Moved the inline script tag for the server data to a data attribute o…

…n the

body.

Prevents some XSS attacks.
Also moved the now required parsing to it's own module query/serverData.

We should prevent most XSS-Attacks now.

Closes #151

src/modules/Request.js

@@ -1,7 +1,8 @@
 define([
   '../core',
-  '../modules/uniqueId'
-], function (blocks, uniqueId) {
+  '../modules/uniqueId',
+  '../query/serverData'
+], function (blocks, uniqueId, serverData) {
   function Request(options) {
     this.options = blocks.extend({}, Request.Defaults, options);
     this.execute();
@@ -56,7 +57,6 @@
   Request.prototype = {
     execute: function () {
       var options = this.options;
-      var serverData = window.__blocksServerData__;
 
       if (options.type == 'GET' && options.data) {
         this.appendDataToUrl(options.data);

src/mvc/Application.js

@@ -7,8 +7,9 @@ define([
   './Collection',
   './View',
   './Property',
-  './bindContext'
-], function (blocks, clonePrototype, Router, History, Model, Collection, View, Property, bindContext) {
+  './bindContext',
+  '../query/serverData'
+], function (blocks, clonePrototype, Router, History, Model, Collection, View, Property, bindContext, serverData) {
 
   var application;
   blocks.Application = function (options) {
@@ -292,7 +293,7 @@ define([
     start: function (element) {
       if (!this._started) {
         this._started = true;
-        this._serverData = window.__blocksServerData__;
+        this._serverData = serverData;
 
         if (this._serverData && this._serverData.baseUrl) {
           this._router._setBaseUrl(this._serverData.baseUrl);
@@ -319,7 +320,6 @@ define([
     },
 
     _ready: function (element) {
-      this._serverData = window.__blocksServerData__;
       this._startHistory();
       blocks.query(this, element);
       this._viewsReady(this._views);

src/node/ServerEnv.js

@@ -44,43 +44,43 @@ define([
 
     _ready: function () {
       var node = this._node;
-      
+
       while (this.isReady()) {
         if (!node.isRoot) {
-          node.callback();  
+          node.callback();
         }
         this._node = node = this._next(node);
-        
+
         if (node === this._root) {
           break;
         }
       }
     },
-    
+
     _next: function (node) {
       var parent = node;
       var next;
-      
+
       while (!next && parent) {
         next = parent.nodes.pop();
         parent = parent.parent;
       }
-      
+
       return next || this._root;
     },
-    
+
     _createBubbleNode: function (parent, callback) {
       var node = {
         isRoot: !parent,
         parent: parent,
         callback: callback,
         nodes: []
       };
-      
+
       if (parent) {
         parent.nodes.unshift(node);
       }
-      
+
       return node;
     }
   };

src/node/executePageScripts.js

@@ -60,7 +60,7 @@ define([
     if (application) {
       application._createViews();
       application._startHistory();
-      
+
       server.await(function () {
         blocks.query(application);
         blocks.each(application._views, function (view) {
@@ -70,10 +70,10 @@ define([
           if (view.isActive()) {
             hasActive = true;
           }
-        });  
+        });
       });
     }
-    
+
     server.await(function () {
       if (hasRoute && !hasActive) {
         callback('not found', null);

src/node/overrides.js

@@ -5,8 +5,9 @@ define([
   '../query/DomQuery',
   '../query/VirtualElement',
   '../mvc/Application',
-  './parseToVirtual'
-], function (blocks, Request, dataIdAttr, DomQuery, VirtualElement, Application, parseToVirtual) {
+  './parseToVirtual',
+  '../modules/Escape'
+], function (blocks, Request, dataIdAttr, DomQuery, VirtualElement, Application, parseToVirtual, Escape) {
   var eachQuery = blocks.queries.each.preprocess;
 
   blocks.queries.each.preprocess = function (domQuery, collection) {
@@ -48,11 +49,11 @@ define([
 
     server.await(function () {
       if (head) {
-        head.children().splice(0, 0, getServerDataScript());
         if (server.options.baseTag) {
           head.children().splice(0, 0, getBaseTag());
         }
       }
+      body.attr('data-blocks-server-data', JSON.stringify(server.data));
       server.rendered = root.renderChildren();
     });
   }
@@ -79,17 +80,13 @@ define([
     return VirtualElement('base').attr('href', baseUrl);
   }
 
-  function getServerDataScript() {
-    return VirtualElement('script').html('window.__blocksServerData__ = ' + JSON.stringify(server.data)).render();
-  }
-
   var executeExpressionValue = Expression.Execute;
   var commentRegEx = /^<!-- ([0-9]+):/;
-  
+
   Expression.Execute = function (context, elementData, expressionData, entireExpression) {
     var value = executeExpressionValue(context, elementData, expressionData, entireExpression);
     var regExResult = commentRegEx.exec(value);
-    
+
     if (regExResult) {
       elementData = ElementsData.byId(regExResult[1]);
     }
@@ -149,11 +146,11 @@ define([
 
   blocks.observable.fn.array.reset = function (array) {
     this.removeAll();
-    
+
     if (arguments.length > 0) {
       this.addMany(blocks.unwrap(array));
     }
-    
+
     return this;
   };
 
@@ -173,7 +170,7 @@ define([
     }
 
     if (blocks.startsWith(url, 'http') || blocks.startsWith(url, 'www')) {
-
+      // TODO implement
     } else {
       relativeUrl = path.join(server.options.static, url);
       if (this.options.isView) {

src/node/parseToVirtual.js

@@ -83,7 +83,7 @@ define([
       var newParent = parent._parent;
 
       if (parent && parent.tagName() !== tagName.toLowerCase()) {
-        //@todo Improve with adding information about the location inside the file.
+        //TODO Improve with adding information about the location inside the file.
         console.warn('tag missmatch found closing tag for ' + tagName + ' while expecting to close ' + parent.tagName() + '!');
       }
 

src/query/createVirtual.js

@@ -4,10 +4,10 @@ define([
   './browser',
   './Expression',
   './VirtualElement',
-  './VirtualComment'
-], function (trimRegExp, dataQueryAttr, browser, Expression, VirtualElement, VirtualComment) {
+  './VirtualComment',
+  './serverData'
+], function (trimRegExp, dataQueryAttr, browser, Expression, VirtualElement, VirtualComment, serverData) {
   function createVirtual(htmlElement, parentElement) {
-    var serverData = window.__blocksServerData__;
     var elements = [];
     var element;
     var tagName;

src/query/methods.js

@@ -5,8 +5,9 @@ define([
   './createVirtual',
   './DomQuery',
   './VirtualElement',
-  './ElementsData'
-], function (blocks, dataQueryAttr, OBSERVABLE, createVirtual, DomQuery, VirtualElement, ElementsData) {
+  './ElementsData',
+  './serverData'
+], function (blocks, dataQueryAttr, OBSERVABLE, createVirtual, DomQuery, VirtualElement, ElementsData, serverData) {
   /**
    * Performs a query operation on the DOM. Executes all data-query attributes
    * and renders the html result to the specified HTMLElement if not specified
@@ -36,7 +37,6 @@ define([
 
         var domQuery = new DomQuery();
         var rootElement = createVirtual(element)[0];
-        var serverData = window.__blocksServerData__;
 
         domQuery.pushContext(model);
         domQuery._serverData = serverData;

src/query/serverData.js

@@ -0,0 +1,13 @@
+define([
+], function () {
+	var serverData = null;
+	if (document && document.body) {
+		var data = document.body.getAttribute('data-blocks-server-data');
+		if (data) {
+			document.body.removeAttribute('data-blocks-server-data');
+			/* global JSON */
+			serverData = JSON.parse(data.replace('"', '"'));
+		}
+	}
+	return serverData;
+});