ember-source 1.9.0 → 1.9.1
Potentially problematic release.
This version of ember-source might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/dist/ember-runtime.js +4 -4
- data/dist/ember-testing.js +1 -1
- data/dist/ember-tests.js +298 -5
- data/dist/ember-tests.prod.js +298 -5
- data/dist/ember.js +97 -13
- data/dist/ember.min.js +12 -12
- data/dist/ember.prod.js +93 -10
- metadata +2 -2
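--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 83ee192c23c80bc7f965ca53c3ccc7db0c4904da
+data.tar.gz: 07d2fca0d32dc20170ba591f488b298d52368f7e
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: b8b71dcc9d2667cf2c559dd70b44e8d7e59b7a9759bc0868e3a5dd19194d400b85c6abeb86ce9a4af54a1a43cc77352ea8b1fc70efa90951ca3fecb3b7e88f28
+data.tar.gz: fc80c14a5c87b591c34323b0a22b44245acc2585ac2b311f25658e3cd089bb62c1aa606e2fdf2a918fcad0c6db274de1e0654ade335c9c677ab2eddfaa9b6d26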
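--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
-1.9.
+1.9.1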
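--- a/data/dist/ember-runtime.js
+++ b/data/dist/ember-runtime.js
@@ -5,7 +5,7 @@
 * Portions Copyright 2008-2011 Apple Inc. All rights reserved.
 * @license Licensed under MIT license
 * See https://raw.github.com/emberjs/ember.js/master/LICENSE
-* @version 1.9.
+* @version 1.9.1
 */
 
 (function() {
@@ -4811,7 +4811,7 @@ define("ember-metal/core",
 
 @class Ember
 @static
-@version 1.9.
+@version 1.9.1
 */
 
 if ('undefined' === typeof Ember) {
@@ -4838,10 +4838,10 @@ define("ember-metal/core",
 /**
 @property VERSION
 @type String
-@default '1.9.
+@default '1.9.1'
 @static
 */
-Ember.VERSION = '1.9.
+Ember.VERSION = '1.9.1';
 
 /**
 Standard environmental variables. You can define these in a global `EmberENV`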
data/dist/ember-testing.js
CHANGED
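--- a/data/dist/ember-tests.js
+++ b/data/dist/ember-tests.js
@@ -5,7 +5,7 @@
 * Portions Copyright 2008-2011 Apple Inc. All rights reserved.
 * @license Licensed under MIT license
 * See https://raw.github.com/emberjs/ember.js/master/LICENSE
-* @version 1.9.
+* @version 1.9.1
 */
 
 (function() {
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
 ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
 });
 });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
+["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
+function(__dependency1__, __dependency2__, __dependency3__) {
+"use strict";
+/* jshint scripturl:true */
+
+var EmberView = __dependency1__["default"];
+var EmberHandlebars = __dependency2__["default"];
+var run = __dependency3__["default"];
+
+function compile(str) {
+return EmberHandlebars.compile(str);
+}
+var SafeString = EmberHandlebars.SafeString;
+
+function runAppend(view) {
+run(view, view.append);
+}
+
+function runDestroy(view) {
+run(view, view.destroy);
+}
+
+var view;
+
+QUnit.module("ember-handlebars: sanitized attribute", {
+teardown: function(){
+runDestroy(view);
+}
+});
+
+var badTags = [
+{ tag: 'a', attr: 'href',
+template: compile('<a {{bind-attr href=view.badValue}}></a>') },
+{ tag: 'link', attr: 'href',
+template: compile('<link {{bind-attr href=view.badValue}}>') },
+{ tag: 'img', attr: 'src',
+template: compile('<img {{bind-attr src=view.badValue}}>') },
+{ tag: 'iframe', attr: 'src',
+template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
+];
+
+for (var i=0, l=badTags.length; i<l; i++) {
+(function(){
+var tagName = badTags[i].tag;
+var attr = badTags[i].attr;
+var template = badTags[i].template;
+
+test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
+view = EmberView.create({
+template: template,
+badValue: "javascript:alert('XSS')"
+});
+
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"unsafe:javascript:alert('XSS')",
+"attribute is output" );
+});
+
+test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
+view = EmberView.create({
+template: template,
+badValue: "/sunshine/and/rainbows"
+});
+
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"/sunshine/and/rainbows",
+"attribute is output" );
+
+run(view, 'set', 'badValue', "javascript:alert('XSS')");
+
+equal( view.element.firstChild.getAttribute(attr),
+"unsafe:javascript:alert('XSS')",
+"attribute is output" );
+});
+
+test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
+view = EmberView.create({
+template: template,
+badValue: new SafeString("javascript:alert('XSS')")
+});
+
+try {
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"javascript:alert('XSS')",
+"attribute is output" );
+} catch(e) {
+// IE does not allow javascript: to be set on img src
+ok(true, 'caught exception '+e);
+}
+});
+})(); //jshint ignore:line
+}
+});
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-handlebars/tests/helpers');
+test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
+ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
+});
+});
 enifed("ember-handlebars/tests/helpers/template_test",
 ["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
 function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
 });
 });
 enifed("ember-handlebars/tests/helpers/view_test",
-["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
-function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
+["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
+function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
 "use strict";
 /*globals EmberDev */
 var EmberView = __dependency1__["default"];
 var Container = __dependency2__["default"];
 var run = __dependency3__["default"];
 var jQuery = __dependency4__["default"];
+var EmberObject = __dependency5__["default"];
 
 var view, originalLookup;
 
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
 
 ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
 });
+
+test('{{view}} should be able to point to a local instance of view', function() {
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.common}}"),
+
+common: EmberView.create({
+template: Ember.Handlebars.compile("common")
+})
+});
+
+run(view, 'appendTo', '#qunit-fixture');
+equal(view.$().text(), "common", "tries to look up view name locally");
+});
+
+test("{{view}} should be able to point to a local instance of subclass of view", function() {
+var MyView = EmberView.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.subclassed}}"),
+subclassed: MyView.create({
+template: Ember.Handlebars.compile("subclassed")
+})
+});
+
+run(view, 'appendTo', '#qunit-fixture');
+equal(view.$().text(), "subclassed", "tries to look up view name locally");
+});
+
+test("{{view}} asserts that a view class is present", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.notView}}"),
+notView: MyView.extend({
+template: Ember.Handlebars.compile("notView")
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view class is present off controller", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view notView}}"),
+controller: EmberObject.create({
+notView: MyView.extend({
+template: Ember.Handlebars.compile("notView")
+})
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view instance is present", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.notView}}"),
+notView: MyView.create({
+template: Ember.Handlebars.compile("notView")
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view subclass instance is present off controller", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view notView}}"),
+controller: EmberObject.create({
+notView: MyView.create({
+template: Ember.Handlebars.compile("notView")
+})
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
 });
 enifed("ember-handlebars/tests/helpers/view_test.jshint",
 [],
@@ -47215,6 +47411,15 @@ enifed("ember-views/system/renderer.jshint",
 ok(true, 'ember-views/system/renderer.js should pass jshint.');
 });
 });
+enifed("ember-views/system/sanitize_attribute_value.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-views/system');
+test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
+ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
+});
+});
 enifed("ember-views/system/utils.jshint",
 [],
 function() {
@@ -48112,6 +48317,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
 ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
 });
 });
+enifed("ember-views/tests/system/sanitize_attribute_value_test",
+["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
+function(__dependency1__, __dependency2__) {
+"use strict";
+var sanitizeAttributeValue = __dependency1__["default"];
+var EmberHandlebars = __dependency2__["default"];
+
+QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
+
+var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
+
+for (var i = 0, l = goodProtocols.length; i < l; i++) {
+buildProtocolTest(goodProtocols[i]);
+}
+
+function buildProtocolTest(protocol) {
+test('allows ' + protocol + ' protocol when element is not provided', function() {
+expect(1);
+
+var expected = protocol + '://foo.com';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, expected, 'protocol not escaped');
+});
+}
+
+test('blocks javascript: protocol', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'javascript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('blocks vbscript: protocol', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'vbscript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('does not block SafeStrings', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'javascript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
+
+equal(actual, expected, 'protocol unescaped');
+});
+});
+enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-views/tests/system');
+test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
+ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
+});
+});
 enifed("ember-views/tests/system/view_utils_test",
 ["ember-metal/run_loop","ember-views/views/view"],
 function(__dependency1__, __dependency2__) {
@@ -50480,8 +50753,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
 });
 });
 enifed("ember-views/tests/views/view/attribute_bindings_test",
-["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
-function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
+["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
+function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
 "use strict";
 var Ember = __dependency1__["default"];
 var run = __dependency2__["default"];
@@ -50489,6 +50762,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
 var changeProperties = __dependency4__.changeProperties;
 
 var EmberView = __dependency5__["default"];
+var EmberHandlebars = __dependency6__["default"];
 
 var originalLookup = Ember.lookup;
 var lookup, view;
@@ -50786,6 +51060,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
 appendView();
 }, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
 });
+
+test("blacklists href bindings based on protocol", function() {
+/* jshint scripturl:true */
+
+view = EmberView.create({
+attributeBindings: ['href'],
+href: "javascript:alert('foo')"
+});
+
+appendView();
+
+equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
+
+run(function() {
+view.set('href', new EmberHandlebars.SafeString(view.get('href')));
+});
+
+equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
+});
 });
 enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
 [],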
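Review bot: The unit tests added for `sanitizeAttributeValue` (ember-views/tests/system/sanitize_attribute_value_test) pin only the exact lowercase `javascript:` and `vbscript:` spellings, always with a `null` element and the `href` attribute, so a regression in how the scheme is normalised before matching would go unnoticed. The sanitizer itself is not in this file, so its handling of other spellings cannot be judged from here; a case such as `equal(sanitizeAttributeValue(null, 'href', 'JavaScript:alert("foo")'), 'unsafe:JavaScript:alert("foo")', 'protocol escaped');` would pin it, and `src` deserves the same direct test. In sanitized_bind_attr_test the SafeString case passes on any exception for all four tags although its comment justifies only IE with `img src`; adding `if (tagName !== 'img') { throw e; }` at the top of the `catch` keeps the other tags honest. These tests also fix as intended behaviour that a `SafeString` value skips the check, which deserves a comment such as `// SafeString is trusted verbatim: never wrap user-supplied URLs in it` next to those cases. The identical tests in data/dist/ember-tests.prod.js have the same gaps.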
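--- a/data/dist/ember-tests.prod.js
+++ b/data/dist/ember-tests.prod.js
@@ -5,7 +5,7 @@
 * Portions Copyright 2008-2011 Apple Inc. All rights reserved.
 * @license Licensed under MIT license
 * See https://raw.github.com/emberjs/ember.js/master/LICENSE
-* @version 1.9.
+* @version 1.9.1
 */
 
 (function() {
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
 ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
 });
 });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
+["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
+function(__dependency1__, __dependency2__, __dependency3__) {
+"use strict";
+/* jshint scripturl:true */
+
+var EmberView = __dependency1__["default"];
+var EmberHandlebars = __dependency2__["default"];
+var run = __dependency3__["default"];
+
+function compile(str) {
+return EmberHandlebars.compile(str);
+}
+var SafeString = EmberHandlebars.SafeString;
+
+function runAppend(view) {
+run(view, view.append);
+}
+
+function runDestroy(view) {
+run(view, view.destroy);
+}
+
+var view;
+
+QUnit.module("ember-handlebars: sanitized attribute", {
+teardown: function(){
+runDestroy(view);
+}
+});
+
+var badTags = [
+{ tag: 'a', attr: 'href',
+template: compile('<a {{bind-attr href=view.badValue}}></a>') },
+{ tag: 'link', attr: 'href',
+template: compile('<link {{bind-attr href=view.badValue}}>') },
+{ tag: 'img', attr: 'src',
+template: compile('<img {{bind-attr src=view.badValue}}>') },
+{ tag: 'iframe', attr: 'src',
+template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
+];
+
+for (var i=0, l=badTags.length; i<l; i++) {
+(function(){
+var tagName = badTags[i].tag;
+var attr = badTags[i].attr;
+var template = badTags[i].template;
+
+test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
+view = EmberView.create({
+template: template,
+badValue: "javascript:alert('XSS')"
+});
+
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"unsafe:javascript:alert('XSS')",
+"attribute is output" );
+});
+
+test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
+view = EmberView.create({
+template: template,
+badValue: "/sunshine/and/rainbows"
+});
+
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"/sunshine/and/rainbows",
+"attribute is output" );
+
+run(view, 'set', 'badValue', "javascript:alert('XSS')");
+
+equal( view.element.firstChild.getAttribute(attr),
+"unsafe:javascript:alert('XSS')",
+"attribute is output" );
+});
+
+test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
+view = EmberView.create({
+template: template,
+badValue: new SafeString("javascript:alert('XSS')")
+});
+
+try {
+runAppend(view);
+
+equal( view.element.firstChild.getAttribute(attr),
+"javascript:alert('XSS')",
+"attribute is output" );
+} catch(e) {
+// IE does not allow javascript: to be set on img src
+ok(true, 'caught exception '+e);
+}
+});
+})(); //jshint ignore:line
+}
+});
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-handlebars/tests/helpers');
+test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
+ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
+});
+});
 enifed("ember-handlebars/tests/helpers/template_test",
 ["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
 function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
 });
 });
 enifed("ember-handlebars/tests/helpers/view_test",
-["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
-function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
+["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
+function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
 "use strict";
 /*globals EmberDev */
 var EmberView = __dependency1__["default"];
 var Container = __dependency2__["default"];
 var run = __dependency3__["default"];
 var jQuery = __dependency4__["default"];
+var EmberObject = __dependency5__["default"];
 
 var view, originalLookup;
 
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
 
 ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
 });
+
+test('{{view}} should be able to point to a local instance of view', function() {
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.common}}"),
+
+common: EmberView.create({
+template: Ember.Handlebars.compile("common")
+})
+});
+
+run(view, 'appendTo', '#qunit-fixture');
+equal(view.$().text(), "common", "tries to look up view name locally");
+});
+
+test("{{view}} should be able to point to a local instance of subclass of view", function() {
+var MyView = EmberView.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.subclassed}}"),
+subclassed: MyView.create({
+template: Ember.Handlebars.compile("subclassed")
+})
+});
+
+run(view, 'appendTo', '#qunit-fixture');
+equal(view.$().text(), "subclassed", "tries to look up view name locally");
+});
+
+test("{{view}} asserts that a view class is present", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.notView}}"),
+notView: MyView.extend({
+template: Ember.Handlebars.compile("notView")
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view class is present off controller", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view notView}}"),
+controller: EmberObject.create({
+notView: MyView.extend({
+template: Ember.Handlebars.compile("notView")
+})
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view instance is present", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view view.notView}}"),
+notView: MyView.create({
+template: Ember.Handlebars.compile("notView")
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
+
+test("{{view}} asserts that a view subclass instance is present off controller", function() {
+var MyView = EmberObject.extend();
+view = EmberView.create({
+template: Ember.Handlebars.compile("{{view notView}}"),
+controller: EmberObject.create({
+notView: MyView.create({
+template: Ember.Handlebars.compile("notView")
+})
+})
+});
+
+expectAssertion(function(){
+run(view, 'appendTo', '#qunit-fixture');
+}, /must be a subclass or an instance of Ember.View/);
+});
 });
 enifed("ember-handlebars/tests/helpers/view_test.jshint",
 [],
@@ -47126,6 +47322,15 @@ enifed("ember-views/system/renderer.jshint",
 ok(true, 'ember-views/system/renderer.js should pass jshint.');
 });
 });
+enifed("ember-views/system/sanitize_attribute_value.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-views/system');
+test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
+ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
+});
+});
 enifed("ember-views/system/utils.jshint",
 [],
 function() {
@@ -48023,6 +48228,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
 ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
 });
 });
+enifed("ember-views/tests/system/sanitize_attribute_value_test",
+["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
+function(__dependency1__, __dependency2__) {
+"use strict";
+var sanitizeAttributeValue = __dependency1__["default"];
+var EmberHandlebars = __dependency2__["default"];
+
+QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
+
+var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
+
+for (var i = 0, l = goodProtocols.length; i < l; i++) {
+buildProtocolTest(goodProtocols[i]);
+}
+
+function buildProtocolTest(protocol) {
+test('allows ' + protocol + ' protocol when element is not provided', function() {
+expect(1);
+
+var expected = protocol + '://foo.com';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, expected, 'protocol not escaped');
+});
+}
+
+test('blocks javascript: protocol', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'javascript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('blocks vbscript: protocol', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'vbscript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', expected);
+
+equal(actual, 'unsafe:' + expected, 'protocol escaped');
+});
+
+test('does not block SafeStrings', function() {
+/* jshint scripturl:true */
+
+expect(1);
+
+var expected = 'javascript:alert("foo")';
+var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
+
+equal(actual, expected, 'protocol unescaped');
+});
+});
+enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
+[],
+function() {
+"use strict";
+module('JSHint - ember-views/tests/system');
+test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
+ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
+});
+});
 enifed("ember-views/tests/system/view_utils_test",
 ["ember-metal/run_loop","ember-views/views/view"],
 function(__dependency1__, __dependency2__) {
@@ -50391,8 +50664,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
 });
 });
 enifed("ember-views/tests/views/view/attribute_bindings_test",
-["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
-function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
+["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
+function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
 "use strict";
 var Ember = __dependency1__["default"];
 var run = __dependency2__["default"];
@@ -50400,6 +50673,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
 var changeProperties = __dependency4__.changeProperties;
 
 var EmberView = __dependency5__["default"];
+var EmberHandlebars = __dependency6__["default"];
 
 var originalLookup = Ember.lookup;
 var lookup, view;
@@ -50697,6 +50971,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
 appendView();
 }, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
 });
+
+test("blacklists href bindings based on protocol", function() {
+/* jshint scripturl:true */
+
+view = EmberView.create({
+attributeBindings: ['href'],
+href: "javascript:alert('foo')"
+});
+
+appendView();
+
+equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
+
+run(function() {
+view.set('href', new EmberHandlebars.SafeString(view.get('href')));
+});
+
+equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
+});
 });
 enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
 [],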