Merge pull request #70 from PolymerElements/remote-src-sanitization

Allows disabling of remote src markdown
PolymerElements · Jul 10, 2017 · ae2aab9 · ae2aab9
2 parents 2f13de2 + 5bd87e3
commit ae2aab9
Show file tree

Hide file tree

Showing 3 changed files with 72 additions and 1 deletion.
diff --git a/marked-element.html b/marked-element.html
@@ -148,6 +148,17 @@
         type: Boolean,
         value: false
       },
+      /**
+       * If true, disables the default sanitization of any markdown received by
+       * a request and allows fetched unsanitized markdown
+       *
+       * e.g. fetching markdown via `src` that has HTML.
+       * Note: this value overrides `sanitize` if a request is made.
+       */
+      disableRemoteSanitization: {
+        type: Boolean,
+        value: false
+      },
       /**
        * Use "smart" typographic punctuation for things like quotes and dashes.
        */
@@ -323,7 +334,7 @@
         // Note: if we are using the file:// protocol, the status code will be 0
         // for all outcomes (successful or otherwise).
         if (status === 0 || (status >= 200 && status < 300)) {
-          this.sanitize = true;
+          this.sanitize = !this.disableRemoteSanitization;
           this.markdown = e.target.response;
         } else {
           this._handleError(e);

diff --git a/test/marked-element.html b/test/marked-element.html
@@ -158,6 +158,24 @@
     </template>
   </test-fixture>
 
+  <test-fixture id="SanitizedRemoteContent">
+    <template>
+      <marked-element>
+        <div id="output" slot="markdown-html"></div>
+        <script type="text/markdown" src="remoteSanitization.md"></script>
+      </marked-element>
+    </template>
+  </test-fixture>
+
+  <test-fixture id="UnsanitizedRemoteContent">
+    <template>
+      <marked-element disable-remote-sanitization>
+        <div id="output" slot="markdown-html"></div>
+        <script type="text/markdown" src="remoteSanitization.md"></script>
+      </marked-element>
+    </template>
+  </test-fixture>
+
   <script>
     'use strict';
 
@@ -492,6 +510,47 @@
           })
         });
       });
+
+      suite('sanitizing remote content', function() {
+        suite('sanitized', function() {
+          setup(function() {
+            markedElement = fixture('SanitizedRemoteContent');
+          });
+
+          test('sanitizes remote content', function(done) {
+            outputElement = markedElement.querySelector('#output');
+            proofElement = document.createElement('div');
+            proofElement.innerHTML = '<p>&lt;div&gt;&lt;/div&gt;</p>\n';
+
+            markedElement.addEventListener('marked-loadend', function() {
+              assert.isTrue(markedElement.sanitize);
+              assert.isNotTrue(markedElement.disableRemoteSanitization);
+              expect(outputElement.innerHTML).to.equal(proofElement.innerHTML);
+              done();
+            });
+          });
+        });
+
+        suite('unsanitized', function() {
+          setup(function() {
+            markedElement = fixture('UnsanitizedRemoteContent');
+          });
+
+          test('does not sanitize remote content', function(done) {
+            outputElement = markedElement.querySelector('#output');
+            proofElement = document.createElement('div');
+            var div = document.createElement('div');
+            proofElement.innerHTML = '<div></div>';
+
+            markedElement.addEventListener('marked-loadend', function() {
+              assert.isNotTrue(markedElement.sanitize);
+              assert.isTrue(markedElement.disableRemoteSanitization);
+              expect(outputElement.innerHTML).to.equal(proofElement.innerHTML);
+              done();
+            });
+          });
+        });
+      });
     });
 
     suite('events', function() {

diff --git a/test/remoteSanitization.md b/test/remoteSanitization.md
@@ -0,0 +1 @@
+<div></div>