From ada72d4d833042827b5623c08aaef397bee9b1a7 Mon Sep 17 00:00:00 2001
From: Kevin Schaaf
Date: Mon, 11 Jun 2018 17:59:22 -0700
Subject: [PATCH] Implement opt-in `strictTemplatePolicy` (flag TBD)
- disable dom-bind
- disable dom-module re-registration
- require elements with no template to implement null template
- disable templatizer of templates not stamped in trusted polymer template
---
 lib/elements/dom-bind.html | 3 +++
 lib/elements/dom-module.html | 4 ++++
 lib/legacy/class.html | 9 ++++++++-
 lib/mixins/element-mixin.html | 6 +++++-
 lib/utils/templatize.html | 3 +++
 5 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/lib/elements/dom-bind.html b/lib/elements/dom-bind.html
index 1e7475aaf8..bb51786ef1 100644
--- a/lib/elements/dom-bind.html
+++ b/lib/elements/dom-bind.html
@@ -56,6 +56,9 @@
 constructor() {
 super();
+ if (window.strictTemplatePolicy) {
+ throw new Error(`strictTemplatePolicy: dom-bind not allowed`);
+ }
 this.root = null;
 this.$ = null;
 this.__children = null;
diff --git a/lib/elements/dom-module.html b/lib/elements/dom-module.html
index cb06b25aba..c385cf19ec 100644
--- a/lib/elements/dom-module.html
+++ b/lib/elements/dom-module.html
@@ -124,6 +124,10 @@
 register(id) {
 id = id || this.id;
 if (id) {
+ if (window.strictTemplatePolicy && findModule(id)) {
+ modules[id] = lcModules[id.toLowerCase()] = null;
+ throw new Error(`strictTemplatePolicy: dom-module ${id} registered twice`);
+ }
 this.id = id;
 // store id separate from lowercased id so that
 // in all cases mixedCase id will stored distinctly
diff --git a/lib/legacy/class.html b/lib/legacy/class.html
index afe838cc57..66ba81326b 100644
--- a/lib/legacy/class.html
+++ b/lib/legacy/class.html
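Review bot: The guard `if (window.strictTemplatePolicy)` in the dom-bind constructor tests a bare `window` property for truthiness, and on a page where no script has assigned the flag that lookup can resolve to an element whose `id` or `name` is `strictTemplatePolicy`, so markup alone could turn the policy on and make every `<dom-bind>` throw. Since the flag name is still marked TBD, I would require an explicit boolean, `if (window.strictTemplatePolicy === true) {`, or read it through one settings accessor on the `Polymer` namespace. The same truthiness read appears in the dom-module, class.html, element-mixin and templatize hunks. The constructor body continues outside the hunk.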
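Review bot: The duplicate check `findModule(id)` in `register` is a truthiness test, but the branch it guards stores `null` as the tombstone, so a third registration of the same id would presumably pass the check and register normally (assuming `findModule`, defined outside the hunk, returns the stored entry). Testing for presence keeps the tombstone effective: `if (window.strictTemplatePolicy && findModule(id) !== undefined) {`, provided `findModule` yields `undefined` for ids never seen. The assignment also clears `modules[id]` under the current casing only, so an entry first stored under a different casing may remain in `modules`; that deserves a comment or a test. `register` continues outside the hunk.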
@@ -157,7 +157,10 @@
 */
 static get template() {
 // get template first from any imperative set in `info._template`
- return info._template ||
+ if (info._template !== undefined) {
+ return info._template;
+ }
+ const template = info._template ||
 // next look in dom-module associated with this element's is.
 Polymer.DomModule && Polymer.DomModule.import(this.is, 'template') ||
 // next look for superclass template (note: use superclass symbol
@@ -166,6 +169,10 @@
 // finally fall back to `_template` in element's prototype.
 this.prototype._template ||
 null;
+ if (window.strictTemplatePolicy && !template) {
+ throw new Error(`strictTemplatePolicy: expecting dom-module or null _template for ${this.is}`);
+ }
+ return template;
 }
 /**
diff --git a/lib/mixins/element-mixin.html b/lib/mixins/element-mixin.html
index b0f7fba988..b059f0e216 100644
--- a/lib/mixins/element-mixin.html
+++ b/lib/mixins/element-mixin.html
@@ -386,12 +386,16 @@
 */
 static get template() {
 if (!this.hasOwnProperty(JSCompiler_renameProperty('_template', this))) {
- this._template = Polymer.DomModule && Polymer.DomModule.import(
+ const template = Polymer.DomModule && Polymer.DomModule.import(
 /** @type {PolymerElementConstructor}*/ (this).is, 'template') ||
 // note: implemented so a subclass can retrieve the super
 // template; call the super impl this way so that `this` points
 // to the superclass.
 Object.getPrototypeOf(/** @type {PolymerElementConstructor}*/ (this).prototype).constructor.template;
+ if (window.strictTemplatePolicy && this.is && !template) {
+ throw new Error(`strictTemplatePolicy: expecting dom-module or null template for ${this.is}`);
+ }
+ this._template = template;
 }
 return this._template;
 }
diff --git a/lib/mixins/element-mixin.html b/lib/utils/templatize.html
index 67b4a53179..8f2108c000 100644
--- a/lib/utils/templatize.html
+++ b/lib/utils/templatize.html
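Review bot: After the new early return in the legacy `template` getter, `info._template` can only be `undefined` when `const template = info._template ||` runs, so that first operand is dead and obscures the lookup order. I would start the chain at the dom-module lookup, `const template =` followed directly by the `Polymer.DomModule && …` line, and reword the leading comment to `// an imperative info._template, including an explicit null, is returned as-is`. The getter body spans both class.html hunks and two of its lines fall between them.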
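Review bot: The new throw in the element-mixin getter only fires when both lookups come back empty, so a subclass that relies on its superclass template still resolves `Polymer.DomModule.import(this.is, 'template')` first, and a dom-module registered under that subclass's `is` would take precedence over the inherited template without tripping the duplicate-registration guard. If strict mode is meant to cover that case, the contract should be documented next to the check, e.g. `// strict mode: elements without their own dom-module must define template explicitly (null or inherited)`. The legacy getter in class.html has the same lookup order. The `this.is &&` condition also exempts classes without an `is`; a one-line comment saying why would help the next reader.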
@@ -500,6 +500,9 @@
 * @suppress {invalidCasts}
 */
 templatize(template, owner, options) {
+ if (window.strictTemplatePolicy && !owner._methodHost) {
+ throw new Error('strictTemplatePolicy: template owner not trusted');
+ }
 options = /** @type {!TemplatizeOptions} */(options || {});
 if (template.__templatizeOwner) {
 throw new Error('A