.Handlebars.compile("{{view notView}}"),
|
|
12207
|
+
controller: EmberObject.create({
|
|
12208
|
+
notView: MyView.extend({
|
|
12209
|
+
template: Ember.Handlebars.compile("notView")
|
|
12210
|
+
})
|
|
12211
|
+
})
|
|
12212
|
+
});
|
|
12213
|
+
|
|
12214
|
+
expectAssertion(function(){
|
|
12215
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12216
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12217
|
+
});
|
|
12218
|
+
|
|
12219
|
+
test("{{view}} asserts that a view instance is present", function() {
|
|
12220
|
+
var MyView = EmberObject.extend();
|
|
12221
|
+
view = EmberView.create({
|
|
12222
|
+
template: Ember.Handlebars.compile("{{view view.notView}}"),
|
|
12223
|
+
notView: MyView.create({
|
|
12224
|
+
template: Ember.Handlebars.compile("notView")
|
|
12225
|
+
})
|
|
12226
|
+
});
|
|
12227
|
+
|
|
12228
|
+
expectAssertion(function(){
|
|
12229
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12230
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12231
|
+
});
|
|
12232
|
+
|
|
12233
|
+
test("{{view}} asserts that a view subclass instance is present off controller", function() {
|
|
12234
|
+
var MyView = EmberObject.extend();
|
|
12235
|
+
view = EmberView.create({
|
|
12236
|
+
template: Ember.Handlebars.compile("{{view notView}}"),
|
|
12237
|
+
controller: EmberObject.create({
|
|
12238
|
+
notView: MyView.create({
|
|
12239
|
+
template: Ember.Handlebars.compile("notView")
|
|
12240
|
+
})
|
|
12241
|
+
})
|
|
12242
|
+
});
|
|
12243
|
+
|
|
12244
|
+
expectAssertion(function(){
|
|
12245
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12246
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12247
|
+
});
|
|
12052
12248
|
});
|
|
12053
12249
|
enifed("ember-handlebars/tests/helpers/view_test.jshint",
|
|
12054
12250
|
[],
|
|
@@ -47215,6 +47411,15 @@ enifed("ember-views/system/renderer.jshint",
|
|
|
47215
47411
|
ok(true, 'ember-views/system/renderer.js should pass jshint.');
|
|
47216
47412
|
});
|
|
47217
47413
|
});
|
|
47414
|
+
enifed("ember-views/system/sanitize_attribute_value.jshint",
|
|
47415
|
+
[],
|
|
47416
|
+
function() {
|
|
47417
|
+
"use strict";
|
|
47418
|
+
module('JSHint - ember-views/system');
|
|
47419
|
+
test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
|
|
47420
|
+
ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
|
|
47421
|
+
});
|
|
47422
|
+
});
|
|
47218
47423
|
enifed("ember-views/system/utils.jshint",
|
|
47219
47424
|
[],
|
|
47220
47425
|
function() {
|
|
@@ -48112,6 +48317,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
|
|
|
48112
48317
|
ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
|
|
48113
48318
|
});
|
|
48114
48319
|
});
|
|
48320
|
+
enifed("ember-views/tests/system/sanitize_attribute_value_test",
|
|
48321
|
+
["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
|
|
48322
|
+
function(__dependency1__, __dependency2__) {
|
|
48323
|
+
"use strict";
|
|
48324
|
+
var sanitizeAttributeValue = __dependency1__["default"];
|
|
48325
|
+
var EmberHandlebars = __dependency2__["default"];
|
|
48326
|
+
|
|
48327
|
+
QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
|
|
48328
|
+
|
|
48329
|
+
var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
|
|
48330
|
+
|
|
48331
|
+
for (var i = 0, l = goodProtocols.length; i < l; i++) {
|
|
48332
|
+
buildProtocolTest(goodProtocols[i]);
|
|
48333
|
+
}
|
|
48334
|
+
|
|
48335
|
+
function buildProtocolTest(protocol) {
|
|
48336
|
+
test('allows ' + protocol + ' protocol when element is not provided', function() {
|
|
48337
|
+
expect(1);
|
|
48338
|
+
|
|
48339
|
+
var expected = protocol + '://foo.com';
|
|
48340
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48341
|
+
|
|
48342
|
+
equal(actual, expected, 'protocol not escaped');
|
|
48343
|
+
});
|
|
48344
|
+
}
|
|
48345
|
+
|
|
48346
|
+
test('blocks javascript: protocol', function() {
|
|
48347
|
+
/* jshint scripturl:true */
|
|
48348
|
+
|
|
48349
|
+
expect(1);
|
|
48350
|
+
|
|
48351
|
+
var expected = 'javascript:alert("foo")';
|
|
48352
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48353
|
+
|
|
48354
|
+
equal(actual, 'unsafe:' + expected, 'protocol escaped');
|
|
48355
|
+
});
|
|
48356
|
+
|
|
48357
|
+
test('blocks vbscript: protocol', function() {
|
|
48358
|
+
/* jshint scripturl:true */
|
|
48359
|
+
|
|
48360
|
+
expect(1);
|
|
48361
|
+
|
|
48362
|
+
var expected = 'vbscript:alert("foo")';
|
|
48363
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48364
|
+
|
|
48365
|
+
equal(actual, 'unsafe:' + expected, 'protocol escaped');
|
|
48366
|
+
});
|
|
48367
|
+
|
|
48368
|
+
test('does not block SafeStrings', function() {
|
|
48369
|
+
/* jshint scripturl:true */
|
|
48370
|
+
|
|
48371
|
+
expect(1);
|
|
48372
|
+
|
|
48373
|
+
var expected = 'javascript:alert("foo")';
|
|
48374
|
+
var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
|
|
48375
|
+
|
|
48376
|
+
equal(actual, expected, 'protocol unescaped');
|
|
48377
|
+
});
|
|
48378
|
+
});
|
|
48379
|
+
enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
|
|
48380
|
+
[],
|
|
48381
|
+
function() {
|
|
48382
|
+
"use strict";
|
|
48383
|
+
module('JSHint - ember-views/tests/system');
|
|
48384
|
+
test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
|
|
48385
|
+
ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
|
|
48386
|
+
});
|
|
48387
|
+
});
|
|
48115
48388
|
enifed("ember-views/tests/system/view_utils_test",
|
|
48116
48389
|
["ember-metal/run_loop","ember-views/views/view"],
|
|
48117
48390
|
function(__dependency1__, __dependency2__) {
|
|
@@ -50480,8 +50753,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
|
|
|
50480
50753
|
});
|
|
50481
50754
|
});
|
|
50482
50755
|
enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
50483
|
-
["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
|
|
50484
|
-
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
|
|
50756
|
+
["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
|
|
50757
|
+
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
|
|
50485
50758
|
"use strict";
|
|
50486
50759
|
var Ember = __dependency1__["default"];
|
|
50487
50760
|
var run = __dependency2__["default"];
|
|
@@ -50489,6 +50762,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
|
50489
50762
|
var changeProperties = __dependency4__.changeProperties;
|
|
50490
50763
|
|
|
50491
50764
|
var EmberView = __dependency5__["default"];
|
|
50765
|
+
var EmberHandlebars = __dependency6__["default"];
|
|
50492
50766
|
|
|
50493
50767
|
var originalLookup = Ember.lookup;
|
|
50494
50768
|
var lookup, view;
|
|
@@ -50786,6 +51060,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
|
50786
51060
|
appendView();
|
|
50787
51061
|
}, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
|
|
50788
51062
|
});
|
|
51063
|
+
|
|
51064
|
+
test("blacklists href bindings based on protocol", function() {
|
|
51065
|
+
/* jshint scripturl:true */
|
|
51066
|
+
|
|
51067
|
+
view = EmberView.create({
|
|
51068
|
+
attributeBindings: ['href'],
|
|
51069
|
+
href: "javascript:alert('foo')"
|
|
51070
|
+
});
|
|
51071
|
+
|
|
51072
|
+
appendView();
|
|
51073
|
+
|
|
51074
|
+
equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
|
|
51075
|
+
|
|
51076
|
+
run(function() {
|
|
51077
|
+
view.set('href', new EmberHandlebars.SafeString(view.get('href')));
|
|
51078
|
+
});
|
|
51079
|
+
|
|
51080
|
+
equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
|
|
51081
|
+
});
|
|
50789
51082
|
});
|
|
50790
51083
|
enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
|
|
50791
51084
|
[],
|
data/dist/ember-tests.prod.js
CHANGED
|
@@ -5,7 +5,7 @@
|
|
|
5
5
|
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
|
|
6
6
|
* @license Licensed under MIT license
|
|
7
7
|
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
|
|
8
|
-
* @version 1.9.
|
|
8
|
+
* @version 1.9.1
|
|
9
9
|
*/
|
|
10
10
|
|
|
11
11
|
(function() {
|
|
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
|
|
|
11394
11394
|
ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
|
|
11395
11395
|
});
|
|
11396
11396
|
});
|
|
11397
|
+
enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
|
|
11398
|
+
["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
|
|
11399
|
+
function(__dependency1__, __dependency2__, __dependency3__) {
|
|
11400
|
+
"use strict";
|
|
11401
|
+
/* jshint scripturl:true */
|
|
11402
|
+
|
|
11403
|
+
var EmberView = __dependency1__["default"];
|
|
11404
|
+
var EmberHandlebars = __dependency2__["default"];
|
|
11405
|
+
var run = __dependency3__["default"];
|
|
11406
|
+
|
|
11407
|
+
function compile(str) {
|
|
11408
|
+
return EmberHandlebars.compile(str);
|
|
11409
|
+
}
|
|
11410
|
+
var SafeString = EmberHandlebars.SafeString;
|
|
11411
|
+
|
|
11412
|
+
function runAppend(view) {
|
|
11413
|
+
run(view, view.append);
|
|
11414
|
+
}
|
|
11415
|
+
|
|
11416
|
+
function runDestroy(view) {
|
|
11417
|
+
run(view, view.destroy);
|
|
11418
|
+
}
|
|
11419
|
+
|
|
11420
|
+
var view;
|
|
11421
|
+
|
|
11422
|
+
QUnit.module("ember-handlebars: sanitized attribute", {
|
|
11423
|
+
teardown: function(){
|
|
11424
|
+
runDestroy(view);
|
|
11425
|
+
}
|
|
11426
|
+
});
|
|
11427
|
+
|
|
11428
|
+
var badTags = [
|
|
11429
|
+
{ tag: 'a', attr: 'href',
|
|
11430
|
+
template: compile('<a {{bind-attr href=view.badValue}}></a>') },
|
|
11431
|
+
{ tag: 'link', attr: 'href',
|
|
11432
|
+
template: compile('<link {{bind-attr href=view.badValue}}>') },
|
|
11433
|
+
{ tag: 'img', attr: 'src',
|
|
11434
|
+
template: compile('<img {{bind-attr src=view.badValue}}>') },
|
|
11435
|
+
{ tag: 'iframe', attr: 'src',
|
|
11436
|
+
template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
|
|
11437
|
+
];
|
|
11438
|
+
|
|
11439
|
+
for (var i=0, l=badTags.length; i<l; i++) {
|
|
11440
|
+
(function(){
|
|
11441
|
+
var tagName = badTags[i].tag;
|
|
11442
|
+
var attr = badTags[i].attr;
|
|
11443
|
+
var template = badTags[i].template;
|
|
11444
|
+
|
|
11445
|
+
test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
|
|
11446
|
+
view = EmberView.create({
|
|
11447
|
+
template: template,
|
|
11448
|
+
badValue: "javascript:alert('XSS')"
|
|
11449
|
+
});
|
|
11450
|
+
|
|
11451
|
+
runAppend(view);
|
|
11452
|
+
|
|
11453
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11454
|
+
"unsafe:javascript:alert('XSS')",
|
|
11455
|
+
"attribute is output" );
|
|
11456
|
+
});
|
|
11457
|
+
|
|
11458
|
+
test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
|
|
11459
|
+
view = EmberView.create({
|
|
11460
|
+
template: template,
|
|
11461
|
+
badValue: "/sunshine/and/rainbows"
|
|
11462
|
+
});
|
|
11463
|
+
|
|
11464
|
+
runAppend(view);
|
|
11465
|
+
|
|
11466
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11467
|
+
"/sunshine/and/rainbows",
|
|
11468
|
+
"attribute is output" );
|
|
11469
|
+
|
|
11470
|
+
run(view, 'set', 'badValue', "javascript:alert('XSS')");
|
|
11471
|
+
|
|
11472
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11473
|
+
"unsafe:javascript:alert('XSS')",
|
|
11474
|
+
"attribute is output" );
|
|
11475
|
+
});
|
|
11476
|
+
|
|
11477
|
+
test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
|
|
11478
|
+
view = EmberView.create({
|
|
11479
|
+
template: template,
|
|
11480
|
+
badValue: new SafeString("javascript:alert('XSS')")
|
|
11481
|
+
});
|
|
11482
|
+
|
|
11483
|
+
try {
|
|
11484
|
+
runAppend(view);
|
|
11485
|
+
|
|
11486
|
+
equal( view.element.firstChild.getAttribute(attr),
|
|
11487
|
+
"javascript:alert('XSS')",
|
|
11488
|
+
"attribute is output" );
|
|
11489
|
+
} catch(e) {
|
|
11490
|
+
// IE does not allow javascript: to be set on img src
|
|
11491
|
+
ok(true, 'caught exception '+e);
|
|
11492
|
+
}
|
|
11493
|
+
});
|
|
11494
|
+
})(); //jshint ignore:line
|
|
11495
|
+
}
|
|
11496
|
+
});
|
|
11497
|
+
enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
|
|
11498
|
+
[],
|
|
11499
|
+
function() {
|
|
11500
|
+
"use strict";
|
|
11501
|
+
module('JSHint - ember-handlebars/tests/helpers');
|
|
11502
|
+
test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
|
|
11503
|
+
ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
|
|
11504
|
+
});
|
|
11505
|
+
});
|
|
11397
11506
|
enifed("ember-handlebars/tests/helpers/template_test",
|
|
11398
11507
|
["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
|
|
11399
11508
|
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
|
|
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
|
|
|
11784
11893
|
});
|
|
11785
11894
|
});
|
|
11786
11895
|
enifed("ember-handlebars/tests/helpers/view_test",
|
|
11787
|
-
["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
|
|
11788
|
-
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
|
|
11896
|
+
["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
|
|
11897
|
+
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
|
|
11789
11898
|
"use strict";
|
|
11790
11899
|
/*globals EmberDev */
|
|
11791
11900
|
var EmberView = __dependency1__["default"];
|
|
11792
11901
|
var Container = __dependency2__["default"];
|
|
11793
11902
|
var run = __dependency3__["default"];
|
|
11794
11903
|
var jQuery = __dependency4__["default"];
|
|
11904
|
+
var EmberObject = __dependency5__["default"];
|
|
11795
11905
|
|
|
11796
11906
|
var view, originalLookup;
|
|
11797
11907
|
|
|
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
|
|
|
12049
12159
|
|
|
12050
12160
|
ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
|
|
12051
12161
|
});
|
|
12162
|
+
|
|
12163
|
+
test('{{view}} should be able to point to a local instance of view', function() {
|
|
12164
|
+
view = EmberView.create({
|
|
12165
|
+
template: Ember.Handlebars.compile("{{view view.common}}"),
|
|
12166
|
+
|
|
12167
|
+
common: EmberView.create({
|
|
12168
|
+
template: Ember.Handlebars.compile("common")
|
|
12169
|
+
})
|
|
12170
|
+
});
|
|
12171
|
+
|
|
12172
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12173
|
+
equal(view.$().text(), "common", "tries to look up view name locally");
|
|
12174
|
+
});
|
|
12175
|
+
|
|
12176
|
+
test("{{view}} should be able to point to a local instance of subclass of view", function() {
|
|
12177
|
+
var MyView = EmberView.extend();
|
|
12178
|
+
view = EmberView.create({
|
|
12179
|
+
template: Ember.Handlebars.compile("{{view view.subclassed}}"),
|
|
12180
|
+
subclassed: MyView.create({
|
|
12181
|
+
template: Ember.Handlebars.compile("subclassed")
|
|
12182
|
+
})
|
|
12183
|
+
});
|
|
12184
|
+
|
|
12185
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12186
|
+
equal(view.$().text(), "subclassed", "tries to look up view name locally");
|
|
12187
|
+
});
|
|
12188
|
+
|
|
12189
|
+
test("{{view}} asserts that a view class is present", function() {
|
|
12190
|
+
var MyView = EmberObject.extend();
|
|
12191
|
+
view = EmberView.create({
|
|
12192
|
+
template: Ember.Handlebars.compile("{{view view.notView}}"),
|
|
12193
|
+
notView: MyView.extend({
|
|
12194
|
+
template: Ember.Handlebars.compile("notView")
|
|
12195
|
+
})
|
|
12196
|
+
});
|
|
12197
|
+
|
|
12198
|
+
expectAssertion(function(){
|
|
12199
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12200
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12201
|
+
});
|
|
12202
|
+
|
|
12203
|
+
test("{{view}} asserts that a view class is present off controller", function() {
|
|
12204
|
+
var MyView = EmberObject.extend();
|
|
12205
|
+
view = EmberView.create({
|
|
12206
|
+
template: Ember.Handlebars.compile("{{view notView}}"),
|
|
12207
|
+
controller: EmberObject.create({
|
|
12208
|
+
notView: MyView.extend({
|
|
12209
|
+
template: Ember.Handlebars.compile("notView")
|
|
12210
|
+
})
|
|
12211
|
+
})
|
|
12212
|
+
});
|
|
12213
|
+
|
|
12214
|
+
expectAssertion(function(){
|
|
12215
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12216
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12217
|
+
});
|
|
12218
|
+
|
|
12219
|
+
test("{{view}} asserts that a view instance is present", function() {
|
|
12220
|
+
var MyView = EmberObject.extend();
|
|
12221
|
+
view = EmberView.create({
|
|
12222
|
+
template: Ember.Handlebars.compile("{{view view.notView}}"),
|
|
12223
|
+
notView: MyView.create({
|
|
12224
|
+
template: Ember.Handlebars.compile("notView")
|
|
12225
|
+
})
|
|
12226
|
+
});
|
|
12227
|
+
|
|
12228
|
+
expectAssertion(function(){
|
|
12229
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12230
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12231
|
+
});
|
|
12232
|
+
|
|
12233
|
+
test("{{view}} asserts that a view subclass instance is present off controller", function() {
|
|
12234
|
+
var MyView = EmberObject.extend();
|
|
12235
|
+
view = EmberView.create({
|
|
12236
|
+
template: Ember.Handlebars.compile("{{view notView}}"),
|
|
12237
|
+
controller: EmberObject.create({
|
|
12238
|
+
notView: MyView.create({
|
|
12239
|
+
template: Ember.Handlebars.compile("notView")
|
|
12240
|
+
})
|
|
12241
|
+
})
|
|
12242
|
+
});
|
|
12243
|
+
|
|
12244
|
+
expectAssertion(function(){
|
|
12245
|
+
run(view, 'appendTo', '#qunit-fixture');
|
|
12246
|
+
}, /must be a subclass or an instance of Ember.View/);
|
|
12247
|
+
});
|
|
12052
12248
|
});
|
|
12053
12249
|
enifed("ember-handlebars/tests/helpers/view_test.jshint",
|
|
12054
12250
|
[],
|
|
@@ -47126,6 +47322,15 @@ enifed("ember-views/system/renderer.jshint",
|
|
|
47126
47322
|
ok(true, 'ember-views/system/renderer.js should pass jshint.');
|
|
47127
47323
|
});
|
|
47128
47324
|
});
|
|
47325
|
+
enifed("ember-views/system/sanitize_attribute_value.jshint",
|
|
47326
|
+
[],
|
|
47327
|
+
function() {
|
|
47328
|
+
"use strict";
|
|
47329
|
+
module('JSHint - ember-views/system');
|
|
47330
|
+
test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
|
|
47331
|
+
ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
|
|
47332
|
+
});
|
|
47333
|
+
});
|
|
47129
47334
|
enifed("ember-views/system/utils.jshint",
|
|
47130
47335
|
[],
|
|
47131
47336
|
function() {
|
|
@@ -48023,6 +48228,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
|
|
|
48023
48228
|
ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
|
|
48024
48229
|
});
|
|
48025
48230
|
});
|
|
48231
|
+
enifed("ember-views/tests/system/sanitize_attribute_value_test",
|
|
48232
|
+
["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
|
|
48233
|
+
function(__dependency1__, __dependency2__) {
|
|
48234
|
+
"use strict";
|
|
48235
|
+
var sanitizeAttributeValue = __dependency1__["default"];
|
|
48236
|
+
var EmberHandlebars = __dependency2__["default"];
|
|
48237
|
+
|
|
48238
|
+
QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
|
|
48239
|
+
|
|
48240
|
+
var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
|
|
48241
|
+
|
|
48242
|
+
for (var i = 0, l = goodProtocols.length; i < l; i++) {
|
|
48243
|
+
buildProtocolTest(goodProtocols[i]);
|
|
48244
|
+
}
|
|
48245
|
+
|
|
48246
|
+
function buildProtocolTest(protocol) {
|
|
48247
|
+
test('allows ' + protocol + ' protocol when element is not provided', function() {
|
|
48248
|
+
expect(1);
|
|
48249
|
+
|
|
48250
|
+
var expected = protocol + '://foo.com';
|
|
48251
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48252
|
+
|
|
48253
|
+
equal(actual, expected, 'protocol not escaped');
|
|
48254
|
+
});
|
|
48255
|
+
}
|
|
48256
|
+
|
|
48257
|
+
test('blocks javascript: protocol', function() {
|
|
48258
|
+
/* jshint scripturl:true */
|
|
48259
|
+
|
|
48260
|
+
expect(1);
|
|
48261
|
+
|
|
48262
|
+
var expected = 'javascript:alert("foo")';
|
|
48263
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48264
|
+
|
|
48265
|
+
equal(actual, 'unsafe:' + expected, 'protocol escaped');
|
|
48266
|
+
});
|
|
48267
|
+
|
|
48268
|
+
test('blocks vbscript: protocol', function() {
|
|
48269
|
+
/* jshint scripturl:true */
|
|
48270
|
+
|
|
48271
|
+
expect(1);
|
|
48272
|
+
|
|
48273
|
+
var expected = 'vbscript:alert("foo")';
|
|
48274
|
+
var actual = sanitizeAttributeValue(null, 'href', expected);
|
|
48275
|
+
|
|
48276
|
+
equal(actual, 'unsafe:' + expected, 'protocol escaped');
|
|
48277
|
+
});
|
|
48278
|
+
|
|
48279
|
+
test('does not block SafeStrings', function() {
|
|
48280
|
+
/* jshint scripturl:true */
|
|
48281
|
+
|
|
48282
|
+
expect(1);
|
|
48283
|
+
|
|
48284
|
+
var expected = 'javascript:alert("foo")';
|
|
48285
|
+
var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
|
|
48286
|
+
|
|
48287
|
+
equal(actual, expected, 'protocol unescaped');
|
|
48288
|
+
});
|
|
48289
|
+
});
|
|
48290
|
+
enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
|
|
48291
|
+
[],
|
|
48292
|
+
function() {
|
|
48293
|
+
"use strict";
|
|
48294
|
+
module('JSHint - ember-views/tests/system');
|
|
48295
|
+
test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
|
|
48296
|
+
ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
|
|
48297
|
+
});
|
|
48298
|
+
});
|
|
48026
48299
|
enifed("ember-views/tests/system/view_utils_test",
|
|
48027
48300
|
["ember-metal/run_loop","ember-views/views/view"],
|
|
48028
48301
|
function(__dependency1__, __dependency2__) {
|
|
@@ -50391,8 +50664,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
|
|
|
50391
50664
|
});
|
|
50392
50665
|
});
|
|
50393
50666
|
enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
50394
|
-
["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
|
|
50395
|
-
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
|
|
50667
|
+
["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
|
|
50668
|
+
function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
|
|
50396
50669
|
"use strict";
|
|
50397
50670
|
var Ember = __dependency1__["default"];
|
|
50398
50671
|
var run = __dependency2__["default"];
|
|
@@ -50400,6 +50673,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
|
50400
50673
|
var changeProperties = __dependency4__.changeProperties;
|
|
50401
50674
|
|
|
50402
50675
|
var EmberView = __dependency5__["default"];
|
|
50676
|
+
var EmberHandlebars = __dependency6__["default"];
|
|
50403
50677
|
|
|
50404
50678
|
var originalLookup = Ember.lookup;
|
|
50405
50679
|
var lookup, view;
|
|
@@ -50697,6 +50971,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
|
|
|
50697
50971
|
appendView();
|
|
50698
50972
|
}, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
|
|
50699
50973
|
});
|
|
50974
|
+
|
|
50975
|
+
test("blacklists href bindings based on protocol", function() {
|
|
50976
|
+
/* jshint scripturl:true */
|
|
50977
|
+
|
|
50978
|
+
view = EmberView.create({
|
|
50979
|
+
attributeBindings: ['href'],
|
|
50980
|
+
href: "javascript:alert('foo')"
|
|
50981
|
+
});
|
|
50982
|
+
|
|
50983
|
+
appendView();
|
|
50984
|
+
|
|
50985
|
+
equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
|
|
50986
|
+
|
|
50987
|
+
run(function() {
|
|
50988
|
+
view.set('href', new EmberHandlebars.SafeString(view.get('href')));
|
|
50989
|
+
});
|
|
50990
|
+
|
|
50991
|
+
equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
|
|
50992
|
+
});
|
|
50700
50993
|
});
|
|
50701
50994
|
enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
|
|
50702
50995
|
[],
|