fix(compiler): move detection of unsafe properties for binding to ElementSchemaRegistry (#11378)

2016-09-28 02:10:02 +02:00
parent 3a5b4882bc
commit 61129fa12d
8 changed files with 1512 additions and 1395 deletions
--- a/modules/@angular/compiler/src/schema/dom_element_schema_registry.ts
+++ b/modules/@angular/compiler/src/schema/dom_element_schema_registry.ts
@ -344,4 +344,26 @@ export class DomElementSchemaRegistry extends ElementSchemaRegistry {
  getMappedPropName(propName: string): string { return _ATTR_TO_PROP[propName] || propName; }

  getDefaultComponentElementName(): string { return 'ng-component'; }
+
+  validateProperty(name: string): {error: boolean, msg?: string} {
+    if (name.toLowerCase().startsWith('on')) {
+      const msg = `Binding to event property '${name}' is disallowed for security reasons, ` +
+          `please use (${name.slice(2)})=...` +
+          `\nIf '${name}' is a directive input, make sure the directive is imported by the` +
+          ` current module.`;
+      return {error: true, msg: msg};
+    } else {
+      return {error: false};
+    }
+  }
+
+  validateAttribute(name: string): {error: boolean, msg?: string} {
+    if (name.toLowerCase().startsWith('on')) {
+      const msg = `Binding to event attribute '${name}' is disallowed for security reasons, ` +
+          `please use (${name.slice(2)})=...`;
+      return {error: true, msg: msg};
+    } else {
+      return {error: false};
+    }
+  }
 }
--- a/modules/@angular/compiler/src/schema/element_schema_registry.ts
+++ b/modules/@angular/compiler/src/schema/element_schema_registry.ts
@ -14,4 +14,6 @@ export abstract class ElementSchemaRegistry {
  abstract securityContext(tagName: string, propName: string): any;
  abstract getMappedPropName(propName: string): string;
  abstract getDefaultComponentElementName(): string;
+  abstract validateProperty(name: string): {error: boolean, msg?: string};
+  abstract validateAttribute(name: string): {error: boolean, msg?: string};
 }