@angular/compiler 13.3.11 → 13.3.12

package/fesm2015/testing.mjs

@@ -1,5 +1,5 @@
 /**
- * @license Angular v13.3.11
+ * @license Angular v13.3.12
  * (c) 2010-2022 Google LLC. https://angular.io/
  * License: MIT
  */

package/fesm2020/compiler.mjs

@@ -1,5 +1,5 @@
 /**
- * @license Angular v13.3.11
+ * @license Angular v13.3.12
  * (c) 2010-2022 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -2933,6 +2933,7 @@ Identifiers.sanitizeUrl = { name: 'ɵɵsanitizeUrl', moduleName: CORE };
 Identifiers.sanitizeUrlOrResourceUrl = { name: 'ɵɵsanitizeUrlOrResourceUrl', moduleName: CORE };
 Identifiers.trustConstantHtml = { name: 'ɵɵtrustConstantHtml', moduleName: CORE };
 Identifiers.trustConstantResourceUrl = { name: 'ɵɵtrustConstantResourceUrl', moduleName: CORE };
+Identifiers.validateIframeAttribute = { name: 'ɵɵvalidateIframeAttribute', moduleName: CORE };
 
 /**
  * @license
@@ -7665,6 +7666,84 @@ class BuiltinFunctionCall extends Call {
     }
 }
 
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+// =================================================================================================
+// =================================================================================================
+// =========== S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P  ===========
+// =================================================================================================
+// =================================================================================================
+//
+//        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
+//                               Reach out to mprobst for details.
+//
+// =================================================================================================
+/** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
+let _SECURITY_SCHEMA;
+function SECURITY_SCHEMA() {
+    if (!_SECURITY_SCHEMA) {
+        _SECURITY_SCHEMA = {};
+        // Case is insignificant below, all element and attribute names are lower-cased for lookup.
+        registerContext(SecurityContext.HTML, [
+            'iframe|srcdoc',
+            '*|innerHTML',
+            '*|outerHTML',
+        ]);
+        registerContext(SecurityContext.STYLE, ['*|style']);
+        // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
+        registerContext(SecurityContext.URL, [
+            '*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
+            'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
+            'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
+            'source|src', 'source|srcset', 'track|src', 'video|poster', 'video|src',
+        ]);
+        registerContext(SecurityContext.RESOURCE_URL, [
+            'applet|code',
+            'applet|codebase',
+            'base|href',
+            'embed|src',
+            'frame|src',
+            'head|profile',
+            'html|manifest',
+            'iframe|src',
+            'link|href',
+            'media|src',
+            'object|codebase',
+            'object|data',
+            'script|src',
+        ]);
+    }
+    return _SECURITY_SCHEMA;
+}
+function registerContext(ctx, specs) {
+    for (const spec of specs)
+        _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
+}
+/**
+ * The set of security-sensitive attributes of an `<iframe>` that *must* be
+ * applied as a static attribute only. This ensures that all security-sensitive
+ * attributes are taken into account while creating an instance of an `<iframe>`
+ * at runtime.
+ *
+ * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
+ * in the code instead.
+ */
+const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set(['sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority']);
+/**
+ * Checks whether a given attribute name might represent a security-sensitive
+ * attribute of an <iframe>.
+ */
+function isIframeSecuritySensitiveAttr(attrName) {
+    // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
+    // before checking it against a known security-sensitive attributes.
+    return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
+}
+
 /**
  * @license
  * Copyright Google LLC All Rights Reserved.
@@ -14488,65 +14567,6 @@ function mapLiteral(obj, quoted = false) {
     })));
 }
 
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.io/license
- */
-// =================================================================================================
-// =================================================================================================
-// =========== S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P  ===========
-// =================================================================================================
-// =================================================================================================
-//
-//        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
-//                               Reach out to mprobst for details.
-//
-// =================================================================================================
-/** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
-let _SECURITY_SCHEMA;
-function SECURITY_SCHEMA() {
-    if (!_SECURITY_SCHEMA) {
-        _SECURITY_SCHEMA = {};
-        // Case is insignificant below, all element and attribute names are lower-cased for lookup.
-        registerContext(SecurityContext.HTML, [
-            'iframe|srcdoc',
-            '*|innerHTML',
-            '*|outerHTML',
-        ]);
-        registerContext(SecurityContext.STYLE, ['*|style']);
-        // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
-        registerContext(SecurityContext.URL, [
-            '*|formAction', 'area|href', 'area|ping', 'audio|src', 'a|href',
-            'a|ping', 'blockquote|cite', 'body|background', 'del|cite', 'form|action',
-            'img|src', 'img|srcset', 'input|src', 'ins|cite', 'q|cite',
-            'source|src', 'source|srcset', 'track|src', 'video|poster', 'video|src',
-        ]);
-        registerContext(SecurityContext.RESOURCE_URL, [
-            'applet|code',
-            'applet|codebase',
-            'base|href',
-            'embed|src',
-            'frame|src',
-            'head|profile',
-            'html|manifest',
-            'iframe|src',
-            'link|href',
-            'media|src',
-            'object|codebase',
-            'object|data',
-            'script|src',
-        ]);
-    }
-    return _SECURITY_SCHEMA;
-}
-function registerContext(ctx, specs) {
-    for (const spec of specs)
-        _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
-}
-
 /**
  * @license
  * Copyright Google LLC All Rights Reserved.
@@ -17543,9 +17563,19 @@ class TemplateDefinitionBuilder {
                     const params = [];
                     const [attrNamespace, attrName] = splitNsName(input.name);
                     const isAttributeBinding = inputType === 1 /* Attribute */;
-                    const sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
-                    if (sanitizationRef)
+                    let sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
+                    if (!sanitizationRef) {
+                        // If there was no sanitization function found based on the security context
+                        // of an attribute/property - check whether this attribute/property is
+                        // one of the security-sensitive <iframe> attributes (and that the current
+                        // element is actually an <iframe>).
+                        if (isIframeElement(element.name) && isIframeSecuritySensitiveAttr(input.name)) {
+                            sanitizationRef = importExpr(Identifiers.validateIframeAttribute);
+                        }
+                    }
+                    if (sanitizationRef) {
                         params.push(sanitizationRef);
+                    }
                     if (attrNamespace) {
                         const namespaceLiteral = literal(attrNamespace);
                         if (sanitizationRef) {
@@ -18611,6 +18641,9 @@ function isSingleElementTemplate(children) {
 function isTextNode(node) {
     return node instanceof Text$3 || node instanceof BoundText || node instanceof Icu$1;
 }
+function isIframeElement(tagName) {
+    return tagName.toLowerCase() === 'iframe';
+}
 function hasTextChildrenOnly(children) {
     return children.every(isTextNode);
 }
@@ -19078,6 +19111,20 @@ function createHostBindingsFunction(hostBindingsMetadata, typeSourceSpan, bindin
         if (sanitizerFn) {
             instructionParams.push(sanitizerFn);
         }
+        else {
+            // If there was no sanitization function found based on the security context
+            // of an attribute/property binding - check whether this attribute/property is
+            // one of the security-sensitive <iframe> attributes.
+            // Note: for host bindings defined on a directive, we do not try to find all
+            // possible places where it can be matched, so we can not determine whether
+            // the host element is an <iframe>. In this case, if an attribute/binding
+            // name is in the `IFRAME_SECURITY_SENSITIVE_ATTRS` set - append a validation
+            // function, which would be invoked at runtime and would have access to the
+            // underlying DOM element, check if it's an <iframe> and if so - runs extra checks.
+            if (isIframeSecuritySensitiveAttr(bindingName)) {
+                instructionParams.push(importExpr(Identifiers.validateIframeAttribute));
+            }
+        }
         updateVariables.push(...bindingExpr.stmts);
         if (instruction === Identifiers.hostProperty) {
             propertyBindings.push(instructionParams);
@@ -19783,7 +19830,7 @@ function publishFacade(global) {
  * Use of this source code is governed by an MIT-style license that can be
  * found in the LICENSE file at https://angular.io/license
  */
-const VERSION = new Version('13.3.11');
+const VERSION = new Version('13.3.12');
 
 /**
  * @license
@@ -21824,7 +21871,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$6 = '12.0.0';
 function compileDeclareClassMetadata(metadata) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$6));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('decorators', metadata.decorators);
@@ -21941,7 +21988,7 @@ function compileDeclareDirectiveFromMetadata(meta) {
 function createDirectiveDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$5));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     // e.g. `type: MyDirective`
     definitionMap.set('type', meta.internalType);
     // e.g. `selector: 'some-dir'`
@@ -22162,7 +22209,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$4 = '12.0.0';
 function compileDeclareFactoryFunction(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$4));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     definitionMap.set('deps', compileDependencies(meta.deps));
@@ -22204,7 +22251,7 @@ function compileDeclareInjectableFromMetadata(meta) {
 function createInjectableDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$3));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     // Only generate providedIn property if it has a non-null value
@@ -22262,7 +22309,7 @@ function compileDeclareInjectorFromMetadata(meta) {
 function createInjectorDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$2));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     definitionMap.set('providers', meta.providers);
@@ -22299,7 +22346,7 @@ function compileDeclareNgModuleFromMetadata(meta) {
 function createNgModuleDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$1));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     // We only generate the keys in the metadata if the arrays contain values.
@@ -22357,7 +22404,7 @@ function compileDeclarePipeFromMetadata(meta) {
 function createPipeDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION));
-    definitionMap.set('version', literal('13.3.11'));
+    definitionMap.set('version', literal('13.3.12'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     // e.g. `type: MyPipe`
     definitionMap.set('type', meta.internalType);