@angular/core 10.2.4 → 10.2.5

package/bundles/core.umd.js

@@ -1,5 +1,5 @@
 /**
- * @license Angular v10.2.4
+ * @license Angular v10.2.5
  * (c) 2010-2020 Google LLC. https://angular.io/
  * License: MIT
  */
@@ -5670,14 +5670,26 @@
      * Use of this source code is governed by an MIT-style license that can be
      * found in the LICENSE file at https://angular.io/license
      */
-    var END_COMMENT = /-->/g;
-    var END_COMMENT_ESCAPED = '-\u200B-\u200B>';
     /**
-     * Escape the content of the strings so that it can be safely inserted into a comment node.
+     * Disallowed strings in the comment.
+     *
+     * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
+     */
+    var COMMENT_DISALLOWED = /^>|^->|<!--|-->|--!>|<!-$/g;
+    /**
+     * Delimiter in the disallowed strings which needs to be wrapped with zero with character.
+     */
+    var COMMENT_DELIMITER = /(<|>)/;
+    var COMMENT_DELIMITER_ESCAPED = '\u200B$1\u200B';
+    /**
+     * Escape the content of comment strings so that it can be safely inserted into a comment node.
      *
      * The issue is that HTML does not specify any way to escape comment end text inside the comment.
-     * `<!-- The way you close a comment is with "-->". -->`. Above the `"-->"` is meant to be text not
-     * an end to the comment. This can be created programmatically through DOM APIs.
+     * Consider: `<!-- The way you close a comment is with ">", and "->" at the beginning or by "-->" or
+     * "--!>" at the end. -->`. Above the `"-->"` is meant to be text not an end to the comment. This
+     * can be created programmatically through DOM APIs. (`<!--` are also disallowed.)
+     *
+     * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
      *
      * ```
      * div.innerHTML = div.innerHTML
@@ -5688,15 +5700,16 @@
      * opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
      * may contain such text and expect them to be safe.)
      *
-     * This function escapes the comment text by looking for the closing char sequence `-->` and replace
-     * it with `-_-_>` where the `_` is a zero width space `\u200B`. The result is that if a comment
-     * contains `-->` text it will render normally but it will not cause the HTML parser to close the
-     * comment.
+     * This function escapes the comment text by looking for comment delimiters (`<` and `>`) and
+     * surrounding them with `_>_` where the `_` is a zero width space `\u200B`. The result is that if a
+     * comment contains any of the comment start/end delimiters (such as `<!--`, `-->` or `--!>`) the
+     * text it will render normally but it will not cause the HTML parser to close/open the comment.
      *
-     * @param value text to make safe for comment node by escaping the comment close character sequence
+     * @param value text to make safe for comment node by escaping the comment open/close character
+     *     sequence.
      */
     function escapeCommentText(value) {
-        return value.replace(END_COMMENT, END_COMMENT_ESCAPED);
+        return value.replace(COMMENT_DISALLOWED, function (text) { return text.replace(COMMENT_DELIMITER, COMMENT_DELIMITER_ESCAPED); });
     }
 
     /**
@@ -21727,7 +21740,7 @@
     /**
      * @publicApi
      */
-    var VERSION = new Version('10.2.4');
+    var VERSION = new Version('10.2.5');
 
     /**
      * @license