Merge pull request #1425 from barneycarroll/contenteditable-childless-fix
Fix #1421
This commit is contained in:
Leo Horie
GitHub
commit
b4ada9284c
2 changed files with 58 additions and 4 deletions
|
|
@ -347,7 +347,7 @@ module.exports = function($window) {
|
||||||
var content = children[0].children
|
var content = children[0].children
|
||||||
if (vnode.dom.innerHTML !== content) vnode.dom.innerHTML = content
|
if (vnode.dom.innerHTML !== content) vnode.dom.innerHTML = content
|
||||||
}
|
}
|
||||||
else if (children != null || vnode.text != null) throw new Error("Child node of a contenteditable must be trusted")
|
else if (vnode.text != null || children != null && children.length !== 0) throw new Error("Child node of a contenteditable must be trusted")
|
||||||
}
|
}
|
||||||
|
|
||||||
//remove
|
//remove
|
||||||
|
|
|
||||||
|
|
@ -95,4 +95,58 @@ o.spec("attributes", function() {
|
||||||
o(a.dom.attributes["class"].nodeValue).equals("test")
|
o(a.dom.attributes["class"].nodeValue).equals("test")
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
o.spec("contenteditable throws on untrusted children", function() {
|
||||||
|
o("including text nodes", function() {
|
||||||
|
var div = {tag: "div", attrs: {contenteditable: true}, text: ''}
|
||||||
|
var succeeded = false
|
||||||
|
|
||||||
|
try {
|
||||||
|
render(root, div)
|
||||||
|
|
||||||
|
succeeded = true
|
||||||
|
}
|
||||||
|
catch(e){}
|
||||||
|
|
||||||
|
o(succeeded).equals(false)
|
||||||
|
})
|
||||||
|
o("including elements", function() {
|
||||||
|
var div = {tag: "div", attrs: {contenteditable: true}, children: [{tag: "script", attrs: {src: "http://evil.com"}}]}
|
||||||
|
var succeeded = false
|
||||||
|
|
||||||
|
try {
|
||||||
|
render(root, div)
|
||||||
|
|
||||||
|
succeeded = true
|
||||||
|
}
|
||||||
|
catch(e){}
|
||||||
|
|
||||||
|
o(succeeded).equals(false)
|
||||||
|
})
|
||||||
|
o("tolerating empty children", function() {
|
||||||
|
var div = {tag: "div", attrs: {contenteditable: true}, children: []}
|
||||||
|
var succeeded = false
|
||||||
|
|
||||||
|
try {
|
||||||
|
render(root, div)
|
||||||
|
|
||||||
|
succeeded = true
|
||||||
|
}
|
||||||
|
catch(e){}
|
||||||
|
|
||||||
|
o(succeeded).equals(true)
|
||||||
|
})
|
||||||
|
o("tolerating trusted content", function() {
|
||||||
|
var div = {tag: "div", attrs: {contenteditable: true}, children: [{tag: "<", children: "<a></a>"}]}
|
||||||
|
var succeeded = false
|
||||||
|
|
||||||
|
try {
|
||||||
|
render(root, div)
|
||||||
|
|
||||||
|
succeeded = true
|
||||||
|
}
|
||||||
|
catch(e){}
|
||||||
|
|
||||||
|
o(succeeded).equals(true)
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue