From 2e6df0ee0db72b1d395fcb438dea0f09acec2d58 Mon Sep 17 00:00:00 2001 From: Kevin Schaaf Date: Mon, 11 Jun 2018 17:57:56 -0700 Subject: [PATCH] Implement opt-in `strictTemplatePolicy` (flag TBD) - disable dom-bind - disable dom-module template lookup - disable templatizer of templates not stamped in trusted polymer template --- lib/elements/dom-bind.js | 3 +++ lib/elements/dom-module.js | 4 ++++ lib/legacy/class.js | 2 +- lib/mixins/element-mixin.js | 4 ++-- lib/utils/templatize.js | 3 +++ 5 files changed, 13 insertions(+), 3 deletions(-) diff --git a/lib/elements/dom-bind.js b/lib/elements/dom-bind.js index 512e01c973..818a3c7950 100644 --- a/lib/elements/dom-bind.js +++ b/lib/elements/dom-bind.js @@ -50,6 +50,9 @@ export class DomBind extends domBindBase { constructor() { super(); + if (window.strictTemplatePolicy) { + throw new Error(`strictTemplatePolicy: dom-bind not allowed`); + } this.root = null; this.$ = null; this.__children = null; diff --git a/lib/elements/dom-module.js b/lib/elements/dom-module.js index ae35fe99bb..9558b90735 100644 --- a/lib/elements/dom-module.js +++ b/lib/elements/dom-module.js @@ -121,6 +121,10 @@ export class DomModule extends HTMLElement { register(id) { id = id || this.id; if (id) { + if (window.strictTemplatePolicy && findModule(id)) { + modules[id] = lcModules[id.toLowerCase()] = null; + throw new Error(`strictTemplatePolicy: dom-module ${id} registered twice`); + } this.id = id; // store id separate from lowercased id so that // in all cases mixedCase id will stored distinctly diff --git a/lib/legacy/class.js b/lib/legacy/class.js index e9ebc474d2..5439a445f0 100644 --- a/lib/legacy/class.js +++ b/lib/legacy/class.js @@ -156,7 +156,7 @@ function GenerateClassFromInfo(info, Base) { // get template first from any imperative set in `info._template` return info._template || // next look in dom-module associated with this element's is. - DomModule && DomModule.import(this.is, 'template') || + (!window.strictTemplatePolicy && (DomModule && DomModule.import(this.is, 'template'))) || // next look for superclass template (note: use superclass symbol // to ensure correct `this.is`) Base.template || diff --git a/lib/mixins/element-mixin.js b/lib/mixins/element-mixin.js index c0b9b6d051..42b23f2367 100644 --- a/lib/mixins/element-mixin.js +++ b/lib/mixins/element-mixin.js @@ -378,8 +378,8 @@ export const ElementMixin = dedupingMixin(base => { */ static get template() { if (!this.hasOwnProperty(JSCompiler_renameProperty('_template', this))) { - this._template = DomModule && DomModule.import( - /** @type {PolymerElementConstructor}*/ (this).is, 'template') || + this._template = (!window.strictTemplatePolicy && DomModule && DomModule.import( + /** @type {PolymerElementConstructor}*/ (this).is, 'template')) || // note: implemented so a subclass can retrieve the super // template; call the super impl this way so that `this` points // to the superclass. diff --git a/lib/utils/templatize.js b/lib/utils/templatize.js index 986a22334c..ebf6b740c9 100644 --- a/lib/utils/templatize.js +++ b/lib/utils/templatize.js @@ -495,6 +495,9 @@ and this string can then be deleted`; * @suppress {invalidCasts} */ export function templatize(template, owner, options) { + if (window.strictTemplatePolicy && !owner._methodHost) { + throw new Error('strictTemplatePolicy: template owner not trusted'); + } options = /** @type {!TemplatizeOptions} */(options || {}); if (template.__templatizeOwner) { throw new Error('A