Validator roll up (ampproject#19965)

* cl/225092847 Add validator rules for amp-video and amp-yotpo in EXPERIMENTAL. * cl/225106151 "add validator changes to support script templates -alabiaga@" * cl/225388113 Revision bump for ampproject#19854 * cl/225400099 Revision bump for ampproject#19871 * cl/225612473 Remove EXPERIMENTAL from amp-list and amp-state. * cl/225861155 Revision bump for ampproject#19872 * cl/225872246 Revision bump for ampproject#19894 * cl/225876987 Revision bump for ampproject#18700 * cl/226048698 Revision bump for ampproject#19928 * cl/226051527 Revision bump for ampproject#18440
noranazmy · Mar 22, 2019 · b2c5fb2 · b2c5fb2
1 parent 3c23c95
commit b2c5fb2
Show file tree

Hide file tree

Showing 12 changed files with 521 additions and 42 deletions.
diff --git a/extensions/amp-bind/validator-amp-bind.protoascii b/extensions/amp-bind/validator-amp-bind.protoascii
@@ -58,7 +58,6 @@ tags: {  # <amp-state> (json)
 }
 tags: {  # <amp-state>
   html_format: AMP
-  html_format: EXPERIMENTAL
   tag_name: "AMP-STATE"
   spec_name: "amp-state"
   requires_extension: "amp-bind"

diff --git a/extensions/amp-date-picker/0.1/test/validator-amp-date-picker.out b/extensions/amp-date-picker/0.1/test/validator-amp-date-picker.out
@@ -236,4 +236,4 @@ amp-date-picker/0.1/test/validator-amp-date-picker.html:174:2 The attribute 'typ
 amp-date-picker/0.1/test/validator-amp-date-picker.html:177:2 The specified layout 'FIXED_HEIGHT' is not supported by tag 'amp-date-picker[type=single][mode=overlay]'. (see https://www.ampproject.org/docs/reference/components/amp-date-picker) [AMP_LAYOUT_PROBLEM]
 |    </amp-date-picker>
 |  </body>
-|  </html>
+|  </html>
diff --git a/extensions/amp-list/validator-amp-list.protoascii b/extensions/amp-list/validator-amp-list.protoascii
@@ -39,7 +39,6 @@ tags: {  # amp-list
 }
 tags: {  # <amp-list> with mandatory src and/or [src] attr
   html_format: AMP
-  html_format: EXPERIMENTAL
   tag_name: "AMP-LIST"
   requires_extension: "amp-list"
   attrs: {

diff --git a/extensions/amp-mustache/0.1/test/validator-amp-mustache.html b/extensions/amp-mustache/0.1/test/validator-amp-mustache.html
@@ -15,7 +15,7 @@
 -->
 <!--
   Test Description:
-  This tests the logic for <template> tags and mustache variable replacements.
+  This tests the logic for <template> and <script> tags and mustache variable replacements.
 -->
 <!doctype html>
 <html ⚡>
@@ -27,7 +27,7 @@
   <script async src="https://cdn.ampproject.org/v0.js"></script>
 </head>
 <body>
-
+<!-- Template -->
 <template type="amp-mustache">
   <{{not-actually-parsed-as-an-html-tag-so-allowed}}>
   <p title="{{allowed}}">{{allowed}}</p>
@@ -103,10 +103,13 @@
   </div>
 </template>
 
-<!-- Not descendant from a template, so mustache attribute values are OK -->
-<p title="{{{allowed }}}"></p>
-<p title="{{&allowed }}"></p>
-<p title="{{>allowed }}"></p>
+<template type="amp-mustache">
+  <div>
+    <script type="text/plain" template="amp-mustache">
+      Nested Template script tags are not allowed.
+    </script>
+  </div>
+</template>
 
 <!-- Inside a template, attribute value restrictions are relaxed. -->
 <amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{invalid}}">
@@ -121,6 +124,95 @@
 <amp-img src="{{image.url}}" width={{image.width}} height={{image.height}}></amp-img>
 </template>
 
+<!--
+  Script template.
+  Note that no errors are emmited for malformed mustache in script templates as the contents of
+  script elements is interpreted as text as opposed to nodes which is not handled by the validaor.
+-->
+<script type="text/plain" template="amp-mustache">
+  <{{not-actually-parsed-as-an-html-tag-so-allowed}}>
+  <p title="{{allowed}}">{{allowed}}</p>
+  <p {{notallowed}}></p>
+  <p {{notallowed}}=0></p>
+  <p [{{notallowed}}]=0></p>
+  <p data-{notallowed}=0></p>
+  <p data-{{notallowed}}=0></p>
+  <p data-[{{notallowed}}]=0></p>
+  <p data-{{{notallowed}}}=0></p>
+  <p data-{{&notallowed}}=0></p>
+  <p data-{{#notallowed}}=0></p>
+  <p data-{{/notallowed}}=0></p>
+  <p data-{{^notallowed}}=0></p>
+  <p data-{{>notallowed}}=0></p>
+  <p {{#notallowed}}class=foo{{/notallowed}}>
+  <p {{#notallowed}}class{{/notallowed}}>
+  <p title="{{{notallowed}}}"></p>
+  <p title="{{&notallowed}}"></p>
+  <p title="{{>notallowed}}"></p>
+  <p data-title="{{{notallowed}}}"></p>
+  <p data-title="{{&notallowed}}"></p>
+  <p data-title="{{>notallowed}}"></p>
+
+  <!-- now with some whitespace inside the mustache tags -->
+  <{{ not-actually-parsed-as-an-html-tag-so-allowed }}>
+  <p title="{{ allowed }}">{{ allowed }}</p>
+  <p {{ notallowed }}></p>
+  <p {{ notallowed }}=0></p>
+  <p data-{{ notallowed }}=0></p>
+  <p data-{{{ notallowed }}}=0></p>
+  <p data-{{ &notallowed }}=0></p>
+  <p data-{{ #notallowed }}=0></p>
+  <p data-{{ /notallowed }}=0></p>
+  <p data-{{ ^notallowed }}=0></p>
+  <p data-{{ >notallowed }}=0></p>
+  <p {{ #notallowed }}class=foo{{ /notallowed }}>
+  <p {{ #notallowed }}class{{ /notallowed }}>
+  <p title="{{{ notallowed }}}"></p>
+  <p title="{{ &notallowed }}"></p>
+  <p title="{{ >notallowed }}"></p>
+  <p title="{{& notallowed }}"></p>
+  <p title="{{> notallowed }}"></p>
+  <p title="{{ & notallowed }}"></p>
+  <p title="{{ > notallowed }}"></p>
+
+  <!-- Note, this is allowed by the validator, but it is critical that it
+       be sanitized by the runtime. If the runtime allowed this, then after
+       rendering (assuming #off was null) we would have:
+      <a href="javascript:alert('foo')"></a>
+   -->
+  <a href="{{#off}}"></a>
+    {{/off}}javascript:alert('foo'){{#off}}
+  <a href="{{/off}"></a>
+
+  <!-- Allowed by the validator, but could lead to script execution
+       depending on the value. -->
+  <a href="{{foo}}"></a>
+  <a href="java{{foo}}script:alert('foo')"></a>
+
+  <!-- Really tricky example that the validator allows, but the runtime
+       must handle. Essentially if {{foo}} is an empty string, this becomes
+       a <script> tag, otherwise, it's just a harmless comment -->
+  <!-- comment --{{foo}}><script><!-- -->
+
+</script>
+
+<!-- Inside a script template, attribute value restrictions are relaxed. -->
+<amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{invalid}}">
+<script type="text/plain" template="amp-mustache">
+<amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{valid}}">
+</script>
+
+<!-- Since layout calculations follow a different code path, test that layouts
+     validate. -->
+<!-- See https://github.com/ampproject/amphtml/issues/2670 -->
+<script type="text/plain" template="amp-mustache">
+<amp-img src="{{image.url}}" width={{image.width}} height={{image.height}}></amp-img>
+</script>
+
+<!-- Not descendant from a template, so mustache attribute values are OK -->
+<p title="{{{allowed }}}"></p>
+<p title="{{&allowed }}"></p>
+<p title="{{>allowed }}"></p>
 
 </body>
 </html>
diff --git a/extensions/amp-mustache/0.1/test/validator-amp-mustache.out b/extensions/amp-mustache/0.1/test/validator-amp-mustache.out
@@ -16,7 +16,7 @@ FAIL
 |  -->
 |  <!--
 |    Test Description:
-|    This tests the logic for <template> tags and mustache variable replacements.
+|    This tests the logic for <template> and <script> tags and mustache variable replacements.
 |  -->
 |  <!doctype html>
 |  <html ⚡>
@@ -28,7 +28,7 @@ FAIL
 |    <script async src="https://cdn.ampproject.org/v0.js"></script>
 |  </head>
 |  <body>
-|
+|  <!-- Template -->
 |  <template type="amp-mustache">
 >> ^~~~~~~~~
 amp-mustache/0.1/test/validator-amp-mustache.html:31:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
@@ -236,34 +236,142 @@ amp-mustache/0.1/test/validator-amp-mustache.html:100:4 The tag 'template' requi
 |    </div>
 |  </template>
 |
-|  <!-- Not descendant from a template, so mustache attribute values are OK -->
-|  <p title="{{{allowed }}}"></p>
-|  <p title="{{&allowed }}"></p>
-|  <p title="{{>allowed }}"></p>
+|  <template type="amp-mustache">
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:106:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|    <div>
+|      <script type="text/plain" template="amp-mustache">
+>>     ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:108:4 The tag 'SCRIPT type=text/plain' may not appear as a descendant of tag 'template'. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [AMP_HTML_TEMPLATE_PROBLEM]
+>>     ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:108:4 The tag 'SCRIPT type=text/plain' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|        Nested Template script tags are not allowed.
+|      </script>
+|    </div>
+|  </template>
 |
 |  <!-- Inside a template, attribute value restrictions are relaxed. -->
 |  <amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{invalid}}">
 >> ^~~~~~~~~
-amp-mustache/0.1/test/validator-amp-mustache.html:112:0 The attribute 'autoplay' in tag 'amp-audio' is set to the invalid value '{{invalid}}'. (see https://www.ampproject.org/docs/reference/components/amp-audio) [DISALLOWED_HTML]
+amp-mustache/0.1/test/validator-amp-mustache.html:115:0 The attribute 'autoplay' in tag 'amp-audio' is set to the invalid value '{{invalid}}'. (see https://www.ampproject.org/docs/reference/components/amp-audio) [DISALLOWED_HTML]
 >> ^~~~~~~~~
-amp-mustache/0.1/test/validator-amp-mustache.html:112:0 The tag 'amp-audio' requires including the 'amp-audio' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-audio) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+amp-mustache/0.1/test/validator-amp-mustache.html:115:0 The tag 'amp-audio' requires including the 'amp-audio' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-audio) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
 |  <template type="amp-mustache">
 >> ^~~~~~~~~
-amp-mustache/0.1/test/validator-amp-mustache.html:113:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+amp-mustache/0.1/test/validator-amp-mustache.html:116:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
 |  <amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{valid}}">
 >> ^~~~~~~~~
-amp-mustache/0.1/test/validator-amp-mustache.html:114:0 The tag 'amp-audio' requires including the 'amp-audio' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-audio) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+amp-mustache/0.1/test/validator-amp-mustache.html:117:0 The tag 'amp-audio' requires including the 'amp-audio' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-audio) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
 |  </template>
 |
 |  <!-- Since layout calculations follow a different code path, test that layouts
 |       validate. -->
 |  <!-- See https://github.com/ampproject/amphtml/issues/2670 -->
 |  <template type="amp-mustache">
 >> ^~~~~~~~~
-amp-mustache/0.1/test/validator-amp-mustache.html:120:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+amp-mustache/0.1/test/validator-amp-mustache.html:123:0 The tag 'template' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
 |  <amp-img src="{{image.url}}" width={{image.width}} height={{image.height}}></amp-img>
 |  </template>
 |
+|  <!--
+|    Script template.
+|    Note that no errors are emmited for malformed mustache in script templates as the contents of
+|    script elements is interpreted as text as opposed to nodes which is not handled by the validaor.
+|  -->
+|  <script type="text/plain" template="amp-mustache">
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:132:0 The tag 'SCRIPT type=text/plain' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|    <{{not-actually-parsed-as-an-html-tag-so-allowed}}>
+|    <p title="{{allowed}}">{{allowed}}</p>
+|    <p {{notallowed}}></p>
+|    <p {{notallowed}}=0></p>
+|    <p [{{notallowed}}]=0></p>
+|    <p data-{notallowed}=0></p>
+|    <p data-{{notallowed}}=0></p>
+|    <p data-[{{notallowed}}]=0></p>
+|    <p data-{{{notallowed}}}=0></p>
+|    <p data-{{&notallowed}}=0></p>
+|    <p data-{{#notallowed}}=0></p>
+|    <p data-{{/notallowed}}=0></p>
+|    <p data-{{^notallowed}}=0></p>
+|    <p data-{{>notallowed}}=0></p>
+|    <p {{#notallowed}}class=foo{{/notallowed}}>
+|    <p {{#notallowed}}class{{/notallowed}}>
+|    <p title="{{{notallowed}}}"></p>
+|    <p title="{{&notallowed}}"></p>
+|    <p title="{{>notallowed}}"></p>
+|    <p data-title="{{{notallowed}}}"></p>
+|    <p data-title="{{&notallowed}}"></p>
+|    <p data-title="{{>notallowed}}"></p>
+|
+|    <!-- now with some whitespace inside the mustache tags -->
+|    <{{ not-actually-parsed-as-an-html-tag-so-allowed }}>
+|    <p title="{{ allowed }}">{{ allowed }}</p>
+|    <p {{ notallowed }}></p>
+|    <p {{ notallowed }}=0></p>
+|    <p data-{{ notallowed }}=0></p>
+|    <p data-{{{ notallowed }}}=0></p>
+|    <p data-{{ &notallowed }}=0></p>
+|    <p data-{{ #notallowed }}=0></p>
+|    <p data-{{ /notallowed }}=0></p>
+|    <p data-{{ ^notallowed }}=0></p>
+|    <p data-{{ >notallowed }}=0></p>
+|    <p {{ #notallowed }}class=foo{{ /notallowed }}>
+|    <p {{ #notallowed }}class{{ /notallowed }}>
+|    <p title="{{{ notallowed }}}"></p>
+|    <p title="{{ &notallowed }}"></p>
+|    <p title="{{ >notallowed }}"></p>
+|    <p title="{{& notallowed }}"></p>
+|    <p title="{{> notallowed }}"></p>
+|    <p title="{{ & notallowed }}"></p>
+|    <p title="{{ > notallowed }}"></p>
+|
+|    <!-- Note, this is allowed by the validator, but it is critical that it
+|         be sanitized by the runtime. If the runtime allowed this, then after
+|         rendering (assuming #off was null) we would have:
+|        <a href="javascript:alert('foo')"></a>
+|     -->
+|    <a href="{{#off}}"></a>
+|      {{/off}}javascript:alert('foo'){{#off}}
+|    <a href="{{/off}"></a>
+|
+|    <!-- Allowed by the validator, but could lead to script execution
+|         depending on the value. -->
+|    <a href="{{foo}}"></a>
+|    <a href="java{{foo}}script:alert('foo')"></a>
+|
+|    <!-- Really tricky example that the validator allows, but the runtime
+|         must handle. Essentially if {{foo}} is an empty string, this becomes
+|         a <script> tag, otherwise, it's just a harmless comment -->
+|    <!-- comment --{{foo}}><script><!-- -->
+|
+|  </script>
+|
+|  <!-- Inside a script template, attribute value restrictions are relaxed. -->
+|  <amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{invalid}}">
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:200:0 The attribute 'autoplay' in tag 'amp-audio' is set to the invalid value '{{invalid}}'. (see https://www.ampproject.org/docs/reference/components/amp-audio) [DISALLOWED_HTML]
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:200:0 The tag 'amp-audio' requires including the 'amp-audio' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-audio) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|  <script type="text/plain" template="amp-mustache">
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:201:0 The tag 'SCRIPT type=text/plain' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|  <amp-audio src="https://example.com/audio" layout="fixed" autoplay="{{valid}}">
+|  </script>
+|
+|  <!-- Since layout calculations follow a different code path, test that layouts
+|       validate. -->
+|  <!-- See https://github.com/ampproject/amphtml/issues/2670 -->
+|  <script type="text/plain" template="amp-mustache">
+>> ^~~~~~~~~
+amp-mustache/0.1/test/validator-amp-mustache.html:208:0 The tag 'SCRIPT type=text/plain' requires including the 'amp-mustache' extension JavaScript. (see https://www.ampproject.org/docs/reference/components/amp-mustache) [MANDATORY_AMP_TAG_MISSING_OR_INCORRECT]
+|  <amp-img src="{{image.url}}" width={{image.width}} height={{image.height}}></amp-img>
+|  </script>
+|
+|  <!-- Not descendant from a template, so mustache attribute values are OK -->
+|  <p title="{{{allowed }}}"></p>
+|  <p title="{{&allowed }}"></p>
+|  <p title="{{>allowed }}"></p>
 |
 |  </body>
 |  </html>