From 085dbd88dc5ac7f55ad888e6729ab7c075b4e384 Mon Sep 17 00:00:00 2001
From: Drew Folta
Date: Tue, 27 Nov 2012 13:06:29 -0800
Subject: [PATCH] whitelist raw comboSep in yui config
---
 lib/app/addons/ac/deploy.server.js | 3 +
 .../lib/app/addons/ac/test-deploy.server.js | 65 +++++++++++++++++++
 2 files changed, 68 insertions(+)
diff --git a/lib/app/addons/ac/deploy.server.js b/lib/app/addons/ac/deploy.server.js
index dcec69a83..1a2443b65 100644
--- a/lib/app/addons/ac/deploy.server.js
+++ b/lib/app/addons/ac/deploy.server.js
@@ -160,6 +160,9 @@ YUI.add('mojito-deploy-addon', function(Y, NAME) {
 // Unicode escape the various strings in the config data to help
 // fight against possible script injection attacks.
 yuiConfigEscaped = Y.mojito.util.cleanse(yuiConfig);
+ if (yuiConfig.comboSep) {
+ yuiConfigEscaped.comboSep = yuiConfig.comboSep;
+ }
 yuiConfigStr = JSON.stringify(yuiConfigEscaped);
 clientConfigEscaped = Y.mojito.util.cleanse(clientConfig);
 clientConfigStr = JSON.stringify(clientConfigEscaped);
diff --git a/tests/unit/lib/app/addons/ac/test-deploy.server.js b/tests/unit/lib/app/addons/ac/test-deploy.server.js
index 2b862eb9c..7400653e8 100644
--- a/tests/unit/lib/app/addons/ac/test-deploy.server.js
+++ b/tests/unit/lib/app/addons/ac/test-deploy.server.js
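Review bot: The new `if (yuiConfig.comboSep)` branch copies the separator into the escaped config without any check on its contents, so the one field exempted from cleanse() reaches the inline `YUI.applyConfig(...)` blob with only JSON.stringify's quoting, which escapes quotes, backslashes and control characters but not `<` or `>`; a separator value from application config containing those characters could terminate the inline script element the blob is written into. Since the exemption exists only so that the usual `&` is not turned into a literal `\u0026`, the branch can be limited to the values it is meant to carry, e.g. `if (typeof yuiConfig.comboSep === 'string' && !/[<>"'\\]/.test(yuiConfig.comboSep)) {`. The carve-out also deserves a comment beside the existing "script injection" note, e.g. `// comboSep is passed through raw: cleanse() would turn '&' into a literal "\u0026" that the client then uses verbatim as the separator.` Whether cleanse() returns a copy or escapes yuiConfig in place is not visible here; if it mutates in place, reading yuiConfig.comboSep after the call would presumably already see the escaped value, so that is worth confirming. The enclosing function starts and ends outside the hunk.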
@@ -271,6 +271,71 @@ YUI().use('mojito-deploy-addon', 'test', 'json-parse', function(Y) {
 A.areSame(2, Object.keys(counts).length, 'too many type:location pairs');
 A.areSame(1, counts['js top'], 'wrong number of js:top');
 A.areSame(1, counts['blob bottom'], 'wrong number of blob:bottom');
+ },
+
+
+ 'test constructMojitoClientRuntime processes yui config correctly': function() {
+ addon.ac = {
+ http: {
+ getHeader: function(h) {
+ return null;
+ }
+ },
+ url: {
+ getRouteMaker: function() {
+ return {
+ getComputedRoutes: function() {
+ return ['routes'];
+ }
+ };
+ }
+ }
+ };
+ addon.ac.context = {
+ lang: 'klingon'
+ };
+ addon.setStore({
+ getAppConfig: function() {
+ return { yui:{ config:{ comboSep:'&' } } };
+ },
+ serializeClientStore: function() {
+ return 'clientstore';
+ },
+ getAllURLs: function() { return {}; },
+ getFrameworkConfig: function() {
+ return { ondemandBaseYuiModules:[] };
+ },
+ yui: {
+ getAppSeedFiles: function () { return ['/static/seed.js']; },
+ getAppGroupConfig: function() { return {}; },
+ getConfigShared: function() { return {}; },
+ langs: { klingon: true }
+ }
+ });
+
+ var blobs = [];
+ var assetHandler = {
+ addCss: function(path, location) {
+ // not testing this
+ return;
+ },
+ addAssets: function(type, location, content) {
+ // not testing this
+ return;
+ },
+ addAsset: function(type, location, content) {
+ if ('blob' === type) {
+ blobs.push(content);
+ }
+ }
+ };
+ var binderMap = {};
+ addon.constructMojitoClientRuntime(assetHandler, binderMap);
+
+ var matches = blobs[0].match(/YUI\.applyConfig\((.+?)\);/);
+ A.isNotUndefined(matches[1], 'failed to find YUI.applyConfig() in blob');
+ var config = Y.JSON.parse(matches[1]);
+ A.areSame('&', config.comboSep, 'comboSep got mangled');
 }