@angular/core 10.2.4 → 10.2.5

@@ -5,14 +5,26 @@
5
5
  * Use of this source code is governed by an MIT-style license that can be
6
6
  * found in the LICENSE file at https://angular.io/license
7
7
  */
8
- const END_COMMENT = /-->/g;
9
- const END_COMMENT_ESCAPED = '-\u200B-\u200B>';
10
8
  /**
11
- * Escape the content of the strings so that it can be safely inserted into a comment node.
9
+ * Disallowed strings in the comment.
10
+ *
11
+ * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
12
+ */
13
+ const COMMENT_DISALLOWED = /^>|^->|<!--|-->|--!>|<!-$/g;
14
+ /**
15
+ * Delimiter in the disallowed strings which needs to be wrapped with zero with character.
16
+ */
17
+ const COMMENT_DELIMITER = /(<|>)/;
18
+ const COMMENT_DELIMITER_ESCAPED = '\u200B$1\u200B';
19
+ /**
20
+ * Escape the content of comment strings so that it can be safely inserted into a comment node.
12
21
  *
13
22
  * The issue is that HTML does not specify any way to escape comment end text inside the comment.
14
- * `<!-- The way you close a comment is with "-->". -->`. Above the `"-->"` is meant to be text not
15
- * an end to the comment. This can be created programmatically through DOM APIs.
23
+ * Consider: `<!-- The way you close a comment is with ">", and "->" at the beginning or by "-->" or
24
+ * "--!>" at the end. -->`. Above the `"-->"` is meant to be text not an end to the comment. This
25
+ * can be created programmatically through DOM APIs. (`<!--` are also disallowed.)
26
+ *
27
+ * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
16
28
  *
17
29
  * ```
18
30
  * div.innerHTML = div.innerHTML
@@ -23,14 +35,15 @@ const END_COMMENT_ESCAPED = '-\u200B-\u200B>';
23
35
  * opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
24
36
  * may contain such text and expect them to be safe.)
25
37
  *
26
- * This function escapes the comment text by looking for the closing char sequence `-->` and replace
27
- * it with `-_-_>` where the `_` is a zero width space `\u200B`. The result is that if a comment
28
- * contains `-->` text it will render normally but it will not cause the HTML parser to close the
29
- * comment.
38
+ * This function escapes the comment text by looking for comment delimiters (`<` and `>`) and
39
+ * surrounding them with `_>_` where the `_` is a zero width space `\u200B`. The result is that if a
40
+ * comment contains any of the comment start/end delimiters (such as `<!--`, `-->` or `--!>`) the
41
+ * text it will render normally but it will not cause the HTML parser to close/open the comment.
30
42
  *
31
- * @param value text to make safe for comment node by escaping the comment close character sequence
43
+ * @param value text to make safe for comment node by escaping the comment open/close character
44
+ * sequence.
32
45
  */
33
46
  export function escapeCommentText(value) {
34
- return value.replace(END_COMMENT, END_COMMENT_ESCAPED);
47
+ return value.replace(COMMENT_DISALLOWED, (text) => text.replace(COMMENT_DELIMITER, COMMENT_DELIMITER_ESCAPED));
35
48
  }
36
- //# sourceMappingURL=data:application/json;base64,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
49
+ //# sourceMappingURL=data:application/json;base64,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
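Review bot: Overlapping disallowed sequences are escaped only once in `escapeCommentText`, because `value.replace(COMMENT_DISALLOWED, …)` with the `g` flag consumes each match and resumes after it: when a `<!--` match is directly followed by `>`, only the `<` is wrapped, the trailing `>` is not at the start of the input so `^>` cannot match it, and the output still contains `-->`. A unit test with adjacent and overlapping sequences would pin this down, and wrapping every delimiter rather than only the one inside a matched sequence closes the gap, e.g. `return value.replace(/[<>]/g, '\u200B$&\u200B');`. The inner `COMMENT_DELIMITER` has no `g` flag, which is fine for the current alternatives (each holds a single `<` or `>`) but deserves a comment so that a later alternative with two delimiters is not left half-escaped. The doc comment on `COMMENT_DELIMITER` should read `zero width character`, not `zero with character`. The same code is repeated in the `package/fesm2015/core.js` section further down, so the note applies there as well.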
@@ -21,5 +21,5 @@ export class Version {
21
21
  /**
22
22
  * @publicApi
23
23
  */
24
- export const VERSION = new Version('10.2.4');
24
+ export const VERSION = new Version('10.2.5');
25
25
  //# sourceMappingURL=data:application/json;base64,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
package/fesm2015/core.js CHANGED
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @license Angular v10.2.4
2
+ * @license Angular v10.2.5
3
3
  * (c) 2010-2020 Google LLC. https://angular.io/
4
4
  * License: MIT
5
5
  */
@@ -5341,14 +5341,26 @@ function getSanitizer() {
5341
5341
  * Use of this source code is governed by an MIT-style license that can be
5342
5342
  * found in the LICENSE file at https://angular.io/license
5343
5343
  */
5344
- const END_COMMENT = /-->/g;
5345
- const END_COMMENT_ESCAPED = '-\u200B-\u200B>';
5346
5344
  /**
5347
- * Escape the content of the strings so that it can be safely inserted into a comment node.
5345
+ * Disallowed strings in the comment.
5346
+ *
5347
+ * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
5348
+ */
5349
+ const COMMENT_DISALLOWED = /^>|^->|<!--|-->|--!>|<!-$/g;
5350
+ /**
5351
+ * Delimiter in the disallowed strings which needs to be wrapped with zero with character.
5352
+ */
5353
+ const COMMENT_DELIMITER = /(<|>)/;
5354
+ const COMMENT_DELIMITER_ESCAPED = '\u200B$1\u200B';
5355
+ /**
5356
+ * Escape the content of comment strings so that it can be safely inserted into a comment node.
5348
5357
  *
5349
5358
  * The issue is that HTML does not specify any way to escape comment end text inside the comment.
5350
- * `<!-- The way you close a comment is with "-->". -->`. Above the `"-->"` is meant to be text not
5351
- * an end to the comment. This can be created programmatically through DOM APIs.
5359
+ * Consider: `<!-- The way you close a comment is with ">", and "->" at the beginning or by "-->" or
5360
+ * "--!>" at the end. -->`. Above the `"-->"` is meant to be text not an end to the comment. This
5361
+ * can be created programmatically through DOM APIs. (`<!--` are also disallowed.)
5362
+ *
5363
+ * see: https://html.spec.whatwg.org/multipage/syntax.html#comments
5352
5364
  *
5353
5365
  * ```
5354
5366
  * div.innerHTML = div.innerHTML
@@ -5359,15 +5371,16 @@ const END_COMMENT_ESCAPED = '-\u200B-\u200B>';
5359
5371
  * opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
5360
5372
  * may contain such text and expect them to be safe.)
5361
5373
  *
5362
- * This function escapes the comment text by looking for the closing char sequence `-->` and replace
5363
- * it with `-_-_>` where the `_` is a zero width space `\u200B`. The result is that if a comment
5364
- * contains `-->` text it will render normally but it will not cause the HTML parser to close the
5365
- * comment.
5374
+ * This function escapes the comment text by looking for comment delimiters (`<` and `>`) and
5375
+ * surrounding them with `_>_` where the `_` is a zero width space `\u200B`. The result is that if a
5376
+ * comment contains any of the comment start/end delimiters (such as `<!--`, `-->` or `--!>`) the
5377
+ * text it will render normally but it will not cause the HTML parser to close/open the comment.
5366
5378
  *
5367
- * @param value text to make safe for comment node by escaping the comment close character sequence
5379
+ * @param value text to make safe for comment node by escaping the comment open/close character
5380
+ * sequence.
5368
5381
  */
5369
5382
  function escapeCommentText(value) {
5370
- return value.replace(END_COMMENT, END_COMMENT_ESCAPED);
5383
+ return value.replace(COMMENT_DISALLOWED, (text) => text.replace(COMMENT_DELIMITER, COMMENT_DELIMITER_ESCAPED));
5371
5384
  }
5372
5385
 
5373
5386
  /**
@@ -21109,7 +21122,7 @@ class Version {
21109
21122
  /**
21110
21123
  * @publicApi
21111
21124
  */
21112
- const VERSION = new Version('10.2.4');
21125
+ const VERSION = new Version('10.2.5');
21113
21126
 
21114
21127
  /**
21115
21128
  * @license