Fix #2424 (#2450)

* Fix #2424

* Add PR ref

render/render.js

@@ -123,10 +123,7 @@ module.exports = function($window) {
 
 		insertNode(parent, element, nextSibling)
 
-		if (attrs != null && attrs.contenteditable != null) {
-			setContentEditable(vnode)
-		}
-		else {
+		if (!maybeSetContentEditable(vnode)) {
 			if (vnode.text != null) {
 				if (vnode.text !== "") element.textContent = vnode.text
 				else vnode.children = [Vnode("#", undefined, undefined, vnode.text, undefined, undefined)]
@@ -496,16 +493,15 @@ module.exports = function($window) {
 			}
 		}
 		updateAttrs(vnode, old.attrs, vnode.attrs, ns)
-		if (vnode.attrs != null && vnode.attrs.contenteditable != null) {
-			setContentEditable(vnode)
-		}
-		else if (old.text != null && vnode.text != null && vnode.text !== "") {
-			if (old.text.toString() !== vnode.text.toString()) old.dom.firstChild.nodeValue = vnode.text
-		}
-		else {
-			if (old.text != null) old.children = [Vnode("#", undefined, undefined, old.text, undefined, old.dom.firstChild)]
-			if (vnode.text != null) vnode.children = [Vnode("#", undefined, undefined, vnode.text, undefined, undefined)]
-			updateNodes(element, old.children, vnode.children, hooks, null, ns)
+		if (!maybeSetContentEditable(vnode)) {
+			if (old.text != null && vnode.text != null && vnode.text !== "") {
+				if (old.text.toString() !== vnode.text.toString()) old.dom.firstChild.nodeValue = vnode.text
+			}
+			else {
+				if (old.text != null) old.children = [Vnode("#", undefined, undefined, old.text, undefined, old.dom.firstChild)]
+				if (vnode.text != null) vnode.children = [Vnode("#", undefined, undefined, vnode.text, undefined, undefined)]
+				updateNodes(element, old.children, vnode.children, hooks, null, ns)
+			}
 		}
 	}
 	function updateComponent(parent, old, vnode, hooks, nextSibling, ns) {
@@ -613,7 +609,11 @@ module.exports = function($window) {
 		else parent.appendChild(dom)
 	}
 
-	function setContentEditable(vnode) {
+	function maybeSetContentEditable(vnode) {
+		if (vnode.attrs == null || (
+			vnode.attrs.contenteditable == null && // attribute
+			vnode.attrs.contentEditable == null // property
+		)) return
 		var children = vnode.children
 		if (children != null && children.length === 1 && children[0].tag === "<") {
 			var content = children[0].children

render/tests/test-attributes.js

@@ -648,7 +648,7 @@ o.spec("attributes", function() {
 			o(d.dom.value).equals("2")
 		})
 	})
-	o.spec("contenteditable throws on untrusted children", function() {
+	o.spec("contenteditable attr throws on untrusted children", function() {
 		o("including text nodes", function() {
 			var div = {tag: "div", attrs: {contenteditable: true}, text: ""}
 			var succeeded = false
@@ -699,6 +699,60 @@ o.spec("attributes", function() {
 			}
 			catch(e){/* ignore */}
 
+			o(succeeded).equals(true)
+		})
+	})
+	o.spec("contentEditable prop throws on untrusted children", function() {
+		o("including text nodes", function() {
+			var div = {tag: "div", attrs: {contentEditable: true}, text: ""}
+			var succeeded = false
+
+			try {
+				render(root, div)
+
+				succeeded = true
+			}
+			catch(e){/* ignore */}
+
+			o(succeeded).equals(false)
+		})
+		o("including elements", function() {
+			var div = {tag: "div", attrs: {contentEditable: true}, children: [{tag: "script", attrs: {src: "http://evil.com"}}]}
+			var succeeded = false
+
+			try {
+				render(root, div)
+
+				succeeded = true
+			}
+			catch(e){/* ignore */}
+
+			o(succeeded).equals(false)
+		})
+		o("tolerating empty children", function() {
+			var div = {tag: "div", attrs: {contentEditable: true}, children: []}
+			var succeeded = false
+
+			try {
+				render(root, div)
+
+				succeeded = true
+			}
+			catch(e){/* ignore */}
+
+			o(succeeded).equals(true)
+		})
+		o("tolerating trusted content", function() {
+			var div = {tag: "div", attrs: {contentEditable: true}, children: [{tag: "<", children: "<a></a>"}]}
+			var succeeded = false
+
+			try {
+				render(root, div)
+
+				succeeded = true
+			}
+			catch(e){/* ignore */}
+
 			o(succeeded).equals(true)
 		})
 	})