fix(compiler): strip <script> tag from templates

Fixes #2766 Closes #3486
2015-08-05 16:35:59 +02:00 · 2015-08-05 16:35:59 +02:00 · 748c2d6c97
parent 339071cb07
commit 748c2d6c97
3 changed files with 39 additions and 2 deletions
--- a/modules/angular2/src/render/dom/compiler/compiler.ts
+++ b/modules/angular2/src/render/dom/compiler/compiler.ts
@ -82,8 +82,8 @@ export class DomCompiler extends RenderCompiler {
    var pipeline = new CompilePipeline(this._stepFactory.createSteps(viewDef));

    var compiledStyles = pipeline.processStyles(templateAndStyles.styles);
-    var compileElements = pipeline.processElements(DOM.createTemplate(templateAndStyles.template),
-                                                   protoViewType, viewDef);
+    var compileElements = pipeline.processElements(
+        this._createTemplateElm(templateAndStyles.template), protoViewType, viewDef);
    if (viewDef.encapsulation === ViewEncapsulation.NATIVE) {
      prependAll(DOM.content(compileElements[0].element),
                 compiledStyles.map(style => DOM.createStyleElement(style)));
@ -95,6 +95,17 @@ export class DomCompiler extends RenderCompiler {
        compileElements[0].inheritedProtoView.build(this._schemaRegistry, this._templateCloner));
  }

+  _createTemplateElm(template: string) {
+    var templateElm = DOM.createTemplate(template);
+    var scriptTags = DOM.querySelectorAll(DOM.templateAwareRoot(templateElm), 'script');
+
+    for (var i = 0; i < scriptTags.length; i++) {
+      DOM.remove(scriptTags[i]);
+    }
+
+    return templateElm;
+  }
+
  _normalizeViewEncapsulationIfThereAreNoStyles(viewDef: ViewDefinition): ViewDefinition {
    if (viewDef.encapsulation === ViewEncapsulation.EMULATED) {
      return new ViewDefinition({
--- a/modules/angular2/test/core/compiler/integration_spec.ts
+++ b/modules/angular2/test/core/compiler/integration_spec.ts
@ -1130,6 +1130,22 @@ export function main() {
         }));
    });

+    describe("corner cases", () => {
+      it('should remove script tags from templates',
+         inject([TestComponentBuilder, AsyncTestCompleter], (tcb: TestComponentBuilder, async) => {
+           tcb.overrideView(MyComp, new viewAnn.View({
+                template: `
+            <script>alert("Ooops");</script>
+            <div>before<script>alert("Ooops");</script><span>inside</span>after</div>`
+              }))
+               .createAsync(MyComp)
+               .then((rootTC) => {
+                 expect(DOM.querySelectorAll(rootTC.nativeElement, 'script').length).toEqual(0);
+                 async.done();
+               });
+         }));
+    });
+
    describe("error handling", () => {
      it('should report a meaningful error when a directive is missing annotation',
         inject([TestComponentBuilder, AsyncTestCompleter], (tcb: TestComponentBuilder, async) => {
--- a/modules/angular2/test/render/dom/compiler/compiler_common_tests.ts
+++ b/modules/angular2/test/render/dom/compiler/compiler_common_tests.ts
@ -131,6 +131,16 @@ export function runCompilerCommonTests() {
               });
         }));

+      it('should remove script tags from templates', inject([AsyncTestCompleter], (async) => {
+           var compiler = createCompiler(EMPTY_STEP);
+           compiler.compile(new ViewDefinition(
+                                {componentId: 'someId', template: '<div></div><script></script>'}))
+               .then((protoView) => {
+                 expect(DOM.getInnerHTML(templateRoot(protoView))).toEqual('<div></div>');
+                 async.done();
+               });
+         }));
+
      it('should report loading errors', inject([AsyncTestCompleter], (async) => {
           var compiler = createCompiler(EMPTY_STEP, null, new Map());
           PromiseWrapper.catchError(