[Glimmer 2] Unskip tests related to inline styles and unsafe hrefs

Part of emberjs#13644
chadhietala · Jul 17, 2016 · fd367c6 · fd367c6
1 parent 62d0a35
commit fd367c6
Show file tree

Hide file tree

Showing 7 changed files with 44 additions and 16 deletions.
diff --git a/package.json b/package.json
@@ -37,7 +37,7 @@
     "express": "^4.5.0",
     "finalhandler": "^0.4.0",
     "github": "^0.2.3",
-    "glimmer-engine": "tildeio/glimmer#b618846",
+    "glimmer-engine": "tildeio/glimmer#d2feca1",
     "glob": "^5.0.13",
     "htmlbars": "0.14.24",
     "mocha": "^2.4.5",

diff --git a/packages/ember-glimmer/lib/environment.js b/packages/ember-glimmer/lib/environment.js
@@ -1,15 +1,18 @@
 import lookupPartial, { hasPartial } from 'ember-views/system/lookup_partial';
 import {
   Environment as GlimmerEnvironment,
-  HelperSyntax
+  HelperSyntax,
+  AttributeChangeList,
+  isSafeString
 } from 'glimmer-runtime';
 import Dict from 'ember-metal/empty_object';
-import { assert } from 'ember-metal/debug';
+import { assert, warn } from 'ember-metal/debug';
 import { CurlyComponentSyntax, CurlyComponentDefinition } from './syntax/curly-component';
 import { DynamicComponentSyntax } from './syntax/dynamic-component';
 import { RenderSyntax } from './syntax/render';
 import { OutletSyntax } from './syntax/outlet';
 import lookupComponent from 'ember-views/utils/lookup-component';
+import { STYLE_WARNING } from 'ember-views/system/utils';
 import createIterable from './utils/iterable';
 import {
   ConditionalReference,
@@ -53,6 +56,22 @@ function buildTextFieldSyntax({ args, templates }, getDefinition) {
   return new CurlyComponentSyntax({ args, definition, templates });
 }
 
+const StyleAttributeChangeList = {
+  setAttribute(dom, element, attr, value) {
+    warn(STYLE_WARNING, (() => {
+      if (value === null || value === undefined || isSafeString(value)) {
+        return true;
+      }
+      return false;
+    })(), { id: 'ember-htmlbars.style-xss-warning' });
+    AttributeChangeList.setAttribute(...arguments);
+  },
+
+  updateAttribute() {
+    this.setAttribute(...arguments);
+  }
+};
+
 const builtInDynamicComponents = {
   input({ key, args, templates }, getDefinition) {
     if (args.named.has('type')) {
@@ -245,6 +264,14 @@ export default class Environment extends GlimmerEnvironment {
     return hasPartial(this, name[0]);
   }
 
+  attributeFor(element, attr, reference, isTrusting) {
+    if (attr === 'style' && !isTrusting) {
+      return StyleAttributeChangeList;
+    }
+
+    return super.attributeFor(...arguments);
+  }
+
   lookupPartial(name) {
     let partial = {
       template: lookupPartial(this, name[0]).spec

diff --git a/packages/ember-glimmer/tests/integration/components/attribute-bindings-test.js b/packages/ember-glimmer/tests/integration/components/attribute-bindings-test.js
@@ -452,7 +452,7 @@ moduleFor('Attribute bindings integration', class extends RenderingTest {
     }, /You cannot use class as an attributeBinding, use classNameBindings instead./i);
   }
 
-  ['@htmlbars blacklists href bindings based on protocol']() {
+  ['@test blacklists href bindings based on protocol']() {
     /* jshint scripturl:true */
 
     let FooBarComponent = Component.extend({

diff --git a/packages/ember-glimmer/tests/integration/content-test.js b/packages/ember-glimmer/tests/integration/content-test.js
@@ -7,7 +7,7 @@ import EmberObject from 'ember-runtime/system/object';
 import ObjectProxy from 'ember-runtime/system/object_proxy';
 import { classes } from '../utils/test-helpers';
 import { getDebugFunction, setDebugFunction } from 'ember-metal/debug';
-import { styleWarning } from 'ember-htmlbars/morphs/attr-morph';
+import { STYLE_WARNING } from 'ember-views/system/utils';
 import { Component } from '../utils/helpers';
 import { SafeString } from 'ember-htmlbars/utils/string';
 
@@ -939,7 +939,7 @@ moduleFor('Dynamic content tests (integration)', class extends RenderingTest {
 if (!EmberDev.runningProdBuild) {
   let warnings, originalWarn;
 
-  moduleFor('@htmlbars Inline style tests', class extends RenderingTest {
+  moduleFor('Inline style tests', class extends RenderingTest {
     constructor() {
       super(...arguments);
       warnings = [];
@@ -961,7 +961,7 @@ if (!EmberDev.runningProdBuild) {
         userValue: 'width: 42px'
       });
 
-      assert.deepEqual(warnings, [styleWarning]);
+      assert.deepEqual(warnings, [STYLE_WARNING]);
     }
 
     ['@test specifying `attributeBindings: ["style"]` generates a warning'](assert) {
@@ -975,7 +975,7 @@ if (!EmberDev.runningProdBuild) {
         userValue: 'width: 42px'
       });
 
-      assert.deepEqual(warnings, [styleWarning]);
+      assert.deepEqual(warnings, [STYLE_WARNING]);
     }
 
     ['@test specifying `<div style={{{userValue}}}></div>` works properly without a warning'](assert) {

diff --git a/packages/ember-glimmer/tests/integration/helpers/unbound-test.js b/packages/ember-glimmer/tests/integration/helpers/unbound-test.js
@@ -95,7 +95,7 @@ moduleFor('Helpers test: {{unbound}}', class extends RenderingTest {
     this.assertHTML('<a href="BORK"></a>');
   }
 
-  ['@htmlbars should property escape unsafe hrefs']() {
+  ['@test should property escape unsafe hrefs']() {
     let unsafeUrls = emberA([
       {
         name: 'Bob',

diff --git a/packages/ember-htmlbars/lib/morphs/attr-morph.js b/packages/ember-htmlbars/lib/morphs/attr-morph.js
@@ -1,15 +1,10 @@
 import { warn, debugSeal } from 'ember-metal/debug';
 import DOMHelper from 'dom-helper';
 import isNone from 'ember-metal/is_none';
+import { STYLE_WARNING } from 'ember-views/system/utils';
 
 const HTMLBarsAttrMorph = DOMHelper.prototype.AttrMorphClass;
 
-export var styleWarning = '' +
-  'Binding style attributes may introduce cross-site scripting vulnerabilities; ' +
-  'please ensure that values being bound are properly escaped. For more information, ' +
-  'including how to disable this warning, see ' +
-  'http://emberjs.com/deprecations/v1.x/#toc_binding-style-attributes.';
-
 let proto = HTMLBarsAttrMorph.prototype;
 
 proto.didInit = function() {
@@ -20,7 +15,7 @@ proto.didInit = function() {
 
 function deprecateEscapedStyle(morph, value) {
   warn(
-    styleWarning,
+    STYLE_WARNING,
     (function(name, value, escaped) {
       // SafeString
       if (isNone(value) || (value && value.toHTML)) {

diff --git a/packages/ember-views/lib/system/utils.js b/packages/ember-views/lib/system/utils.js
@@ -10,6 +10,12 @@ export function isSimpleClick(event) {
   return !modifier && !secondaryClick;
 }
 
+export const STYLE_WARNING = '' +
+  'Binding style attributes may introduce cross-site scripting vulnerabilities; ' +
+  'please ensure that values being bound are properly escaped. For more information, ' +
+  'including how to disable this warning, see ' +
+  'http://emberjs.com/deprecations/v1.x/#toc_binding-style-attributes.';
+
 /**
   @private
   @method getViewRange