
[BUGFIX release] Ember.String.htmlSafe() should return a instance of SafeString for null / undefined #12464

Merged
merged 1 commit into from
Oct 9, 2015

Conversation

tricknotes
Member

Currently, `Ember.String.htmlSafe()` returns just a String, not an HTML-safe one.
We expect it to be a safe string.

I think this behavior is not a problem in most cases, but it shows a warning when it is bound to a style property.

For example:

```javascript
App = Ember.Application.create();

App.Router.map(function() {
});

App.IndexController = Ember.Controller.extend({
  style: Ember.computed(function() {
    return Ember.String.htmlSafe(
      /* Some property will be given, but it may be `null` or `undefined`. */
    );
  })
});
```

```handlebars
{{! index.hbs}}
<span style={{style}}>Hi, Tomster!</span>
```

http://emberjs.jsbin.com/ficesumeju/2

The above code shows the following warning:

```
WARNING: Binding style attributes may introduce cross-site scripting vulnerabilities; please ensure that values being bound are properly escaped. For more information, including how to disable this warning, see http://emberjs.com/deprecations/v1.x/#toc_binding-style-attributes.
```

Commit: …f SafeString for `null` / `undefined`

> Currently, `Ember.String.htmlSafe()` returns just a String, not an HTML-safe one.
> We expect it to be a safe string.
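The following is an added example, not Ember's own code: it models the behaviour the pull request describes, with a `SafeString` marker class, the "before" and "after" shapes of `htmlSafe()` for `null` / `undefined`, and a stand-in for the check a style attribute binding performs before deciding whether to emit the XSS warning. `SafeString`, `htmlSafeBefore`, `htmlSafeAfter`, `bindStyleAttribute` and `STYLE_WARNING` are names assumed for this illustration.

```javascript
// Added example (not Ember's code): a minimal model of the behaviour this PR
// describes. SafeString, htmlSafeBefore, htmlSafeAfter, bindStyleAttribute and
// STYLE_WARNING are assumed names for this illustration only.

// A SafeString marks a value as trusted markup: a template renders its
// contents as-is and skips the untrusted-value warning.
class SafeString {
  constructor(string) {
    this.string = string;
  }
  toString() {
    return `${this.string}`;
  }
}

// Behaviour the PR describes as current: null / undefined come back as a
// plain String, so the "trusted" marker is lost.
function htmlSafeBefore(str) {
  if (str === null || str === undefined) {
    return ''; // a plain String, not a SafeString
  }
  return new SafeString(typeof str === 'string' ? str : `${str}`);
}

// Behaviour the PR asks for: null / undefined become an empty SafeString,
// so the result is always an instance of SafeString.
function htmlSafeAfter(str) {
  if (str === null || str === undefined) {
    str = '';
  } else if (typeof str !== 'string') {
    str = `${str}`;
  }
  return new SafeString(str);
}

// Model of the check a style attribute binding performs: a value that is not
// a SafeString is treated as untrusted and produces the warning quoted above.
const STYLE_WARNING =
  'WARNING: Binding style attributes may introduce cross-site scripting ' +
  'vulnerabilities; please ensure that values being bound are properly escaped.';

function bindStyleAttribute(value) {
  const trusted = value instanceof SafeString;
  return {
    // null / undefined mean "no attribute"; anything else is stringified.
    attribute: value === null || value === undefined ? null : String(value),
    warning: trusted ? null : STYLE_WARNING,
  };
}

// Demo over constructed inputs, mirroring the computed `style` property in
// the PR whose argument may be null or undefined.
const sampleInputs = [null, undefined, 'color: red'];
for (const input of sampleInputs) {
  const before = bindStyleAttribute(htmlSafeBefore(input));
  const after = bindStyleAttribute(htmlSafeAfter(input));
  console.log(
    String(input).padEnd(10),
    'before fix:', before.warning ? 'warns' : 'ok   ',
    'after fix:', after.warning ? 'warns' : 'ok'
  );
}
```

Running it shows the null and undefined cases warning before the fix and passing after it, while a bare string such as `'color: red'` warns in both. `SafeString` is a trust marker, not a sanitizer: wrapping a value in `htmlSafe()` silences the warning without escaping anything, so it belongs only on values the application composes itself.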
@stefanpenner
Member

LGTM – this explains some of the phantom warnings we have been seeing.

rwjblue added a commit that referenced this pull request Oct 9, 2015
[BUGFIX release] `Ember.String.htmlSafe()` should return a instance of SafeString for `null` / `undefined`
@rwjblue rwjblue merged commit 2816388 into emberjs:master Oct 9, 2015
@rwjblue
Member

rwjblue commented Oct 9, 2015

Thank you!

@tricknotes tricknotes deleted the html-safe branch October 9, 2015 15:50

3 participants