Use goog.dom.safeHtmlToNode instead of deprecated htmlToDocumentFragm…

…ent. goog.dom.htmlToDocumentFragment is going to be removed in cl/115473302. It is removed because its usage can cause XSS. RELNOTES: Deprecate goog.dom.htmlToDocumentFragment. ------------- Created by MOE: https://github.com/google/moe MOE_MIGRATED_REVID=117173215
google · Mar 15, 2016 · 55b8dcb · 55b8dcb
1 parent edc12a7
commit 55b8dcb
Show file tree

Hide file tree

Showing 6 changed files with 27 additions and 14 deletions.
diff --git a/closure/goog/deps.js b/closure/goog/deps.js
diff --git a/closure/goog/dom/browserrange/browserrange_test.js b/closure/goog/dom/browserrange/browserrange_test.js
@@ -21,6 +21,7 @@ goog.require('goog.dom.Range');
 goog.require('goog.dom.RangeEndpoint');
 goog.require('goog.dom.TagName');
 goog.require('goog.dom.browserrange');
+goog.require('goog.html.testing');
 goog.require('goog.testing.dom');
 goog.require('goog.testing.jsunit');
 goog.require('goog.userAgent');
@@ -207,7 +208,8 @@ function testDiv() {
 function testEmptyNodeHtmlInsert() {
   var range = goog.dom.browserrange.createRangeFromNodeContents(empty);
   var html = '<b>hello</b>';
-  range.insertNode(goog.dom.htmlToDocumentFragment(html));
+  range.insertNode(goog.dom.safeHtmlToNode(
+      goog.html.testing.newSafeHtmlForTest(html)));
   assertEquals(
       'Html is not inserted correctly', html, normalizeHtml(empty.innerHTML));
   goog.dom.removeChildren(empty);

diff --git a/closure/goog/ui/control_test.js b/closure/goog/ui/control_test.js
@@ -24,6 +24,7 @@ goog.require('goog.dom.classlist');
 goog.require('goog.events');
 goog.require('goog.events.BrowserEvent');
 goog.require('goog.events.KeyCodes');
+goog.require('goog.html.testing');
 goog.require('goog.object');
 goog.require('goog.string');
 goog.require('goog.style');
@@ -895,7 +896,9 @@ function testGetCaption() {
       control.getCaption());
 
   var arrayContent = goog.array.clone(
-      goog.dom.htmlToDocumentFragment(' <b> foo</b><i>  bar</i> ').childNodes);
+      goog.dom.safeHtmlToNode(
+          goog.html.testing.newSafeHtmlForTest(
+              ' <b> foo</b><i>  bar</i> ')).childNodes);
   control.setContent(arrayContent);
   assertEquals(
       'whitespaces must be normalized in the caption', 'foo bar',

diff --git a/closure/goog/ui/editor/linkdialog.js b/closure/goog/ui/editor/linkdialog.js
@@ -37,6 +37,7 @@ goog.require('goog.events.Event');
 goog.require('goog.events.EventHandler');
 goog.require('goog.events.InputHandler');
 goog.require('goog.html.SafeHtml');
+goog.require('goog.html.SafeHtmlFormatter');
 goog.require('goog.string');
 goog.require('goog.string.Unicode');
 goog.require('goog.style');
@@ -562,13 +563,17 @@ goog.ui.editor.LinkDialog.prototype.buildOpenInNewWindowDiv_ = function() {
  * @private
  */
 goog.ui.editor.LinkDialog.prototype.buildRelNoFollowDiv_ = function() {
+  var formatter = new goog.html.SafeHtmlFormatter();
   /** @desc Checkbox text for adding 'rel=nofollow' attribute to a link. */
   var MSG_ADD_REL_NOFOLLOW_ATTR = goog.getMsg(
       "Add '{$relNoFollow}' attribute ({$linkStart}Learn more{$linkEnd})", {
         'relNoFollow': 'rel=nofollow',
-        'linkStart': '<a href="http://support.google.com/webmasters/bin/' +
-            'answer.py?hl=en&answer=96569" target="_blank">',
-        'linkEnd': '</a>'
+        'linkStart': formatter.startTag('a', {
+          'href': 'http://support.google.com/webmasters/bin/' +
+              'answer.py?hl=en&answer=96569',
+          'target': '_blank'
+        }),
+        'linkEnd': formatter.endTag('a')
       });
 
   this.relNoFollowCheckbox_ = /** @type {!HTMLInputElement} */ (
@@ -578,7 +583,8 @@ goog.ui.editor.LinkDialog.prototype.buildRelNoFollowDiv_ = function() {
       goog.dom.TagName.DIV, null,
       this.dom.createDom(
           goog.dom.TagName.LABEL, null, this.relNoFollowCheckbox_,
-          goog.dom.htmlToDocumentFragment(MSG_ADD_REL_NOFOLLOW_ATTR)));
+          goog.dom.safeHtmlToNode(
+              formatter.format(MSG_ADD_REL_NOFOLLOW_ATTR))));
 };
 
 

diff --git a/closure/goog/ui/menuitem_test.js b/closure/goog/ui/menuitem_test.js
@@ -23,6 +23,7 @@ goog.require('goog.dom.NodeType');
 goog.require('goog.dom.TagName');
 goog.require('goog.dom.classlist');
 goog.require('goog.events.KeyCodes');
+goog.require('goog.html.testing');
 goog.require('goog.math.Coordinate');
 goog.require('goog.testing.events');
 goog.require('goog.testing.jsunit');
@@ -145,8 +146,8 @@ function testGetSetCaptionAfterCreateDom() {
   assertEquals('Caption must have expected value', 'Foo', item.getCaption());
 
   var arrayContent = goog.array.clone(
-      goog.dom.htmlToDocumentFragment(' <b> \xa0foo</b><i>  bar</i> ')
-          .childNodes);
+      goog.dom.safeHtmlToNode(goog.html.testing.newSafeHtmlForTest(
+          ' <b> \xa0foo</b><i>  bar</i> ')).childNodes);
   item.setContent(arrayContent);
   assertEquals(
       'whitespaces must be normalized in the caption', '\xa0foo bar',

diff --git a/closure/goog/ui/paletterenderer_test.js b/closure/goog/ui/paletterenderer_test.js
@@ -21,6 +21,7 @@ goog.require('goog.a11y.aria.State');
 goog.require('goog.array');
 goog.require('goog.dom');
 goog.require('goog.dom.TagName');
+goog.require('goog.html.testing');
 goog.require('goog.testing.jsunit');
 goog.require('goog.ui.Palette');
 goog.require('goog.ui.PaletteRenderer');
@@ -38,7 +39,7 @@ var palette;
 function setUp() {
   sandbox = goog.dom.getElement('sandbox');
   itemEls = goog.array.map(items, function(item, index, a) {
-    return goog.dom.htmlToDocumentFragment(item);
+    return goog.dom.safeHtmlToNode(goog.html.testing.newSafeHtmlForTest(item));
   });
   renderer = new goog.ui.PaletteRenderer();
   palette = new goog.ui.Palette(itemEls, renderer);