Merge branch 'release/3.13.2'

NEWS

@@ -1,3 +1,10 @@
+3.13.2 (07//04//2015)
+* Fix double escaping on infowindows
+* Fix a-tag's target attribute not working
+
+3.13.1 (06//04//2015)
+* Allows to request a Static Map of a password protected visualization
+
 3.13.0 (31//03//2015)
 * Breaking Changes
   - Sanitize output by default (#2972), see doc change and example below how to override:

RELEASING.md

@@ -13,7 +13,7 @@
 - Create a new branch to prepare the release:
 
 ```
-git flow release start 3.12.15
+git flow release start 3.13.2
 ```
 
 - Build CartoDB.js files, choosing the new version:
@@ -25,7 +25,7 @@ grunt build
 - Update the NEWS file and commit the changes. Take into account that new CartoDB.js version will be replaced in ```API.md```, ```RELEASING.md```, ```README.md```, ```package.json```, ```cartodb.js``` and ```examples``` files.
 
 ```
-git commit -am "Files changed for version 3.12.15"
+git commit -am "Files changed for version 3.13.2"
 ```
 
 - Release it.
@@ -36,8 +36,8 @@ grunt publish
 
 - Check if those files have been updated in the CDN:
 ```
-http://libs.cartocdn.com.s3.amazonaws.com/cartodb.js/v3/3.12.15/cartodb.js
-http://libs.cartocdn.com/cartodb.js/v3/3.12.15/cartodb.js
+http://libs.cartocdn.com.s3.amazonaws.com/cartodb.js/v3/3.13.2/cartodb.js
+http://libs.cartocdn.com/cartodb.js/v3/3.13.2/cartodb.js
 http://libs.cartocdn.com.s3.amazonaws.com/cartodb.js/v3/3.12/cartodb.js
 http://libs.cartocdn.com/cartodb.js/v3/3.12/cartodb.js
 ```
@@ -46,7 +46,7 @@ http://libs.cartocdn.com/cartodb.js/v3/3.12/cartodb.js
 - And to finish: close the release and push it.
 
 ```
-git flow release finish 3.12.15
+git flow release finish 3.13.2
 git push --all
 git push --tags
 ```
@@ -69,7 +69,7 @@ grunt build
 grunt publish
 ```
 
-For example, if we are in 3.12.15 and we want to go back to 3.12.14
+For example, if we are in 3.13.2 and we want to go back to 3.12.14
 
 ```
 git checkout 3.12.14

package.json

@@ -1,6 +1,6 @@
 {
     "name": "cartodb.js",
-    "version": "3.13.0",
+    "version": "3.13.2",
     "description": "CartoDB javascript library",
     "repository": {
       "type": "git",

src/cartodb.js

@@ -5,7 +5,7 @@
 
     var cdb = root.cdb = {};
 
-    cdb.VERSION = "3.13.0";
+    cdb.VERSION = "3.13.2";
     cdb.DEBUG = false;
 
     cdb.CARTOCSS_VERSIONS = {

src/geo/ui/infowindow.js

@@ -190,7 +190,7 @@ cdb.geo.ui.InfowindowModel = Backbone.Model.extend({
       if(options.empty_fields || (value !== undefined && value !== null)) {
         render_fields.push({
           title: field.title ? field.name : null,
-          value: cdb.core.sanitize.html(attributes[field.name]),
+          value: attributes[field.name],
           index: j
         });
       }
@@ -298,7 +298,7 @@ cdb.geo.ui.Infowindow = cdb.core.View.extend({
       if ($jscrollpane.length > 0 && $jscrollpane.data() != null) {
         $jscrollpane.data().jsp && $jscrollpane.data().jsp.destroy();
       }
-      
+
       // Clone fields and template name
       var fields = _.map(this.model.attributes.content.fields, function(field){
         return _.clone(field);
@@ -328,7 +328,9 @@ cdb.geo.ui.Infowindow = cdb.core.View.extend({
           }
         },values);
 
-      this.$el.html(this.template(obj));
+      this.$el.html(
+        cdb.core.sanitize.html(this.template(obj), this.model.get('sanitizeTemplate'))
+      );
 
       // Set width and max-height from the model only
       // If there is no width set, we don't force our infowindow
@@ -389,7 +391,7 @@ cdb.geo.ui.Infowindow = cdb.core.View.extend({
 
     if(typeof(template) !== 'function') {
       this.template = new cdb.core.Template({
-        template: cdb.core.sanitize.html(template, this.model.get('sanitizeTemplate')),
+        template: template,
         type: this.model.get('template_type') || 'mustache'
       }).asFunction()
     } else {

src/vis/image.js

@@ -1,6 +1,6 @@
 (function() {
 
-  function Queue() {
+  Queue = function() {
 
     // callback storage
     this._methods = [];
@@ -52,7 +52,7 @@
 
   };
 
-  var Image = function() {
+  StaticImage = function() {
 
     Map.call(this, this); 
 
@@ -75,7 +75,7 @@
 
   };
 
-  Image.prototype = _.extend({}, Map.prototype, {
+  StaticImage.prototype = _.extend({}, Map.prototype, {
 
     load: function(vizjson, options) {
 
@@ -132,6 +132,8 @@
           this.options.user_name = dataLayer.options.user_name;
         }
 
+        this.auth_tokens = data.auth_tokens;
+
         this._setupTilerConfiguration(dataLayer.options.tiler_protocol, dataLayer.options.tiler_domain, dataLayer.options.tiler_port);
 
         this.endPoint = "/api/v1/map";
@@ -365,10 +367,17 @@
 
       var layerDefinition = new NamedMap(options.named_map, options);
 
-      return { type: "named",
-        options: {
-          name: layerDefinition.named_map.name
-        }
+      var options = {
+        name: layerDefinition.named_map.name
+      };
+
+      if (this.auth_tokens && this.auth_tokens.length > 0) {
+        options.auth_tokens = this.auth_tokens;
+      }
+
+      return {
+        type: "named",
+        options: options
       }
 
     },
@@ -521,7 +530,7 @@
 
     if (!options) options = {};
 
-    var image = new Image();
+    var image = new StaticImage();
 
     if (typeof data === 'string') {
       image.load(data, options);

test/spec/core/image.spec.js

@@ -433,4 +433,35 @@ describe("Image", function() {
 
   });
 
+  it("should send the auth_tokens", function(done) {
+
+    var vizjson = "http://documentation.cartodb.com/api/v2/viz/e11db0aa-d77e-11e4-9039-0e853d047bba/viz.json"
+    var json = {"id":"e11db0aa-d77e-11e4-9039-0e853d047bba","version":"0.1.0","title":"password_protected_map","likes":0,"description":null,"scrollwheel":false,"legends":true,"url":null,"map_provider":"leaflet","bounds":[[0.0,0.0],[0.0,0.0]],"center":"[30, 0]","zoom":3,"updated_at":"2015-03-31T08:21:18+00:00","layers":[{"options":{"visible":true,"type":"Tiled","urlTemplate":"http://{s}.basemaps.cartocdn.com/light_all/{z}/{x}/{y}.png","subdomains":"1234","name":"Positron","className":"positron_rainbow","attribution":"\u00a9 <a href=\"http://www.openstreetmap.org/copyright\">OpenStreetMap</a> contributors \u00a9 <a href=\"http://cartodb.com/attributions#basemaps\">CartoDB</a>"},"infowindow":null,"tooltip":null,"id":"c850d654-ab61-441d-9860-b3c2e42424fb","order":0,"parent_id":null,"children":[],"type":"tiled"},{"type":"namedmap","order":1,"options":{"type":"namedmap","user_name":"documentation","tiler_protocol":"https","tiler_domain":"cartodb.com","tiler_port":"443","cdn_url":{"http":"api.cartocdn.com","https":"cartocdn.global.ssl.fastly.net"},"dynamic_cdn":false,"named_map":{"name":"tpl_e11db0aa_d77e_11e4_9039_0e853d047bba","stat_tag":"e11db0aa-d77e-11e4-9039-0e853d047bba","params":{"layer0":1},"layers":[{"layer_name":"untitled_table_5","interactivity":"cartodb_id","visible":true}]}}}],"overlays":[{"type":"logo","order":9,"options":{"display":true,"x":10,"y":40},"template":""},{"type":"loader","order":8,"options":{"display":true,"x":20,"y":150},"template":"<div class=\"loader\" original-title=\"\"></div>"},{"type":"zoom","order":6,"options":{"display":true,"x":20,"y":20},"template":"<a href=\"#zoom_in\" class=\"zoom_in\">+</a> <a href=\"#zoom_out\" class=\"zoom_out\">-</a>"},{"type":"search","order":3,"options":{"display":true,"x":60,"y":20},"template":""},{"type":"share","order":2,"options":{"display":true,"x":20,"y":20},"template":""}],"prev":null,"next":null,"transition_options":{"time":0},"auth_tokens":["e900fe76cc3c1eed4fc018d027d82c8b0e59b2c484d1941954f34b4818a5d660"]}
+
+    StaticImage.prototype.load = function(vizjson, options) {
+
+      this.queue = new Queue;
+
+      this.no_cdn = options.no_cdn;
+
+      this.userOptions = options;
+
+      options = _.defaults({ vizjson: vizjson, temp_id: "s" + this._getUUID() }, this.defaults);
+
+      this.imageOptions = options;
+
+      this._onVisLoaded(json); // do the callback
+
+    };
+
+    var image = cartodb.Image(vizjson).size(400, 300);
+
+    image.getUrl(function(err, url) {
+      expect(image.options.layers.layers[1].options.auth_tokens.length > 0).toBe(true);
+      expect(image.options.layers.layers[1].options.auth_tokens[0]).toBe("e900fe76cc3c1eed4fc018d027d82c8b0e59b2c484d1941954f34b4818a5d660");
+      done();
+    });
+
+  });
+
 });

test/spec/core/sanitize.spec.js

@@ -10,6 +10,10 @@ describe("core.core.sanitize", function() {
         expect(cdb.core.sanitize.html('<img src="fail.png" onerror="document.body.appendChild(document.createElement(\'script\')).src=\'http://localhost/xss.js\'" /> nono')).toEqual('<img src="fail.png"> nono');
         expect(cdb.core.sanitize.html('nono <scrip src="ext.js"></script>')).toEqual('nono ');
       });
+
+      it('should allow target attributes for links', function() {
+        expect(cdb.core.sanitize.html('<a href="http://cartodb.com/" target="_blank">cartodb.com</a>')).toEqual('<a href="http://cartodb.com/" target="_blank">cartodb.com</a>');
+      });
     });
 
     describe('when given an 2nd param with a function', function() {

vendor/html-css-sanitizer-bundle.js

@@ -11,6 +11,7 @@
 // Additional changes after the built file above:
 // - Added: This header
 // - Modified: `sanitizeAttribs` at end, to allow "data-*"" attributes (lines ~4750-4760)
+// - changed policy for a::target attribute to be allowed (html4.ATTRIBS: { 'a::target': ... changed value from 10 to 0)
 // -------------------------------------------------------------------------------------------------------------------
 
 /* Copyright Google Inc.
@@ -3205,7 +3206,7 @@ html4.ATTRIBS = {
   'a::onblur': 2,
   'a::onfocus': 2,
   'a::shape': 0,
-  'a::target': 10,
+  'a::target': 0,
   'a::type': 0,
   'area::accesskey': 0,
   'area::alt': 0,