/**
* @license
* Copyright (c) 2017 The Polymer Project Authors. All rights reserved.
* This code may only be used under the BSD style license found at
* http://polymer.github.io/LICENSE.txt
* The complete set of authors may be found at
* http://polymer.github.io/AUTHORS.txt
* The complete set of contributors may be found at
* http://polymer.github.io/CONTRIBUTORS.txt
* Code distributed by Google as part of the polymer project is also
* subject to an additional IP rights grant found at
* http://polymer.github.io/PATENTS.txt
*/
"use strict";
/**
* @fileoverview
* Mitigates XSS in Polymer applications by intercepting and vetting
* results of data binding expressions before they reach browser internals.
*/
goog.provide('security.polymer_resin');
goog.require('security.polymer_resin.hintUsesDeprecatedRegisterElement');
goog.require('security.polymer_resin.sanitizer');
/**
 * Re-export of the sanitizer module's console-logging report handler, so
 * that applications only need to reference this namespace when configuring
 * how rejected binding values are reported.
 * @const
 */
security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER =
security.polymer_resin.sanitizer.CONSOLE_LOGGING_REPORT_HANDLER;
/**
 * Alias for the sanitizer module's configuration type; the accepted fields
 * are defined there, not in this file.
 * @typedef {security.polymer_resin.sanitizer.Configuration}
 */
security.polymer_resin.Configuration;
/**
 * Start polymer resin: hook Polymer's binding-value computation so that every
 * value produced by a data binding expression is vetted by the resin
 * sanitizer before it reaches a DOM node.
 * This must be done before the first application element is instantiated
 * (see getting-started.md for details).
 *
 * Polymer v1 and v2 expose different hook points, so each has its own
 * adapter. Both follow the same recipe: capture any hook that was already
 * installed, define an adapter that delegates to it and then sanitizes the
 * result, install the adapter, and read it back to confirm the installation
 * took where the hook is a plain assignable property.
 *
 * @param {?security.polymer_resin.Configuration=} opt_config
 *     Optional configuration handed to
 *     security.polymer_resin.sanitizer.makeSanitizer; null or undefined is
 *     treated as an empty configuration.
 * @throws {Error} when the adapter cannot be installed on
 *     Polymer.Base._computeFinalAnnotationValue (v1) or on
 *     Polymer.sanitizeDOMValue (v2 without Polymer.Settings.setSanitizeDOMValue).
 */
security.polymer_resin.install = function(opt_config) {
  var vet = security.polymer_resin.sanitizer.makeSanitizer(opt_config || {});

  /**
   * Polymer v1 has no sanitizeDOMValue hook
   * (see https://github.com/Polymer/polymer/issues/4138), so the adapter
   * wraps Polymer.Base._computeFinalAnnotationValue instead.
   */
  function installOnPolymerV1() {
    // In v1 the Polymer(...) method relies on the deprecated
    // document.registerElement rather than window.customElements; let the
    // hint module surface that.
    security.polymer_resin.hintUsesDeprecatedRegisterElement();

    var priorCompute = Polymer.Base._computeFinalAnnotationValue;

    // Deliberately a regular function: whatever `this` Polymer supplies when
    // it calls the hook is forwarded unchanged to the prior implementation.
    var guardedCompute = function computeFinalAnnotationValue(
        node, property, value, info) {
      var computed = priorCompute.call(this, node, property, value, info);
      var hasPropertyName = !!(info && info.propertyName);
      // With a propertyName the binding is vetted as a 'property' binding
      // under that name; otherwise the raw `property` is used and the type
      // comes from info.kind, defaulting to 'property'.
      var bindingName = hasPropertyName ? info.propertyName : property;
      var bindingType = hasPropertyName ?
          'property' :
          ((info && info.kind) || 'property');
      return vet(node, bindingName, bindingType, computed);
    };

    Polymer.Base._computeFinalAnnotationValue = guardedCompute;
    // Strict mode already makes a failed assignment throw; the read-back is
    // a cheap extra check that the hook in place is really ours.
    if (Polymer.Base._computeFinalAnnotationValue !== guardedCompute) {
      throw new Error(
          'Cannot replace _computeFinalAnnotationValue. Is Polymer frozen?');
    }
  }

  /**
   * Polymer v2 provides a sanitizeDOMValue hook; chain the resin sanitizer
   * after any hook that was already registered.
   */
  function installOnPolymerV2() {
    var priorSanitizer = Polymer.sanitizeDOMValue ||
        (Polymer.Settings && Polymer.Settings.sanitizeDOMValue);

    /**
     * @param {*} value
     * @param {string} name
     * @param {string} type
     * @param {!Node|null} node
     * @return {*}
     */
    var resinSanitizeDOMValue = function sanitizeDOMValue(
        value, name, type, node) {
      var upstreamValue = value;
      if (priorSanitizer) {
        upstreamValue = priorSanitizer.call(Polymer, value, name, type, node);
      }
      // With no target node there is nothing to vet the value against, so
      // fail closed with the innocuous placeholder instead of passing it on.
      if (!node) {
        return security.polymer_resin.sanitizer.INNOCUOUS_STRING;
      }
      return vet(node, name, type, upstreamValue);
    };

    if (Polymer.Settings && Polymer.Settings.setSanitizeDOMValue) {
      // NOTE(review): unlike the other install paths there is no read-back
      // here; whether Polymer.Settings.sanitizeDOMValue reflects the setter
      // is not established in this file, so a setter that silently did
      // nothing would go unnoticed — confirm against the Polymer version in use.
      Polymer.Settings.setSanitizeDOMValue(resinSanitizeDOMValue);
    } else {
      Polymer.sanitizeDOMValue = resinSanitizeDOMValue;
      // Strict mode already makes a failed assignment throw; the read-back
      // is a cheap extra check.
      if (Polymer.sanitizeDOMValue !== resinSanitizeDOMValue) {
        throw new Error('Cannot install sanitizeDOMValue. Is Polymer frozen?');
      }
    }
  }

  if (/^1\./.test(Polymer.version)) {
    installOnPolymerV1();
  } else {
    installOnPolymerV2();
  }
};
// When built as a standalone bundle, expose the public entry points under
// their unobfuscated names so code outside the compiled output can call them.
// NOTE(review): STANDALONE is not defined in this file — presumably a
// compiler define supplied by the build; confirm.
if (security.polymer_resin.STANDALONE) {
  goog.exportSymbol(
      'security.polymer_resin.install',
      security.polymer_resin.install);
  goog.exportSymbol(
      'security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER',
      security.polymer_resin.CONSOLE_LOGGING_REPORT_HANDLER);
}