diff --git a/lib/elements/dom-bind.js b/lib/elements/dom-bind.js index 818a3c7950..e24684f501 100644 --- a/lib/elements/dom-bind.js +++ b/lib/elements/dom-bind.js @@ -12,6 +12,7 @@ import '../utils/boot.js'; import { PropertyEffects } from '../mixins/property-effects.js'; import { OptionalMutableData } from '../mixins/mutable-data.js'; import { GestureEventListeners } from '../mixins/gesture-event-listeners.js'; +import { strictTemplatePolicy } from '../utils/settings.js'; /** * @constructor @@ -50,7 +51,7 @@ export class DomBind extends domBindBase { constructor() { super(); - if (window.strictTemplatePolicy) { + if (strictTemplatePolicy) { throw new Error(`strictTemplatePolicy: dom-bind not allowed`); } this.root = null; diff --git a/lib/elements/dom-module.js b/lib/elements/dom-module.js index 9558b90735..cd335d3f53 100644 --- a/lib/elements/dom-module.js +++ b/lib/elements/dom-module.js @@ -10,6 +10,7 @@ subject to an additional IP rights grant found at http://polymer.github.io/PATEN import '../utils/boot.js'; import { resolveUrl, pathFromUrl } from '../utils/resolve-url.js'; +import { strictTemplatePolicy } from '../utils/settings.js'; let modules = {}; let lcModules = {}; @@ -121,7 +122,7 @@ export class DomModule extends HTMLElement { register(id) { id = id || this.id; if (id) { - if (window.strictTemplatePolicy && findModule(id)) { + if (strictTemplatePolicy && findModule(id)) { modules[id] = lcModules[id.toLowerCase()] = null; throw new Error(`strictTemplatePolicy: dom-module ${id} registered twice`); } diff --git a/lib/legacy/class.js b/lib/legacy/class.js index 5439a445f0..0e740046ef 100644 --- a/lib/legacy/class.js +++ b/lib/legacy/class.js 
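Review bot: The check in the `DomBind` constructor now reads a module binding that starts out `false`, so a `<dom-bind>` is rejected only if `setStrictTemplatePolicy(true)` has run before the element is constructed. ES imports are evaluated before the importing module's body, so an application module that imports this file and calls the setter in its own body enables the policy only after this module has been evaluated; if the element is defined at module evaluation (not visible in this hunk), `<dom-bind>` elements already in the document would be upgraded unblocked. The same call-time read applies to the `register(id)` check in lib/elements/dom-module.js and to `templatize()` in lib/utils/templatize.js. I would document the ordering requirement at the check, e.g. `// strictTemplatePolicy must be enabled by a module evaluated before any Polymer element module is imported`.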
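Review bot: Writing `null` into `modules[id]` and `lcModules[id.toLowerCase()]` on a duplicate makes the rejected id look the same as one that was never registered, if `findModule(id)` returns the stored value (its body is outside this hunk). A later `register()` with the same id would then see a falsy `findModule(id)`, skip the throw and register normally, so the policy would reject only the second registration of an id and not the ones after it. Testing for presence instead of truthiness keeps the tombstone effective: `if (strictTemplatePolicy && (modules[id] !== undefined || lcModules[id.toLowerCase()] !== undefined)) {`. The rest of `register()` is outside the hunk, so the store path is assumed from the check.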
@@ -7,9 +7,10 @@ The complete set of contributors may be found at http://polymer.github.io/CONTRI Code distributed by Google as part of the polymer project is also subject to an additional IP rights grant found at http://polymer.github.io/PATENTS.txt */ -import { LegacyElementMixin } from './legacy-element-mixin.js'; +import { LegacyElementMixin } from './legacy-element-mixin.js'; import { DomModule } from '../elements/dom-module.js'; +import { strictTemplatePolicy } from '../utils/settings.js'; let metaProps = { attached: true, @@ -156,7 +157,7 @@ function GenerateClassFromInfo(info, Base) { // get template first from any imperative set in `info._template` return info._template || // next look in dom-module associated with this element's is. - (!window.strictTemplatePolicy && (DomModule && DomModule.import(this.is, 'template'))) || + (!strictTemplatePolicy && (DomModule && DomModule.import(this.is, 'template'))) || // next look for superclass template (note: use superclass symbol // to ensure correct `this.is`) Base.template || diff --git a/lib/mixins/element-mixin.js b/lib/mixins/element-mixin.js index 42b23f2367..ce441f401c 100644 --- a/lib/mixins/element-mixin.js +++ b/lib/mixins/element-mixin.js @@ -16,6 +16,7 @@ import { pathFromUrl, resolveCss, resolveUrl as resolveUrl$0 } from '../utils/re import { DomModule } from '../elements/dom-module.js'; import { PropertyEffects } from './property-effects.js'; import { PropertiesMixin } from './properties-mixin.js'; +import { strictTemplatePolicy } from '../utils/settings.js'; /** * Element class mixin that provides the core API for Polymer's meta-programming 
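Review bot: The comment above the changed line in `GenerateClassFromInfo` still reads `next look in dom-module associated with this element's is.` and does not say that this step is skipped under the policy. A reader tracing template resolution order would want that stated where the gate is, for example `// next look in dom-module associated with this element's is (skipped when strictTemplatePolicy is on, so only script-defined templates are used)`. The `DomModule &&` guard also looks redundant now that `DomModule` is a static import at the top of the file. The enclosing getter starts and ends outside the hunk.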
@@ -378,7 +379,7 @@ export const ElementMixin = dedupingMixin(base => { */ static get template() { if (!this.hasOwnProperty(JSCompiler_renameProperty('_template', this))) { - this._template = (!window.strictTemplatePolicy && DomModule && DomModule.import( + this._template = (!strictTemplatePolicy && DomModule && DomModule.import( /** @type {PolymerElementConstructor}*/ (this).is, 'template')) || // note: implemented so a subclass can retrieve the super // template; call the super impl this way so that `this` points diff --git a/lib/utils/settings.js b/lib/utils/settings.js index 461bd33b4b..52c4ec2ba2 100644 --- a/lib/utils/settings.js +++ b/lib/utils/settings.js @@ -38,11 +38,10 @@ export const setRootPath = function(path) { }; /** - * A global callback used to sanitize any value before inserting it into the DOM. The callback signature is: + * A global callback used to sanitize any value before inserting it into the DOM. + * The callback signature is: * - * Polymer = { - * sanitizeDOMValue: function(value, name, type, node) { ... } - * } + * function sanitizeDOMValue(value, name, type, node) { ... } * * Where: * @@ -66,6 +65,7 @@ export const setSanitizeDOMValue = function(newSanitizeDOMValue) { sanitizeDOMValue = newSanitizeDOMValue; }; + /** * Globally settable property to make Polymer Gestures use passive TouchEvent listeners when recognizing gestures. * When set to `true`, gestures made from touch will not be able to prevent scrolling, allowing for smoother 
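Review bot: `static get template()` stores its result in `this._template` behind the `hasOwnProperty` guard, so `strictTemplatePolicy` is sampled once per class and the outcome is kept. If the policy is enabled after a class has first resolved its template, a template already imported from a dom-module stays in use for that class. That makes the setter effective only for classes not yet resolved; I would state this next to the check, e.g. `// sampled once per class: enable strictTemplatePolicy before any element template is first read`. The getter body continues past the end of the hunk.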
@@ -83,3 +83,22 @@ export let passiveTouchGestures = false; export const setPassiveTouchGestures = function(usePassive) { passiveTouchGestures = usePassive; }; + +/** + * Setting to ensure Polymer template evaluation only occurs based on tempates + * defined in trusted script. When true, `` based template lookup + * is disabled, `` is disabled, and ``/`` + * templates will only evaluate in the context of a trusted element template. + */ +export let strictTemplatePolicy = false; + +/** + * Sets `strictTemplatePolicy` globally for all elements + * + * @param {boolean} useStrictPolicy enable or disable strict template policy + * globally + * @return {void} + */ +export const setStrictTemplatePolicy = function(useStrictPolicy) { + strictTemplatePolicy = useStrictPolicy; +}; diff --git a/lib/utils/templatize.js b/lib/utils/templatize.js index ebf6b740c9..be09cb0c21 100644 --- a/lib/utils/templatize.js +++ b/lib/utils/templatize.js @@ -11,6 +11,7 @@ import './boot.js'; import { PropertyEffects } from '../mixins/property-effects.js'; import { MutableData } from '../mixins/mutable-data.js'; +import { strictTemplatePolicy } from '../utils/settings.js'; // Base class for HTMLTemplateElement extension that has property effects // machinery for propagating host properties to children. This is an ES5 @@ -495,7 +496,7 @@ and this string can then be deleted`; * @suppress {invalidCasts} */ export function templatize(template, owner, options) { - if (window.strictTemplatePolicy && !owner._methodHost) { + if (strictTemplatePolicy && !owner._methodHost) { throw new Error('strictTemplatePolicy: template owner not trusted'); } options = /** @type {!TemplatizeOptions} */(options || {}); diff --git a/test/unit/strict-template-policy.html b/test/unit/strict-template-policy.html index 225ce574ed..955fdcd799 100644 --- a/test/unit/strict-template-policy.html +++ b/test/unit/strict-template-policy.html @@ -15,8 +15,9 @@
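Review bot: `strictTemplatePolicy` now defaults to `false` and, in the hunks shown, nothing reads `window.strictTemplatePolicy` any more, so a page that enabled the policy through the global would run with it off after this change and get no error. If that migration is intended it deserves a line in the doc comment and release notes; otherwise seed the export from the old global, `export let strictTemplatePolicy = Boolean(window.strictTemplatePolicy);`. The setter also lets any importing script turn the policy back off; if that is only needed for tests, `strictTemplatePolicy = strictTemplatePolicy || Boolean(useStrictPolicy);` makes it one-way. In the new doc comment, `tempates` should read `templates`, and the element names inside the backticks are empty as shown here.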
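Review bot: Under the policy, `!owner._methodHost` dereferences `owner` before anything has checked it, so a call without an owner would raise a `TypeError` instead of the `strictTemplatePolicy: template owner not trusted` error. Whether `owner` may be omitted is decided by the parameter docs, which are outside this hunk. It still fails closed, but the policy error is the one operators will search logs for; `if (strictTemplatePolicy && !(owner && owner._methodHost)) {` keeps the message consistent. The body of `templatize()` continues past the hunk.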