test('allows ' + protocol + ' protocol when element is not provided', function() {
  expect(1);

  // With no element to inspect, an allowed protocol (the loop that supplies
  // `protocol` is outside this excerpt) must pass through untouched: the
  // sanitizer's return value is compared to the input verbatim.
  var url = protocol + '://foo.com';
  var result = sanitizeAttributeValue(dom, null, 'href', url);

  equal(result, url, 'protocol not escaped');
});
test('does not block SafeStrings', function() {
  /* jshint scripturl:true */

  expect(1);

  // A SafeString is the caller's assertion that the value is already trusted,
  // so the sanitizer hands it back unchanged instead of prefixing 'unsafe:'.
  // That makes SafeString a trust boundary: it must only wrap values the
  // application itself produced, never anything derived from user input.
  var scriptUrl = 'javascript:alert("foo")';
  var result = sanitizeAttributeValue(dom, null, 'href', new SafeString(scriptUrl));

  equal(result, scriptUrl, 'protocol unescaped');
});
test('blocks blacklisted protocols', function() {
  /* jshint scripturl:true */

  expect(1);

  // The same javascript: URL, passed as a plain string, is neutralised by
  // prefixing 'unsafe:' so it no longer resolves as a javascript: scheme.
  var scriptUrl = 'javascript:alert("foo")';
  var result = sanitizeAttributeValue(dom, null, 'href', scriptUrl);

  equal(result, 'unsafe:' + scriptUrl, 'protocol escaped');
});
/**
 * Applies a template attribute to `element`.
 *
 * @param {Object} env - rendering environment; `env.data.view` and `env.dom` are used
 * @param {Object} morph - morph the attribute renders into (recorded on the AttrNode)
 * @param {Element} element - DOM element receiving the attribute
 * @param {string} attrName - attribute name
 * @param {*} attrValue - static value or stream
 * @throws {EmberError} when `attrValue` is a stream and bound attributes are disabled
 */
export default function attribute(env, morph, element, attrName, attrValue) {
  // Feature-flagged path: delegate to an AttrNode owned by the view tree,
  // remembering which morph it belongs to.
  if (boundAttributesEnabled) {
    var node = new AttrNode(attrName, attrValue);
    node._morph = morph;
    env.data.view.appendChild(node);
    return;
  }

  if (isStream(attrValue)) {
    throw new EmberError('Bound attributes are not yet supported in Ember.js');
  }

  // Static value: run it through the sanitizer before it reaches the DOM so a
  // dangerous protocol in e.g. href is neutralised rather than set verbatim.
  // NOTE(review): the tests in this file call sanitizeAttributeValue with four
  // arguments (dom, element, attrName, value); this call passes three —
  // confirm which signature the imported helper actually has.
  var safeValue = sanitizeAttributeValue(element, attrName, attrValue);
  env.dom.setProperty(element, attrName, safeValue);
}
  // Derive a sanitized stream from the raw attribute stream: each evaluation
  // reads the current value and passes it through sanitizeAttributeValue, so
  // consumers of sanitizedValue never see the unsanitized input.
  // NOTE(review): assumes chainStream re-runs the callback whenever attrValue
  // updates — confirm against the streams implementation.
  var sanitizedValue = chainStream(attrValue, function() {
    var rawValue = read(attrValue);
    return sanitizeAttributeValue(element, attrName, rawValue);
  });