
Make Soy's SanitizedContent constructors more auditable.

Currently it's possible for anyone to easily create Soy's
SanitizedContent objects.  When you make a SanitizedContent object from
a complex language like JavaScript, it can be difficult to verify
locally that the content really has any reason to be trusted.  Thus
usages of this should pop out.

Our recommendation for most Soy users is to ban use of these
constructors in their application except from within specialized,
tightly reviewed directorie

I'll send a subsequent set of CLs to switch existing
SanitizedContent users to use the VERY_UNSAFE namespace.

R=kai
DELTA=479  (241 added, 25 deleted, 213 changed)


Revision created by MOE tool push_codebase.
MOE_MIGRATION=5801


git-svn-id: http://closure-library.googlecode.com/svn/trunk@2292 0b95b8e8-c90f-11de-9d4f-f947ee5921c8
1 parent 64e6ec4 commit 3175079b6b6a74c3c297a50271b837e796794561 gboyer@google.com committed Nov 10, 2012
Showing with 28 additions and 10 deletions.
  1. +9 −7 closure/goog/soy/data.js
  2. +19 −3 closure/goog/soy/soy_test.js
@@ -102,15 +102,10 @@ goog.soy.data.SanitizedContentKind = {
* SanitizedContent that is attacker-controlled and gets evaluated unescaped in
* templates.
*
- * @param {string} content The assumed-sanitized string. Be careful!
* @constructor
*/
-goog.soy.data.SanitizedContent = function(content) {
- /**
- * The textual content.
- * @type {string}
- */
- this.content = content;
+goog.soy.data.SanitizedContent = function() {
+ throw Error('Do not instantiate directly');
};
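Review bot: the constructor now throws on every direct call, but the surviving JSDoc still reads as an ordinary `@constructor` and says nothing about the instantiation ban or how callers are expected to obtain instances; add that to the doc block, and state explicitly that subclasses must not chain to this constructor (a `goog.base(this)` call in a subclass will throw too, which is why the test helper in soy_test.js has to skip superclass chaining). Minor: `throw Error('Do not instantiate directly');` works, but `throw new Error(...)` is the conventional form.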
@@ -121,6 +116,13 @@ goog.soy.data.SanitizedContent = function(content) {
goog.soy.data.SanitizedContent.prototype.contentKind;
+/**
+ * The already-safe content.
+ * @type {string}
+ */
+goog.soy.data.SanitizedContent.prototype.content;
+
+
/** @override */
goog.soy.data.SanitizedContent.prototype.toString = function() {
return this.content;
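Review bot: `goog.soy.data.SanitizedContent.prototype.content;` is now only a type declaration and is never initialized, so `return this.content;` in `toString` yields `undefined` for any subclass that forgets to assign it, and that is silently stringified as "undefined" when it reaches a template. The doc comment on `content` should say that subclasses are responsible for setting both `content` and `contentKind`, or the declaration should carry an explicit default such as `goog.soy.data.SanitizedContent.prototype.content = '';` if an empty value is acceptable.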
@@ -26,10 +26,26 @@ goog.require('goog.string');
goog.require('goog.userAgent');
+/**
+ * Instantiable subclass of SanitizedContent.
+ *
+ * This is a spoof for sanitized content that isn't robust enough to get
+ * through Soy's escaping functions but is good enough for the checks here.
+ *
+ * @param {string} content The text.
+ * @param {goog.soy.data.SanitizedContentKind} kind The kind of safe content.
+ * @extends {goog.soy.data.SanitizedContent}
+ */
+function SanitizedContentSubclass(content, kind) {
+ // IMPORTANT! No superclass chaining to avoid exception being thrown.
+ this.content = content;
+ this.contentKind = kind;
+};
+goog.inherits(SanitizedContentSubclass, goog.soy.data.SanitizedContent);
+
+
function makeSanitizedContent(content, kind) {
- var result = new goog.soy.data.SanitizedContent(content);
- result.contentKind = kind;
- return result;
+ return new SanitizedContentSubclass(content, kind);
}
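Review bot: the `SanitizedContentSubclass` JSDoc has `@extends {goog.soy.data.SanitizedContent}` but no `@constructor`, which the Closure Compiler rejects (`@extends` is only valid on a constructor) and which also hides from the type checker that the function is used with `new` in `makeSanitizedContent`; add `@constructor` above `@extends`. Also drop the stray semicolon after the function declaration (`};`), which is left over from the assignment form used in data.js.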

0 comments on commit 3175079