@angular/compiler 14.2.11 → 14.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (21) hide show
  1. package/esm2020/src/render3/partial/class_metadata.mjs +1 -1
  2. package/esm2020/src/render3/partial/directive.mjs +1 -1
  3. package/esm2020/src/render3/partial/factory.mjs +1 -1
  4. package/esm2020/src/render3/partial/injectable.mjs +1 -1
  5. package/esm2020/src/render3/partial/injector.mjs +1 -1
  6. package/esm2020/src/render3/partial/ng_module.mjs +1 -1
  7. package/esm2020/src/render3/partial/pipe.mjs +1 -1
  8. package/esm2020/src/render3/r3_identifiers.mjs +2 -1
  9. package/esm2020/src/render3/view/compiler.mjs +16 -1
  10. package/esm2020/src/render3/view/template.mjs +17 -3
  11. package/esm2020/src/schema/dom_security_schema.mjs +20 -1
  12. package/esm2020/src/version.mjs +1 -1
  13. package/fesm2015/compiler.mjs +131 -84
  14. package/fesm2015/compiler.mjs.map +1 -1
  15. package/fesm2015/testing.mjs +1 -1
  16. package/fesm2020/compiler.mjs +131 -84
  17. package/fesm2020/compiler.mjs.map +1 -1
  18. package/fesm2020/testing.mjs +1 -1
  19. package/index.d.ts +2 -1
  20. package/package.json +2 -2
  21. package/testing/index.d.ts +1 -1
package/esm2020/src/schema/dom_security_schema.mjs CHANGED
@@ -71,4 +71,23 @@ function registerContext(ctx, specs) {
71
71
  for (const spec of specs)
72
72
  _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
73
73
  }
74
- //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZG9tX3NlY3VyaXR5X3NjaGVtYS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uLy4uL3BhY2thZ2VzL2NvbXBpbGVyL3NyYy9zY2hlbWEvZG9tX3NlY3VyaXR5X3NjaGVtYS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7Ozs7O0dBTUc7QUFFSCxPQUFPLEVBQUMsZUFBZSxFQUFDLE1BQU0sU0FBUyxDQUFDO0FBRXhDLG9HQUFvRztBQUNwRyxvR0FBb0c7QUFDcEcsb0dBQW9HO0FBQ3BHLG9HQUFvRztBQUNwRyxvR0FBb0c7QUFDcEcsRUFBRTtBQUNGLDJGQUEyRjtBQUMzRixrRUFBa0U7QUFDbEUsRUFBRTtBQUNGLG9HQUFvRztBQUVwRyxpR0FBaUc7QUFDakcsSUFBSSxnQkFBaUQsQ0FBQztBQUV0RCxNQUFNLFVBQVUsZUFBZTtJQUM3QixJQUFJLENBQUMsZ0JBQWdCLEVBQUU7UUFDckIsZ0JBQWdCLEdBQUcsRUFBRSxDQUFDO1FBQ3RCLDJGQUEyRjtRQUUzRixlQUFlLENBQUMsZUFBZSxDQUFDLElBQUksRUFBRTtZQUNwQyxlQUFlO1lBQ2YsYUFBYTtZQUNiLGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxlQUFlLENBQUMsZUFBZSxDQUFDLEtBQUssRUFBRSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7UUFDcEQsd0ZBQXdGO1FBQ3hGLGVBQWUsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFO1lBQ25DLGNBQWM7WUFDZCxXQUFXO1lBQ1gsV0FBVztZQUNYLFdBQVc7WUFDWCxRQUFRO1lBQ1IsUUFBUTtZQUNSLGlCQUFpQjtZQUNqQixpQkFBaUI7WUFDakIsVUFBVTtZQUNWLGFBQWE7WUFDYixTQUFTO1lBQ1QsV0FBVztZQUNYLFVBQVU7WUFDVixRQUFRO1lBQ1IsWUFBWTtZQUNaLFdBQVc7WUFDWCxjQUFjO1lBQ2QsV0FBVztTQUNaLENBQUMsQ0FBQztRQUNILGVBQWUsQ0FBQyxlQUFlLENBQUMsWUFBWSxFQUFFO1lBQzVDLGFBQWE7WUFDYixpQkFBaUI7WUFDakIsV0FBVztZQUNYLFdBQVc7WUFDWCxXQUFXO1lBQ1gsY0FBYztZQUNkLGVBQWU7WUFDZixZQUFZO1lBQ1osV0FBVztZQUNYLFdBQVc7WUFDWCxpQkFBaUI7WUFDakIsYUFBYTtZQUNiLFlBQVk7U0FDYixDQUFDLENBQUM7S0FDSjtJQUNELE9BQU8sZ0JBQWdCLENBQUM7QUFDMUIsQ0FBQztBQUVELFNBQVMsZUFBZSxDQUFDLEdBQW9CLEVBQUUsS0FBZTtJQUM1RCxLQUFLLE1BQU0sSUFBSSxJQUFJLEtBQUs7UUFBRSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUMsR0FBRyxHQUFHLENBQUM7QUFDdkUsQ0FBQyIsInNvdXJjZXNDb250ZW50IjpbIi8qKlxuICogQGxpY2Vuc2VcbiAqIENvcHlyaWdodCBHb29nbGUgTExDIEFsbCBSaWdodHMgUmVzZXJ2ZWQuXG4gKlxuICogVXNlIG9mIHRoaXMgc291cmNlIGNvZGUgaXMgZ292ZXJuZWQgYnkgYW4gTUlULXN0eWxlIGxpY2Vuc2UgdGhhdCBjYW4gYmVcbiAqIGZvdW5kIGluIHRoZSBMSUNFTlNFIGZpbGUgYXQgaHR0cHM6Ly9hbmd1bGFyLmlvL2xpY2Vuc2VcbiAqL1xuXG5pbXBvcnQge1NlY3VyaXR5Q29udGV4dH0gZnJvbSAnLi4vY29yZSc7XG5cbi8vID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cbi8vID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cbi8vID09PT09PT09PT09IFMgVCBPIFAgICAtICBTIFQgTyBQICAgLSAgUyBUIE8gUCAgIC0gIFMgVCBPIFAgICAtICBTIFQgTyBQICAgLSAgUyBUIE8gUCAgPT09PT09PT09PT1cbi8vID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cbi8vID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cbi8vXG4vLyAgICAgICAgRE8gTk9UIEVESVQgVEhJUyBMSVNUIE9GIFNFQ1VSSVRZIFNFTlNJVElWRSBQUk9QRVJUSUVTIFdJVEhPVVQgQSBTRUNVUklUWSBSRVZJRVchXG4vLyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBSZWFjaCBvdXQgdG8gbXByb2JzdCBmb3IgZGV0YWlscy5cbi8vXG4vLyA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09XG5cbi8qKiBNYXAgZnJvbSB0YWdOYW1lfHByb3BlcnR5TmFtZSB0byBTZWN1cml0eUNvbnRleHQuIFByb3BlcnRpZXMgYXBwbHlpbmcgdG8gYWxsIHRhZ3MgdXNlICcqJy4gKi9cbmxldCBfU0VDVVJJVFlfU0NIRU1BIToge1trOiBzdHJpbmddOiBTZWN1cml0eUNvbnRleHR9O1xuXG5leHBvcnQgZnVuY3Rpb24gU0VDVVJJVFlfU0NIRU1BKCk6IHtbazogc3RyaW5nXTogU2VjdXJpdHlDb250ZXh0fSB7XG4gIGlmICghX1NFQ1VSSVRZX1NDSEVNQSkge1xuICAgIF9TRUNVUklUWV9TQ0hFTUEgPSB7fTtcbiAgICAvLyBDYXNlIGlzIGluc2lnbmlmaWNhbnQgYmVsb3csIGFsbCBlbGVtZW50IGFuZCBhdHRyaWJ1dGUgbmFtZXMgYXJlIGxvd2VyLWNhc2VkIGZvciBsb29rdXAuXG5cbiAgICByZWdpc3RlckNvbnRleHQoU2VjdXJpdHlDb250ZXh0LkhUTUwsIFtcbiAgICAgICdpZnJhbWV8c3JjZG9jJyxcbiAgICAgICcqfGlubmVySFRNTCcsXG4gICAgICAnKnxvdXRlckhUTUwnLFxuICAgIF0pO1xuICAgIHJlZ2lzdGVyQ29udGV4dChTZWN1cml0eUNvbnRleHQuU1RZTEUsIFsnKnxzdHlsZSddKTtcbiAgICAvLyBOQjogbm8gU0NSSVBUIGNvbnRleHRzIGhlcmUsIHRoZXkgYXJlIG5ldmVyIGFsbG93ZWQgZHVlIHRvIHRoZSBwYXJzZXIgc3RyaXBwaW5nIHRoZW0uXG4gICAgcmVnaXN0ZXJDb250ZXh0KFNlY3VyaXR5Q29udGV4dC5VUkwsIFtcbiAgICAgICcqfGZvcm1BY3Rpb24nLFxuICAgICAgJ2FyZWF8aHJlZicsXG4gICAgICAnYXJlYXxwaW5nJyxcbiAgICAgICdhdWRpb3xzcmMnLFxuICAgICAgJ2F8aHJlZicsXG4gICAgICAnYXxwaW5nJyxcbiAgICAgICdibG9ja3F1b3RlfGNpdGUnLFxuICAgICAgJ2JvZHl8YmFja2dyb3VuZCcsXG4gICAgICAnZGVsfGNpdGUnLFxuICAgICAgJ2Zvcm18YWN0aW9uJyxcbiAgICAgICdpbWd8c3JjJyxcbiAgICAgICdpbnB1dHxzcmMnLFxuICAgICAgJ2luc3xjaXRlJyxcbiAgICAgICdxfGNpdGUnLFxuICAgICAgJ3NvdXJjZXxzcmMnLFxuICAgICAgJ3RyYWNrfHNyYycsXG4gICAgICAndmlkZW98cG9zdGVyJyxcbiAgICAgICd2aWRlb3xzcmMnLFxuICAgIF0pO1xuICAgIHJlZ2lzdGVyQ29udGV4dChTZWN1cml0eUNvbnRleHQuUkVTT1VSQ0VfVVJMLCBbXG4gICAgICAnYXBwbGV0fGNvZGUnLFxuICAgICAgJ2FwcGxldHxjb2RlYmFzZScsXG4gICAgICAnYmFzZXxocmVmJyxcbiAgICAgICdlbWJlZHxzcmMnLFxuICAgICAgJ2ZyYW1lfHNyYycsXG4gICAgICAnaGVhZHxwcm9maWxlJyxcbiAgICAgICdodG1sfG1hbmlmZXN0JyxcbiAgICAgICdpZnJhbWV8c3JjJyxcbiAgICAgICdsaW5rfGhyZWYnLFxuICAgICAgJ21lZGlhfHNyYycsXG4gICAgICAnb2JqZWN0fGNvZGViYXNlJyxcbiAgICAgICdvYmplY3R8ZGF0YScsXG4gICAgICAnc2NyaXB0fHNyYycsXG4gICAgXSk7XG4gIH1cbiAgcmV0dXJuIF9TRUNVUklUWV9TQ0hFTUE7XG59XG5cbmZ1bmN0aW9uIHJlZ2lzdGVyQ29udGV4dChjdHg6IFNlY3VyaXR5Q29udGV4dCwgc3BlY3M6IHN0cmluZ1tdKSB7XG4gIGZvciAoY29uc3Qgc3BlYyBvZiBzcGVjcykgX1NFQ1VSSVRZX1NDSEVNQVtzcGVjLnRvTG93ZXJDYXNlKCldID0gY3R4O1xufVxuIl19
74
+ /**
75
+ * The set of security-sensitive attributes of an `<iframe>` that *must* be
76
+ * applied as a static attribute only. This ensures that all security-sensitive
77
+ * attributes are taken into account while creating an instance of an `<iframe>`
78
+ * at runtime.
79
+ *
80
+ * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
81
+ * in the code instead.
82
+ */
83
+ export const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set(['sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority']);
84
+ /**
85
+ * Checks whether a given attribute name might represent a security-sensitive
86
+ * attribute of an <iframe>.
87
+ */
88
+ export function isIframeSecuritySensitiveAttr(attrName) {
89
+ // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
90
+ // before checking it against a known security-sensitive attributes.
91
+ return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
92
+ }
93
+ //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoiZG9tX3NlY3VyaXR5X3NjaGVtYS5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uLy4uL3BhY2thZ2VzL2NvbXBpbGVyL3NyYy9zY2hlbWEvZG9tX3NlY3VyaXR5X3NjaGVtYS50cyJdLCJuYW1lcyI6W10sIm1hcHBpbmdzIjoiQUFBQTs7Ozs7O0dBTUc7QUFFSCxPQUFPLEVBQUMsZUFBZSxFQUFDLE1BQU0sU0FBUyxDQUFDO0FBRXhDLG9HQUFvRztBQUNwRyxvR0FBb0c7QUFDcEcsb0dBQW9HO0FBQ3BHLG9HQUFvRztBQUNwRyxvR0FBb0c7QUFDcEcsRUFBRTtBQUNGLDJGQUEyRjtBQUMzRixrRUFBa0U7QUFDbEUsRUFBRTtBQUNGLG9HQUFvRztBQUVwRyxpR0FBaUc7QUFDakcsSUFBSSxnQkFBaUQsQ0FBQztBQUV0RCxNQUFNLFVBQVUsZUFBZTtJQUM3QixJQUFJLENBQUMsZ0JBQWdCLEVBQUU7UUFDckIsZ0JBQWdCLEdBQUcsRUFBRSxDQUFDO1FBQ3RCLDJGQUEyRjtRQUUzRixlQUFlLENBQUMsZUFBZSxDQUFDLElBQUksRUFBRTtZQUNwQyxlQUFlO1lBQ2YsYUFBYTtZQUNiLGFBQWE7U0FDZCxDQUFDLENBQUM7UUFDSCxlQUFlLENBQUMsZUFBZSxDQUFDLEtBQUssRUFBRSxDQUFDLFNBQVMsQ0FBQyxDQUFDLENBQUM7UUFDcEQsd0ZBQXdGO1FBQ3hGLGVBQWUsQ0FBQyxlQUFlLENBQUMsR0FBRyxFQUFFO1lBQ25DLGNBQWM7WUFDZCxXQUFXO1lBQ1gsV0FBVztZQUNYLFdBQVc7WUFDWCxRQUFRO1lBQ1IsUUFBUTtZQUNSLGlCQUFpQjtZQUNqQixpQkFBaUI7WUFDakIsVUFBVTtZQUNWLGFBQWE7WUFDYixTQUFTO1lBQ1QsV0FBVztZQUNYLFVBQVU7WUFDVixRQUFRO1lBQ1IsWUFBWTtZQUNaLFdBQVc7WUFDWCxjQUFjO1lBQ2QsV0FBVztTQUNaLENBQUMsQ0FBQztRQUNILGVBQWUsQ0FBQyxlQUFlLENBQUMsWUFBWSxFQUFFO1lBQzVDLGFBQWE7WUFDYixpQkFBaUI7WUFDakIsV0FBVztZQUNYLFdBQVc7WUFDWCxXQUFXO1lBQ1gsY0FBYztZQUNkLGVBQWU7WUFDZixZQUFZO1lBQ1osV0FBVztZQUNYLFdBQVc7WUFDWCxpQkFBaUI7WUFDakIsYUFBYTtZQUNiLFlBQVk7U0FDYixDQUFDLENBQUM7S0FDSjtJQUNELE9BQU8sZ0JBQWdCLENBQUM7QUFDMUIsQ0FBQztBQUVELFNBQVMsZUFBZSxDQUFDLEdBQW9CLEVBQUUsS0FBZTtJQUM1RCxLQUFLLE1BQU0sSUFBSSxJQUFJLEtBQUs7UUFBRSxnQkFBZ0IsQ0FBQyxJQUFJLENBQUMsV0FBVyxFQUFFLENBQUMsR0FBRyxHQUFHLENBQUM7QUFDdkUsQ0FBQztBQUVEOzs7Ozs7OztHQVFHO0FBQ0gsTUFBTSxDQUFDLE1BQU0sK0JBQStCLEdBQ3hDLElBQUksR0FBRyxDQUFDLENBQUMsU0FBUyxFQUFFLE9BQU8sRUFBRSxpQkFBaUIsRUFBRSxnQkFBZ0IsRUFBRSxLQUFLLEVBQUUsZUFBZSxDQUFDLENBQUMsQ0FBQztBQUUvRjs7O0dBR0c7QUFDSCxNQUFNLFVBQVUsNkJBQTZCLENBQUMsUUFBZ0I7SUFDNUQsNEVBQTRFO0lBQzVFLG9FQUFvRTtJQUNwRSxPQUFPLCtCQUErQixDQUFDLEdBQUcsQ0FBQyxRQUFRLENBQUMsV0FBVyxFQUFFLENBQUMsQ0FBQztBQUNyRSxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiLyoqXG4gKiBAbGljZW5zZVxuICogQ29weXJpZ2h0IEdvb2dsZSBMTEMgQWxsIFJpZ2h0cyBSZXNlcnZlZC5cbiAqXG4gKiBVc2Ugb2YgdGhpcyBzb3VyY2UgY29kZSBpcyBnb3Zlcm5lZCBieSBhbiBNSVQtc3R5bGUgbGljZW5zZSB0aGF0IGNhbiBiZVxuICogZm91bmQgaW4gdGhlIExJQ0VOU0UgZmlsZSBhdCBodHRwczovL2FuZ3VsYXIuaW8vbGljZW5zZVxuICovXG5cbmltcG9ydCB7U2VjdXJpdHlDb250ZXh0fSBmcm9tICcuLi9jb3JlJztcblxuLy8gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gPT09PT09PT09PT0gUyBUIE8gUCAgIC0gIFMgVCBPIFAgICAtICBTIFQgTyBQICAgLSAgUyBUIE8gUCAgIC0gIFMgVCBPIFAgICAtICBTIFQgTyBQICA9PT09PT09PT09PVxuLy8gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy8gPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PVxuLy9cbi8vICAgICAgICBETyBOT1QgRURJVCBUSElTIExJU1QgT0YgU0VDVVJJVFkgU0VOU0lUSVZFIFBST1BFUlRJRVMgV0lUSE9VVCBBIFNFQ1VSSVRZIFJFVklFVyFcbi8vICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFJlYWNoIG91dCB0byBtcHJvYnN0IGZvciBkZXRhaWxzLlxuLy9cbi8vID09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT1cblxuLyoqIE1hcCBmcm9tIHRhZ05hbWV8cHJvcGVydHlOYW1lIHRvIFNlY3VyaXR5Q29udGV4dC4gUHJvcGVydGllcyBhcHBseWluZyB0byBhbGwgdGFncyB1c2UgJyonLiAqL1xubGV0IF9TRUNVUklUWV9TQ0hFTUEhOiB7W2s6IHN0cmluZ106IFNlY3VyaXR5Q29udGV4dH07XG5cbmV4cG9ydCBmdW5jdGlvbiBTRUNVUklUWV9TQ0hFTUEoKToge1trOiBzdHJpbmddOiBTZWN1cml0eUNvbnRleHR9IHtcbiAgaWYgKCFfU0VDVVJJVFlfU0NIRU1BKSB7XG4gICAgX1NFQ1VSSVRZX1NDSEVNQSA9IHt9O1xuICAgIC8vIENhc2UgaXMgaW5zaWduaWZpY2FudCBiZWxvdywgYWxsIGVsZW1lbnQgYW5kIGF0dHJpYnV0ZSBuYW1lcyBhcmUgbG93ZXItY2FzZWQgZm9yIGxvb2t1cC5cblxuICAgIHJlZ2lzdGVyQ29udGV4dChTZWN1cml0eUNvbnRleHQuSFRNTCwgW1xuICAgICAgJ2lmcmFtZXxzcmNkb2MnLFxuICAgICAgJyp8aW5uZXJIVE1MJyxcbiAgICAgICcqfG91dGVySFRNTCcsXG4gICAgXSk7XG4gICAgcmVnaXN0ZXJDb250ZXh0KFNlY3VyaXR5Q29udGV4dC5TVFlMRSwgWycqfHN0eWxlJ10pO1xuICAgIC8vIE5COiBubyBTQ1JJUFQgY29udGV4dHMgaGVyZSwgdGhleSBhcmUgbmV2ZXIgYWxsb3dlZCBkdWUgdG8gdGhlIHBhcnNlciBzdHJpcHBpbmcgdGhlbS5cbiAgICByZWdpc3RlckNvbnRleHQoU2VjdXJpdHlDb250ZXh0LlVSTCwgW1xuICAgICAgJyp8Zm9ybUFjdGlvbicsXG4gICAgICAnYXJlYXxocmVmJyxcbiAgICAgICdhcmVhfHBpbmcnLFxuICAgICAgJ2F1ZGlvfHNyYycsXG4gICAgICAnYXxocmVmJyxcbiAgICAgICdhfHBpbmcnLFxuICAgICAgJ2Jsb2NrcXVvdGV8Y2l0ZScsXG4gICAgICAnYm9keXxiYWNrZ3JvdW5kJyxcbiAgICAgICdkZWx8Y2l0ZScsXG4gICAgICAnZm9ybXxhY3Rpb24nLFxuICAgICAgJ2ltZ3xzcmMnLFxuICAgICAgJ2lucHV0fHNyYycsXG4gICAgICAnaW5zfGNpdGUnLFxuICAgICAgJ3F8Y2l0ZScsXG4gICAgICAnc291cmNlfHNyYycsXG4gICAgICAndHJhY2t8c3JjJyxcbiAgICAgICd2aWRlb3xwb3N0ZXInLFxuICAgICAgJ3ZpZGVvfHNyYycsXG4gICAgXSk7XG4gICAgcmVnaXN0ZXJDb250ZXh0KFNlY3VyaXR5Q29udGV4dC5SRVNPVVJDRV9VUkwsIFtcbiAgICAgICdhcHBsZXR8Y29kZScsXG4gICAgICAnYXBwbGV0fGNvZGViYXNlJyxcbiAgICAgICdiYXNlfGhyZWYnLFxuICAgICAgJ2VtYmVkfHNyYycsXG4gICAgICAnZnJhbWV8c3JjJyxcbiAgICAgICdoZWFkfHByb2ZpbGUnLFxuICAgICAgJ2h0bWx8bWFuaWZlc3QnLFxuICAgICAgJ2lmcmFtZXxzcmMnLFxuICAgICAgJ2xpbmt8aHJlZicsXG4gICAgICAnbWVkaWF8c3JjJyxcbiAgICAgICdvYmplY3R8Y29kZWJhc2UnLFxuICAgICAgJ29iamVjdHxkYXRhJyxcbiAgICAgICdzY3JpcHR8c3JjJyxcbiAgICBdKTtcbiAgfVxuICByZXR1cm4gX1NFQ1VSSVRZX1NDSEVNQTtcbn1cblxuZnVuY3Rpb24gcmVnaXN0ZXJDb250ZXh0KGN0eDogU2VjdXJpdHlDb250ZXh0LCBzcGVjczogc3RyaW5nW10pIHtcbiAgZm9yIChjb25zdCBzcGVjIG9mIHNwZWNzKSBfU0VDVVJJVFlfU0NIRU1BW3NwZWMudG9Mb3dlckNhc2UoKV0gPSBjdHg7XG59XG5cbi8qKlxuICogVGhlIHNldCBvZiBzZWN1cml0eS1zZW5zaXRpdmUgYXR0cmlidXRlcyBvZiBhbiBgPGlmcmFtZT5gIHRoYXQgKm11c3QqIGJlXG4gKiBhcHBsaWVkIGFzIGEgc3RhdGljIGF0dHJpYnV0ZSBvbmx5LiBUaGlzIGVuc3VyZXMgdGhhdCBhbGwgc2VjdXJpdHktc2Vuc2l0aXZlXG4gKiBhdHRyaWJ1dGVzIGFyZSB0YWtlbiBpbnRvIGFjY291bnQgd2hpbGUgY3JlYXRpbmcgYW4gaW5zdGFuY2Ugb2YgYW4gYDxpZnJhbWU+YFxuICogYXQgcnVudGltZS5cbiAqXG4gKiBOb3RlOiBhdm9pZCB1c2luZyB0aGlzIHNldCBkaXJlY3RseSwgdXNlIHRoZSBgaXNJZnJhbWVTZWN1cml0eVNlbnNpdGl2ZUF0dHJgIGZ1bmN0aW9uXG4gKiBpbiB0aGUgY29kZSBpbnN0ZWFkLlxuICovXG5leHBvcnQgY29uc3QgSUZSQU1FX1NFQ1VSSVRZX1NFTlNJVElWRV9BVFRSUyA9XG4gICAgbmV3IFNldChbJ3NhbmRib3gnLCAnYWxsb3cnLCAnYWxsb3dmdWxsc2NyZWVuJywgJ3JlZmVycmVycG9saWN5JywgJ2NzcCcsICdmZXRjaHByaW9yaXR5J10pO1xuXG4vKipcbiAqIENoZWNrcyB3aGV0aGVyIGEgZ2l2ZW4gYXR0cmlidXRlIG5hbWUgbWlnaHQgcmVwcmVzZW50IGEgc2VjdXJpdHktc2Vuc2l0aXZlXG4gKiBhdHRyaWJ1dGUgb2YgYW4gPGlmcmFtZT4uXG4gKi9cbmV4cG9ydCBmdW5jdGlvbiBpc0lmcmFtZVNlY3VyaXR5U2Vuc2l0aXZlQXR0cihhdHRyTmFtZTogc3RyaW5nKTogYm9vbGVhbiB7XG4gIC8vIFRoZSBgc2V0QXR0cmlidXRlYCBET00gQVBJIGlzIGNhc2UtaW5zZW5zaXRpdmUsIHNvIHdlIGxvd2VyY2FzZSB0aGUgdmFsdWVcbiAgLy8gYmVmb3JlIGNoZWNraW5nIGl0IGFnYWluc3QgYSBrbm93biBzZWN1cml0eS1zZW5zaXRpdmUgYXR0cmlidXRlcy5cbiAgcmV0dXJuIElGUkFNRV9TRUNVUklUWV9TRU5TSVRJVkVfQVRUUlMuaGFzKGF0dHJOYW1lLnRvTG93ZXJDYXNlKCkpO1xufVxuIl19
package/esm2020/src/version.mjs CHANGED
@@ -11,5 +11,5 @@
11
11
  * Entry point for all public APIs of the compiler package.
12
12
  */
13
13
  import { Version } from './util';
14
- export const VERSION = new Version('14.2.11');
14
+ export const VERSION = new Version('14.3.0');
15
15
  //# sourceMappingURL=data:application/json;base64,eyJ2ZXJzaW9uIjozLCJmaWxlIjoidmVyc2lvbi5qcyIsInNvdXJjZVJvb3QiOiIiLCJzb3VyY2VzIjpbIi4uLy4uLy4uLy4uLy4uLy4uL3BhY2thZ2VzL2NvbXBpbGVyL3NyYy92ZXJzaW9uLnRzIl0sIm5hbWVzIjpbXSwibWFwcGluZ3MiOiJBQUFBOzs7Ozs7R0FNRztBQUVIOzs7O0dBSUc7QUFFSCxPQUFPLEVBQUMsT0FBTyxFQUFDLE1BQU0sUUFBUSxDQUFDO0FBRS9CLE1BQU0sQ0FBQyxNQUFNLE9BQU8sR0FBRyxJQUFJLE9BQU8sQ0FBQyxtQkFBbUIsQ0FBQyxDQUFDIiwic291cmNlc0NvbnRlbnQiOlsiLyoqXG4gKiBAbGljZW5zZVxuICogQ29weXJpZ2h0IEdvb2dsZSBMTEMgQWxsIFJpZ2h0cyBSZXNlcnZlZC5cbiAqXG4gKiBVc2Ugb2YgdGhpcyBzb3VyY2UgY29kZSBpcyBnb3Zlcm5lZCBieSBhbiBNSVQtc3R5bGUgbGljZW5zZSB0aGF0IGNhbiBiZVxuICogZm91bmQgaW4gdGhlIExJQ0VOU0UgZmlsZSBhdCBodHRwczovL2FuZ3VsYXIuaW8vbGljZW5zZVxuICovXG5cbi8qKlxuICogQG1vZHVsZVxuICogQGRlc2NyaXB0aW9uXG4gKiBFbnRyeSBwb2ludCBmb3IgYWxsIHB1YmxpYyBBUElzIG9mIHRoZSBjb21waWxlciBwYWNrYWdlLlxuICovXG5cbmltcG9ydCB7VmVyc2lvbn0gZnJvbSAnLi91dGlsJztcblxuZXhwb3J0IGNvbnN0IFZFUlNJT04gPSBuZXcgVmVyc2lvbignMC4wLjAtUExBQ0VIT0xERVInKTtcbiJdfQ==
package/fesm2015/compiler.mjs CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @license Angular v14.2.11
2
+ * @license Angular v14.3.0
3
3
  * (c) 2010-2022 Google LLC. https://angular.io/
4
4
  * License: MIT
5
5
  */
@@ -2940,6 +2940,7 @@ Identifiers.sanitizeUrl = { name: 'ɵɵsanitizeUrl', moduleName: CORE };
2940
2940
  Identifiers.sanitizeUrlOrResourceUrl = { name: 'ɵɵsanitizeUrlOrResourceUrl', moduleName: CORE };
2941
2941
  Identifiers.trustConstantHtml = { name: 'ɵɵtrustConstantHtml', moduleName: CORE };
2942
2942
  Identifiers.trustConstantResourceUrl = { name: 'ɵɵtrustConstantResourceUrl', moduleName: CORE };
2943
+ Identifiers.validateIframeAttribute = { name: 'ɵɵvalidateIframeAttribute', moduleName: CORE };
2943
2944
 
2944
2945
  /**
2945
2946
  * @license
@@ -7673,6 +7674,98 @@ class BuiltinFunctionCall extends Call {
7673
7674
  }
7674
7675
  }
7675
7676
 
7677
+ /**
7678
+ * @license
7679
+ * Copyright Google LLC All Rights Reserved.
7680
+ *
7681
+ * Use of this source code is governed by an MIT-style license that can be
7682
+ * found in the LICENSE file at https://angular.io/license
7683
+ */
7684
+ // =================================================================================================
7685
+ // =================================================================================================
7686
+ // =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
7687
+ // =================================================================================================
7688
+ // =================================================================================================
7689
+ //
7690
+ // DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
7691
+ // Reach out to mprobst for details.
7692
+ //
7693
+ // =================================================================================================
7694
+ /** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
7695
+ let _SECURITY_SCHEMA;
7696
+ function SECURITY_SCHEMA() {
7697
+ if (!_SECURITY_SCHEMA) {
7698
+ _SECURITY_SCHEMA = {};
7699
+ // Case is insignificant below, all element and attribute names are lower-cased for lookup.
7700
+ registerContext(SecurityContext.HTML, [
7701
+ 'iframe|srcdoc',
7702
+ '*|innerHTML',
7703
+ '*|outerHTML',
7704
+ ]);
7705
+ registerContext(SecurityContext.STYLE, ['*|style']);
7706
+ // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
7707
+ registerContext(SecurityContext.URL, [
7708
+ '*|formAction',
7709
+ 'area|href',
7710
+ 'area|ping',
7711
+ 'audio|src',
7712
+ 'a|href',
7713
+ 'a|ping',
7714
+ 'blockquote|cite',
7715
+ 'body|background',
7716
+ 'del|cite',
7717
+ 'form|action',
7718
+ 'img|src',
7719
+ 'input|src',
7720
+ 'ins|cite',
7721
+ 'q|cite',
7722
+ 'source|src',
7723
+ 'track|src',
7724
+ 'video|poster',
7725
+ 'video|src',
7726
+ ]);
7727
+ registerContext(SecurityContext.RESOURCE_URL, [
7728
+ 'applet|code',
7729
+ 'applet|codebase',
7730
+ 'base|href',
7731
+ 'embed|src',
7732
+ 'frame|src',
7733
+ 'head|profile',
7734
+ 'html|manifest',
7735
+ 'iframe|src',
7736
+ 'link|href',
7737
+ 'media|src',
7738
+ 'object|codebase',
7739
+ 'object|data',
7740
+ 'script|src',
7741
+ ]);
7742
+ }
7743
+ return _SECURITY_SCHEMA;
7744
+ }
7745
+ function registerContext(ctx, specs) {
7746
+ for (const spec of specs)
7747
+ _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
7748
+ }
7749
+ /**
7750
+ * The set of security-sensitive attributes of an `<iframe>` that *must* be
7751
+ * applied as a static attribute only. This ensures that all security-sensitive
7752
+ * attributes are taken into account while creating an instance of an `<iframe>`
7753
+ * at runtime.
7754
+ *
7755
+ * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
7756
+ * in the code instead.
7757
+ */
7758
+ const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set(['sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority']);
7759
+ /**
7760
+ * Checks whether a given attribute name might represent a security-sensitive
7761
+ * attribute of an <iframe>.
7762
+ */
7763
+ function isIframeSecuritySensitiveAttr(attrName) {
7764
+ // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
7765
+ // before checking it against a known security-sensitive attributes.
7766
+ return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
7767
+ }
7768
+
7676
7769
  /**
7677
7770
  * @license
7678
7771
  * Copyright Google LLC All Rights Reserved.
@@ -14488,79 +14581,6 @@ function mapLiteral(obj, quoted = false) {
14488
14581
  })));
14489
14582
  }
14490
14583
 
14491
- /**
14492
- * @license
14493
- * Copyright Google LLC All Rights Reserved.
14494
- *
14495
- * Use of this source code is governed by an MIT-style license that can be
14496
- * found in the LICENSE file at https://angular.io/license
14497
- */
14498
- // =================================================================================================
14499
- // =================================================================================================
14500
- // =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
14501
- // =================================================================================================
14502
- // =================================================================================================
14503
- //
14504
- // DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
14505
- // Reach out to mprobst for details.
14506
- //
14507
- // =================================================================================================
14508
- /** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
14509
- let _SECURITY_SCHEMA;
14510
- function SECURITY_SCHEMA() {
14511
- if (!_SECURITY_SCHEMA) {
14512
- _SECURITY_SCHEMA = {};
14513
- // Case is insignificant below, all element and attribute names are lower-cased for lookup.
14514
- registerContext(SecurityContext.HTML, [
14515
- 'iframe|srcdoc',
14516
- '*|innerHTML',
14517
- '*|outerHTML',
14518
- ]);
14519
- registerContext(SecurityContext.STYLE, ['*|style']);
14520
- // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
14521
- registerContext(SecurityContext.URL, [
14522
- '*|formAction',
14523
- 'area|href',
14524
- 'area|ping',
14525
- 'audio|src',
14526
- 'a|href',
14527
- 'a|ping',
14528
- 'blockquote|cite',
14529
- 'body|background',
14530
- 'del|cite',
14531
- 'form|action',
14532
- 'img|src',
14533
- 'input|src',
14534
- 'ins|cite',
14535
- 'q|cite',
14536
- 'source|src',
14537
- 'track|src',
14538
- 'video|poster',
14539
- 'video|src',
14540
- ]);
14541
- registerContext(SecurityContext.RESOURCE_URL, [
14542
- 'applet|code',
14543
- 'applet|codebase',
14544
- 'base|href',
14545
- 'embed|src',
14546
- 'frame|src',
14547
- 'head|profile',
14548
- 'html|manifest',
14549
- 'iframe|src',
14550
- 'link|href',
14551
- 'media|src',
14552
- 'object|codebase',
14553
- 'object|data',
14554
- 'script|src',
14555
- ]);
14556
- }
14557
- return _SECURITY_SCHEMA;
14558
- }
14559
- function registerContext(ctx, specs) {
14560
- for (const spec of specs)
14561
- _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
14562
- }
14563
-
14564
14584
  /**
14565
14585
  * @license
14566
14586
  * Copyright Google LLC All Rights Reserved.
@@ -17630,9 +17650,19 @@ class TemplateDefinitionBuilder {
17630
17650
  const params = [];
17631
17651
  const [attrNamespace, attrName] = splitNsName(input.name);
17632
17652
  const isAttributeBinding = inputType === 1 /* BindingType.Attribute */;
17633
- const sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
17634
- if (sanitizationRef)
17653
+ let sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
17654
+ if (!sanitizationRef) {
17655
+ // If there was no sanitization function found based on the security context
17656
+ // of an attribute/property - check whether this attribute/property is
17657
+ // one of the security-sensitive <iframe> attributes (and that the current
17658
+ // element is actually an <iframe>).
17659
+ if (isIframeElement(element.name) && isIframeSecuritySensitiveAttr(input.name)) {
17660
+ sanitizationRef = importExpr(Identifiers.validateIframeAttribute);
17661
+ }
17662
+ }
17663
+ if (sanitizationRef) {
17635
17664
  params.push(sanitizationRef);
17665
+ }
17636
17666
  if (attrNamespace) {
17637
17667
  const namespaceLiteral = literal(attrNamespace);
17638
17668
  if (sanitizationRef) {
@@ -18698,6 +18728,9 @@ function isSingleElementTemplate(children) {
18698
18728
  function isTextNode(node) {
18699
18729
  return node instanceof Text$3 || node instanceof BoundText || node instanceof Icu$1;
18700
18730
  }
18731
+ function isIframeElement(tagName) {
18732
+ return tagName.toLowerCase() === 'iframe';
18733
+ }
18701
18734
  function hasTextChildrenOnly(children) {
18702
18735
  return children.every(isTextNode);
18703
18736
  }
@@ -19175,6 +19208,20 @@ function createHostBindingsFunction(hostBindingsMetadata, typeSourceSpan, bindin
19175
19208
  if (sanitizerFn) {
19176
19209
  instructionParams.push(sanitizerFn);
19177
19210
  }
19211
+ else {
19212
+ // If there was no sanitization function found based on the security context
19213
+ // of an attribute/property binding - check whether this attribute/property is
19214
+ // one of the security-sensitive <iframe> attributes.
19215
+ // Note: for host bindings defined on a directive, we do not try to find all
19216
+ // possible places where it can be matched, so we can not determine whether
19217
+ // the host element is an <iframe>. In this case, if an attribute/binding
19218
+ // name is in the `IFRAME_SECURITY_SENSITIVE_ATTRS` set - append a validation
19219
+ // function, which would be invoked at runtime and would have access to the
19220
+ // underlying DOM element, check if it's an <iframe> and if so - runs extra checks.
19221
+ if (isIframeSecuritySensitiveAttr(bindingName)) {
19222
+ instructionParams.push(importExpr(Identifiers.validateIframeAttribute));
19223
+ }
19224
+ }
19178
19225
  updateVariables.push(...bindingExpr.stmts);
19179
19226
  if (instruction === Identifiers.hostProperty) {
19180
19227
  propertyBindings.push(instructionParams);
@@ -19877,7 +19924,7 @@ function publishFacade(global) {
19877
19924
  * Use of this source code is governed by an MIT-style license that can be
19878
19925
  * found in the LICENSE file at https://angular.io/license
19879
19926
  */
19880
- const VERSION = new Version('14.2.11');
19927
+ const VERSION = new Version('14.3.0');
19881
19928
 
19882
19929
  /**
19883
19930
  * @license
@@ -21904,7 +21951,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$6 = '12.0.0';
21904
21951
  function compileDeclareClassMetadata(metadata) {
21905
21952
  const definitionMap = new DefinitionMap();
21906
21953
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$6));
21907
- definitionMap.set('version', literal('14.2.11'));
21954
+ definitionMap.set('version', literal('14.3.0'));
21908
21955
  definitionMap.set('ngImport', importExpr(Identifiers.core));
21909
21956
  definitionMap.set('type', metadata.type);
21910
21957
  definitionMap.set('decorators', metadata.decorators);
@@ -22021,7 +22068,7 @@ function compileDeclareDirectiveFromMetadata(meta) {
22021
22068
  function createDirectiveDefinitionMap(meta) {
22022
22069
  const definitionMap = new DefinitionMap();
22023
22070
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$5));
22024
- definitionMap.set('version', literal('14.2.11'));
22071
+ definitionMap.set('version', literal('14.3.0'));
22025
22072
  // e.g. `type: MyDirective`
22026
22073
  definitionMap.set('type', meta.internalType);
22027
22074
  if (meta.isStandalone) {
@@ -22235,7 +22282,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$4 = '12.0.0';
22235
22282
  function compileDeclareFactoryFunction(meta) {
22236
22283
  const definitionMap = new DefinitionMap();
22237
22284
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$4));
22238
- definitionMap.set('version', literal('14.2.11'));
22285
+ definitionMap.set('version', literal('14.3.0'));
22239
22286
  definitionMap.set('ngImport', importExpr(Identifiers.core));
22240
22287
  definitionMap.set('type', meta.internalType);
22241
22288
  definitionMap.set('deps', compileDependencies(meta.deps));
@@ -22277,7 +22324,7 @@ function compileDeclareInjectableFromMetadata(meta) {
22277
22324
  function createInjectableDefinitionMap(meta) {
22278
22325
  const definitionMap = new DefinitionMap();
22279
22326
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$3));
22280
- definitionMap.set('version', literal('14.2.11'));
22327
+ definitionMap.set('version', literal('14.3.0'));
22281
22328
  definitionMap.set('ngImport', importExpr(Identifiers.core));
22282
22329
  definitionMap.set('type', meta.internalType);
22283
22330
  // Only generate providedIn property if it has a non-null value
@@ -22335,7 +22382,7 @@ function compileDeclareInjectorFromMetadata(meta) {
22335
22382
  function createInjectorDefinitionMap(meta) {
22336
22383
  const definitionMap = new DefinitionMap();
22337
22384
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$2));
22338
- definitionMap.set('version', literal('14.2.11'));
22385
+ definitionMap.set('version', literal('14.3.0'));
22339
22386
  definitionMap.set('ngImport', importExpr(Identifiers.core));
22340
22387
  definitionMap.set('type', meta.internalType);
22341
22388
  definitionMap.set('providers', meta.providers);
@@ -22372,7 +22419,7 @@ function compileDeclareNgModuleFromMetadata(meta) {
22372
22419
  function createNgModuleDefinitionMap(meta) {
22373
22420
  const definitionMap = new DefinitionMap();
22374
22421
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$1));
22375
- definitionMap.set('version', literal('14.2.11'));
22422
+ definitionMap.set('version', literal('14.3.0'));
22376
22423
  definitionMap.set('ngImport', importExpr(Identifiers.core));
22377
22424
  definitionMap.set('type', meta.internalType);
22378
22425
  // We only generate the keys in the metadata if the arrays contain values.
@@ -22430,7 +22477,7 @@ function compileDeclarePipeFromMetadata(meta) {
22430
22477
  function createPipeDefinitionMap(meta) {
22431
22478
  const definitionMap = new DefinitionMap();
22432
22479
  definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION));
22433
- definitionMap.set('version', literal('14.2.11'));
22480
+ definitionMap.set('version', literal('14.3.0'));
22434
22481
  definitionMap.set('ngImport', importExpr(Identifiers.core));
22435
22482
  // e.g. `type: MyPipe`
22436
22483
  definitionMap.set('type', meta.internalType);