RubyGems - ember-source - Versions diffs - 1.9.0 → 1.9.1 - Mend

ember-source 1.9.0 → 1.9.1

Potentially problematic release.

This version of ember-source might be problematic. Click here for more details.

Files changed (10) hide show

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 052a33bf10608f0891d002cb22da0449771e6ee4
-  data.tar.gz: 95242bb387162aad053a261983d7e21afadf8c43
+  metadata.gz: 83ee192c23c80bc7f965ca53c3ccc7db0c4904da
+  data.tar.gz: 07d2fca0d32dc20170ba591f488b298d52368f7e
 SHA512:
-  metadata.gz: 9666eda04adfed94fb303c9a9e0dbc3440a4baf0c615f82d85b754f6d60fa561d07f494ab5268692c48a9422427b009e04385d12182875aae36551be14a25c6d
-  data.tar.gz: 4446210ec7e20ca347fda37bc7eddbacd011e4dee854e0661e695acc9ead25462e676005326f40acbc1b3e64ee6c3a02e81f5ac1cc0f0e4f9e547f861a539005
+  metadata.gz: b8b71dcc9d2667cf2c559dd70b44e8d7e59b7a9759bc0868e3a5dd19194d400b85c6abeb86ce9a4af54a1a43cc77352ea8b1fc70efa90951ca3fecb3b7e88f28
+  data.tar.gz: fc80c14a5c87b591c34323b0a22b44245acc2585ac2b311f25658e3cd089bb62c1aa606e2fdf2a918fcad0c6db274de1e0654ade335c9c677ab2eddfaa9b6d26

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 1.9.0
1	+ 1.9.1

data/dist/ember-runtime.js CHANGED

@@ -5,7 +5,7 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   1.9.0
+ * @version   1.9.1
  */
 (function() {
@@ -4811,7 +4811,7 @@ define("ember-metal/core",
       @class Ember
       @static
-      @version 1.9.0
+      @version 1.9.1
     */
     if ('undefined' === typeof Ember) {
@@ -4838,10 +4838,10 @@ define("ember-metal/core",
     /**
       @property VERSION
       @type String
-      @default '1.9.0'
+      @default '1.9.1'
       @static
     */
-    Ember.VERSION = '1.9.0';
+    Ember.VERSION = '1.9.1';
     /**
       Standard environmental variables. You can define these in a global `EmberENV`

data/dist/ember-testing.js CHANGED

@@ -5,7 +5,7 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   1.9.0
+ * @version   1.9.1
  */
 (function() {

data/dist/ember-tests.js CHANGED

@@ -5,7 +5,7 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   1.9.0
+ * @version   1.9.1
  */
 (function() {
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
       ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
     });
   });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
+  ["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
+  function(__dependency1__, __dependency2__, __dependency3__) {
+    "use strict";
+    /* jshint scripturl:true */
+    var EmberView = __dependency1__["default"];
+    var EmberHandlebars = __dependency2__["default"];
+    var run = __dependency3__["default"];
+    function compile(str) {
+      return EmberHandlebars.compile(str);
+    }
+    var SafeString = EmberHandlebars.SafeString;
+    function runAppend(view) {
+      run(view, view.append);
+    }
+    function runDestroy(view) {
+      run(view, view.destroy);
+    }
+    var view;
+    QUnit.module("ember-handlebars: sanitized attribute", {
+      teardown: function(){
+        runDestroy(view);
+      }
+    });
+    var badTags = [
+      { tag: 'a', attr: 'href',
+        template: compile('<a {{bind-attr href=view.badValue}}></a>') },
+      { tag: 'link', attr: 'href',
+        template: compile('<link {{bind-attr href=view.badValue}}>') },
+      { tag: 'img', attr: 'src',
+        template: compile('<img {{bind-attr src=view.badValue}}>') },
+      { tag: 'iframe', attr: 'src',
+        template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
+    ];
+    for (var i=0, l=badTags.length; i<l; i++) {
+      (function(){
+        var tagName = badTags[i].tag;
+        var attr = badTags[i].attr;
+        var template = badTags[i].template;
+        test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: "javascript:alert('XSS')"
+          });
+          runAppend(view);
+          equal( view.element.firstChild.getAttribute(attr),
+                 "unsafe:javascript:alert('XSS')",
+                 "attribute is output" );
+        });
+        test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: "/sunshine/and/rainbows"
+          });
+          runAppend(view);
+          equal( view.element.firstChild.getAttribute(attr),
+                 "/sunshine/and/rainbows",
+                 "attribute is output" );
+          run(view, 'set', 'badValue', "javascript:alert('XSS')");
+          equal( view.element.firstChild.getAttribute(attr),
+                 "unsafe:javascript:alert('XSS')",
+                 "attribute is output" );
+        });
+        test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: new SafeString("javascript:alert('XSS')")
+          });
+          try {
+            runAppend(view);
+            equal( view.element.firstChild.getAttribute(attr),
+                   "javascript:alert('XSS')",
+                   "attribute is output" );
+          } catch(e) {
+            // IE does not allow javascript: to be set on img src
+            ok(true, 'caught exception '+e);
+          }
+        });
+      })(); //jshint ignore:line
+    }
+  });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-handlebars/tests/helpers');
+    test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
+      ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
+    });
+  });
 enifed("ember-handlebars/tests/helpers/template_test",
   ["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
   function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
     });
   });
 enifed("ember-handlebars/tests/helpers/view_test",
-  ["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
-  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
+  ["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
+  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
     "use strict";
     /*globals EmberDev */
     var EmberView = __dependency1__["default"];
     var Container = __dependency2__["default"];
     var run = __dependency3__["default"];
     var jQuery = __dependency4__["default"];
+    var EmberObject = __dependency5__["default"];
     var view, originalLookup;
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
       ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
     });
+    test('{{view}} should be able to point to a local instance of view', function() {
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.common}}"),
+        common: EmberView.create({
+          template: Ember.Handlebars.compile("common")
+        })
+      });
+      run(view, 'appendTo', '#qunit-fixture');
+      equal(view.$().text(), "common", "tries to look up view name locally");
+    });
+    test("{{view}} should be able to point to a local instance of subclass of view", function() {
+      var MyView = EmberView.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.subclassed}}"),
+        subclassed: MyView.create({
+          template: Ember.Handlebars.compile("subclassed")
+        })
+      });
+      run(view, 'appendTo', '#qunit-fixture');
+      equal(view.$().text(), "subclassed", "tries to look up view name locally");
+    });
+    test("{{view}} asserts that a view class is present", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.notView}}"),
+        notView: MyView.extend({
+          template: Ember.Handlebars.compile("notView")
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view class is present off controller", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view notView}}"),
+        controller: EmberObject.create({
+          notView: MyView.extend({
+            template: Ember.Handlebars.compile("notView")
+          })
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view instance is present", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.notView}}"),
+        notView: MyView.create({
+          template: Ember.Handlebars.compile("notView")
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view subclass instance is present off controller", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view notView}}"),
+        controller: EmberObject.create({
+          notView: MyView.create({
+            template: Ember.Handlebars.compile("notView")
+          })
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
   });
 enifed("ember-handlebars/tests/helpers/view_test.jshint",
   [],
@@ -47215,6 +47411,15 @@ enifed("ember-views/system/renderer.jshint",
       ok(true, 'ember-views/system/renderer.js should pass jshint.');
     });
   });
+enifed("ember-views/system/sanitize_attribute_value.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-views/system');
+    test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
+      ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
+    });
+  });
 enifed("ember-views/system/utils.jshint",
   [],
   function() {
@@ -48112,6 +48317,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
       ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
     });
   });
+enifed("ember-views/tests/system/sanitize_attribute_value_test",
+  ["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
+  function(__dependency1__, __dependency2__) {
+    "use strict";
+    var sanitizeAttributeValue = __dependency1__["default"];
+    var EmberHandlebars = __dependency2__["default"];
+    QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
+    var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
+    for (var i = 0, l = goodProtocols.length; i < l; i++) {
+      buildProtocolTest(goodProtocols[i]);
+    }
+    function buildProtocolTest(protocol) {
+      test('allows ' + protocol + ' protocol when element is not provided', function() {
+        expect(1);
+        var expected = protocol + '://foo.com';
+        var actual = sanitizeAttributeValue(null, 'href', expected);
+        equal(actual, expected, 'protocol not escaped');
+      });
+    }
+    test('blocks javascript: protocol', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'javascript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', expected);
+      equal(actual, 'unsafe:' + expected, 'protocol escaped');
+    });
+    test('blocks vbscript: protocol', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'vbscript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', expected);
+      equal(actual, 'unsafe:' + expected, 'protocol escaped');
+    });
+    test('does not block SafeStrings', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'javascript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
+      equal(actual, expected, 'protocol unescaped');
+    });
+  });
+enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-views/tests/system');
+    test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
+      ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
+    });
+  });
 enifed("ember-views/tests/system/view_utils_test",
   ["ember-metal/run_loop","ember-views/views/view"],
   function(__dependency1__, __dependency2__) {
@@ -50480,8 +50753,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
     });
   });
 enifed("ember-views/tests/views/view/attribute_bindings_test",
-  ["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
-  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
+  ["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
+  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
     "use strict";
     var Ember = __dependency1__["default"];
     var run = __dependency2__["default"];
@@ -50489,6 +50762,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
     var changeProperties = __dependency4__.changeProperties;
     var EmberView = __dependency5__["default"];
+    var EmberHandlebars = __dependency6__["default"];
     var originalLookup = Ember.lookup;
     var lookup, view;
@@ -50786,6 +51060,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
         appendView();
       }, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
     });
+    test("blacklists href bindings based on protocol", function() {
+      /* jshint scripturl:true */
+      view = EmberView.create({
+        attributeBindings: ['href'],
+        href: "javascript:alert('foo')"
+      });
+      appendView();
+      equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
+      run(function() {
+        view.set('href', new EmberHandlebars.SafeString(view.get('href')));
+      });
+      equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
+    });
   });
 enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
   [],

data/dist/ember-tests.prod.js CHANGED

@@ -5,7 +5,7 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   1.9.0
+ * @version   1.9.1
  */
 (function() {
@@ -11394,6 +11394,115 @@ enifed("ember-handlebars/tests/helpers/partial_test.jshint",
       ok(true, 'ember-handlebars/tests/helpers/partial_test.js should pass jshint.');
     });
   });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test",
+  ["ember-views/views/view","ember-handlebars","ember-metal/run_loop"],
+  function(__dependency1__, __dependency2__, __dependency3__) {
+    "use strict";
+    /* jshint scripturl:true */
+    var EmberView = __dependency1__["default"];
+    var EmberHandlebars = __dependency2__["default"];
+    var run = __dependency3__["default"];
+    function compile(str) {
+      return EmberHandlebars.compile(str);
+    }
+    var SafeString = EmberHandlebars.SafeString;
+    function runAppend(view) {
+      run(view, view.append);
+    }
+    function runDestroy(view) {
+      run(view, view.destroy);
+    }
+    var view;
+    QUnit.module("ember-handlebars: sanitized attribute", {
+      teardown: function(){
+        runDestroy(view);
+      }
+    });
+    var badTags = [
+      { tag: 'a', attr: 'href',
+        template: compile('<a {{bind-attr href=view.badValue}}></a>') },
+      { tag: 'link', attr: 'href',
+        template: compile('<link {{bind-attr href=view.badValue}}>') },
+      { tag: 'img', attr: 'src',
+        template: compile('<img {{bind-attr src=view.badValue}}>') },
+      { tag: 'iframe', attr: 'src',
+        template: compile('<iframe {{bind-attr src=view.badValue}}></iframe>') }
+    ];
+    for (var i=0, l=badTags.length; i<l; i++) {
+      (function(){
+        var tagName = badTags[i].tag;
+        var attr = badTags[i].attr;
+        var template = badTags[i].template;
+        test("XSS - should not bind unsafe "+tagName+" "+attr+" values", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: "javascript:alert('XSS')"
+          });
+          runAppend(view);
+          equal( view.element.firstChild.getAttribute(attr),
+                 "unsafe:javascript:alert('XSS')",
+                 "attribute is output" );
+        });
+        test("XSS - should not bind unsafe "+tagName+" "+attr+" values on rerender", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: "/sunshine/and/rainbows"
+          });
+          runAppend(view);
+          equal( view.element.firstChild.getAttribute(attr),
+                 "/sunshine/and/rainbows",
+                 "attribute is output" );
+          run(view, 'set', 'badValue', "javascript:alert('XSS')");
+          equal( view.element.firstChild.getAttribute(attr),
+                 "unsafe:javascript:alert('XSS')",
+                 "attribute is output" );
+        });
+        test("should bind unsafe "+tagName+" "+attr+" values if they are SafeString", function() {
+          view = EmberView.create({
+            template: template,
+            badValue: new SafeString("javascript:alert('XSS')")
+          });
+          try {
+            runAppend(view);
+            equal( view.element.firstChild.getAttribute(attr),
+                   "javascript:alert('XSS')",
+                   "attribute is output" );
+          } catch(e) {
+            // IE does not allow javascript: to be set on img src
+            ok(true, 'caught exception '+e);
+          }
+        });
+      })(); //jshint ignore:line
+    }
+  });
+enifed("ember-handlebars/tests/helpers/sanitized_bind_attr_test.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-handlebars/tests/helpers');
+    test('ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint', function() {
+      ok(true, 'ember-handlebars/tests/helpers/sanitized_bind_attr_test.js should pass jshint.');
+    });
+  });
 enifed("ember-handlebars/tests/helpers/template_test",
   ["ember-metal/run_loop","ember-views/views/view","ember-runtime/system/object","ember-views/system/jquery","ember-runtime/system/container","ember-handlebars-compiler"],
   function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
@@ -11784,14 +11893,15 @@ enifed("ember-handlebars/tests/helpers/unbound_test.jshint",
     });
   });
 enifed("ember-handlebars/tests/helpers/view_test",
-  ["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery"],
-  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__) {
+  ["ember-views/views/view","container/container","ember-metal/run_loop","ember-views/system/jquery","ember-runtime/system/object"],
+  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
     "use strict";
     /*globals EmberDev */
     var EmberView = __dependency1__["default"];
     var Container = __dependency2__["default"];
     var run = __dependency3__["default"];
     var jQuery = __dependency4__["default"];
+    var EmberObject = __dependency5__["default"];
     var view, originalLookup;
@@ -12049,6 +12159,92 @@ enifed("ember-handlebars/tests/helpers/view_test",
       ok(jQuery('#foo').hasClass('foo'), "Always applies classbinding without condition");
     });
+    test('{{view}} should be able to point to a local instance of view', function() {
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.common}}"),
+        common: EmberView.create({
+          template: Ember.Handlebars.compile("common")
+        })
+      });
+      run(view, 'appendTo', '#qunit-fixture');
+      equal(view.$().text(), "common", "tries to look up view name locally");
+    });
+    test("{{view}} should be able to point to a local instance of subclass of view", function() {
+      var MyView = EmberView.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.subclassed}}"),
+        subclassed: MyView.create({
+          template: Ember.Handlebars.compile("subclassed")
+        })
+      });
+      run(view, 'appendTo', '#qunit-fixture');
+      equal(view.$().text(), "subclassed", "tries to look up view name locally");
+    });
+    test("{{view}} asserts that a view class is present", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.notView}}"),
+        notView: MyView.extend({
+          template: Ember.Handlebars.compile("notView")
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view class is present off controller", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view notView}}"),
+        controller: EmberObject.create({
+          notView: MyView.extend({
+            template: Ember.Handlebars.compile("notView")
+          })
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view instance is present", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view view.notView}}"),
+        notView: MyView.create({
+          template: Ember.Handlebars.compile("notView")
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
+    test("{{view}} asserts that a view subclass instance is present off controller", function() {
+      var MyView = EmberObject.extend();
+      view = EmberView.create({
+        template: Ember.Handlebars.compile("{{view notView}}"),
+        controller: EmberObject.create({
+          notView: MyView.create({
+            template: Ember.Handlebars.compile("notView")
+          })
+        })
+      });
+      expectAssertion(function(){
+        run(view, 'appendTo', '#qunit-fixture');
+      }, /must be a subclass or an instance of Ember.View/);
+    });
   });
 enifed("ember-handlebars/tests/helpers/view_test.jshint",
   [],
@@ -47126,6 +47322,15 @@ enifed("ember-views/system/renderer.jshint",
       ok(true, 'ember-views/system/renderer.js should pass jshint.');
     });
   });
+enifed("ember-views/system/sanitize_attribute_value.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-views/system');
+    test('ember-views/system/sanitize_attribute_value.js should pass jshint', function() {
+      ok(true, 'ember-views/system/sanitize_attribute_value.js should pass jshint.');
+    });
+  });
 enifed("ember-views/system/utils.jshint",
   [],
   function() {
@@ -48023,6 +48228,74 @@ enifed("ember-views/tests/system/render_buffer_test.jshint",
       ok(true, 'ember-views/tests/system/render_buffer_test.js should pass jshint.');
     });
   });
+enifed("ember-views/tests/system/sanitize_attribute_value_test",
+  ["ember-views/system/sanitize_attribute_value","ember-handlebars-compiler"],
+  function(__dependency1__, __dependency2__) {
+    "use strict";
+    var sanitizeAttributeValue = __dependency1__["default"];
+    var EmberHandlebars = __dependency2__["default"];
+    QUnit.module('ember-views: sanitizeAttributeValue(null, "href")');
+    var goodProtocols = [ 'https', 'http', 'ftp', 'tel', 'file'];
+    for (var i = 0, l = goodProtocols.length; i < l; i++) {
+      buildProtocolTest(goodProtocols[i]);
+    }
+    function buildProtocolTest(protocol) {
+      test('allows ' + protocol + ' protocol when element is not provided', function() {
+        expect(1);
+        var expected = protocol + '://foo.com';
+        var actual = sanitizeAttributeValue(null, 'href', expected);
+        equal(actual, expected, 'protocol not escaped');
+      });
+    }
+    test('blocks javascript: protocol', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'javascript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', expected);
+      equal(actual, 'unsafe:' + expected, 'protocol escaped');
+    });
+    test('blocks vbscript: protocol', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'vbscript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', expected);
+      equal(actual, 'unsafe:' + expected, 'protocol escaped');
+    });
+    test('does not block SafeStrings', function() {
+      /* jshint scripturl:true */
+      expect(1);
+      var expected = 'javascript:alert("foo")';
+      var actual = sanitizeAttributeValue(null, 'href', new EmberHandlebars.SafeString(expected));
+      equal(actual, expected, 'protocol unescaped');
+    });
+  });
+enifed("ember-views/tests/system/sanitize_attribute_value_test.jshint",
+  [],
+  function() {
+    "use strict";
+    module('JSHint - ember-views/tests/system');
+    test('ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint', function() {
+      ok(true, 'ember-views/tests/system/sanitize_attribute_value_test.js should pass jshint.');
+    });
+  });
 enifed("ember-views/tests/system/view_utils_test",
   ["ember-metal/run_loop","ember-views/views/view"],
   function(__dependency1__, __dependency2__) {
@@ -50391,8 +50664,8 @@ enifed("ember-views/tests/views/view/append_to_test.jshint",
     });
   });
 enifed("ember-views/tests/views/view/attribute_bindings_test",
-  ["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view"],
-  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__) {
+  ["ember-metal/core","ember-metal/run_loop","ember-metal/observer","ember-metal/property_events","ember-views/views/view","ember-handlebars-compiler"],
+  function(__dependency1__, __dependency2__, __dependency3__, __dependency4__, __dependency5__, __dependency6__) {
     "use strict";
     var Ember = __dependency1__["default"];
     var run = __dependency2__["default"];
@@ -50400,6 +50673,7 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
     var changeProperties = __dependency4__.changeProperties;
     var EmberView = __dependency5__["default"];
+    var EmberHandlebars = __dependency6__["default"];
     var originalLookup = Ember.lookup;
     var lookup, view;
@@ -50697,6 +50971,25 @@ enifed("ember-views/tests/views/view/attribute_bindings_test",
         appendView();
       }, 'You cannot use class as an attributeBinding, use classNameBindings instead.');
     });
+    test("blacklists href bindings based on protocol", function() {
+      /* jshint scripturl:true */
+      view = EmberView.create({
+        attributeBindings: ['href'],
+        href: "javascript:alert('foo')"
+      });
+      appendView();
+      equal(view.$().attr('href'), "unsafe:javascript:alert('foo')", "value property sanitized");
+      run(function() {
+        view.set('href', new EmberHandlebars.SafeString(view.get('href')));
+      });
+      equal(view.$().attr('href'), "javascript:alert('foo')", "value is not defined");
+    });
   });
 enifed("ember-views/tests/views/view/attribute_bindings_test.jshint",
   [],