Merge pull request #257 from rjackson/update-ember

Update Ember to mitigate CVE-2014-0046.
Hiro Asari 2014-02-07 17:43:00 -05:00
commit 738b5a8209
2 changed files with 73 additions and 47 deletions

@ -5,7 +5,7 @@
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
* @license Licensed under MIT license
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
* @version 1.3.1
* @version 1.3.2
*/
@ -203,7 +203,7 @@ if (!Ember.testing) {
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
* @license Licensed under MIT license
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
* @version 1.3.1
* @version 1.3.2
*/
@ -286,7 +286,7 @@ var define, requireModule, require, requirejs;
@class Ember
@static
@version 1.3.1
@version 1.3.2
*/
if ('undefined' === typeof Ember) {
@ -313,10 +313,10 @@ Ember.toString = function() { return "Ember"; };
/**
@property VERSION
@type String
@default '1.3.1'
@default '1.3.2'
@static
*/
Ember.VERSION = '1.3.1';
Ember.VERSION = '1.3.2';
/**
Standard environmental variables. You can define these in a global `EmberENV`
@ -26501,6 +26501,33 @@ var handlebarsGet = Ember.Handlebars.get = function(root, path, options) {
return value;
};
/**
This method uses `Ember.Handlebars.get` to lookup a value, then ensures
that the value is escaped properly.
If `unescaped` is a truthy value then the escaping will not be performed.
@method getEscaped
@for Ember.Handlebars
@param {Object} root The object to look up the property on
@param {String} path The path to be lookedup
@param {Object} options The template's option hash
*/
Ember.Handlebars.getEscaped = function(root, path, options) {
var result = handlebarsGet(root, path, options);
if (result === null || result === undefined) {
result = "";
} else if (!(result instanceof Handlebars.SafeString)) {
result = String(result);
}
if (!options.hash.unescaped){
result = Handlebars.Utils.escapeExpression(result);
}
return result;
};
Ember.Handlebars.resolveParams = function(context, params, options) {
var resolvedParams = [], types = options.types, param, type;
@ -27458,6 +27485,7 @@ Ember._HandlebarsBoundView = Ember._MetamorphView.extend({
var get = Ember.get, set = Ember.set, fmt = Ember.String.fmt;
var handlebarsGet = Ember.Handlebars.get, normalizePath = Ember.Handlebars.normalizePath;
var handlebarsGetEscaped = Ember.Handlebars.getEscaped;
var forEach = Ember.ArrayPolyfills.forEach;
var o_create = Ember.create;
@ -27467,20 +27495,6 @@ function exists(value) {
return !Ember.isNone(value);
}
function sanitizedHandlebarsGet(currentContext, property, options) {
var result = handlebarsGet(currentContext, property, options);
if (result === null || result === undefined) {
result = "";
} else if (!(result instanceof Handlebars.SafeString)) {
result = String(result);
}
if (!options.hash.unescaped){
result = Handlebars.Utils.escapeExpression(result);
}
return result;
}
// Binds a property into the DOM. This will create a hook in DOM that the
// KVO system will look for and update if the property changes.
function bind(property, options, preserveContext, shouldDisplay, valueNormalizer, childProperties) {
@ -27551,7 +27565,7 @@ function bind(property, options, preserveContext, shouldDisplay, valueNormalizer
} else {
// The object is not observable, so just render it out and
// be done with it.
data.buffer.push(handlebarsGet(currentContext, property, options));
data.buffer.push(handlebarsGetEscaped(currentContext, property, options));
}
}
@ -27572,7 +27586,7 @@ function simpleBind(currentContext, property, options) {
Ember.run.once(view, 'rerender');
};
output = sanitizedHandlebarsGet(currentContext, property, options);
output = handlebarsGetEscaped(currentContext, property, options);
data.buffer.push(output);
} else {
@ -27598,8 +27612,7 @@ function simpleBind(currentContext, property, options) {
} else {
// The object is not observable, so just render it out and
// be done with it.
output = sanitizedHandlebarsGet(currentContext, property, options);
output = handlebarsGetEscaped(currentContext, property, options);
data.buffer.push(output);
}
}
@ -36169,7 +36182,7 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
if (linkType === 'ID') {
options.linkTextPath = linkTitle;
options.fn = function() {
return Ember.Handlebars.get(context, linkTitle, options);
return Ember.Handlebars.getEscaped(context, linkTitle, options);
};
} else {
options.fn = function() {
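Review bot: The doc block added for `Ember.Handlebars.getEscaped` promises that the value is "escaped properly" but does not mention the two cases where this function returns it unescaped: a `Handlebars.SafeString` result skips the `String()` conversion and is left unescaped by `escapeExpression`, and a truthy `options.hash.unescaped` skips escaping altogether. Because the helper is now a public method rather than the file-private `sanitizedHandlebarsGet`, I would add `@return {String|Handlebars.SafeString} the looked-up value, "" for null/undefined, HTML-escaped unless it is a SafeString or unescaped is set`, plus a sentence saying that untrusted data must never be wrapped in a SafeString before it reaches this path. `options.hash` is also dereferenced without a guard, so a caller that passes options without a hash would throw instead of escaping; `if (!(options.hash && options.hash.unescaped)) {` keeps the escape-by-default behaviour in that case. The second file section carries the same change, so the same points apply there.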

@ -5,7 +5,7 @@
* Portions Copyright 2008-2011 Apple Inc. All rights reserved.
* @license Licensed under MIT license
* See https://raw.github.com/emberjs/ember.js/master/LICENSE
* @version 1.3.1
* @version 1.3.2
*/
@ -88,7 +88,7 @@ var define, requireModule, require, requirejs;
@class Ember
@static
@version 1.3.1
@version 1.3.2
*/
if ('undefined' === typeof Ember) {
@ -115,10 +115,10 @@ Ember.toString = function() { return "Ember"; };
/**
@property VERSION
@type String
@default '1.3.1'
@default '1.3.2'
@static
*/
Ember.VERSION = '1.3.1';
Ember.VERSION = '1.3.2';
/**
Standard environmental variables. You can define these in a global `EmberENV`
@ -26203,6 +26203,33 @@ var handlebarsGet = Ember.Handlebars.get = function(root, path, options) {
return value;
};
/**
This method uses `Ember.Handlebars.get` to lookup a value, then ensures
that the value is escaped properly.
If `unescaped` is a truthy value then the escaping will not be performed.
@method getEscaped
@for Ember.Handlebars
@param {Object} root The object to look up the property on
@param {String} path The path to be lookedup
@param {Object} options The template's option hash
*/
Ember.Handlebars.getEscaped = function(root, path, options) {
var result = handlebarsGet(root, path, options);
if (result === null || result === undefined) {
result = "";
} else if (!(result instanceof Handlebars.SafeString)) {
result = String(result);
}
if (!options.hash.unescaped){
result = Handlebars.Utils.escapeExpression(result);
}
return result;
};
Ember.Handlebars.resolveParams = function(context, params, options) {
var resolvedParams = [], types = options.types, param, type;
@ -27153,6 +27180,7 @@ Ember._HandlebarsBoundView = Ember._MetamorphView.extend({
var get = Ember.get, set = Ember.set, fmt = Ember.String.fmt;
var handlebarsGet = Ember.Handlebars.get, normalizePath = Ember.Handlebars.normalizePath;
var handlebarsGetEscaped = Ember.Handlebars.getEscaped;
var forEach = Ember.ArrayPolyfills.forEach;
var o_create = Ember.create;
@ -27162,20 +27190,6 @@ function exists(value) {
return !Ember.isNone(value);
}
function sanitizedHandlebarsGet(currentContext, property, options) {
var result = handlebarsGet(currentContext, property, options);
if (result === null || result === undefined) {
result = "";
} else if (!(result instanceof Handlebars.SafeString)) {
result = String(result);
}
if (!options.hash.unescaped){
result = Handlebars.Utils.escapeExpression(result);
}
return result;
}
// Binds a property into the DOM. This will create a hook in DOM that the
// KVO system will look for and update if the property changes.
function bind(property, options, preserveContext, shouldDisplay, valueNormalizer, childProperties) {
@ -27246,7 +27260,7 @@ function bind(property, options, preserveContext, shouldDisplay, valueNormalizer
} else {
// The object is not observable, so just render it out and
// be done with it.
data.buffer.push(handlebarsGet(currentContext, property, options));
data.buffer.push(handlebarsGetEscaped(currentContext, property, options));
}
}
@ -27267,7 +27281,7 @@ function simpleBind(currentContext, property, options) {
Ember.run.once(view, 'rerender');
};
output = sanitizedHandlebarsGet(currentContext, property, options);
output = handlebarsGetEscaped(currentContext, property, options);
data.buffer.push(output);
} else {
@ -27293,8 +27307,7 @@ function simpleBind(currentContext, property, options) {
} else {
// The object is not observable, so just render it out and
// be done with it.
output = sanitizedHandlebarsGet(currentContext, property, options);
output = handlebarsGetEscaped(currentContext, property, options);
data.buffer.push(output);
}
}
@ -35790,7 +35803,7 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
if (linkType === 'ID') {
options.linkTextPath = linkTitle;
options.fn = function() {
return Ember.Handlebars.get(context, linkTitle, options);
return Ember.Handlebars.getEscaped(context, linkTitle, options);
};
} else {
options.fn = function() {