[SECURITY CVE-2014-0046] Ensure link-to non-block escapes title.

Conflicts:
	packages/ember-routing/lib/helpers/link_to.js
	packages/ember/tests/helpers/link_to_test.js

Author: rwjblue

packages/ember-routing/lib/helpers/link_to.js

@@ -732,7 +732,16 @@ Ember.onLoad('Ember.Handlebars', function(Handlebars) {
         if (linkType === 'ID') {
           options.linkTextPath = linkTitle;
           options.fn = function() {
-            return Ember.Handlebars.get(context, linkTitle, options);
+            var result = Ember.Handlebars.get(context, linkTitle, options);
+            if (result === null || result === undefined) {
+              result = "";
+            } else if (!(result instanceof Handlebars.SafeString)) {
+              result = String(result);
+            }
+            if (!options.hash.unescaped){
+              result = Handlebars.Utils.escapeExpression(result);
+            }
+            return result;
           };
         } else {
           options.fn = function() {

packages/ember/tests/helpers/link_to_test.js

@@ -1140,3 +1140,25 @@ if (Ember.FEATURES.isEnabled('link-to-non-block')) {
     assertEquality('/about');
   });
 }
+
+test("The non-block form {{link-to}} protects against XSS", function() {
+  Ember.TEMPLATES.application = Ember.Handlebars.compile("{{link-to display 'index' id='link'}}");
+
+  App.ApplicationController = Ember.Controller.extend({
+    display: 'blahzorz'
+  });
+
+  bootApplication();
+
+  Ember.run(router, 'handleURL', '/');
+
+  var controller = container.lookup('controller:application');
+
+  equal(Ember.$('#link', '#qunit-fixture').text(), 'blahzorz');
+  Ember.run(function() {
+    controller.set('display', '<b>BLAMMO</b>');
+  });
+
+  equal(Ember.$('#link', '#qunit-fixture').text(), '<b>BLAMMO</b>');
+  equal(Ember.$('b', '#qunit-fixture').length, 0);
+});