@angular/compiler 14.2.11 → 14.3.0

package/fesm2015/testing.mjs

@@ -1,5 +1,5 @@
 /**
- * @license Angular v14.2.11
+ * @license Angular v14.3.0
  * (c) 2010-2022 Google LLC. https://angular.io/
  * License: MIT
  */

package/fesm2020/compiler.mjs

@@ -1,5 +1,5 @@
 /**
- * @license Angular v14.2.11
+ * @license Angular v14.3.0
  * (c) 2010-2022 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -2936,6 +2936,7 @@ Identifiers.sanitizeUrl = { name: 'ɵɵsanitizeUrl', moduleName: CORE };
 Identifiers.sanitizeUrlOrResourceUrl = { name: 'ɵɵsanitizeUrlOrResourceUrl', moduleName: CORE };
 Identifiers.trustConstantHtml = { name: 'ɵɵtrustConstantHtml', moduleName: CORE };
 Identifiers.trustConstantResourceUrl = { name: 'ɵɵtrustConstantResourceUrl', moduleName: CORE };
+Identifiers.validateIframeAttribute = { name: 'ɵɵvalidateIframeAttribute', moduleName: CORE };
 
 /**
  * @license
@@ -7682,6 +7683,98 @@ class BuiltinFunctionCall extends Call {
     }
 }
 
+/**
+ * @license
+ * Copyright Google LLC All Rights Reserved.
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+// =================================================================================================
+// =================================================================================================
+// =========== S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P  ===========
+// =================================================================================================
+// =================================================================================================
+//
+//        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
+//                               Reach out to mprobst for details.
+//
+// =================================================================================================
+/** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
+let _SECURITY_SCHEMA;
+function SECURITY_SCHEMA() {
+    if (!_SECURITY_SCHEMA) {
+        _SECURITY_SCHEMA = {};
+        // Case is insignificant below, all element and attribute names are lower-cased for lookup.
+        registerContext(SecurityContext.HTML, [
+            'iframe|srcdoc',
+            '*|innerHTML',
+            '*|outerHTML',
+        ]);
+        registerContext(SecurityContext.STYLE, ['*|style']);
+        // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
+        registerContext(SecurityContext.URL, [
+            '*|formAction',
+            'area|href',
+            'area|ping',
+            'audio|src',
+            'a|href',
+            'a|ping',
+            'blockquote|cite',
+            'body|background',
+            'del|cite',
+            'form|action',
+            'img|src',
+            'input|src',
+            'ins|cite',
+            'q|cite',
+            'source|src',
+            'track|src',
+            'video|poster',
+            'video|src',
+        ]);
+        registerContext(SecurityContext.RESOURCE_URL, [
+            'applet|code',
+            'applet|codebase',
+            'base|href',
+            'embed|src',
+            'frame|src',
+            'head|profile',
+            'html|manifest',
+            'iframe|src',
+            'link|href',
+            'media|src',
+            'object|codebase',
+            'object|data',
+            'script|src',
+        ]);
+    }
+    return _SECURITY_SCHEMA;
+}
+function registerContext(ctx, specs) {
+    for (const spec of specs)
+        _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
+}
+/**
+ * The set of security-sensitive attributes of an `<iframe>` that *must* be
+ * applied as a static attribute only. This ensures that all security-sensitive
+ * attributes are taken into account while creating an instance of an `<iframe>`
+ * at runtime.
+ *
+ * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
+ * in the code instead.
+ */
+const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set(['sandbox', 'allow', 'allowfullscreen', 'referrerpolicy', 'csp', 'fetchpriority']);
+/**
+ * Checks whether a given attribute name might represent a security-sensitive
+ * attribute of an <iframe>.
+ */
+function isIframeSecuritySensitiveAttr(attrName) {
+    // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
+    // before checking it against a known security-sensitive attributes.
+    return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
+}
+
 /**
  * @license
  * Copyright Google LLC All Rights Reserved.
@@ -14494,79 +14587,6 @@ function mapLiteral(obj, quoted = false) {
     })));
 }
 
-/**
- * @license
- * Copyright Google LLC All Rights Reserved.
- *
- * Use of this source code is governed by an MIT-style license that can be
- * found in the LICENSE file at https://angular.io/license
- */
-// =================================================================================================
-// =================================================================================================
-// =========== S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P   -  S T O P  ===========
-// =================================================================================================
-// =================================================================================================
-//
-//        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
-//                               Reach out to mprobst for details.
-//
-// =================================================================================================
-/** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
-let _SECURITY_SCHEMA;
-function SECURITY_SCHEMA() {
-    if (!_SECURITY_SCHEMA) {
-        _SECURITY_SCHEMA = {};
-        // Case is insignificant below, all element and attribute names are lower-cased for lookup.
-        registerContext(SecurityContext.HTML, [
-            'iframe|srcdoc',
-            '*|innerHTML',
-            '*|outerHTML',
-        ]);
-        registerContext(SecurityContext.STYLE, ['*|style']);
-        // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
-        registerContext(SecurityContext.URL, [
-            '*|formAction',
-            'area|href',
-            'area|ping',
-            'audio|src',
-            'a|href',
-            'a|ping',
-            'blockquote|cite',
-            'body|background',
-            'del|cite',
-            'form|action',
-            'img|src',
-            'input|src',
-            'ins|cite',
-            'q|cite',
-            'source|src',
-            'track|src',
-            'video|poster',
-            'video|src',
-        ]);
-        registerContext(SecurityContext.RESOURCE_URL, [
-            'applet|code',
-            'applet|codebase',
-            'base|href',
-            'embed|src',
-            'frame|src',
-            'head|profile',
-            'html|manifest',
-            'iframe|src',
-            'link|href',
-            'media|src',
-            'object|codebase',
-            'object|data',
-            'script|src',
-        ]);
-    }
-    return _SECURITY_SCHEMA;
-}
-function registerContext(ctx, specs) {
-    for (const spec of specs)
-        _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
-}
-
 /**
  * @license
  * Copyright Google LLC All Rights Reserved.
@@ -17630,9 +17650,19 @@ class TemplateDefinitionBuilder {
                     const params = [];
                     const [attrNamespace, attrName] = splitNsName(input.name);
                     const isAttributeBinding = inputType === 1 /* BindingType.Attribute */;
-                    const sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
-                    if (sanitizationRef)
+                    let sanitizationRef = resolveSanitizationFn(input.securityContext, isAttributeBinding);
+                    if (!sanitizationRef) {
+                        // If there was no sanitization function found based on the security context
+                        // of an attribute/property - check whether this attribute/property is
+                        // one of the security-sensitive <iframe> attributes (and that the current
+                        // element is actually an <iframe>).
+                        if (isIframeElement(element.name) && isIframeSecuritySensitiveAttr(input.name)) {
+                            sanitizationRef = importExpr(Identifiers.validateIframeAttribute);
+                        }
+                    }
+                    if (sanitizationRef) {
                         params.push(sanitizationRef);
+                    }
                     if (attrNamespace) {
                         const namespaceLiteral = literal(attrNamespace);
                         if (sanitizationRef) {
@@ -18697,6 +18727,9 @@ function isSingleElementTemplate(children) {
 function isTextNode(node) {
     return node instanceof Text$3 || node instanceof BoundText || node instanceof Icu$1;
 }
+function isIframeElement(tagName) {
+    return tagName.toLowerCase() === 'iframe';
+}
 function hasTextChildrenOnly(children) {
     return children.every(isTextNode);
 }
@@ -19174,6 +19207,20 @@ function createHostBindingsFunction(hostBindingsMetadata, typeSourceSpan, bindin
         if (sanitizerFn) {
             instructionParams.push(sanitizerFn);
         }
+        else {
+            // If there was no sanitization function found based on the security context
+            // of an attribute/property binding - check whether this attribute/property is
+            // one of the security-sensitive <iframe> attributes.
+            // Note: for host bindings defined on a directive, we do not try to find all
+            // possible places where it can be matched, so we can not determine whether
+            // the host element is an <iframe>. In this case, if an attribute/binding
+            // name is in the `IFRAME_SECURITY_SENSITIVE_ATTRS` set - append a validation
+            // function, which would be invoked at runtime and would have access to the
+            // underlying DOM element, check if it's an <iframe> and if so - runs extra checks.
+            if (isIframeSecuritySensitiveAttr(bindingName)) {
+                instructionParams.push(importExpr(Identifiers.validateIframeAttribute));
+            }
+        }
         updateVariables.push(...bindingExpr.stmts);
         if (instruction === Identifiers.hostProperty) {
             propertyBindings.push(instructionParams);
@@ -19918,7 +19965,7 @@ function publishFacade(global) {
  * Use of this source code is governed by an MIT-style license that can be
  * found in the LICENSE file at https://angular.io/license
  */
-const VERSION = new Version('14.2.11');
+const VERSION = new Version('14.3.0');
 
 /**
  * @license
@@ -21951,7 +21998,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$6 = '12.0.0';
 function compileDeclareClassMetadata(metadata) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$6));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('decorators', metadata.decorators);
@@ -22068,7 +22115,7 @@ function compileDeclareDirectiveFromMetadata(meta) {
 function createDirectiveDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$5));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     // e.g. `type: MyDirective`
     definitionMap.set('type', meta.internalType);
     if (meta.isStandalone) {
@@ -22282,7 +22329,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$4 = '12.0.0';
 function compileDeclareFactoryFunction(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$4));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     definitionMap.set('deps', compileDependencies(meta.deps));
@@ -22324,7 +22371,7 @@ function compileDeclareInjectableFromMetadata(meta) {
 function createInjectableDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$3));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     // Only generate providedIn property if it has a non-null value
@@ -22382,7 +22429,7 @@ function compileDeclareInjectorFromMetadata(meta) {
 function createInjectorDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$2));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     definitionMap.set('providers', meta.providers);
@@ -22419,7 +22466,7 @@ function compileDeclareNgModuleFromMetadata(meta) {
 function createNgModuleDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$1));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.internalType);
     // We only generate the keys in the metadata if the arrays contain values.
@@ -22477,7 +22524,7 @@ function compileDeclarePipeFromMetadata(meta) {
 function createPipeDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION));
-    definitionMap.set('version', literal('14.2.11'));
+    definitionMap.set('version', literal('14.3.0'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     // e.g. `type: MyPipe`
     definitionMap.set('type', meta.internalType);