[BUGFIX beta] Remove DOM Helper monkeypatches

The DOM helper used to require a specially patched version of `protocolForURL` and `setMorphHTML` to work in Node. This commit: 1) Adds a test to verify attributes are correctly sanitized in Node 2) Removes the monkeypatches
emberjs · Dec 8, 2015 · a914541 · a914541
1 parent 3771c93
commit a914541
Show file tree

Hide file tree

Showing 5 changed files with 58 additions and 24 deletions.
diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
diff --git a/package.json b/package.json
@@ -33,7 +33,7 @@
     "finalhandler": "^0.4.0",
     "github": "^0.2.3",
     "glob": "~4.3.2",
-    "htmlbars": "0.14.7",
+    "htmlbars": "0.14.8",
     "qunit-extras": "^1.4.0",
     "qunitjs": "^1.19.0",
     "route-recognizer": "0.1.5",

diff --git a/tests/.jshintrc b/tests/.jshintrc
@@ -0,0 +1,30 @@
+{
+    "esnext": false,
+    "node" : true,
+    "browser" : false,
+
+    "boss" : true,
+    "curly": false,
+    "debug": false,
+    "devel": false,
+    "eqeqeq": true,
+    "evil": true,
+    "forin": false,
+    "immed": false,
+    "laxbreak": false,
+    "newcap": true,
+    "noarg": true,
+    "noempty": false,
+    "nonew": false,
+    "nomen": false,
+    "onevar": false,
+    "plusplus": false,
+    "regexp": false,
+    "undef": true,
+    "sub": true,
+    "strict": false,
+    "white": false,
+    "eqnull": true,
+    "trailing": true,
+    "unused": "vars"
+}
diff --git a/tests/node/helpers/app-module.js b/tests/node/helpers/app-module.js
@@ -9,7 +9,6 @@ var emberPath = path.join(distPath, 'ember.debug.cjs');
 var templateCompilerPath = path.join(distPath, 'ember-template-compiler');
 var features = require(path.join(__dirname, '../../../features.json')).features;
 var SimpleDOM = require('simple-dom');
-var URL = require('url');
 
 /*
  * This helper sets up a QUnit test module with all of the environment and
@@ -108,19 +107,6 @@ module.exports = function(moduleName) {
       this.routes = registerRoutes;
       this.registry = {};
       this.renderToHTML = renderToHTML;
-
-      // TODO: REMOVE ME
-
-      // Patch DOMHelper
-      Ember.HTMLBars.DOMHelper.prototype.protocolForURL = function(url) {
-        var protocol = URL.parse(url).protocol;
-        return (protocol == null) ? ':' : protocol;
-      };
-
-      Ember.HTMLBars.DOMHelper.prototype.setMorphHTML = function(morph, html) {
-        var section = this.document.createRawHTMLSection(html);
-        morph.setNode(section);
-      };
     },
 
     afterEach: function() {

diff --git a/tests/node/visit-test.js b/tests/node/visit-test.js
@@ -10,7 +10,7 @@ function assertHTMLMatches(assert, actualHTML, expectedHTML) {
 function handleError(assert) {
   return function(error) {
     assert.ok(false, error.stack);
-  }
+  };
 }
 
 // This is based on what fastboot-server does
@@ -133,6 +133,24 @@ if (appModule.canRunTests) {
     ]);
   });
 
+  QUnit.test('FastBoot: attributes are sanitized', function(assert) {
+    this.template('application', '<a href={{test}}></a>');
+
+    this.controller('application', {
+      /*jshint scripturl:true*/
+      test: 'javascript:alert("hello")'
+    });
+
+    var App = this.createApplication();
+
+    return RSVP.all([
+      fastbootVisit(App, '/').then(
+        assertFastbootResult(assert, { url: '/', body: '<a href="unsafe:javascript:alert\\(&quot;hello&quot;\\)"></a>' }),
+        handleError(assert)
+      )
+    ]);
+  });
+
   QUnit.test('FastBoot: route error', function(assert) {
     this.routes(function() {
       this.route('a');
@@ -159,7 +177,7 @@ if (appModule.canRunTests) {
     return RSVP.all([
       fastbootVisit(App, '/a').then(
         function(instance) {
-          assert.ok(false, 'It should not render')
+          assert.ok(false, 'It should not render');
           instance.destroy();
         },
         function(error) {
@@ -168,7 +186,7 @@ if (appModule.canRunTests) {
       ),
       fastbootVisit(App, '/b').then(
         function(instance) {
-          assert.ok(false, 'It should not render')
+          assert.ok(false, 'It should not render');
           instance.destroy();
         },
         function(error) {
@@ -203,7 +221,7 @@ if (appModule.canRunTests) {
         return this.network.fetch('/a');
       },
       afterModel: function() {
-        this.replaceWith('b')
+        this.replaceWith('b');
       }
     });
 
@@ -212,7 +230,7 @@ if (appModule.canRunTests) {
         return this.network.fetch('/b');
       },
       afterModel: function() {
-        this.replaceWith('c')
+        this.replaceWith('c');
       }
     });
 
@@ -227,7 +245,7 @@ if (appModule.canRunTests) {
         return this.network.fetch('/d');
       },
       afterModel: function() {
-        this.replaceWith('e')
+        this.replaceWith('e');
       }
     });
 
@@ -283,4 +301,4 @@ if (appModule.canRunTests) {
       assert.strictEqual(xFooInstances, 0, 'it should not create any x-foo components');
     });
   });
-}
+}