From c6185196d3122aea92a2a345c0987522936bf2e9 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Mon, 21 May 2012 14:53:30 -0700
Subject: [PATCH 1/8] resources/static/lib/underscore-min.js: upgrade from
 1.1.7 to 1.3.3

Specifically to get _.escape()
---
 resources/static/lib/underscore-min.js | 49 ++++++++++++++------------
 1 file changed, 27 insertions(+), 22 deletions(-)

diff --git a/resources/static/lib/underscore-min.js b/resources/static/lib/underscore-min.js
index 5983694cf..5a0cb3b00 100644
--- a/resources/static/lib/underscore-min.js
+++ b/resources/static/lib/underscore-min.js
@@ -1,27 +1,32 @@
-// Underscore.js 1.1.7
-// (c) 2011 Jeremy Ashkenas, DocumentCloud Inc.
+// Underscore.js 1.3.3
+// (c) 2009-2012 Jeremy Ashkenas, DocumentCloud Inc.
 // Underscore is freely distributable under the MIT license.
 // Portions of Underscore are inspired or borrowed from Prototype,
 // Oliver Steele's Functional, and John Resig's Micro-Templating.
 // For all details and documentation:
 // http://documentcloud.github.com/underscore
-(function(){var p=this,C=p._,m={},i=Array.prototype,n=Object.prototype,f=i.slice,D=i.unshift,E=n.toString,l=n.hasOwnProperty,s=i.forEach,t=i.map,u=i.reduce,v=i.reduceRight,w=i.filter,x=i.every,y=i.some,o=i.indexOf,z=i.lastIndexOf;n=Array.isArray;var F=Object.keys,q=Function.prototype.bind,b=function(a){return new j(a)};typeof module!=="undefined"&&module.exports?(module.exports=b,b._=b):p._=b;b.VERSION="1.1.7";var h=b.each=b.forEach=function(a,c,b){if(a!=null)if(s&&a.forEach===s)a.forEach(c,b);else if(a.length===
-+a.length)for(var e=0,k=a.length;e<k;e++){if(e in a&&c.call(b,a[e],e,a)===m)break}else for(e in a)if(l.call(a,e)&&c.call(b,a[e],e,a)===m)break};b.map=function(a,c,b){var e=[];if(a==null)return e;if(t&&a.map===t)return a.map(c,b);h(a,function(a,g,G){e[e.length]=c.call(b,a,g,G)});return e};b.reduce=b.foldl=b.inject=function(a,c,d,e){var k=d!==void 0;a==null&&(a=[]);if(u&&a.reduce===u)return e&&(c=b.bind(c,e)),k?a.reduce(c,d):a.reduce(c);h(a,function(a,b,f){k?d=c.call(e,d,a,b,f):(d=a,k=!0)});if(!k)throw new TypeError("Reduce of empty array with no initial value");
-return d};b.reduceRight=b.foldr=function(a,c,d,e){a==null&&(a=[]);if(v&&a.reduceRight===v)return e&&(c=b.bind(c,e)),d!==void 0?a.reduceRight(c,d):a.reduceRight(c);a=(b.isArray(a)?a.slice():b.toArray(a)).reverse();return b.reduce(a,c,d,e)};b.find=b.detect=function(a,c,b){var e;A(a,function(a,g,f){if(c.call(b,a,g,f))return e=a,!0});return e};b.filter=b.select=function(a,c,b){var e=[];if(a==null)return e;if(w&&a.filter===w)return a.filter(c,b);h(a,function(a,g,f){c.call(b,a,g,f)&&(e[e.length]=a)});return e};
-b.reject=function(a,c,b){var e=[];if(a==null)return e;h(a,function(a,g,f){c.call(b,a,g,f)||(e[e.length]=a)});return e};b.every=b.all=function(a,c,b){var e=!0;if(a==null)return e;if(x&&a.every===x)return a.every(c,b);h(a,function(a,g,f){if(!(e=e&&c.call(b,a,g,f)))return m});return e};var A=b.some=b.any=function(a,c,d){c=c||b.identity;var e=!1;if(a==null)return e;if(y&&a.some===y)return a.some(c,d);h(a,function(a,b,f){if(e|=c.call(d,a,b,f))return m});return!!e};b.include=b.contains=function(a,c){var b=
-!1;if(a==null)return b;if(o&&a.indexOf===o)return a.indexOf(c)!=-1;A(a,function(a){if(b=a===c)return!0});return b};b.invoke=function(a,c){var d=f.call(arguments,2);return b.map(a,function(a){return(c.call?c||a:a[c]).apply(a,d)})};b.pluck=function(a,c){return b.map(a,function(a){return a[c]})};b.max=function(a,c,d){if(!c&&b.isArray(a))return Math.max.apply(Math,a);var e={computed:-Infinity};h(a,function(a,b,f){b=c?c.call(d,a,b,f):a;b>=e.computed&&(e={value:a,computed:b})});return e.value};b.min=function(a,
-c,d){if(!c&&b.isArray(a))return Math.min.apply(Math,a);var e={computed:Infinity};h(a,function(a,b,f){b=c?c.call(d,a,b,f):a;b<e.computed&&(e={value:a,computed:b})});return e.value};b.sortBy=function(a,c,d){return b.pluck(b.map(a,function(a,b,f){return{value:a,criteria:c.call(d,a,b,f)}}).sort(function(a,b){var c=a.criteria,d=b.criteria;return c<d?-1:c>d?1:0}),"value")};b.groupBy=function(a,b){var d={};h(a,function(a,f){var g=b(a,f);(d[g]||(d[g]=[])).push(a)});return d};b.sortedIndex=function(a,c,d){d||
-(d=b.identity);for(var e=0,f=a.length;e<f;){var g=e+f>>1;d(a[g])<d(c)?e=g+1:f=g}return e};b.toArray=function(a){if(!a)return[];if(a.toArray)return a.toArray();if(b.isArray(a))return f.call(a);if(b.isArguments(a))return f.call(a);return b.values(a)};b.size=function(a){return b.toArray(a).length};b.first=b.head=function(a,b,d){return b!=null&&!d?f.call(a,0,b):a[0]};b.rest=b.tail=function(a,b,d){return f.call(a,b==null||d?1:b)};b.last=function(a){return a[a.length-1]};b.compact=function(a){return b.filter(a,
-function(a){return!!a})};b.flatten=function(a){return b.reduce(a,function(a,d){if(b.isArray(d))return a.concat(b.flatten(d));a[a.length]=d;return a},[])};b.without=function(a){return b.difference(a,f.call(arguments,1))};b.uniq=b.unique=function(a,c){return b.reduce(a,function(a,e,f){if(0==f||(c===!0?b.last(a)!=e:!b.include(a,e)))a[a.length]=e;return a},[])};b.union=function(){return b.uniq(b.flatten(arguments))};b.intersection=b.intersect=function(a){var c=f.call(arguments,1);return b.filter(b.uniq(a),
-function(a){return b.every(c,function(c){return b.indexOf(c,a)>=0})})};b.difference=function(a,c){return b.filter(a,function(a){return!b.include(c,a)})};b.zip=function(){for(var a=f.call(arguments),c=b.max(b.pluck(a,"length")),d=Array(c),e=0;e<c;e++)d[e]=b.pluck(a,""+e);return d};b.indexOf=function(a,c,d){if(a==null)return-1;var e;if(d)return d=b.sortedIndex(a,c),a[d]===c?d:-1;if(o&&a.indexOf===o)return a.indexOf(c);d=0;for(e=a.length;d<e;d++)if(a[d]===c)return d;return-1};b.lastIndexOf=function(a,
-b){if(a==null)return-1;if(z&&a.lastIndexOf===z)return a.lastIndexOf(b);for(var d=a.length;d--;)if(a[d]===b)return d;return-1};b.range=function(a,b,d){arguments.length<=1&&(b=a||0,a=0);d=arguments[2]||1;for(var e=Math.max(Math.ceil((b-a)/d),0),f=0,g=Array(e);f<e;)g[f++]=a,a+=d;return g};b.bind=function(a,b){if(a.bind===q&&q)return q.apply(a,f.call(arguments,1));var d=f.call(arguments,2);return function(){return a.apply(b,d.concat(f.call(arguments)))}};b.bindAll=function(a){var c=f.call(arguments,1);
-c.length==0&&(c=b.functions(a));h(c,function(c){a[c]=b.bind(a[c],a)});return a};b.memoize=function(a,c){var d={};c||(c=b.identity);return function(){var b=c.apply(this,arguments);return l.call(d,b)?d[b]:d[b]=a.apply(this,arguments)}};b.delay=function(a,b){var d=f.call(arguments,2);return setTimeout(function(){return a.apply(a,d)},b)};b.defer=function(a){return b.delay.apply(b,[a,1].concat(f.call(arguments,1)))};var B=function(a,b,d){var e;return function(){var f=this,g=arguments,h=function(){e=null;
-a.apply(f,g)};d&&clearTimeout(e);if(d||!e)e=setTimeout(h,b)}};b.throttle=function(a,b){return B(a,b,!1)};b.debounce=function(a,b){return B(a,b,!0)};b.once=function(a){var b=!1,d;return function(){if(b)return d;b=!0;return d=a.apply(this,arguments)}};b.wrap=function(a,b){return function(){var d=[a].concat(f.call(arguments));return b.apply(this,d)}};b.compose=function(){var a=f.call(arguments);return function(){for(var b=f.call(arguments),d=a.length-1;d>=0;d--)b=[a[d].apply(this,b)];return b[0]}};b.after=
-function(a,b){return function(){if(--a<1)return b.apply(this,arguments)}};b.keys=F||function(a){if(a!==Object(a))throw new TypeError("Invalid object");var b=[],d;for(d in a)l.call(a,d)&&(b[b.length]=d);return b};b.values=function(a){return b.map(a,b.identity)};b.functions=b.methods=function(a){var c=[],d;for(d in a)b.isFunction(a[d])&&c.push(d);return c.sort()};b.extend=function(a){h(f.call(arguments,1),function(b){for(var d in b)b[d]!==void 0&&(a[d]=b[d])});return a};b.defaults=function(a){h(f.call(arguments,
-1),function(b){for(var d in b)a[d]==null&&(a[d]=b[d])});return a};b.clone=function(a){return b.isArray(a)?a.slice():b.extend({},a)};b.tap=function(a,b){b(a);return a};b.isEqual=function(a,c){if(a===c)return!0;var d=typeof a;if(d!=typeof c)return!1;if(a==c)return!0;if(!a&&c||a&&!c)return!1;if(a._chain)a=a._wrapped;if(c._chain)c=c._wrapped;if(a.isEqual)return a.isEqual(c);if(c.isEqual)return c.isEqual(a);if(b.isDate(a)&&b.isDate(c))return a.getTime()===c.getTime();if(b.isNaN(a)&&b.isNaN(c))return!1;
-if(b.isRegExp(a)&&b.isRegExp(c))return a.source===c.source&&a.global===c.global&&a.ignoreCase===c.ignoreCase&&a.multiline===c.multiline;if(d!=="object")return!1;if(a.length&&a.length!==c.length)return!1;d=b.keys(a);var e=b.keys(c);if(d.length!=e.length)return!1;for(var f in a)if(!(f in c)||!b.isEqual(a[f],c[f]))return!1;return!0};b.isEmpty=function(a){if(b.isArray(a)||b.isString(a))return a.length===0;for(var c in a)if(l.call(a,c))return!1;return!0};b.isElement=function(a){return!!(a&&a.nodeType==
-1)};b.isArray=n||function(a){return E.call(a)==="[object Array]"};b.isObject=function(a){return a===Object(a)};b.isArguments=function(a){return!(!a||!l.call(a,"callee"))};b.isFunction=function(a){return!(!a||!a.constructor||!a.call||!a.apply)};b.isString=function(a){return!!(a===""||a&&a.charCodeAt&&a.substr)};b.isNumber=function(a){return!!(a===0||a&&a.toExponential&&a.toFixed)};b.isNaN=function(a){return a!==a};b.isBoolean=function(a){return a===!0||a===!1};b.isDate=function(a){return!(!a||!a.getTimezoneOffset||
-!a.setUTCFullYear)};b.isRegExp=function(a){return!(!a||!a.test||!a.exec||!(a.ignoreCase||a.ignoreCase===!1))};b.isNull=function(a){return a===null};b.isUndefined=function(a){return a===void 0};b.noConflict=function(){p._=C;return this};b.identity=function(a){return a};b.times=function(a,b,d){for(var e=0;e<a;e++)b.call(d,e)};b.mixin=function(a){h(b.functions(a),function(c){H(c,b[c]=a[c])})};var I=0;b.uniqueId=function(a){var b=I++;return a?a+b:b};b.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g};
-b.template=function(a,c){var d=b.templateSettings;d="var __p=[],print=function(){__p.push.apply(__p,arguments);};with(obj||{}){__p.push('"+a.replace(/\\/g,"\\\\").replace(/'/g,"\\'").replace(d.interpolate,function(a,b){return"',"+b.replace(/\\'/g,"'")+",'"}).replace(d.evaluate||null,function(a,b){return"');"+b.replace(/\\'/g,"'").replace(/[\r\n\t]/g," ")+"__p.push('"}).replace(/\r/g,"\\r").replace(/\n/g,"\\n").replace(/\t/g,"\\t")+"');}return __p.join('');";d=new Function("obj",d);return c?d(c):d};
-var j=function(a){this._wrapped=a};b.prototype=j.prototype;var r=function(a,c){return c?b(a).chain():a},H=function(a,c){j.prototype[a]=function(){var a=f.call(arguments);D.call(a,this._wrapped);return r(c.apply(b,a),this._chain)}};b.mixin(b);h(["pop","push","reverse","shift","sort","splice","unshift"],function(a){var b=i[a];j.prototype[a]=function(){b.apply(this._wrapped,arguments);return r(this._wrapped,this._chain)}});h(["concat","join","slice"],function(a){var b=i[a];j.prototype[a]=function(){return r(b.apply(this._wrapped,
-arguments),this._chain)}});j.prototype.chain=function(){this._chain=!0;return this};j.prototype.value=function(){return this._wrapped}})();
+(function(){function r(a,c,d){if(a===c)return 0!==a||1/a==1/c;if(null==a||null==c)return a===c;a._chain&&(a=a._wrapped);c._chain&&(c=c._wrapped);if(a.isEqual&&b.isFunction(a.isEqual))return a.isEqual(c);if(c.isEqual&&b.isFunction(c.isEqual))return c.isEqual(a);var e=l.call(a);if(e!=l.call(c))return!1;switch(e){case "[object String]":return a==""+c;case "[object Number]":return a!=+a?c!=+c:0==a?1/a==1/c:a==+c;case "[object Date]":case "[object Boolean]":return+a==+c;case "[object RegExp]":return a.source==
+c.source&&a.global==c.global&&a.multiline==c.multiline&&a.ignoreCase==c.ignoreCase}if("object"!=typeof a||"object"!=typeof c)return!1;for(var f=d.length;f--;)if(d[f]==a)return!0;d.push(a);var f=0,g=!0;if("[object Array]"==e){if(f=a.length,g=f==c.length)for(;f--&&(g=f in a==f in c&&r(a[f],c[f],d)););}else{if("constructor"in a!="constructor"in c||a.constructor!=c.constructor)return!1;for(var h in a)if(b.has(a,h)&&(f++,!(g=b.has(c,h)&&r(a[h],c[h],d))))break;if(g){for(h in c)if(b.has(c,h)&&!f--)break;
+g=!f}}d.pop();return g}var s=this,I=s._,o={},k=Array.prototype,p=Object.prototype,i=k.slice,J=k.unshift,l=p.toString,K=p.hasOwnProperty,y=k.forEach,z=k.map,A=k.reduce,B=k.reduceRight,C=k.filter,D=k.every,E=k.some,q=k.indexOf,F=k.lastIndexOf,p=Array.isArray,L=Object.keys,t=Function.prototype.bind,b=function(a){return new m(a)};"undefined"!==typeof exports?("undefined"!==typeof module&&module.exports&&(exports=module.exports=b),exports._=b):s._=b;b.VERSION="1.3.3";var j=b.each=b.forEach=function(a,
+c,d){if(a!=null)if(y&&a.forEach===y)a.forEach(c,d);else if(a.length===+a.length)for(var e=0,f=a.length;e<f;e++){if(e in a&&c.call(d,a[e],e,a)===o)break}else for(e in a)if(b.has(a,e)&&c.call(d,a[e],e,a)===o)break};b.map=b.collect=function(a,c,b){var e=[];if(a==null)return e;if(z&&a.map===z)return a.map(c,b);j(a,function(a,g,h){e[e.length]=c.call(b,a,g,h)});if(a.length===+a.length)e.length=a.length;return e};b.reduce=b.foldl=b.inject=function(a,c,d,e){var f=arguments.length>2;a==null&&(a=[]);if(A&&
+a.reduce===A){e&&(c=b.bind(c,e));return f?a.reduce(c,d):a.reduce(c)}j(a,function(a,b,i){if(f)d=c.call(e,d,a,b,i);else{d=a;f=true}});if(!f)throw new TypeError("Reduce of empty array with no initial value");return d};b.reduceRight=b.foldr=function(a,c,d,e){var f=arguments.length>2;a==null&&(a=[]);if(B&&a.reduceRight===B){e&&(c=b.bind(c,e));return f?a.reduceRight(c,d):a.reduceRight(c)}var g=b.toArray(a).reverse();e&&!f&&(c=b.bind(c,e));return f?b.reduce(g,c,d,e):b.reduce(g,c)};b.find=b.detect=function(a,
+c,b){var e;G(a,function(a,g,h){if(c.call(b,a,g,h)){e=a;return true}});return e};b.filter=b.select=function(a,c,b){var e=[];if(a==null)return e;if(C&&a.filter===C)return a.filter(c,b);j(a,function(a,g,h){c.call(b,a,g,h)&&(e[e.length]=a)});return e};b.reject=function(a,c,b){var e=[];if(a==null)return e;j(a,function(a,g,h){c.call(b,a,g,h)||(e[e.length]=a)});return e};b.every=b.all=function(a,c,b){var e=true;if(a==null)return e;if(D&&a.every===D)return a.every(c,b);j(a,function(a,g,h){if(!(e=e&&c.call(b,
+a,g,h)))return o});return!!e};var G=b.some=b.any=function(a,c,d){c||(c=b.identity);var e=false;if(a==null)return e;if(E&&a.some===E)return a.some(c,d);j(a,function(a,b,h){if(e||(e=c.call(d,a,b,h)))return o});return!!e};b.include=b.contains=function(a,c){var b=false;if(a==null)return b;if(q&&a.indexOf===q)return a.indexOf(c)!=-1;return b=G(a,function(a){return a===c})};b.invoke=function(a,c){var d=i.call(arguments,2);return b.map(a,function(a){return(b.isFunction(c)?c||a:a[c]).apply(a,d)})};b.pluck=
+function(a,c){return b.map(a,function(a){return a[c]})};b.max=function(a,c,d){if(!c&&b.isArray(a)&&a[0]===+a[0])return Math.max.apply(Math,a);if(!c&&b.isEmpty(a))return-Infinity;var e={computed:-Infinity};j(a,function(a,b,h){b=c?c.call(d,a,b,h):a;b>=e.computed&&(e={value:a,computed:b})});return e.value};b.min=function(a,c,d){if(!c&&b.isArray(a)&&a[0]===+a[0])return Math.min.apply(Math,a);if(!c&&b.isEmpty(a))return Infinity;var e={computed:Infinity};j(a,function(a,b,h){b=c?c.call(d,a,b,h):a;b<e.computed&&
+(e={value:a,computed:b})});return e.value};b.shuffle=function(a){var b=[],d;j(a,function(a,f){d=Math.floor(Math.random()*(f+1));b[f]=b[d];b[d]=a});return b};b.sortBy=function(a,c,d){var e=b.isFunction(c)?c:function(a){return a[c]};return b.pluck(b.map(a,function(a,b,c){return{value:a,criteria:e.call(d,a,b,c)}}).sort(function(a,b){var c=a.criteria,d=b.criteria;return c===void 0?1:d===void 0?-1:c<d?-1:c>d?1:0}),"value")};b.groupBy=function(a,c){var d={},e=b.isFunction(c)?c:function(a){return a[c]};
+j(a,function(a,b){var c=e(a,b);(d[c]||(d[c]=[])).push(a)});return d};b.sortedIndex=function(a,c,d){d||(d=b.identity);for(var e=0,f=a.length;e<f;){var g=e+f>>1;d(a[g])<d(c)?e=g+1:f=g}return e};b.toArray=function(a){return!a?[]:b.isArray(a)||b.isArguments(a)?i.call(a):a.toArray&&b.isFunction(a.toArray)?a.toArray():b.values(a)};b.size=function(a){return b.isArray(a)?a.length:b.keys(a).length};b.first=b.head=b.take=function(a,b,d){return b!=null&&!d?i.call(a,0,b):a[0]};b.initial=function(a,b,d){return i.call(a,
+0,a.length-(b==null||d?1:b))};b.last=function(a,b,d){return b!=null&&!d?i.call(a,Math.max(a.length-b,0)):a[a.length-1]};b.rest=b.tail=function(a,b,d){return i.call(a,b==null||d?1:b)};b.compact=function(a){return b.filter(a,function(a){return!!a})};b.flatten=function(a,c){return b.reduce(a,function(a,e){if(b.isArray(e))return a.concat(c?e:b.flatten(e));a[a.length]=e;return a},[])};b.without=function(a){return b.difference(a,i.call(arguments,1))};b.uniq=b.unique=function(a,c,d){var d=d?b.map(a,d):a,
+e=[];a.length<3&&(c=true);b.reduce(d,function(d,g,h){if(c?b.last(d)!==g||!d.length:!b.include(d,g)){d.push(g);e.push(a[h])}return d},[]);return e};b.union=function(){return b.uniq(b.flatten(arguments,true))};b.intersection=b.intersect=function(a){var c=i.call(arguments,1);return b.filter(b.uniq(a),function(a){return b.every(c,function(c){return b.indexOf(c,a)>=0})})};b.difference=function(a){var c=b.flatten(i.call(arguments,1),true);return b.filter(a,function(a){return!b.include(c,a)})};b.zip=function(){for(var a=
+i.call(arguments),c=b.max(b.pluck(a,"length")),d=Array(c),e=0;e<c;e++)d[e]=b.pluck(a,""+e);return d};b.indexOf=function(a,c,d){if(a==null)return-1;var e;if(d){d=b.sortedIndex(a,c);return a[d]===c?d:-1}if(q&&a.indexOf===q)return a.indexOf(c);d=0;for(e=a.length;d<e;d++)if(d in a&&a[d]===c)return d;return-1};b.lastIndexOf=function(a,b){if(a==null)return-1;if(F&&a.lastIndexOf===F)return a.lastIndexOf(b);for(var d=a.length;d--;)if(d in a&&a[d]===b)return d;return-1};b.range=function(a,b,d){if(arguments.length<=
+1){b=a||0;a=0}for(var d=arguments[2]||1,e=Math.max(Math.ceil((b-a)/d),0),f=0,g=Array(e);f<e;){g[f++]=a;a=a+d}return g};var H=function(){};b.bind=function(a,c){var d,e;if(a.bind===t&&t)return t.apply(a,i.call(arguments,1));if(!b.isFunction(a))throw new TypeError;e=i.call(arguments,2);return d=function(){if(!(this instanceof d))return a.apply(c,e.concat(i.call(arguments)));H.prototype=a.prototype;var b=new H,g=a.apply(b,e.concat(i.call(arguments)));return Object(g)===g?g:b}};b.bindAll=function(a){var c=
+i.call(arguments,1);c.length==0&&(c=b.functions(a));j(c,function(c){a[c]=b.bind(a[c],a)});return a};b.memoize=function(a,c){var d={};c||(c=b.identity);return function(){var e=c.apply(this,arguments);return b.has(d,e)?d[e]:d[e]=a.apply(this,arguments)}};b.delay=function(a,b){var d=i.call(arguments,2);return setTimeout(function(){return a.apply(null,d)},b)};b.defer=function(a){return b.delay.apply(b,[a,1].concat(i.call(arguments,1)))};b.throttle=function(a,c){var d,e,f,g,h,i,j=b.debounce(function(){h=
+g=false},c);return function(){d=this;e=arguments;f||(f=setTimeout(function(){f=null;h&&a.apply(d,e);j()},c));g?h=true:i=a.apply(d,e);j();g=true;return i}};b.debounce=function(a,b,d){var e;return function(){var f=this,g=arguments;d&&!e&&a.apply(f,g);clearTimeout(e);e=setTimeout(function(){e=null;d||a.apply(f,g)},b)}};b.once=function(a){var b=false,d;return function(){if(b)return d;b=true;return d=a.apply(this,arguments)}};b.wrap=function(a,b){return function(){var d=[a].concat(i.call(arguments,0));
+return b.apply(this,d)}};b.compose=function(){var a=arguments;return function(){for(var b=arguments,d=a.length-1;d>=0;d--)b=[a[d].apply(this,b)];return b[0]}};b.after=function(a,b){return a<=0?b():function(){if(--a<1)return b.apply(this,arguments)}};b.keys=L||function(a){if(a!==Object(a))throw new TypeError("Invalid object");var c=[],d;for(d in a)b.has(a,d)&&(c[c.length]=d);return c};b.values=function(a){return b.map(a,b.identity)};b.functions=b.methods=function(a){var c=[],d;for(d in a)b.isFunction(a[d])&&
+c.push(d);return c.sort()};b.extend=function(a){j(i.call(arguments,1),function(b){for(var d in b)a[d]=b[d]});return a};b.pick=function(a){var c={};j(b.flatten(i.call(arguments,1)),function(b){b in a&&(c[b]=a[b])});return c};b.defaults=function(a){j(i.call(arguments,1),function(b){for(var d in b)a[d]==null&&(a[d]=b[d])});return a};b.clone=function(a){return!b.isObject(a)?a:b.isArray(a)?a.slice():b.extend({},a)};b.tap=function(a,b){b(a);return a};b.isEqual=function(a,b){return r(a,b,[])};b.isEmpty=
+function(a){if(a==null)return true;if(b.isArray(a)||b.isString(a))return a.length===0;for(var c in a)if(b.has(a,c))return false;return true};b.isElement=function(a){return!!(a&&a.nodeType==1)};b.isArray=p||function(a){return l.call(a)=="[object Array]"};b.isObject=function(a){return a===Object(a)};b.isArguments=function(a){return l.call(a)=="[object Arguments]"};b.isArguments(arguments)||(b.isArguments=function(a){return!(!a||!b.has(a,"callee"))});b.isFunction=function(a){return l.call(a)=="[object Function]"};
+b.isString=function(a){return l.call(a)=="[object String]"};b.isNumber=function(a){return l.call(a)=="[object Number]"};b.isFinite=function(a){return b.isNumber(a)&&isFinite(a)};b.isNaN=function(a){return a!==a};b.isBoolean=function(a){return a===true||a===false||l.call(a)=="[object Boolean]"};b.isDate=function(a){return l.call(a)=="[object Date]"};b.isRegExp=function(a){return l.call(a)=="[object RegExp]"};b.isNull=function(a){return a===null};b.isUndefined=function(a){return a===void 0};b.has=function(a,
+b){return K.call(a,b)};b.noConflict=function(){s._=I;return this};b.identity=function(a){return a};b.times=function(a,b,d){for(var e=0;e<a;e++)b.call(d,e)};b.escape=function(a){return(""+a).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;").replace(/'/g,"&#x27;").replace(/\//g,"&#x2F;")};b.result=function(a,c){if(a==null)return null;var d=a[c];return b.isFunction(d)?d.call(a):d};b.mixin=function(a){j(b.functions(a),function(c){M(c,b[c]=a[c])})};var N=0;b.uniqueId=
+function(a){var b=N++;return a?a+b:b};b.templateSettings={evaluate:/<%([\s\S]+?)%>/g,interpolate:/<%=([\s\S]+?)%>/g,escape:/<%-([\s\S]+?)%>/g};var u=/.^/,n={"\\":"\\","'":"'",r:"\r",n:"\n",t:"\t",u2028:"\u2028",u2029:"\u2029"},v;for(v in n)n[n[v]]=v;var O=/\\|'|\r|\n|\t|\u2028|\u2029/g,P=/\\(\\|'|r|n|t|u2028|u2029)/g,w=function(a){return a.replace(P,function(a,b){return n[b]})};b.template=function(a,c,d){d=b.defaults(d||{},b.templateSettings);a="__p+='"+a.replace(O,function(a){return"\\"+n[a]}).replace(d.escape||
+u,function(a,b){return"'+\n_.escape("+w(b)+")+\n'"}).replace(d.interpolate||u,function(a,b){return"'+\n("+w(b)+")+\n'"}).replace(d.evaluate||u,function(a,b){return"';\n"+w(b)+"\n;__p+='"})+"';\n";d.variable||(a="with(obj||{}){\n"+a+"}\n");var a="var __p='';var print=function(){__p+=Array.prototype.join.call(arguments, '')};\n"+a+"return __p;\n",e=new Function(d.variable||"obj","_",a);if(c)return e(c,b);c=function(a){return e.call(this,a,b)};c.source="function("+(d.variable||"obj")+"){\n"+a+"}";return c};
+b.chain=function(a){return b(a).chain()};var m=function(a){this._wrapped=a};b.prototype=m.prototype;var x=function(a,c){return c?b(a).chain():a},M=function(a,c){m.prototype[a]=function(){var a=i.call(arguments);J.call(a,this._wrapped);return x(c.apply(b,a),this._chain)}};b.mixin(b);j("pop,push,reverse,shift,sort,splice,unshift".split(","),function(a){var b=k[a];m.prototype[a]=function(){var d=this._wrapped;b.apply(d,arguments);var e=d.length;(a=="shift"||a=="splice")&&e===0&&delete d[0];return x(d,
+this._chain)}});j(["concat","join","slice"],function(a){var b=k[a];m.prototype[a]=function(){return x(b.apply(this._wrapped,arguments),this._chain)}});m.prototype.chain=function(){this._chain=true;return this};m.prototype.value=function(){return this._wrapped}}).call(this);

From b22a4f8f1b3f7a81011099bda9e9fc7e2ec31825 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Mon, 21 May 2012 16:44:03 -0700
Subject: [PATCH 2/8] dialog.js: improved parameter-escaping

---
 resources/static/dialog/controllers/dialog.js | 24 +++++++++++++------
 1 file changed, 17 insertions(+), 7 deletions(-)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 1d3e57b87..0e369ee4f 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -86,6 +86,7 @@ BrowserID.Modules.Dialog = (function() {
     if (/^http/.test(url)) u = URLParse(url);
     else if (/^\//.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
+    // encodeURI limits our return value to [a-z0-9:/?%], excluding <script>
     return encodeURI(u.validate().normalize().toString());
   }
 
@@ -111,7 +112,7 @@ BrowserID.Modules.Dialog = (function() {
       return this.get(origin_url, {}, success, error);
     },
 
-    get: function(origin_url, params, success, error) {
+    get: function(origin_url, paramsFromRP, success, error) {
       var self=this,
           hash = win.location.hash;
 
@@ -120,23 +121,32 @@ BrowserID.Modules.Dialog = (function() {
       var actions = startActions.call(self, success, error);
       startStateMachine.call(self, actions);
 
-      params = params || {};
+      // Security Note: paramsFromRP is the output of a JSON.parse on an
+      // RP-controlled string. Most of these fields are expected to be simple
+      // printable strings (hostnames, usernames, and URLs), but we cannot
+      // rely upon the RP to do that. In particular we must guard against
+      // these strings containing <script> tags. We will populate a new
+      // object ("params") with suitably type-checked properties.
+      params = {};
       params.hostname = user.getHostname();
 
       // verify params
-      if (params.tosURL && params.privacyURL) {
+      if (paramsFromRP.tosURL && paramsFromRP.privacyURL) {
         try {
-          params.tosURL = fixupURL(origin_url, params.tosURL);
-          params.privacyURL = fixupURL(origin_url, params.privacyURL);
+          params.tosURL = fixupURL(origin_url, paramsFromRP.tosURL);
+          params.privacyURL = fixupURL(origin_url, paramsFromRP.privacyURL);
         } catch(e) {
+          // note: renderError accepts HTML and cheerfully injects it into a
+          // frame with a powerful origin. So convert 'e' first.
           return self.renderError("error", {
             action: {
-              title: "error in " + origin_url,
-              message: "improper usage of API: " + e
+              title: "error in " + _.escape(origin_url),
+              message: "improper usage of API: " + _.escape(e)
             }
           });
         }
       }
+      // after this point, "params" can be relied upon to contain safe data
 
       // XXX Perhaps put this into the state machine.
       self.bind(win, "unload", onWindowUnload);

From 91b7e6e2a1d8f2711951cb7605357830d1246b5c Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Mon, 21 May 2012 21:54:51 -0700
Subject: [PATCH 3/8] dialog.js: oops, 'var'ify that accidental global

---
 resources/static/dialog/controllers/dialog.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 0e369ee4f..febe54823 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -127,7 +127,7 @@ BrowserID.Modules.Dialog = (function() {
       // rely upon the RP to do that. In particular we must guard against
       // these strings containing <script> tags. We will populate a new
       // object ("params") with suitably type-checked properties.
-      params = {};
+      var params = {};
       params.hostname = user.getHostname();
 
       // verify params

From 5afa0b4d6214f3c8214c80d6da65a8fe0dc28365 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Tue, 22 May 2012 09:21:55 -0700
Subject: [PATCH 4/8] dialog.js: pass requiredEmail (unchecked) through to
 params

---
 resources/static/dialog/controllers/dialog.js | 23 ++++++++++---------
 1 file changed, 12 insertions(+), 11 deletions(-)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index febe54823..8517051de 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -131,20 +131,21 @@ BrowserID.Modules.Dialog = (function() {
       params.hostname = user.getHostname();
 
       // verify params
-      if (paramsFromRP.tosURL && paramsFromRP.privacyURL) {
-        try {
+      try {
+        params.requiredEmail = paramsFromRP.requiredEmail;
+        if (paramsFromRP.tosURL && paramsFromRP.privacyURL) {
           params.tosURL = fixupURL(origin_url, paramsFromRP.tosURL);
           params.privacyURL = fixupURL(origin_url, paramsFromRP.privacyURL);
-        } catch(e) {
-          // note: renderError accepts HTML and cheerfully injects it into a
-          // frame with a powerful origin. So convert 'e' first.
-          return self.renderError("error", {
-            action: {
-              title: "error in " + _.escape(origin_url),
-              message: "improper usage of API: " + _.escape(e)
-            }
-          });
         }
+      } catch(e) {
+        // note: renderError accepts HTML and cheerfully injects it into a
+        // frame with a powerful origin. So convert 'e' first.
+        return self.renderError("error", {
+          action: {
+            title: "error in " + _.escape(origin_url),
+            message: "improper usage of API: " + _.escape(e)
+          }
+        });
       }
       // after this point, "params" can be relied upon to contain safe data
 

From 80d838317ba88df58275923b153e5fc605b04f47 Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Tue, 22 May 2012 17:32:45 -0700
Subject: [PATCH 5/8] Move requiredEmail validation from state.js to dialog.js
 . Tests fail.

Since validation is done earlier, invalid addresses are reported as with
renderError() instead of startAction("doError"). So the tests which
watch for doError are now failing (the frontend tests named
"resources/state: start with invalid requiredEmail - print error screen"
and "resources/state: start with empty requiredEmail - prints error
screen". I don't know how to make them watch for renderError() instead.

One upside of this patch is that @stomlinson told me the three-argument
to startAction("doError"..) in state.js was a bug, as it only accepts
two real arguments. Removing it is even easier than fixing it.
---
 resources/static/dialog/controllers/dialog.js | 6 +++++-
 resources/static/dialog/resources/state.js    | 6 +-----
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 8517051de..8fbc31ce6 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -132,7 +132,11 @@ BrowserID.Modules.Dialog = (function() {
 
       // verify params
       try {
-        params.requiredEmail = paramsFromRP.requiredEmail;
+        if (typeof(paramsFromRP.requiredEmail) !== "undefined") {
+          if (!bid.verifyEmail(paramsFromRP.requiredEmail))
+            throw "invalid requiredEmail: ("+paramsFromRP.requiredEmail+")";
+          params.requiredEmail = paramsFromRP.requiredEmail;
+        }
         if (paramsFromRP.tosURL && paramsFromRP.privacyURL) {
           params.tosURL = fixupURL(origin_url, paramsFromRP.tosURL);
           params.privacyURL = fixupURL(origin_url, paramsFromRP.privacyURL);
diff --git a/resources/static/dialog/resources/state.js b/resources/static/dialog/resources/state.js
index 288dd0e08..6ef339ce5 100644
--- a/resources/static/dialog/resources/state.js
+++ b/resources/static/dialog/resources/state.js
@@ -46,11 +46,7 @@ BrowserID.State = (function() {
       self.tosURL = info.tosURL;
       requiredEmail = info.requiredEmail;
 
-      if ((typeof(requiredEmail) !== "undefined") && (!bid.verifyEmail(requiredEmail))) {
-        // Invalid format
-        startAction("doError", "invalid_required_email", {email: requiredEmail});
-      }
-      else if (info.email && info.type === "primary") {
+      if (info.email && info.type === "primary") {
         primaryVerificationInfo = info;
         redirectToState("primary_user", info);
       }

From 4ddbd3fa0272668150eb06101d31a28425a0d033 Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Wed, 23 May 2012 10:02:59 +0100
Subject: [PATCH 6/8] Move the requiredEmail checks from resources/state.js to
 controllers/dialog.js. Add more tests.

* Add the startExternalDependencies option when initializing the dialog controller, if set to false, no external dependencies are loaded.  Used for testing.
* Add a new test to check for script containing emails.
* Add unit tests for tosURL and privacyURL.
* Add a testHelpers.testErrorNotVisible
* Removed the actions.js->doError and its tests, it is no longer used.
---
 .../static/dialog/controllers/actions.js      |  14 -
 resources/static/dialog/controllers/dialog.js |  35 +-
 .../static/test/cases/controllers/actions.js  |  24 --
 .../static/test/cases/controllers/dialog.js   | 304 ++++++++++++++++--
 .../static/test/cases/resources/state.js      |  22 --
 resources/static/test/testHelpers/helpers.js  |   4 +
 resources/views/test.ejs                      |   1 +
 7 files changed, 314 insertions(+), 90 deletions(-)

diff --git a/resources/static/dialog/controllers/actions.js b/resources/static/dialog/controllers/actions.js
index 322749710..abef40d6f 100644
--- a/resources/static/dialog/controllers/actions.js
+++ b/resources/static/dialog/controllers/actions.js
@@ -56,20 +56,6 @@ BrowserID.Modules.Actions = (function() {
       if(data.ready) _.defer(data.ready);
     },
 
-    /**
-     * Show an error message
-     * @method doError
-     * @param {string} [template] - template to use, if not given, use "error"
-     * @param {object} [info] - info to send to template
-     */
-    doError: function(template, info) {
-      if(!info) {
-        info = template;
-        template = "error";
-      }
-      this.renderError(template, info);
-    },
-
     doCancel: function() {
       if(onsuccess) onsuccess(null);
     },
diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 8fbc31ce6..25236e5db 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -13,6 +13,7 @@ BrowserID.Modules.Dialog = (function() {
       errors = bid.Errors,
       dom = bid.DOM,
       win = window,
+      startExternalDependencies = true,
       channel,
       sc;
 
@@ -83,7 +84,7 @@ BrowserID.Modules.Dialog = (function() {
 
   function fixupURL(origin, url) {
     var u;
-    if (/^http/.test(url)) u = URLParse(url);
+    if (/^http(s)?:\/\//.test(url)) u = URLParse(url);
     else if (/^\//.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
     // encodeURI limits our return value to [a-z0-9:/?%], excluding <script>
@@ -98,8 +99,23 @@ BrowserID.Modules.Dialog = (function() {
 
       win = options.window || window;
 
+      // startExternalDependencies is used in unit testing and can only be set
+      // by the creator/starter of this module.  If startExternalDependencies
+      // is set to false, the channel, state machine, and actions controller
+      // are not started.  These dependencies can interfere with the ability to
+      // unit test this module because they can throw exceptions and show error
+      // messages.
+      startExternalDependencies = true;
+      if (typeof options.startExternalDependencies === "boolean") {
+        startExternalDependencies = options.startExternalDependencies;
+      }
+
       sc.start.call(self, options);
-      startChannel.call(self);
+
+      if (startExternalDependencies) {
+        startChannel.call(self);
+      }
+
       options.ready && _.defer(options.ready);
     },
 
@@ -118,8 +134,11 @@ BrowserID.Modules.Dialog = (function() {
 
       setOrigin(origin_url);
 
-      var actions = startActions.call(self, success, error);
-      startStateMachine.call(self, actions);
+
+      if (startExternalDependencies) {
+        var actions = startActions.call(self, success, error);
+        startStateMachine.call(self, actions);
+      }
 
       // Security Note: paramsFromRP is the output of a JSON.parse on an
       // RP-controlled string. Most of these fields are expected to be simple
@@ -132,9 +151,9 @@ BrowserID.Modules.Dialog = (function() {
 
       // verify params
       try {
-        if (typeof(paramsFromRP.requiredEmail) !== "undefined") {
+        if (paramsFromRP.requiredEmail) {
           if (!bid.verifyEmail(paramsFromRP.requiredEmail))
-            throw "invalid requiredEmail: ("+paramsFromRP.requiredEmail+")";
+            throw "invalid requiredEmail: (" + paramsFromRP.requiredEmail + ")";
           params.requiredEmail = paramsFromRP.requiredEmail;
         }
         if (paramsFromRP.tosURL && paramsFromRP.privacyURL) {
@@ -144,12 +163,14 @@ BrowserID.Modules.Dialog = (function() {
       } catch(e) {
         // note: renderError accepts HTML and cheerfully injects it into a
         // frame with a powerful origin. So convert 'e' first.
-        return self.renderError("error", {
+        self.renderError("error", {
           action: {
             title: "error in " + _.escape(origin_url),
             message: "improper usage of API: " + _.escape(e)
           }
         });
+
+        return e;
       }
       // after this point, "params" can be relied upon to contain safe data
 
diff --git a/resources/static/test/cases/controllers/actions.js b/resources/static/test/cases/controllers/actions.js
index 11c58cd96..8d90d69f8 100644
--- a/resources/static/test/cases/controllers/actions.js
+++ b/resources/static/test/cases/controllers/actions.js
@@ -47,30 +47,6 @@
     }
   });
 
-  asyncTest("doError with no template - display default error screen", function() {
-    createController({
-      ready: function() {
-        equal(testHelpers.errorVisible(), false, "Error is not yet visible");
-        controller.doError({});
-        ok(testHelpers.errorVisible(), "Error is visible");
-        equal($("#defaultError").length, 1, "default error screen is shown");
-        start();
-      }
-    });
-  });
-
-  asyncTest("doError with with template - display error screen", function() {
-    createController({
-      ready: function() {
-        equal(testHelpers.errorVisible(), false, "Error is not yet visible");
-        controller.doError("invalid_required_email", {email: "email"});
-        equal($("#invalidRequiredEmail").length, 1, "default error screen is shown");
-        ok(testHelpers.errorVisible(), "Error is visible");
-        start();
-      }
-    });
-  });
-
   asyncTest("doProvisionPrimaryUser - start the provision_primary_user service", function() {
     testActionStartsModule("doProvisionPrimaryUser", {email: TEST_EMAIL},
       "provision_primary_user");
diff --git a/resources/static/test/cases/controllers/dialog.js b/resources/static/test/cases/controllers/dialog.js
index ee944e7d4..58fd61406 100644
--- a/resources/static/test/cases/controllers/dialog.js
+++ b/resources/static/test/cases/controllers/dialog.js
@@ -11,15 +11,18 @@
       network = bid.Network,
       mediator = bid.Mediator,
       testHelpers = bid.TestHelpers,
+      testErrorVisible = testHelpers.testErrorVisible,
+      testErrorNotVisible = testHelpers.testErrorNotVisible,
+      screens = bid.Screens,
       xhr = bid.Mocks.xhr,
+      HTTP_TEST_DOMAIN = "http://testdomain.org",
+      HTTPS_TEST_DOMAIN = "https://testdomain.org",
+      TESTEMAIL = "testuser@testuser.com",
       controller,
       el,
       winMock,
       navMock;
 
-  function reset() {
-  }
-
   function WinMock() {
     this.location.hash = "#1234";
   }
@@ -49,60 +52,59 @@
   };
 
   function createController(config) {
-    var config = $.extend({
-      window: winMock
+    // startExternalDependencies defaults to true, for most of our tests we
+    // want to turn this off to prevent the state machine, channel, and actions
+    // controller from starting up and throwing errors.  This allows us to test
+    // dialog as an individual unit.
+    var options = $.extend({
+      window: winMock,
+      startExternalDependencies: false,
     }, config);
 
     controller = BrowserID.Modules.Dialog.create();
-    controller.start(config);
+    controller.start(options);
   }
 
   module("controllers/dialog", {
     setup: function() {
       winMock = new WinMock();
-      reset();
       testHelpers.setup();
     },
 
     teardown: function() {
       controller.destroy();
-      reset();
       testHelpers.teardown();
     }
   });
 
-  function checkNetworkError() {
-    ok($("#error .contents").text().length, "contents have been written");
-    ok($("#error #action").text().length, "action contents have been written");
-    ok($("#error #network").text().length, "network contents have been written");
-  }
-
   asyncTest("initialization with channel error", function() {
     // Set the hash so that the channel cannot be found.
     winMock.location.hash = "#1235";
     createController({
+      startExternalDependencies: true,
       ready: function() {
-        ok($("#error .contents").text().length, "contents have been written");
+        testErrorVisible();
         start();
       }
     });
   });
 
   asyncTest("initialization with add-on navigator.id.channel", function() {
-    var ok_p = false;
+    var registerControllerCalled = false;
 
     // expect registerController to be called.
     winMock.navigator.id = {
       channel : {
         registerController: function(controller) {
-          ok_p = controller.getVerifiedEmail && controller.get;
+          registerControllerCalled = controller.getVerifiedEmail && controller.get;
         }
       }
     };
 
     createController({
+      startExternalDependencies: true,
       ready: function() {
-        ok(ok_p, "registerController was not called with proper controller");
+        ok(registerControllerCalled, "registerController was not called with proper controller");
         start();
       }
     });
@@ -113,7 +115,7 @@
 
     createController({
       ready: function() {
-        ok($("#error .contents").text().length == 0, "no error should be reported");
+        testErrorNotVisible();
         start();
       }
     });
@@ -125,7 +127,7 @@
 
     createController({
       ready: function() {
-        ok($("#error .contents").text().length == 0, "no error should be reported");
+        testErrorNotVisible();
         start();
       }
     });
@@ -138,7 +140,7 @@
       ready: function() {
         mediator.subscribe("start", function(msg, info) {
           equal(info.type, "primary", "correct type");
-          equal(info.email, "testuser@testuser.com", "email_chosen with correct email");
+          equal(info.email, TESTEMAIL, "email_chosen with correct email");
           equal(info.add, false, "add is not specified with CREATE_EMAIL option");
           start();
         });
@@ -161,7 +163,7 @@
       ready: function() {
         mediator.subscribe("start", function(msg, info) {
           equal(info.type, "primary", "correct type");
-          equal(info.email, "testuser@testuser.com", "email_chosen with correct email");
+          equal(info.email, TESTEMAIL, "email_chosen with correct email");
           equal(info.add, true, "add is specified with ADD_EMAIL option");
           start();
         });
@@ -179,7 +181,6 @@
 
   asyncTest("onWindowUnload", function() {
     createController({
-      requiredEmail: "registered@testuser.com",
       ready: function() {
         var error;
 
@@ -196,6 +197,263 @@
     });
   });
 
+  asyncTest("get with invalid requiredEmail - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          requiredEmail: "bademail"
+        });
+        equal(retval, "invalid requiredEmail: (bademail)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with script containing requiredEmail - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          requiredEmail: "<script>window.scriptRun=true;</script>testuser@testuser.com"
+        });
+
+        // If requiredEmail is not properly escaped, scriptRun will be true.
+        equal(typeof window.scriptRun, "undefined", "script was not run");
+        equal(retval, "invalid requiredEmail: (<script>window.scriptRun=true;</script>testuser@testuser.com)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with valid requiredEmail - go to start", function() {
+    createController({
+      ready: function() {
+        var startCalled = false;
+        mediator.subscribe("start", function(msg, info) {
+          startCalled = true;
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          requiredEmail: TESTEMAIL
+        });
+
+        equal(typeof retval, "undefined", "no error expected");
+        equal(startCalled, true, "start has been called");
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with relative tosURL & valid privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "relative.html",
+          privacyURL: "/privacy.html"
+        });
+        equal(retval, "relative urls not allowed: (relative.html)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with script containing tosURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "relative.html<script>window.scriptRun=true;</script>",
+          privacyURL: "/privacy.html"
+        });
+
+        // If tosURL is not properly escaped, scriptRun will be true.
+        equal(typeof window.scriptRun, "undefined", "script was not run");
+        equal(retval, "relative urls not allowed: (relative.html<script>window.scriptRun=true;</script>)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with valid tosURL & relative privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "relative.html"
+        });
+        equal(retval, "relative urls not allowed: (relative.html)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with script containing privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "relative.html<script>window.scriptRun=true;</script>"
+        });
+
+        // If privacyURL is not properly escaped, scriptRun will be true.
+        equal(typeof window.scriptRun, "undefined", "script was not run");
+        equal(retval, "relative urls not allowed: (relative.html<script>window.scriptRun=true;</script>)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "relative.html<script>window.scriptRun=true;</script>"
+        });
+
+        // If privacyURL is not properly escaped, scriptRun will be true.
+        equal(typeof window.scriptRun, "undefined", "script was not run");
+        equal(retval, "relative urls not allowed: (relative.html<script>window.scriptRun=true;</script>)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with javascript protocol for privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "javascript:alert(1)"
+        });
+
+        equal(retval, "relative urls not allowed: (javascript:alert(1))", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with invalid httpg protocol for privacyURL - print error screen", function() {
+    createController({
+      ready: function() {
+        mediator.subscribe("start", function(msg, info) {
+          ok(false, "start should not have been called");
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "httpg://testdomain.com/privacy.html"
+        });
+
+        equal(retval, "relative urls not allowed: (httpg://testdomain.com/privacy.html)", "expected error");
+        testErrorVisible();
+        start();
+      }
+    });
+  });
+
+
+  asyncTest("get with valid absolute tosURL & privacyURL - go to start", function() {
+    createController({
+      ready: function() {
+        var startCalled = false;
+        mediator.subscribe("start", function(msg, info) {
+          startCalled = true;
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: "/tos.html",
+          privacyURL: "/privacy.html"
+        });
+
+        equal(typeof retval, "undefined", "no error expected");
+        equal(startCalled, true, "start has been called");
+        testErrorNotVisible();
+        start();
+      }
+    });
+  });
+
+  asyncTest("get with valid fully qualified http tosURL & privacyURL - go to start", function() {
+    createController({
+      ready: function() {
+        var startCalled = false;
+        mediator.subscribe("start", function(msg, info) {
+          startCalled = true;
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: HTTP_TEST_DOMAIN + "/tos.html",
+          privacyURL: HTTP_TEST_DOMAIN + "/privacy.html"
+        });
+
+        equal(typeof retval, "undefined", "no error expected");
+        equal(startCalled, true, "start has been called");
+        testErrorNotVisible();
+        start();
+      }
+    });
+  });
+
+
+  asyncTest("get with valid fully qualified https tosURL & privacyURL - go to start", function() {
+    createController({
+      ready: function() {
+        var startCalled = false;
+        mediator.subscribe("start", function(msg, info) {
+          startCalled = true;
+        });
+
+        var retval = controller.get(HTTP_TEST_DOMAIN, {
+          tosURL: HTTPS_TEST_DOMAIN + "/tos.html",
+          privacyURL: HTTPS_TEST_DOMAIN + "/privacy.html"
+        });
+
+        equal(typeof retval, "undefined", "no error expected");
+        equal(startCalled, true, "start has been called");
+        testErrorNotVisible();
+        start();
+      }
+    });
+  });
 
 }());
 
diff --git a/resources/static/test/cases/resources/state.js b/resources/static/test/cases/resources/state.js
index a8d859f19..16b634350 100644
--- a/resources/static/test/cases/resources/state.js
+++ b/resources/static/test/cases/resources/state.js
@@ -376,28 +376,6 @@
     equal(actions.called.doCheckAuth, true, "checking auth on start");
   });
 
-  test("start with invalid requiredEmail - print error screen", function() {
-    mediator.publish("start", {
-      requiredEmail: "bademail"
-    });
-
-    equal(actions.called.doError, true, "error screen is shown");
-  });
-
-  test("start with empty requiredEmail - prints error screen", function() {
-    mediator.publish("start", {
-      requiredEmail: ""
-    });
-
-    equal(actions.called.doError, true, "error screen is shown");
-  });
-
-  test("start with valid requiredEmail - go to doCheckAuth", function() {
-    mediator.publish("start", { requiredEmail: TEST_EMAIL });
-
-    equal(actions.called.doCheckAuth, true, "checking auth on start");
-  });
-
   asyncTest("start to complete successful primary email verification - goto 'primary_user'", function() {
     mediator.subscribe("primary_user", function(msg, info) {
       equal(info.email, TEST_EMAIL, "correct email given");
diff --git a/resources/static/test/testHelpers/helpers.js b/resources/static/test/testHelpers/helpers.js
index 287ba8393..833f31e6e 100644
--- a/resources/static/test/testHelpers/helpers.js
+++ b/resources/static/test/testHelpers/helpers.js
@@ -127,6 +127,10 @@ BrowserID.TestHelpers = (function() {
       equal(TestHelpers.errorVisible(), true, "error screen is visible");
     },
 
+    testErrorNotVisible: function() {
+      equal(TestHelpers.errorVisible(), false, "error screen is not visible");
+    },
+
     waitVisible: function() {
       return screens.wait.visible;
     },
diff --git a/resources/views/test.ejs b/resources/views/test.ejs
index 30c4faf53..bb56772ac 100644
--- a/resources/views/test.ejs
+++ b/resources/views/test.ejs
@@ -76,6 +76,7 @@
     <script src="/lib/hub.js"></script>
     <script src="/lib/module.js"></script>
     <script src="/lib/jschannel.js"></script>
+    <script src="/lib/urlparse.js"></script>
     <script src="mocks/mocks.js"></script>
     <script src="mocks/xhr.js"></script>
     <script src="mocks/templates.js"></script>

From 62043b0fd9c1c2cf8d371fe4d4f690c1ebdc2d5d Mon Sep 17 00:00:00 2001
From: Brian Warner <warner@lothar.com>
Date: Wed, 23 May 2012 11:45:20 -0700
Subject: [PATCH 7/8] strengthen email/URL validation: require the objects to
 be strings

---
 resources/static/dialog/controllers/dialog.js | 2 ++
 resources/static/shared/validation.js         | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/resources/static/dialog/controllers/dialog.js b/resources/static/dialog/controllers/dialog.js
index 25236e5db..62043fbc8 100644
--- a/resources/static/dialog/controllers/dialog.js
+++ b/resources/static/dialog/controllers/dialog.js
@@ -84,6 +84,8 @@ BrowserID.Modules.Dialog = (function() {
 
   function fixupURL(origin, url) {
     var u;
+    if (typeof(url) !== "string")
+      throw "urls must be strings: (" + url + ")";
     if (/^http(s)?:\/\//.test(url)) u = URLParse(url);
     else if (/^\//.test(url)) u = URLParse(origin + url);
     else throw "relative urls not allowed: (" + url + ")";
diff --git a/resources/static/shared/validation.js b/resources/static/shared/validation.js
index e103085a0..d49f82371 100644
--- a/resources/static/shared/validation.js
+++ b/resources/static/shared/validation.js
@@ -7,6 +7,8 @@ BrowserID.Validation = (function() {
       tooltip = bid.Tooltip;
 
   bid.verifyEmail = function(address) {
+    if (typeof(address) !== "string")
+      return false;
     // Original gotten from http://blog.gerv.net/2011/05/html5_email_address_regexp/
     // changed the requirement that there must be a ldh-str because BrowserID
     // is only used on internet based networks.

From 5f6e89f11bb7db1ff976047cf9a202ac04f70137 Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Wed, 23 May 2012 22:21:06 +0100
Subject: [PATCH 8/8] Add additional tests to check whether requiredEmail,
 tosURL and privacyURL parameters are passed to "start" when expected.

---
 .../static/test/cases/controllers/dialog.js   | 38 +++++++++++++------
 1 file changed, 26 insertions(+), 12 deletions(-)

diff --git a/resources/static/test/cases/controllers/dialog.js b/resources/static/test/cases/controllers/dialog.js
index 58fd61406..4190cd915 100644
--- a/resources/static/test/cases/controllers/dialog.js
+++ b/resources/static/test/cases/controllers/dialog.js
@@ -237,17 +237,20 @@
   asyncTest("get with valid requiredEmail - go to start", function() {
     createController({
       ready: function() {
-        var startCalled = false;
+        var startInfo;
         mediator.subscribe("start", function(msg, info) {
-          startCalled = true;
+          startInfo = info;
         });
 
         var retval = controller.get(HTTP_TEST_DOMAIN, {
           requiredEmail: TESTEMAIL
         });
 
+        testHelpers.testObjectValuesEqual(startInfo, {
+          requiredEmail: TESTEMAIL
+        });
         equal(typeof retval, "undefined", "no error expected");
-        equal(startCalled, true, "start has been called");
+        testErrorNotVisible();
         start();
       }
     });
@@ -394,9 +397,9 @@
   asyncTest("get with valid absolute tosURL & privacyURL - go to start", function() {
     createController({
       ready: function() {
-        var startCalled = false;
+        var startInfo;
         mediator.subscribe("start", function(msg, info) {
-          startCalled = true;
+          startInfo = info;
         });
 
         var retval = controller.get(HTTP_TEST_DOMAIN, {
@@ -404,8 +407,12 @@
           privacyURL: "/privacy.html"
         });
 
+        testHelpers.testObjectValuesEqual(startInfo, {
+          tosURL: HTTP_TEST_DOMAIN + "/tos.html",
+          privacyURL: HTTP_TEST_DOMAIN + "/privacy.html"
+        });
+
         equal(typeof retval, "undefined", "no error expected");
-        equal(startCalled, true, "start has been called");
         testErrorNotVisible();
         start();
       }
@@ -415,9 +422,9 @@
   asyncTest("get with valid fully qualified http tosURL & privacyURL - go to start", function() {
     createController({
       ready: function() {
-        var startCalled = false;
+        var startInfo;
         mediator.subscribe("start", function(msg, info) {
-          startCalled = true;
+          startInfo = info;
         });
 
         var retval = controller.get(HTTP_TEST_DOMAIN, {
@@ -425,8 +432,12 @@
           privacyURL: HTTP_TEST_DOMAIN + "/privacy.html"
         });
 
+        testHelpers.testObjectValuesEqual(startInfo, {
+          tosURL: HTTP_TEST_DOMAIN + "/tos.html",
+          privacyURL: HTTP_TEST_DOMAIN + "/privacy.html"
+        });
+
         equal(typeof retval, "undefined", "no error expected");
-        equal(startCalled, true, "start has been called");
         testErrorNotVisible();
         start();
       }
@@ -437,9 +448,9 @@
   asyncTest("get with valid fully qualified https tosURL & privacyURL - go to start", function() {
     createController({
       ready: function() {
-        var startCalled = false;
+        var startInfo;
         mediator.subscribe("start", function(msg, info) {
-          startCalled = true;
+          startInfo = info;
         });
 
         var retval = controller.get(HTTP_TEST_DOMAIN, {
@@ -447,8 +458,11 @@
           privacyURL: HTTPS_TEST_DOMAIN + "/privacy.html"
         });
 
+        testHelpers.testObjectValuesEqual(startInfo, {
+          tosURL: HTTPS_TEST_DOMAIN + "/tos.html",
+          privacyURL: HTTPS_TEST_DOMAIN + "/privacy.html"
+        });
         equal(typeof retval, "undefined", "no error expected");
-        equal(startCalled, true, "start has been called");
         testErrorNotVisible();
         start();
       }