npm - @angular/compiler - Versions diffs - 19.2.16 → 19.2.17 - Mend

@angular/compiler 19.2.16 → 19.2.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/fesm2022/compiler.mjs CHANGED Viewed

@@ -1,5 +1,5 @@
 /**
- * @license Angular v19.2.16
+ * @license Angular v19.2.17
  * (c) 2010-2025 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -440,6 +440,7 @@ var SecurityContext;
     SecurityContext[SecurityContext["SCRIPT"] = 3] = "SCRIPT";
     SecurityContext[SecurityContext["URL"] = 4] = "URL";
     SecurityContext[SecurityContext["RESOURCE_URL"] = 5] = "RESOURCE_URL";
+    SecurityContext[SecurityContext["ATTRIBUTE_NO_BINDING"] = 6] = "ATTRIBUTE_NO_BINDING";
 })(SecurityContext || (SecurityContext = {}));
 var MissingTranslationStrategy;
 (function (MissingTranslationStrategy) {
@@ -3100,6 +3101,10 @@ class Identifiers {
     // sanitization-related functions
     static sanitizeHtml = { name: 'ɵɵsanitizeHtml', moduleName: CORE };
     static sanitizeStyle = { name: 'ɵɵsanitizeStyle', moduleName: CORE };
+    static validateAttribute = {
+        name: 'ɵɵvalidateAttribute',
+        moduleName: CORE,
+    };
     static sanitizeResourceUrl = {
         name: 'ɵɵsanitizeResourceUrl',
         moduleName: CORE,
@@ -3115,10 +3120,6 @@ class Identifiers {
         name: 'ɵɵtrustConstantResourceUrl',
         moduleName: CORE,
     };
-    static validateIframeAttribute = {
-        name: 'ɵɵvalidateIframeAttribute',
-        moduleName: CORE,
-    };
     // type-checking
     static InputSignalBrandWriteType = { name: 'ɵINPUT_SIGNAL_BRAND_WRITE_TYPE', moduleName: CORE };
     static UnwrapDirectiveSignalInputs = { name: 'ɵUnwrapDirectiveSignalInputs', moduleName: CORE };
@@ -19479,7 +19480,6 @@ function interleave(left, right) {
 // =================================================================================================
 //
 //        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
-//                               Reach out to mprobst for details.
 //
 // =================================================================================================
 /** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
@@ -19497,6 +19497,7 @@ function SECURITY_SCHEMA() {
             'area|ping',
             'audio|src',
             'a|href',
+            'a|xlink:href',
             'a|ping',
             'blockquote|cite',
             'body|background',
@@ -19510,6 +19511,74 @@ function SECURITY_SCHEMA() {
             'track|src',
             'video|poster',
             'video|src',
+            // MathML namespace
+            // https://crsrc.org/c/third_party/blink/renderer/core/sanitizer/sanitizer.cc;l=753-768;drc=b3eb16372dcd3317d65e9e0265015e322494edcd;bpv=1;bpt=1
+            'annotation|href',
+            'annotation|xlink:href',
+            'annotation-xml|href',
+            'annotation-xml|xlink:href',
+            'maction|href',
+            'maction|xlink:href',
+            'malignmark|href',
+            'malignmark|xlink:href',
+            'math|href',
+            'math|xlink:href',
+            'mroot|href',
+            'mroot|xlink:href',
+            'msqrt|href',
+            'msqrt|xlink:href',
+            'merror|href',
+            'merror|xlink:href',
+            'mfrac|href',
+            'mfrac|xlink:href',
+            'mglyph|href',
+            'mglyph|xlink:href',
+            'msub|href',
+            'msub|xlink:href',
+            'msup|href',
+            'msup|xlink:href',
+            'msubsup|href',
+            'msubsup|xlink:href',
+            'mmultiscripts|href',
+            'mmultiscripts|xlink:href',
+            'mprescripts|href',
+            'mprescripts|xlink:href',
+            'mi|href',
+            'mi|xlink:href',
+            'mn|href',
+            'mn|xlink:href',
+            'mo|href',
+            'mo|xlink:href',
+            'mpadded|href',
+            'mpadded|xlink:href',
+            'mphantom|href',
+            'mphantom|xlink:href',
+            'mrow|href',
+            'mrow|xlink:href',
+            'ms|href',
+            'ms|xlink:href',
+            'mspace|href',
+            'mspace|xlink:href',
+            'mstyle|href',
+            'mstyle|xlink:href',
+            'mtable|href',
+            'mtable|xlink:href',
+            'mtd|href',
+            'mtd|xlink:href',
+            'mtr|href',
+            'mtr|xlink:href',
+            'mtext|href',
+            'mtext|xlink:href',
+            'mover|href',
+            'mover|xlink:href',
+            'munder|href',
+            'munder|xlink:href',
+            'munderover|href',
+            'munderover|xlink:href',
+            'semantics|href',
+            'semantics|xlink:href',
+            'none|href',
+            'none|xlink:href',
         ]);
         registerContext(SecurityContext.RESOURCE_URL, [
             'applet|code',
@@ -19526,6 +19595,29 @@ function SECURITY_SCHEMA() {
             'object|data',
             'script|src',
         ]);
+        // Keep this in sync with SECURITY_SENSITIVE_ELEMENTS in packages/core/src/sanitization/sanitization.ts
+        // Unknown is the internal tag name for unknown elements example used for host-bindings.
+        // These are unsafe as `attributeName` can be `href` or `xlink:href`
+        // See: http://b/463880509#comment7
+        registerContext(SecurityContext.ATTRIBUTE_NO_BINDING, [
+            'animate|attributeName',
+            'set|attributeName',
+            'animateMotion|attributeName',
+            'animateTransform|attributeName',
+            'unknown|attributeName',
+            'iframe|sandbox',
+            'iframe|allow',
+            'iframe|allowFullscreen',
+            'iframe|referrerPolicy',
+            'iframe|csp',
+            'iframe|fetchPriority',
+            'unknown|sandbox',
+            'unknown|allow',
+            'unknown|allowFullscreen',
+            'unknown|referrerPolicy',
+            'unknown|csp',
+            'unknown|fetchPriority',
+        ]);
     }
     return _SECURITY_SCHEMA;
 }
@@ -19533,32 +19625,6 @@ function registerContext(ctx, specs) {
     for (const spec of specs)
         _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
 }
-/**
- * The set of security-sensitive attributes of an `<iframe>` that *must* be
- * applied as a static attribute only. This ensures that all security-sensitive
- * attributes are taken into account while creating an instance of an `<iframe>`
- * at runtime.
- *
- * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
- * in the code instead.
- */
-const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set([
-    'sandbox',
-    'allow',
-    'allowfullscreen',
-    'referrerpolicy',
-    'csp',
-    'fetchpriority',
-]);
-/**
- * Checks whether a given attribute name might represent a security-sensitive
- * attribute of an <iframe>.
- */
-function isIframeSecuritySensitiveAttr(attrName) {
-    // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
-    // before checking it against a known security-sensitive attributes.
-    return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
-}
 class ElementSchemaRegistry {
 }
@@ -24098,6 +24164,7 @@ const sanitizerFns = new Map([
     [SecurityContext.SCRIPT, Identifiers.sanitizeScript],
     [SecurityContext.STYLE, Identifiers.sanitizeStyle],
     [SecurityContext.URL, Identifiers.sanitizeUrl],
+    [SecurityContext.ATTRIBUTE_NO_BINDING, Identifiers.validateAttribute],
 ]);
 /**
  * Map of security contexts to their trusted value function.
@@ -24111,7 +24178,6 @@ const trustedValueFns = new Map([
  */
 function resolveSanitizers(job) {
     for (const unit of job.units) {
-        const elements = createOpXrefMap(unit);
         // For normal element bindings we create trusted values for security sensitive constant
         // attributes. However, for host bindings we skip this step (this matches what
         // TemplateDefinitionBuilder does).
@@ -24132,8 +24198,8 @@ function resolveSanitizers(job) {
                     let sanitizerFn = null;
                     if (Array.isArray(op.securityContext) &&
                         op.securityContext.length === 2 &&
-                        op.securityContext.indexOf(SecurityContext.URL) > -1 &&
-                        op.securityContext.indexOf(SecurityContext.RESOURCE_URL) > -1) {
+                        op.securityContext.includes(SecurityContext.URL) &&
+                        op.securityContext.includes(SecurityContext.RESOURCE_URL)) {
                         // When the host element isn't known, some URL attributes (such as "src" and "href") may
                         // be part of multiple different security contexts. In this case we use special
                         // sanitization function and select the actual sanitizer at runtime based on a tag name
@@ -24144,43 +24210,11 @@ function resolveSanitizers(job) {
                         sanitizerFn = sanitizerFns.get(getOnlySecurityContext(op.securityContext)) ?? null;
                     }
                     op.sanitizer = sanitizerFn !== null ? importExpr(sanitizerFn) : null;
-                    // If there was no sanitization function found based on the security context of an
-                    // attribute/property, check whether this attribute/property is one of the
-                    // security-sensitive <iframe> attributes (and that the current element is actually an
-                    // <iframe>).
-                    if (op.sanitizer === null) {
-                        let isIframe = false;
-                        if (job.kind === CompilationJobKind.Host || op.kind === OpKind.HostProperty) {
-                            // Note: for host bindings defined on a directive, we do not try to find all
-                            // possible places where it can be matched, so we can not determine whether
-                            // the host element is an <iframe>. In this case, we just assume it is and append a
-                            // validation function, which is invoked at runtime and would have access to the
-                            // underlying DOM element to check if it's an <iframe> and if so - run extra checks.
-                            isIframe = true;
-                        }
-                        else {
-                            // For a normal binding we can just check if the element its on is an iframe.
-                            const ownerOp = elements.get(op.target);
-                            if (ownerOp === undefined || !isElementOrContainerOp(ownerOp)) {
-                                throw Error('Property should have an element-like owner');
-                            }
-                            isIframe = isIframeElement(ownerOp);
-                        }
-                        if (isIframe && isIframeSecuritySensitiveAttr(op.name)) {
-                            op.sanitizer = importExpr(Identifiers.validateIframeAttribute);
-                        }
-                    }
                     break;
             }
         }
     }
 }
-/**
- * Checks whether the given op represents an iframe element.
- */
-function isIframeElement(op) {
-    return op.kind === OpKind.ElementStart && op.tag?.toLowerCase() === 'iframe';
-}
 /**
  * Asserts that there is only a single security context and returns it.
  */
@@ -30947,7 +30981,7 @@ function publishFacade(global) {
  * @description
  * Entry point for all public APIs of the compiler package.
  */
-const VERSION = new Version('19.2.16');
+const VERSION = new Version('19.2.17');
 class CompilerConfig {
     defaultEncapsulation;
@@ -32804,7 +32838,7 @@ const MINIMUM_PARTIAL_LINKER_DEFER_SUPPORT_VERSION = '18.0.0';
 function compileDeclareClassMetadata(metadata) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$5));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('decorators', metadata.decorators);
@@ -32822,7 +32856,7 @@ function compileComponentDeclareClassMetadata(metadata, dependencies) {
     callbackReturnDefinitionMap.set('ctorParameters', metadata.ctorParameters ?? literal(null));
     callbackReturnDefinitionMap.set('propDecorators', metadata.propDecorators ?? literal(null));
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_DEFER_SUPPORT_VERSION));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('resolveDeferredDeps', compileComponentMetadataAsyncResolver(dependencies));
@@ -32917,7 +32951,7 @@ function createDirectiveDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     const minVersion = getMinimumVersionForPartialOutput(meta);
     definitionMap.set('minVersion', literal(minVersion));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     // e.g. `type: MyDirective`
     definitionMap.set('type', meta.type.value);
     if (meta.isStandalone !== undefined) {
@@ -33333,7 +33367,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$4 = '12.0.0';
 function compileDeclareFactoryFunction(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$4));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     definitionMap.set('deps', compileDependencies(meta.deps));
@@ -33368,7 +33402,7 @@ function compileDeclareInjectableFromMetadata(meta) {
 function createInjectableDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$3));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     // Only generate providedIn property if it has a non-null value
@@ -33419,7 +33453,7 @@ function compileDeclareInjectorFromMetadata(meta) {
 function createInjectorDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$2));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     definitionMap.set('providers', meta.providers);
@@ -33452,7 +33486,7 @@ function createNgModuleDefinitionMap(meta) {
         throw new Error('Invalid path! Local compilation mode should not get into the partial compilation path');
     }
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$1));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     // We only generate the keys in the metadata if the arrays contain values.
@@ -33503,7 +33537,7 @@ function compileDeclarePipeFromMetadata(meta) {
 function createPipeDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.17'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     // e.g. `type: MyPipe`
     definitionMap.set('type', meta.type.value);