Merge pull request #10695 from stefanpenner/update

<base href and <embed src data: need to be escaped
emberjs · Mar 23, 2015 · 60f53a3 · 60f53a3
2 parents 73b4060 + 4a82e72
commit 60f53a3
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 113 deletions.
diff --git a/package.json b/package.json
@@ -22,7 +22,7 @@
     "express": "^4.5.0",
     "github": "^0.2.3",
     "glob": "~4.3.2",
-    "htmlbars": "0.11.1",
+    "htmlbars": "0.11.2",
     "qunit-extras": "^1.3.0",
     "qunitjs": "^1.16.0",
     "route-recognizer": "0.1.5",

diff --git a/packages/ember-htmlbars/lib/hooks/attribute.js b/packages/ember-htmlbars/lib/hooks/attribute.js
@@ -6,7 +6,7 @@
 import AttrNode from "ember-views/attr_nodes/attr_node";
 import EmberError from "ember-metal/error";
 import { isStream } from "ember-metal/streams/utils";
-import sanitizeAttributeValue from "ember-views/system/sanitize_attribute_value";
+import sanitizeAttributeValue from "morph-attr/sanitize-attribute-value";
 
 var boundAttributesEnabled = false;
 

diff --git a/packages/ember-htmlbars/tests/attr_nodes/sanitized_test.js b/packages/ember-htmlbars/tests/attr_nodes/sanitized_test.js
@@ -16,24 +16,39 @@ QUnit.module("ember-htmlbars: sanitized attribute", {
 
 if (Ember.FEATURES.isEnabled('ember-htmlbars-attribute-syntax')) {
 // jscs:disable validateIndentation
+// jscs:disable disallowTrailingWhitespace
 
 var badTags = [
   { tag: 'a', attr: 'href',
     unquotedTemplate: compile("<a href={{url}}></a>"),
     quotedTemplate: compile("<a href='{{url}}'></a>"),
     multipartTemplate: compile("<a href='{{protocol}}{{path}}'></a>") },
+
+  { tag: 'base', attr: 'href',
+    unquotedTemplate: compile("<base href={{url}} />"),
+    quotedTemplate: compile("<base href='{{url}}'/>"),
+    multipartTemplate: compile("<base href='{{protocol}}{{path}}'/>") },
+
+  { tag: 'embed', attr: 'src',
+    unquotedTemplate: compile("<embed src={{url}} />"),
+    quotedTemplate: compile("<embed src='{{url}}'/>"),
+    multipartTemplate: compile("<embed src='{{protocol}}{{path}}'/>") },
+
   { tag: 'body', attr: 'background',
     unquotedTemplate: compile("<body background={{url}}></body>"),
     quotedTemplate: compile("<body background='{{url}}'></body>"),
     multipartTemplate: compile("<body background='{{protocol}}{{path}}'></body>") },
+
   { tag: 'link', attr: 'href',
     unquotedTemplate: compile("<link href={{url}}>"),
     quotedTemplate: compile("<link href='{{url}}'>"),
     multipartTemplate: compile("<link href='{{protocol}}{{path}}'>") },
+
   { tag: 'img', attr: 'src',
     unquotedTemplate: compile("<img src={{url}}>"),
     quotedTemplate: compile("<img src='{{url}}'>"),
     multipartTemplate: compile("<img src='{{protocol}}{{path}}'>") },
+
   { tag: 'iframe', attr: 'src',
     // Setting an iframe with a bad protocol results in the browser
     // being redirected. in IE8. Skip the iframe tests on that platform.

diff --git a/packages/ember-views/lib/system/sanitize_attribute_value.js b/packages/ember-views/lib/system/sanitize_attribute_value.js
diff --git a/packages/ember-views/tests/system/sanitize_attribute_value_test.js b/packages/ember-views/tests/system/sanitize_attribute_value_test.js