Add BlessStringAsTrustedResourceUrlForLegacy escaping directive. For more details refer:

1. https://docs.google.com[]document/d/13Eu-tLawTt8LsSU4Vyr41c1QU8BFqDEKnDfWp_uSfmM/edit?usp=sharing
2. https://docs.google.com[]document/d/1o75ucvux0_Y7m4FLYpyeLfqQdvURQvadhUX-FbDXzio/edit?usp=sharing
-------------
Created by MOE: https://github.com/google/moe
MOE_MIGRATED_REVID=105018708

Author: smkarwa

java/src/com/google/template/soy/basicdirectives/BasicDirectivesModule.java

@@ -60,6 +60,7 @@ public class BasicDirectivesModule extends AbstractModule {
     soyDirectivesSetBinder.addBinding().to(CleanHtmlDirective.class);
     soyDirectivesSetBinder.addBinding().to(FilterImageDataUriDirective.class);
     soyDirectivesSetBinder.addBinding().to(FilterTrustedResourceUriDirective.class);
+    soyDirectivesSetBinder.addBinding().to(BlessStringAsTrustedResourceUrlForLegacyDirective.class);
   }
 
 }

java/src/com/google/template/soy/basicdirectives/BlessStringAsTrustedResourceUrlForLegacyDirective.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2015 Google Inc.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.template.soy.basicdirectives;
+
+import com.google.common.collect.ImmutableSet;
+import com.google.template.soy.data.SoyValue;
+import com.google.template.soy.jssrc.restricted.JsExpr;
+import com.google.template.soy.jssrc.restricted.SoyJsSrcPrintDirective;
+import com.google.template.soy.pysrc.restricted.PyExpr;
+import com.google.template.soy.pysrc.restricted.SoyPySrcPrintDirective;
+import com.google.template.soy.shared.restricted.Sanitizers;
+import com.google.template.soy.shared.restricted.SoyJavaPrintDirective;
+import com.google.template.soy.shared.restricted.SoyPurePrintDirective;
+
+import java.util.List;
+import java.util.Set;
+
+import javax.inject.Inject;
+import javax.inject.Singleton;
+
+/**
+ * Implements the |blessStringAsTrustedResourceUrlForLegacy directive, which accepts resource
+ * URIs like script src and blesses them as TrustedResourceUri.
+ *
+ * <p>
+ * Note that this directive is not autoescape cancelling, and can thus be used in strict templates.
+ * The directive returns its result as an object of type SoyValue.
+ */
+@Singleton
+@SoyPurePrintDirective
+final class BlessStringAsTrustedResourceUrlForLegacyDirective implements SoyJavaPrintDirective,
+    SoyJsSrcPrintDirective, SoyPySrcPrintDirective {
+
+  private static final Set<Integer> VALID_ARGS_SIZES = ImmutableSet.of(0);
+
+  @Inject
+  public BlessStringAsTrustedResourceUrlForLegacyDirective() {}
+
+  @Override public String getName() {
+    return "|blessStringAsTrustedResourceUrlForLegacy";
+  }
+
+  @Override public final Set<Integer> getValidArgsSizes() {
+    return VALID_ARGS_SIZES;
+  }
+
+  @Override public boolean shouldCancelAutoescape() {
+    return false;
+  }
+
+  @Override public SoyValue applyForJava(SoyValue value, List<SoyValue> args) {
+    return Sanitizers.blessStringAsTrustedResourceUrlForLegacy(value);
+  }
+
+  @Override public JsExpr applyForJsSrc(JsExpr value, List<JsExpr> args) {
+    return new JsExpr("soy.$$blessStringAsTrustedResourceUrlForLegacy(" + value.getText() + ")",
+        Integer.MAX_VALUE);
+  }
+
+  @Override public PyExpr applyForPySrc(PyExpr value, List<PyExpr> args) {
+    return new PyExpr(
+        "sanitize.bless_string_as_trusted_resource_url_for_legacy(" + value.getText() + ")",
+        Integer.MAX_VALUE);
+  }
+
+}

java/src/com/google/template/soy/basicdirectives/FilterTrustedResourceUriDirective.java

@@ -42,8 +42,8 @@
  */
 @Singleton
 @SoyPurePrintDirective
-public class FilterTrustedResourceUriDirective  implements SoyJavaPrintDirective,
-    SoyJsSrcPrintDirective, SoyPySrcPrintDirective{
+final class FilterTrustedResourceUriDirective implements SoyJavaPrintDirective,
+    SoyJsSrcPrintDirective, SoyPySrcPrintDirective {
 
   private static final Set<Integer> VALID_ARGS_SIZES = ImmutableSet.of(0);
 

java/src/com/google/template/soy/parsepasses/contextautoesc/EscapingMode.java

@@ -132,7 +132,14 @@ public enum EscapingMode {
    * Makes sure there URIs are trusted and not input variables. Currently used only for script
    * sources.
    */
-  FILTER_TRUSTED_RESOURCE_URI(false, ContentKind.TRUSTED_RESOURCE_URI),
+  // TODO(shwetakarwa): Change second argument when function is implemented.
+  FILTER_TRUSTED_RESOURCE_URI(false, null),
+
+  /**
+   * Makes sure that legacy resource URI are not filtered for being not marked as trusted.
+   */
+  // TODO(shwetakarwa): Change second argument when function is implemented.
+  BLESS_STRING_AS_TRUSTED_RESOURCE_URL_FOR_LEGACY(false, null),
 
   /**
    * The explicit rejection of escaping.
@@ -154,7 +161,7 @@ public enum EscapingMode {
   public final boolean isHtmlEmbeddable;
 
   /** The kind of content produced by the escaping directive associated with this escaping mode. */
-  public final @Nullable ContentKind contentKind;
+  @Nullable public final ContentKind contentKind;
 
   /** Whether this directive is only for internal use by the contextual autoescaper. */
   public final boolean isInternalOnly;
@@ -175,7 +182,7 @@ public enum EscapingMode {
   /**
    * The escaping mode corresponding to the given directive or null.
    */
-  public static @Nullable EscapingMode fromDirective(String directiveName) {
+  @Nullable public static EscapingMode fromDirective(String directiveName) {
     return DIRECTIVE_TO_ESCAPING_MODE.get(directiveName);
   }
 

java/src/com/google/template/soy/shared/restricted/Sanitizers.java

@@ -454,8 +454,8 @@ public static String filterNormalizeMediaUri(String value) {
 
 
   /**
-   * This is supposed to make sure the the given input is an instance of either trustedResourceUrl
-   * or trustedString. But for now only calls filterNormalizeUri.
+   * This is supposed to make sure the given input is an instance of either trustedResourceUrl
+   * or trustedString. But for now only return the value coerced to string.
    */
   public static SoyValue filterTrustedResourceUri(SoyValue value) {
     // TODO(shwetakarwa): This needs to be changed once all the legacy URLs are taken care of.
@@ -464,15 +464,35 @@ public static SoyValue filterTrustedResourceUri(SoyValue value) {
 
 
   /**
-   * Makes sure that the given input doesn't specify a dangerous protocol and also
-   * {@link #normalizeUri normalizes} it.
+   * For string inputs this function just returns the input string itself change to SoyValue.
    */
   public static SoyValue filterTrustedResourceUri(String value) {
     // TODO(shwetakarwa): This needs to be changed once all the legacy URLs are taken care of. Will
     // probably need to return string.
     return StringData.forValue(value);
   }
 
+  /**
+   * For any resource string/variable which has
+   * |blessStringAsTrustedResuorceUrlForLegacy directive unsafely changes it to
+   * sanitizedContent of kind TRUSTED_RESOURCE_URI.
+   */
+  public static SoyValue blessStringAsTrustedResourceUrlForLegacy(SoyValue value) {
+    // TODO(shwetakarwa): Implement this while implementing filterTrustedResourceUri.
+    return value;
+  }
+
+
+  /**
+   * For any resource string/variable which has
+   * |blessStringAsTrustedResuorceUrlForLegacy directive unsafely changes it to
+   * sanitizedContent of kind TRUSTED_RESOURCE_URI.
+   */
+  public static SoyValue blessStringAsTrustedResourceUrlForLegacy(String value) {
+    // TODO(shwetakarwa): Implement this while implementing filterTrustedResourceUri.
+    return StringData.forValue(value);
+  }
+
 
   /**
    * Makes sure that the given input is a data URI corresponding to an image.

javascript/soyutils_usegoog.js

@@ -1508,6 +1508,12 @@ soy.$$filterNormalizeUri = function(value) {
     goog.asserts.assert(value.constructor === soydata.SanitizedUri);
     return soy.$$normalizeUri(value);
   }
+  if (soydata.isContentKind(value,
+      soydata.SanitizedContentKind.TRUSTED_RESOURCE_URI)) {
+    goog.asserts.assert(
+        value.constructor === soydata.SanitizedTrustedResourceUri);
+    return soy.$$normalizeUri(value);
+  }
   if (value instanceof goog.html.SafeUrl) {
     return soy.$$normalizeUri(goog.html.SafeUrl.unwrap(value));
   }
@@ -1527,10 +1533,18 @@ soy.$$filterNormalizeUri = function(value) {
  */
 soy.$$filterNormalizeMediaUri = function(value) {
   // Image URIs are filtered strictly more loosely than other types of URIs.
+  // TODO(shwetakarwa): Add tests for this in soyutils_test_helper while adding
+  // tests for filterTrustedResourceUri.
   if (soydata.isContentKind(value, soydata.SanitizedContentKind.URI)) {
     goog.asserts.assert(value.constructor === soydata.SanitizedUri);
     return soy.$$normalizeUri(value);
   }
+  if (soydata.isContentKind(value,
+      soydata.SanitizedContentKind.TRUSTED_RESOURCE_URI)) {
+    goog.asserts.assert(
+        value.constructor === soydata.SanitizedTrustedResourceUri);
+    return soy.$$normalizeUri(value);
+  }
   if (value instanceof goog.html.SafeUrl) {
     return soy.$$normalizeUri(goog.html.SafeUrl.unwrap(value));
   }
@@ -1544,8 +1558,7 @@ soy.$$filterNormalizeMediaUri = function(value) {
 /**
  * Vets a URI for usage as a resource.
  *
- * @param {*} value The value to filter. Might not be a string, but the value
- *     will be coerced to a string.
+ * @param {*} value The value to filter.
  * @return {*} current just the value.
  */
 soy.$$filterTrustedResourceUri = function(value) {
@@ -1557,6 +1570,21 @@ soy.$$filterTrustedResourceUri = function(value) {
 };
 
 
+/**
+ * For any resource string/variable which has
+ * |blessStringAsTrustedResuorceUrlForLegacy directive unsafely change it to
+ * sanitizedContent of kind TRUSTED_RESOURCE_URI.
+ *
+ * @param {*} value The value to be blessed. Might not be a string
+ * @return {*} current just the value.
+ */
+soy.$$blessStringAsTrustedResourceUrlForLegacy = function(value) {
+  // TODO(shwetakarwa): Implement this while implementing
+  // filterTrustedResourceUri.
+  return value;
+};
+
+
 /**
  * Allows only data-protocol image URI's.
  *

python/sanitize.py

@@ -251,6 +251,12 @@ def filter_trusted_resource_uri(value):
   return value
 
 
+def bless_string_as_trusted_resource_url_for_legacy(value):
+  # TODO(shwetakarwa): Change this to sanitized content of kind
+  # TRUSTED_RESOURCE_URI.
+  return value
+
+
 def normalize_html(value):
   return generated_sanitize.normalize_html_helper(value)