diff --git a/a-tag-test.js b/a-tag-test.js
index 0101cdd..d1a84ee 100644
--- a/a-tag-test.js
+++ b/a-tag-test.js
@@ -28,7 +28,7 @@ suite(
 });
 function getA(id) {
- return toCheck.querySelector('#' + id);
+ return toCheck.$$('#' + id);
 }
 test('innocuous_string', function() {
diff --git a/attr-property-aliasing-test.js b/attr-property-aliasing-test.js
index dce44c5..57163a3 100644
--- a/attr-property-aliasing-test.js
+++ b/attr-property-aliasing-test.js
@@ -28,11 +28,11 @@ suite(
 setup(function () {
 buttons = fixture('attr-property-aliasing-fixture');
- propertyButton = buttons.querySelector('.property-button');
- attributeButton = buttons.querySelector('.attribute-button');
+ propertyButton = buttons.$$('.property-button');
+ attributeButton = buttons.$$('.attribute-button');
 customButton = buttons
- .querySelector('.custom-button')
- .querySelector('button');
+ .$$('.custom-button')
+ .$$('button');
 });
diff --git a/computed-value-test.js b/computed-value-test.js
index 41ce0f7..a2c7bc4 100644
--- a/computed-value-test.js
+++ b/computed-value-test.js
@@ -28,16 +28,21 @@ suite(
 function () {
 var computedValueFixture;
+ var links;
 setup(function (done) {
 computedValueFixture = fixture('computed-value-fixture');
- computedValueFixture.links = links;
- flush(done); // Don't run tests until dom-repeat terminates
+ computedValueFixture.links = linkContent;
+ flush(function () {
+ // Don't run tests until dom-repeat terminates
+ links = Polymer.dom(computedValueFixture.root).querySelectorAll('a');
+ done();
+ });
 });
- var links = [
- { "url": "http://example.com/#frag", text: "example" },
- { "url": "javascript:alert(1)", text: "XSS" }
+ var linkContent = [
+ { url: "http://example.com/#frag", text: "example" },
+ { url: "javascript:alert(1)", text: "XSS" }
 ];
 function trim(s) {
@@ -45,14 +50,12 @@ suite(
 }
 test('urls', function() {
- var links = computedValueFixture.querySelectorAll('a');
 assert.equal(2, links.length);
 assert.equal('http://example.com/', links[0].href);
 assert.equal(goog.html.SafeUrl.INNOCUOUS_STRING, links[1].href);
 });
 test('text', function() {
- var links = computedValueFixture.querySelectorAll('a');
 assert.equal(2, links.length);
 assert.equal('example (example.com)', trim(links[0].textContent));
 assert.equal('XSS ()', trim(links[1].textContent));
diff --git a/custom-element-test.js b/custom-element-test.js
index 32fa43e..365adef 100644
--- a/custom-element-test.js
+++ b/custom-element-test.js
@@ -45,11 +45,11 @@ suite(
 // Grab elements from under the given 's shadow root
 // so that the tests below can easily inspect their attributes
 // and properties.
- var links = customTag.querySelectorAll('a');
+ var links = Polymer.dom(customTag.root).querySelectorAll('a');
 decomposed = {
- outerDiv: customTag.querySelector('div'),
+ outerDiv: customTag.$$('div'),
 dynLink: links[0], // The ([[...]])
- img: customTag.querySelector('img'),
+ img: customTag.$$('img'),
 staticLink: links[1] // The fixed text
 };
 });
diff --git a/enum-attribute-test.js b/enum-attribute-test.js
index 86cf874..4b70826 100644
--- a/enum-attribute-test.js
+++ b/enum-attribute-test.js
@@ -25,14 +25,14 @@ suite(
 });
 test('blank', function() {
- var link = enumAttrFixture.querySelector('a');
+ var link = enumAttrFixture.$$('a');
 enumAttrFixture.x = '_blank';
 assert.equal('_blank', link.target);
 });
 test('evil_payload', function() {
- var link = enumAttrFixture.querySelector('a');
+ var link = enumAttrFixture.$$('a');
 enumAttrFixture.x = 'login-form';
 assert.equal('zClosurez', link.target);
diff --git a/identifier-test.js b/identifier-test.js
index 7511f6e..a47a3f3 100644
--- a/identifier-test.js
+++ b/identifier-test.js
@@ -26,8 +26,8 @@ suite(
 setup(function () {
 identifierFixture = fixture('identifier-test-fixture');
- input = identifierFixture.querySelector('input');
- label = identifierFixture.querySelector('label');
+ input = identifierFixture.$$('input');
+ label = identifierFixture.$$('label');
 });
 function assertId(want, inputValue) {
diff --git a/one-attr-binding-test.js b/one-attr-binding-test.js
index e8d353a..6ecee11 100644
--- a/one-attr-binding-test.js
+++ b/one-attr-binding-test.js
@@ -28,14 +28,14 @@ suite(
 });
 test('innocuous_string', function() {
- var link = oneAttrFixture.querySelector('a');
+ var link = oneAttrFixture.$$('a');
 oneAttrFixture.x = 'http://example.com/foo';
 assert.equal('http://example.com/foo', link.href);
 });
 test('safe_url', function() {
- var link = oneAttrFixture.querySelector('a');
+ var link = oneAttrFixture.$$('a');
 oneAttrFixture.x = goog.html.SafeUrl.fromConstant(
 goog.string.Const.from('javascript:safe()'));
@@ -43,7 +43,7 @@ suite(
 });
 test('evil_payload', function() {
- var link = oneAttrFixture.querySelector('a');
+ var link = oneAttrFixture.$$('a');
 oneAttrFixture.x = 'javascript:evil()';
 assert.equal(
diff --git a/one-late-attr-binding-test.js b/one-late-attr-binding-test.js
index 1abc9b9..b0c14ed 100644
--- a/one-late-attr-binding-test.js
+++ b/one-late-attr-binding-test.js
@@ -31,7 +31,7 @@ suite(
 oneLateAttrFixture.items = ['http://example.com/foo'];
 flush(
 function () {
- var link = oneLateAttrFixture.querySelector('a');
+ var link = oneLateAttrFixture.$$('a');
 assert.equal('http://example.com/foo', link.href);
 done();
 });
@@ -44,7 +44,7 @@ suite(
 ];
 flush(
 function () {
- var link = oneLateAttrFixture.querySelector('a');
+ var link = oneLateAttrFixture.$$('a');
 assert.equal('javascript:safe()', link.href);
 done();
 });
@@ -53,7 +53,7 @@ suite( test('evil_payload', function(done) { oneLateAttrFixture.items = ['javascript:evil()']; flush(function () { - var link = oneLateAttrFixture.querySelector('a'); + var link = oneLateAttrFixture.$$('a'); assert.equal( goog.html.SafeUrl.INNOCUOUS_STRING, link.href); diff --git a/polymer-resin.js b/polymer-resin.js index 6875326..13aa687 100644 --- a/polymer-resin.js +++ b/polymer-resin.js @@ -374,13 +374,13 @@ security.polymer_resin.install = function (opt_config) { // Whitelist and handle text node interpolation by checking // the content type of the parent node. var parentElement = node.parentElement; + var allowText = !parentElement; if (parentElement && parentElement.nodeType === goog.dom.NodeType.ELEMENT) { var parentElementName = parentElement.localName; var parentClassification = security.polymer_resin.classifyElement( parentElementName, /** @type{!Function} */(parentElement.constructor)); - var allowText = false; switch (parentClassification) { case security.polymer_resin.CustomElementClassification.BUILTIN: case security.polymer_resin.CustomElementClassification.LEGACY: @@ -395,13 +395,13 @@ security.polymer_resin.install = function (opt_config) { allowText = true; break; } - if (allowText) { - return ( - !!(value && value.implementsGoogStringTypedString) - ? (/** @type {!goog.string.TypedString} */(value)) - .getTypedStringValue() - : String(value)); - } + } + if (allowText) { + return ( + !!(value && value.implementsGoogStringTypedString) + ? (/** @type {!goog.string.TypedString} */(value)) + .getTypedStringValue() + : String(value)); } } diff --git a/src-attr-as-text-test.html b/src-attr-as-text-test.html index 56e2a52..84228f5 100644 --- a/src-attr-as-text-test.html +++ b/src-attr-as-text-test.html @@ -20,6 +20,7 @@ + Src Attr As Text Test diff --git a/src-attr-as-text-test.js b/src-attr-as-text-test.js index 0c39c13..b6f440f 100644 --- a/src-attr-as-text-test.js +++ b/src-attr-as-text-test.js 
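Review bot: In polymer-resin.js, `var allowText = !parentElement;` lets every text node without a parent element skip the `classifyElement` check, and the commit adds neither a comment saying why nor a test that pins a rejected case. `parentElement` is null for text sitting directly under a document fragment or shadow root, which is presumably the case intended here, but it is also null for a text node that is fully detached when the value is computed and is attached afterwards under an element whose text content should not take interpolated values. If only the fragment case is meant, the initialiser could be narrowed to `var parentNode = node.parentNode; var allowText = !!parentNode && parentNode.nodeType === goog.dom.NodeType.DOCUMENT_FRAGMENT;`, and either way the line deserves a comment such as `// Text directly under a fragment or shadow root has no element parent to classify.`. The following hunk, which moves the `if (allowText)` return out of the parent-element branch, rests on the same assumption; the enclosing function starts and ends outside both hunks.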
@@ -30,14 +30,14 @@ suite( test('innocuous_string', function() { srcAttrAsTextFixture.src = 'Java joe\'s'; assert.equal('I bought a coffee at Java joe\'s then I dropped it.', - srcAttrAsTextFixture.textContent); + Polymer.dom(srcAttrAsTextFixture.root).textContent); }); test('bad_url_as_text', function() { srcAttrAsTextFixture.src = 'javascript:joe(\'s\')'; assert.equal( 'I bought a coffee at javascript:joe(\'s\') then I dropped it.', - srcAttrAsTextFixture.textContent); + Polymer.dom(srcAttrAsTextFixture.root).textContent); }); test('typed_string_is_unwrapped', function() { @@ -48,7 +48,7 @@ suite( // computeFinalAnnotationValue. This seems different from that // seen by other test cases. Why is it? // assert.equal('I bought a coffee at safe/value then I dropped it.', -// srcAttrAsTextFixture.textContent); +// Polymer.dom(srcAttrAsTextFixture.root).textContent); }); }); diff --git a/standalone/polymer-resin-debug.js b/standalone/polymer-resin-debug.js index 7debb41..2b18dff 100644 --- a/standalone/polymer-resin-debug.js +++ b/standalone/polymer-resin-debug.js @@ -2950,9 +2950,9 @@ security.polymer_resin.install = function(opt_config) { var nodeType = node.nodeType; if (nodeType !== goog.dom.NodeType.ELEMENT) { if (nodeType === goog.dom.NodeType.TEXT) { - var parentElement = node.parentElement; + var parentElement = node.parentElement, allowText = !parentElement; if (parentElement && parentElement.nodeType === goog.dom.NodeType.ELEMENT) { - var parentElementName = parentElement.localName, allowText = !1; + var parentElementName = parentElement.localName; switch(security.polymer_resin.classifyElement(parentElementName, parentElement.constructor)) { case security.polymer_resin.CustomElementClassification.BUILTIN: case security.polymer_resin.CustomElementClassification.LEGACY: 
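Review bot: The last hunk of src-attr-as-text-test.js only updates an assertion that stays commented out, so as far as the hunk shows `typed_string_is_unwrapped` still checks nothing about the rendered text and passes regardless of what the sanitizer returns. The same commit changes which text nodes polymer-resin.js accepts, and this is the test that would show whether a typed string reaches the text node unwrapped. Either restore the `assert.equal(...)` against `Polymer.dom(srcAttrAsTextFixture.root).textContent`, or register the case as `test.skip('typed_string_is_unwrapped', ...)` so it is reported as pending instead of green. The test body begins outside the hunk.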
@@ -2962,9 +2962,9 @@ security.polymer_resin.install = function(opt_config) { case security.polymer_resin.CustomElementClassification.CUSTOM: allowText = !0; } - if (allowText) { - return value && value.implementsGoogStringTypedString ? value.getTypedStringValue() : String(value); - } + } + if (allowText) { + return value && value.implementsGoogStringTypedString ? value.getTypedStringValue() : String(value); } } security.polymer_resin.reportHandler_ && security.polymer_resin.reportHandler_(!0, "Failed to sanitize %s %s%s node to value %O", node.parentElement && node.parentElement.nodeName, "#text", "", value); diff --git a/text-node-test.js b/text-node-test.js index 0394f21..d6f685e 100644 --- a/text-node-test.js +++ b/text-node-test.js @@ -29,9 +29,9 @@ suite( setup(function () { nodes = fixture('text-node-test'); - divElement = nodes.querySelector('div'); - objectElement = nodes.querySelector('object'); - scriptElement = nodes.querySelector('script'); + divElement = nodes.$$('div'); + objectElement = nodes.$$('object'); + scriptElement = nodes.$$('script'); }); diff --git a/tooltip-test.html b/tooltip-test.html index 455d996..e5c362d 100644 --- a/tooltip-test.html +++ b/tooltip-test.html @@ -20,6 +20,7 @@ + Tooltip Tests diff --git a/tooltip-test.js b/tooltip-test.js index 3152520..971fd2a 100644 --- a/tooltip-test.js +++ b/tooltip-test.js @@ -20,7 +20,6 @@ suite( function () { var testFixture; var spanElement; - var textNode; var evilDone = false; goog.exportSymbol('tooltip_tests.doEvil', function () { @@ -29,7 +28,7 @@ suite( setup(function () { testFixture = fixture('tooltip-test-fixture'); - spanElement = testFixture.querySelector('span'); + spanElement = testFixture.$$('span'); }); 
@@ -47,7 +46,8 @@ suite(
 testFixture.content = 'Hello, World!';
 var textNodeValue;
- for (var child = testFixture.firstChild; child;
+ for (var child = Polymer.dom(testFixture.root).firstChild;
+ child;
 child = child.nextSibling) {
 if (child.nodeType == Node.TEXT_NODE && /\S/.test(child.nodeValue)) {
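Review bot: The rewritten loop header takes its start node from `Polymer.dom(testFixture.root).firstChild` but still advances with the native `child.nextSibling`, so the walk mixes Polymer's local-DOM view with the browser's own tree. Under shady DOM the two can disagree about siblings, which would make the search for the non-blank text node depend on which DOM implementation the test run uses. Advancing with `child = Polymer.dom(child).nextSibling` keeps the whole traversal on one API. The loop body continues past the end of the hunk.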