@angular/compiler 19.2.16 → 19.2.18

package/fesm2022/compiler.mjs

@@ -1,5 +1,5 @@
 /**
- * @license Angular v19.2.16
+ * @license Angular v19.2.18
  * (c) 2010-2025 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -440,6 +440,7 @@ var SecurityContext;
     SecurityContext[SecurityContext["SCRIPT"] = 3] = "SCRIPT";
     SecurityContext[SecurityContext["URL"] = 4] = "URL";
     SecurityContext[SecurityContext["RESOURCE_URL"] = 5] = "RESOURCE_URL";
+    SecurityContext[SecurityContext["ATTRIBUTE_NO_BINDING"] = 6] = "ATTRIBUTE_NO_BINDING";
 })(SecurityContext || (SecurityContext = {}));
 var MissingTranslationStrategy;
 (function (MissingTranslationStrategy) {
@@ -3100,6 +3101,10 @@ class Identifiers {
     // sanitization-related functions
     static sanitizeHtml = { name: 'ɵɵsanitizeHtml', moduleName: CORE };
     static sanitizeStyle = { name: 'ɵɵsanitizeStyle', moduleName: CORE };
+    static validateAttribute = {
+        name: 'ɵɵvalidateAttribute',
+        moduleName: CORE,
+    };
     static sanitizeResourceUrl = {
         name: 'ɵɵsanitizeResourceUrl',
         moduleName: CORE,
@@ -3115,10 +3120,6 @@ class Identifiers {
         name: 'ɵɵtrustConstantResourceUrl',
         moduleName: CORE,
     };
-    static validateIframeAttribute = {
-        name: 'ɵɵvalidateIframeAttribute',
-        moduleName: CORE,
-    };
     // type-checking
     static InputSignalBrandWriteType = { name: 'ɵINPUT_SIGNAL_BRAND_WRITE_TYPE', moduleName: CORE };
     static UnwrapDirectiveSignalInputs = { name: 'ɵUnwrapDirectiveSignalInputs', moduleName: CORE };
@@ -19479,7 +19480,6 @@ function interleave(left, right) {
 // =================================================================================================
 //
 //        DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
-//                               Reach out to mprobst for details.
 //
 // =================================================================================================
 /** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
@@ -19497,6 +19497,7 @@ function SECURITY_SCHEMA() {
             'area|ping',
             'audio|src',
             'a|href',
+            'a|xlink:href',
             'a|ping',
             'blockquote|cite',
             'body|background',
@@ -19510,6 +19511,74 @@ function SECURITY_SCHEMA() {
             'track|src',
             'video|poster',
             'video|src',
+            // MathML namespace
+            // https://crsrc.org/c/third_party/blink/renderer/core/sanitizer/sanitizer.cc;l=753-768;drc=b3eb16372dcd3317d65e9e0265015e322494edcd;bpv=1;bpt=1
+            'annotation|href',
+            'annotation|xlink:href',
+            'annotation-xml|href',
+            'annotation-xml|xlink:href',
+            'maction|href',
+            'maction|xlink:href',
+            'malignmark|href',
+            'malignmark|xlink:href',
+            'math|href',
+            'math|xlink:href',
+            'mroot|href',
+            'mroot|xlink:href',
+            'msqrt|href',
+            'msqrt|xlink:href',
+            'merror|href',
+            'merror|xlink:href',
+            'mfrac|href',
+            'mfrac|xlink:href',
+            'mglyph|href',
+            'mglyph|xlink:href',
+            'msub|href',
+            'msub|xlink:href',
+            'msup|href',
+            'msup|xlink:href',
+            'msubsup|href',
+            'msubsup|xlink:href',
+            'mmultiscripts|href',
+            'mmultiscripts|xlink:href',
+            'mprescripts|href',
+            'mprescripts|xlink:href',
+            'mi|href',
+            'mi|xlink:href',
+            'mn|href',
+            'mn|xlink:href',
+            'mo|href',
+            'mo|xlink:href',
+            'mpadded|href',
+            'mpadded|xlink:href',
+            'mphantom|href',
+            'mphantom|xlink:href',
+            'mrow|href',
+            'mrow|xlink:href',
+            'ms|href',
+            'ms|xlink:href',
+            'mspace|href',
+            'mspace|xlink:href',
+            'mstyle|href',
+            'mstyle|xlink:href',
+            'mtable|href',
+            'mtable|xlink:href',
+            'mtd|href',
+            'mtd|xlink:href',
+            'mtr|href',
+            'mtr|xlink:href',
+            'mtext|href',
+            'mtext|xlink:href',
+            'mover|href',
+            'mover|xlink:href',
+            'munder|href',
+            'munder|xlink:href',
+            'munderover|href',
+            'munderover|xlink:href',
+            'semantics|href',
+            'semantics|xlink:href',
+            'none|href',
+            'none|xlink:href',
         ]);
         registerContext(SecurityContext.RESOURCE_URL, [
             'applet|code',
@@ -19525,6 +19594,33 @@ function SECURITY_SCHEMA() {
             'object|codebase',
             'object|data',
             'script|src',
+            // The below two are for Script SVG
+            // See: https://developer.mozilla.org/en-US/docs/Web/API/SVGScriptElement/href
+            'script|href',
+            'script|xlink:href',
+        ]);
+        // Keep this in sync with SECURITY_SENSITIVE_ELEMENTS in packages/core/src/sanitization/sanitization.ts
+        // Unknown is the internal tag name for unknown elements example used for host-bindings.
+        // These are unsafe as `attributeName` can be `href` or `xlink:href`
+        // See: http://b/463880509#comment7
+        registerContext(SecurityContext.ATTRIBUTE_NO_BINDING, [
+            'animate|attributeName',
+            'set|attributeName',
+            'animateMotion|attributeName',
+            'animateTransform|attributeName',
+            'unknown|attributeName',
+            'iframe|sandbox',
+            'iframe|allow',
+            'iframe|allowFullscreen',
+            'iframe|referrerPolicy',
+            'iframe|csp',
+            'iframe|fetchPriority',
+            'unknown|sandbox',
+            'unknown|allow',
+            'unknown|allowFullscreen',
+            'unknown|referrerPolicy',
+            'unknown|csp',
+            'unknown|fetchPriority',
         ]);
     }
     return _SECURITY_SCHEMA;
@@ -19533,32 +19629,6 @@ function registerContext(ctx, specs) {
     for (const spec of specs)
         _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
 }
-/**
- * The set of security-sensitive attributes of an `<iframe>` that *must* be
- * applied as a static attribute only. This ensures that all security-sensitive
- * attributes are taken into account while creating an instance of an `<iframe>`
- * at runtime.
- *
- * Note: avoid using this set directly, use the `isIframeSecuritySensitiveAttr` function
- * in the code instead.
- */
-const IFRAME_SECURITY_SENSITIVE_ATTRS = new Set([
-    'sandbox',
-    'allow',
-    'allowfullscreen',
-    'referrerpolicy',
-    'csp',
-    'fetchpriority',
-]);
-/**
- * Checks whether a given attribute name might represent a security-sensitive
- * attribute of an <iframe>.
- */
-function isIframeSecuritySensitiveAttr(attrName) {
-    // The `setAttribute` DOM API is case-insensitive, so we lowercase the value
-    // before checking it against a known security-sensitive attributes.
-    return IFRAME_SECURITY_SENSITIVE_ATTRS.has(attrName.toLowerCase());
-}
 
 class ElementSchemaRegistry {
 }
@@ -24098,6 +24168,7 @@ const sanitizerFns = new Map([
     [SecurityContext.SCRIPT, Identifiers.sanitizeScript],
     [SecurityContext.STYLE, Identifiers.sanitizeStyle],
     [SecurityContext.URL, Identifiers.sanitizeUrl],
+    [SecurityContext.ATTRIBUTE_NO_BINDING, Identifiers.validateAttribute],
 ]);
 /**
  * Map of security contexts to their trusted value function.
@@ -24111,7 +24182,6 @@ const trustedValueFns = new Map([
  */
 function resolveSanitizers(job) {
     for (const unit of job.units) {
-        const elements = createOpXrefMap(unit);
         // For normal element bindings we create trusted values for security sensitive constant
         // attributes. However, for host bindings we skip this step (this matches what
         // TemplateDefinitionBuilder does).
@@ -24132,8 +24202,8 @@ function resolveSanitizers(job) {
                     let sanitizerFn = null;
                     if (Array.isArray(op.securityContext) &&
                         op.securityContext.length === 2 &&
-                        op.securityContext.indexOf(SecurityContext.URL) > -1 &&
-                        op.securityContext.indexOf(SecurityContext.RESOURCE_URL) > -1) {
+                        op.securityContext.includes(SecurityContext.URL) &&
+                        op.securityContext.includes(SecurityContext.RESOURCE_URL)) {
                         // When the host element isn't known, some URL attributes (such as "src" and "href") may
                         // be part of multiple different security contexts. In this case we use special
                         // sanitization function and select the actual sanitizer at runtime based on a tag name
@@ -24144,43 +24214,11 @@ function resolveSanitizers(job) {
                         sanitizerFn = sanitizerFns.get(getOnlySecurityContext(op.securityContext)) ?? null;
                     }
                     op.sanitizer = sanitizerFn !== null ? importExpr(sanitizerFn) : null;
-                    // If there was no sanitization function found based on the security context of an
-                    // attribute/property, check whether this attribute/property is one of the
-                    // security-sensitive <iframe> attributes (and that the current element is actually an
-                    // <iframe>).
-                    if (op.sanitizer === null) {
-                        let isIframe = false;
-                        if (job.kind === CompilationJobKind.Host || op.kind === OpKind.HostProperty) {
-                            // Note: for host bindings defined on a directive, we do not try to find all
-                            // possible places where it can be matched, so we can not determine whether
-                            // the host element is an <iframe>. In this case, we just assume it is and append a
-                            // validation function, which is invoked at runtime and would have access to the
-                            // underlying DOM element to check if it's an <iframe> and if so - run extra checks.
-                            isIframe = true;
-                        }
-                        else {
-                            // For a normal binding we can just check if the element its on is an iframe.
-                            const ownerOp = elements.get(op.target);
-                            if (ownerOp === undefined || !isElementOrContainerOp(ownerOp)) {
-                                throw Error('Property should have an element-like owner');
-                            }
-                            isIframe = isIframeElement(ownerOp);
-                        }
-                        if (isIframe && isIframeSecuritySensitiveAttr(op.name)) {
-                            op.sanitizer = importExpr(Identifiers.validateIframeAttribute);
-                        }
-                    }
                     break;
             }
         }
     }
 }
-/**
- * Checks whether the given op represents an iframe element.
- */
-function isIframeElement(op) {
-    return op.kind === OpKind.ElementStart && op.tag?.toLowerCase() === 'iframe';
-}
 /**
  * Asserts that there is only a single security context and returns it.
  */
@@ -30947,7 +30985,7 @@ function publishFacade(global) {
  * @description
  * Entry point for all public APIs of the compiler package.
  */
-const VERSION = new Version('19.2.16');
+const VERSION = new Version('19.2.18');
 
 class CompilerConfig {
     defaultEncapsulation;
@@ -32804,7 +32842,7 @@ const MINIMUM_PARTIAL_LINKER_DEFER_SUPPORT_VERSION = '18.0.0';
 function compileDeclareClassMetadata(metadata) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$5));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('decorators', metadata.decorators);
@@ -32822,7 +32860,7 @@ function compileComponentDeclareClassMetadata(metadata, dependencies) {
     callbackReturnDefinitionMap.set('ctorParameters', metadata.ctorParameters ?? literal(null));
     callbackReturnDefinitionMap.set('propDecorators', metadata.propDecorators ?? literal(null));
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_DEFER_SUPPORT_VERSION));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', metadata.type);
     definitionMap.set('resolveDeferredDeps', compileComponentMetadataAsyncResolver(dependencies));
@@ -32917,7 +32955,7 @@ function createDirectiveDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     const minVersion = getMinimumVersionForPartialOutput(meta);
     definitionMap.set('minVersion', literal(minVersion));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     // e.g. `type: MyDirective`
     definitionMap.set('type', meta.type.value);
     if (meta.isStandalone !== undefined) {
@@ -33333,7 +33371,7 @@ const MINIMUM_PARTIAL_LINKER_VERSION$4 = '12.0.0';
 function compileDeclareFactoryFunction(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$4));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     definitionMap.set('deps', compileDependencies(meta.deps));
@@ -33368,7 +33406,7 @@ function compileDeclareInjectableFromMetadata(meta) {
 function createInjectableDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$3));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     // Only generate providedIn property if it has a non-null value
@@ -33419,7 +33457,7 @@ function compileDeclareInjectorFromMetadata(meta) {
 function createInjectorDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$2));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     definitionMap.set('providers', meta.providers);
@@ -33452,7 +33490,7 @@ function createNgModuleDefinitionMap(meta) {
         throw new Error('Invalid path! Local compilation mode should not get into the partial compilation path');
     }
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION$1));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     definitionMap.set('type', meta.type.value);
     // We only generate the keys in the metadata if the arrays contain values.
@@ -33503,7 +33541,7 @@ function compileDeclarePipeFromMetadata(meta) {
 function createPipeDefinitionMap(meta) {
     const definitionMap = new DefinitionMap();
     definitionMap.set('minVersion', literal(MINIMUM_PARTIAL_LINKER_VERSION));
-    definitionMap.set('version', literal('19.2.16'));
+    definitionMap.set('version', literal('19.2.18'));
     definitionMap.set('ngImport', importExpr(Identifiers.core));
     // e.g. `type: MyPipe`
     definitionMap.set('type', meta.type.value);