@angular/core 10.2.1 → 10.2.5

package/bundles/core.umd.js

@@ -1,5 +1,5 @@
 /**
- * @license Angular v10.2.1
+ * @license Angular v10.2.5
  * (c) 2010-2020 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -5014,6 +5014,11 @@
         if (_runModeLocked) {
             throw new Error('Cannot enable prod mode after platform setup.');
         }
+        // The below check is there so when ngDevMode is set via terser
+        // `global['ngDevMode'] = false;` is also dropped.
+        if (typeof ngDevMode === undefined || !!ngDevMode) {
+            _global['ngDevMode'] = false;
+        }
         _devMode = false;
     }
 
@@ -5658,6 +5663,55 @@
         return lView && lView[SANITIZER];
     }
 
+    /**
+     * @license
+     * Copyright Google LLC All Rights Reserved.
+     *
+     * Use of this source code is governed by an MIT-style license that can be
+     * found in the LICENSE file at https://angular.io/license
+     */
+    /**
+     * Disallowed strings in the comment.
+     *
+     * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
+     */
+    var COMMENT_DISALLOWED = /^>|^->|<!--|-->|--!>|<!-$/g;
+    /**
+     * Delimiter in the disallowed strings which needs to be wrapped with zero with character.
+     */
+    var COMMENT_DELIMITER = /(<|>)/;
+    var COMMENT_DELIMITER_ESCAPED = '\u200B$1\u200B';
+    /**
+     * Escape the content of comment strings so that it can be safely inserted into a comment node.
+     *
+     * The issue is that HTML does not specify any way to escape comment end text inside the comment.
+     * Consider: `<!-- The way you close a comment is with ">", and "->" at the beginning or by "-->" or
+     * "--!>" at the end. -->`. Above the `"-->"` is meant to be text not an end to the comment. This
+     * can be created programmatically through DOM APIs. (`<!--` are also disallowed.)
+     *
+     * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
+     *
+     * ```
+     * div.innerHTML = div.innerHTML
+     * ```
+     *
+     * One would expect that the above code would be safe to do, but it turns out that because comment
+     * text is not escaped, the comment may contain text which will prematurely close the comment
+     * opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
+     * may contain such text and expect them to be safe.)
+     *
+     * This function escapes the comment text by looking for comment delimiters (`<` and `>`) and
+     * surrounding them with `_>_` where the `_` is a zero width space `\u200B`. The result is that if a
+     * comment contains any of the comment start/end delimiters (such as `<!--`, `-->` or `--!>`) the
+     * text it will render normally but it will not cause the HTML parser to close/open the comment.
+     *
+     * @param value text to make safe for comment node by escaping the comment open/close character
+     *     sequence.
+     */
+    function escapeCommentText(value) {
+        return value.replace(COMMENT_DISALLOWED, function (text) { return text.replace(COMMENT_DELIMITER, COMMENT_DELIMITER_ESCAPED); });
+    }
+
     /**
      * @license
      * Copyright Google LLC All Rights Reserved.
@@ -8400,7 +8454,7 @@
             }
         }
         else {
-            var textContent = "bindings=" + JSON.stringify((_a = {}, _a[attrName] = debugValue, _a), null, 2);
+            var textContent = escapeCommentText("bindings=" + JSON.stringify((_a = {}, _a[attrName] = debugValue, _a), null, 2));
             if (isProceduralRenderer(renderer)) {
                 renderer.setValue(element, textContent);
             }
@@ -9119,8 +9173,10 @@
      */
     function scheduleTick(rootContext, flags) {
         var nothingScheduled = rootContext.flags === 0 /* Empty */;
-        rootContext.flags |= flags;
         if (nothingScheduled && rootContext.clean == _CLEAN_PROMISE) {
+            // https://github.com/angular/angular/issues/39296
+            // should only attach the flags when really scheduling a tick
+            rootContext.flags |= flags;
             var res_1;
             rootContext.clean = new Promise(function (r) { return res_1 = r; });
             rootContext.scheduler(function () {
@@ -21684,7 +21740,7 @@
     /**
      * @publicApi
      */
-    var VERSION = new Version('10.2.1');
+    var VERSION = new Version('10.2.5');
 
     /**
      * @license
@@ -24873,13 +24929,6 @@
         });
     }
 
-    /**
-     * @license
-     * Copyright Google LLC All Rights Reserved.
-     *
-     * Use of this source code is governed by an MIT-style license that can be
-     * found in the LICENSE file at https://angular.io/license
-     */
     /**
      * Map of module-id to the corresponding NgModule.
      * - In pre Ivy we track NgModuleFactory,
@@ -24901,18 +24950,36 @@
         }
     }
     function registerNgModuleType(ngModuleType) {
-        if (ngModuleType.ɵmod.id !== null) {
-            var id = ngModuleType.ɵmod.id;
-            var existing = modules.get(id);
-            assertSameOrNotExisting(id, existing, ngModuleType);
-            modules.set(id, ngModuleType);
-        }
-        var imports = ngModuleType.ɵmod.imports;
-        if (imports instanceof Function) {
-            imports = imports();
-        }
-        if (imports) {
-            imports.forEach(function (i) { return registerNgModuleType(i); });
+        var visited = new Set();
+        recurse(ngModuleType);
+        function recurse(ngModuleType) {
+            var e_1, _a;
+            // The imports array of an NgModule must refer to other NgModules,
+            // so an error is thrown if no module definition is available.
+            var def = getNgModuleDef(ngModuleType, /* throwNotFound */ true);
+            var id = def.id;
+            if (id !== null) {
+                var existing = modules.get(id);
+                assertSameOrNotExisting(id, existing, ngModuleType);
+                modules.set(id, ngModuleType);
+            }
+            var imports = maybeUnwrapFn(def.imports);
+            try {
+                for (var imports_1 = __values(imports), imports_1_1 = imports_1.next(); !imports_1_1.done; imports_1_1 = imports_1.next()) {
+                    var i = imports_1_1.value;
+                    if (!visited.has(i)) {
+                        visited.add(i);
+                        recurse(i);
+                    }
+                }
+            }
+            catch (e_1_1) { e_1 = { error: e_1_1 }; }
+            finally {
+                try {
+                    if (imports_1_1 && !imports_1_1.done && (_a = imports_1.return)) _a.call(imports_1);
+                }
+                finally { if (e_1) throw e_1.error; }
+            }
         }
     }
     function clearModulesForTest() {
@@ -32150,7 +32217,7 @@
                 var el = asElementData(view, elDef.nodeIndex).renderElement;
                 if (!elDef.element.name) {
                     // a comment.
-                    view.renderer.setValue(el, "bindings=" + JSON.stringify(bindingValues, null, 2));
+                    view.renderer.setValue(el, escapeCommentText("bindings=" + JSON.stringify(bindingValues, null, 2)));
                 }
                 else {
                     // a regular element.
@@ -32439,7 +32506,7 @@
             return el;
         };
         DebugRenderer2.prototype.createComment = function (value) {
-            var comment = this.delegate.createComment(value);
+            var comment = this.delegate.createComment(escapeCommentText(value));
             var debugCtx = this.createDebugContext(comment);
             if (debugCtx) {
                 indexDebugNode(new DebugNode__PRE_R3__(comment, null, debugCtx));