@angular/core 19.2.21 → 19.2.23

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/event_dispatcher.d-K56StcHr.d.ts +1 -1
  2. package/fesm2022/core.mjs +279 -50
  3. package/fesm2022/core.mjs.map +1 -1
  4. package/fesm2022/primitives/di.mjs +1 -1
  5. package/fesm2022/primitives/event-dispatch.mjs +1 -1
  6. package/fesm2022/primitives/signals.mjs +1 -1
  7. package/fesm2022/rxjs-interop.mjs +1 -1
  8. package/fesm2022/testing.mjs +1 -1
  9. package/fesm2022/untracked-BKcld_ew.mjs +1 -1
  10. package/index.d.ts +8 -3
  11. package/navigation_types.d-fAxd92YV.d.ts +1 -1
  12. package/package.json +1 -1
  13. package/primitives/di/index.d.ts +1 -1
  14. package/primitives/event-dispatch/index.d.ts +1 -1
  15. package/primitives/signals/index.d.ts +1 -1
  16. package/rxjs-interop/index.d.ts +1 -1
  17. package/schematics/bundles/add-bootstrap-context-to-server-main.cjs +2 -2
  18. package/schematics/bundles/{apply_import_manager-QEWElZT-.cjs → apply_import_manager-D8er9283.cjs} +3 -3
  19. package/schematics/bundles/{change_tracker-BPk3UwXG.cjs → change_tracker-BMoOL0o6.cjs} +2 -2
  20. package/schematics/bundles/{checker-DLkGMJj-.cjs → checker-C9K-IOAk.cjs} +287 -213
  21. package/schematics/bundles/cleanup-unused-imports.cjs +5 -5
  22. package/schematics/bundles/compiler_host-CAfDJO3W.cjs +1 -1
  23. package/schematics/bundles/control-flow-migration.cjs +3 -3
  24. package/schematics/bundles/explicit-standalone-flag.cjs +3 -3
  25. package/schematics/bundles/imports-CIX-JgAN.cjs +1 -1
  26. package/schematics/bundles/{index-BPwBW8Gv.cjs → index-C0sKgTb6.cjs} +4 -4
  27. package/schematics/bundles/{index-iQYWEThN.cjs → index-C55Aq2GC.cjs} +12 -12
  28. package/schematics/bundles/inject-migration.cjs +3 -3
  29. package/schematics/bundles/leading_space-D9nQ8UQC.cjs +1 -1
  30. package/schematics/bundles/{migrate_ts_type_references-BhOqwhYA.cjs → migrate_ts_type_references-CjUloDnc.cjs} +5 -5
  31. package/schematics/bundles/ng_decorators-B5HCqr20.cjs +1 -1
  32. package/schematics/bundles/nodes-B16H9JUd.cjs +1 -1
  33. package/schematics/bundles/output-migration.cjs +6 -6
  34. package/schematics/bundles/pending-tasks.cjs +3 -3
  35. package/schematics/bundles/{project_paths-DePtMwan.cjs → project_paths-D8qIpJ6r.cjs} +3 -3
  36. package/schematics/bundles/project_tsconfig_paths-CDVxT6Ov.cjs +1 -1
  37. package/schematics/bundles/property_name-BBwFuqMe.cjs +1 -1
  38. package/schematics/bundles/provide-initializer.cjs +3 -3
  39. package/schematics/bundles/route-lazy-loading.cjs +3 -3
  40. package/schematics/bundles/self-closing-tags-migration.cjs +4 -4
  41. package/schematics/bundles/signal-input-migration.cjs +7 -7
  42. package/schematics/bundles/signal-queries-migration.cjs +7 -7
  43. package/schematics/bundles/signals.cjs +7 -7
  44. package/schematics/bundles/standalone-migration.cjs +4 -4
  45. package/testing/index.d.ts +1 -1
  46. package/weak_ref.d-DWHPG08n.d.ts +1 -1
package/schematics/bundles/{checker-DLkGMJj-.cjs → checker-C9K-IOAk.cjs} RENAMED
@@ -1,6 +1,6 @@
1
1
  'use strict';
2
2
  /**
3
- * @license Angular v19.2.21
3
+ * @license Angular v19.2.23
4
4
  * (c) 2010-2025 Google LLC. https://angular.io/
5
5
  * License: MIT
6
6
  */
@@ -427,6 +427,150 @@ class SelectorContext {
427
427
  }
428
428
  }
429
429
 
430
+ /**
431
+ * A SecurityContext marks a location that has dangerous security implications, e.g. a DOM property
432
+ * like `innerHTML` that could cause Cross Site Scripting (XSS) security bugs when improperly
433
+ * handled.
434
+ *
435
+ * See DomSanitizer for more details on security in Angular applications.
436
+ *
437
+ * @publicApi
438
+ */
439
+ var SecurityContext;
440
+ (function (SecurityContext) {
441
+ SecurityContext[SecurityContext["NONE"] = 0] = "NONE";
442
+ SecurityContext[SecurityContext["HTML"] = 1] = "HTML";
443
+ SecurityContext[SecurityContext["STYLE"] = 2] = "STYLE";
444
+ SecurityContext[SecurityContext["SCRIPT"] = 3] = "SCRIPT";
445
+ SecurityContext[SecurityContext["URL"] = 4] = "URL";
446
+ SecurityContext[SecurityContext["RESOURCE_URL"] = 5] = "RESOURCE_URL";
447
+ SecurityContext[SecurityContext["ATTRIBUTE_NO_BINDING"] = 6] = "ATTRIBUTE_NO_BINDING";
448
+ })(SecurityContext || (SecurityContext = {}));
449
+ // =================================================================================================
450
+ // =================================================================================================
451
+ // =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
452
+ // =================================================================================================
453
+ // =================================================================================================
454
+ //
455
+ // DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
456
+ //
457
+ // =================================================================================================
458
+ /**
459
+ * Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'.
460
+ */
461
+ let _SECURITY_SCHEMA;
462
+ const SVG_NAMESPACE$1 = 'svg';
463
+ const MATH_ML_NAMESPACE$1 = 'math';
464
+ /**
465
+ * @remarks Keep is a copy of DOM Security Schema.
466
+ * @see [SECURITY_SCHEMA](../../../compiler/src/schema/dom_security_schema.ts)
467
+ */
468
+ function SECURITY_SCHEMA() {
469
+ if (!_SECURITY_SCHEMA) {
470
+ _SECURITY_SCHEMA = {};
471
+ // Case is insignificant below, all element and attribute names are lower-cased for lookup.
472
+ registerContext(SecurityContext.HTML, /** Namespace */ undefined, [
473
+ ['iframe', ['srcdoc']],
474
+ ['*', ['innerHTML', 'outerHTML']],
475
+ ]);
476
+ registerContext(SecurityContext.STYLE, /** Namespace */ undefined, [['*', ['style']]]);
477
+ // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
478
+ registerContext(SecurityContext.URL, /** Namespace */ undefined, [
479
+ ['*', ['formAction']],
480
+ ['area', ['href']],
481
+ ['a', ['href', 'xlink:href']],
482
+ ['form', ['action']],
483
+ // The below two items are safe and should be removed but they require a G3 clean-up as a small number of tests fail.
484
+ ['img', ['src']],
485
+ ['video', ['src']],
486
+ ]);
487
+ registerContext(SecurityContext.URL, MATH_ML_NAMESPACE$1, [
488
+ // MathML namespace
489
+ // https://crsrc.org/c/third_party/blink/renderer/core/sanitizer/sanitizer.cc;l=753-768;drc=b3eb16372dcd3317d65e9e0265015e322494edcd;bpv=1;bpt=1
490
+ ['annotation', ['href', 'xlink:href']],
491
+ ['annotation-xml', ['href', 'xlink:href']],
492
+ ['maction', ['href', 'xlink:href']],
493
+ ['malignmark', ['href', 'xlink:href']],
494
+ ['math', ['href', 'xlink:href']],
495
+ ['mroot', ['href', 'xlink:href']],
496
+ ['msqrt', ['href', 'xlink:href']],
497
+ ['merror', ['href', 'xlink:href']],
498
+ ['mfrac', ['href', 'xlink:href']],
499
+ ['mglyph', ['href', 'xlink:href']],
500
+ ['msub', ['href', 'xlink:href']],
501
+ ['msup', ['href', 'xlink:href']],
502
+ ['msubsup', ['href', 'xlink:href']],
503
+ ['mmultiscripts', ['href', 'xlink:href']],
504
+ ['mprescripts', ['href', 'xlink:href']],
505
+ ['mi', ['href', 'xlink:href']],
506
+ ['mn', ['href', 'xlink:href']],
507
+ ['mo', ['href', 'xlink:href']],
508
+ ['mpadded', ['href', 'xlink:href']],
509
+ ['mphantom', ['href', 'xlink:href']],
510
+ ['mrow', ['href', 'xlink:href']],
511
+ ['ms', ['href', 'xlink:href']],
512
+ ['mspace', ['href', 'xlink:href']],
513
+ ['mstyle', ['href', 'xlink:href']],
514
+ ['mtable', ['href', 'xlink:href']],
515
+ ['mtd', ['href', 'xlink:href']],
516
+ ['mtr', ['href', 'xlink:href']],
517
+ ['mtext', ['href', 'xlink:href']],
518
+ ['mover', ['href', 'xlink:href']],
519
+ ['munder', ['href', 'xlink:href']],
520
+ ['munderover', ['href', 'xlink:href']],
521
+ ['semantics', ['href', 'xlink:href']],
522
+ ['none', ['href', 'xlink:href']],
523
+ ]);
524
+ registerContext(SecurityContext.RESOURCE_URL, /** Namespace */ undefined, [
525
+ ['base', ['href']],
526
+ ['embed', ['src']],
527
+ ['frame', ['src']],
528
+ ['iframe', ['src']],
529
+ ['link', ['href']],
530
+ ['object', ['codebase', 'data']],
531
+ ]);
532
+ registerContext(SecurityContext.URL, SVG_NAMESPACE$1, [['a', ['href', 'xlink:href']]]);
533
+ // Keep this in sync with SECURITY_SENSITIVE_ELEMENTS in packages/core/src/sanitization/sanitization.ts
534
+ // Unknown is the internal tag name for unknown elements example used for host-bindings.
535
+ // These are unsafe as `attributeName` can be `href` or `xlink:href`
536
+ // See: http://b/463880509#comment7
537
+ registerContext(SecurityContext.ATTRIBUTE_NO_BINDING, SVG_NAMESPACE$1, [
538
+ ['animate', ['attributeName', 'values', 'to', 'from']],
539
+ ['set', ['to', 'attributeName']],
540
+ ['animateMotion', ['attributeName']],
541
+ ['animateTransform', ['attributeName']],
542
+ ]);
543
+ registerContext(SecurityContext.ATTRIBUTE_NO_BINDING, /** Namespace */ undefined, [
544
+ [
545
+ 'unknown',
546
+ [
547
+ 'attributeName',
548
+ 'values',
549
+ 'to',
550
+ 'from',
551
+ 'sandbox',
552
+ 'allow',
553
+ 'allowFullscreen',
554
+ 'referrerPolicy',
555
+ 'csp',
556
+ 'fetchPriority',
557
+ ],
558
+ ],
559
+ ['iframe', ['sandbox', 'allow', 'allowFullscreen', 'referrerPolicy', 'csp', 'fetchPriority']],
560
+ ]);
561
+ }
562
+ return _SECURITY_SCHEMA;
563
+ }
564
+ function registerContext(ctx, namespace, specs) {
565
+ for (const [element, attributeNames] of specs) {
566
+ let tagName = namespace && element !== '*' && element !== 'unknown' ? `:${namespace}:${element}` : element;
567
+ tagName = tagName.toLowerCase();
568
+ for (const attr of attributeNames) {
569
+ _SECURITY_SCHEMA[`${tagName}|${attr.toLowerCase()}`] = ctx;
570
+ }
571
+ }
572
+ }
573
+
430
574
  // Attention:
431
575
  // This file duplicates types and values from @angular/core
432
576
  // so that we are able to make @angular/compiler independent of @angular/core.
@@ -460,16 +604,6 @@ const CUSTOM_ELEMENTS_SCHEMA = {
460
604
  const NO_ERRORS_SCHEMA = {
461
605
  name: 'no-errors-schema',
462
606
  };
463
- var SecurityContext;
464
- (function (SecurityContext) {
465
- SecurityContext[SecurityContext["NONE"] = 0] = "NONE";
466
- SecurityContext[SecurityContext["HTML"] = 1] = "HTML";
467
- SecurityContext[SecurityContext["STYLE"] = 2] = "STYLE";
468
- SecurityContext[SecurityContext["SCRIPT"] = 3] = "SCRIPT";
469
- SecurityContext[SecurityContext["URL"] = 4] = "URL";
470
- SecurityContext[SecurityContext["RESOURCE_URL"] = 5] = "RESOURCE_URL";
471
- SecurityContext[SecurityContext["ATTRIBUTE_NO_BINDING"] = 6] = "ATTRIBUTE_NO_BINDING";
472
- })(SecurityContext || (SecurityContext = {}));
473
607
  var MissingTranslationStrategy;
474
608
  (function (MissingTranslationStrategy) {
475
609
  MissingTranslationStrategy[MissingTranslationStrategy["Error"] = 0] = "Error";
@@ -11947,10 +12081,7 @@ class ElementAttributes {
11947
12081
  if (value === null) {
11948
12082
  throw Error('Attribute, i18n attribute, & style element attributes must have a value');
11949
12083
  }
11950
- if (trustedValueFn !== null) {
11951
- if (!isStringLiteral(value)) {
11952
- throw Error('AssertionError: extracted attribute value should be string literal');
11953
- }
12084
+ if (trustedValueFn !== null && isStringLiteral(value)) {
11954
12085
  array.push(taggedTemplate(trustedValueFn, new TemplateLiteralExpr([new TemplateLiteralElementExpr(value.value)], []), undefined, value.sourceSpan));
11955
12086
  }
11956
12087
  else {
@@ -19353,162 +19484,8 @@ function interleave(left, right) {
19353
19484
  return result;
19354
19485
  }
19355
19486
 
19356
- // =================================================================================================
19357
- // =================================================================================================
19358
- // =========== S T O P - S T O P - S T O P - S T O P - S T O P - S T O P ===========
19359
- // =================================================================================================
19360
- // =================================================================================================
19361
- //
19362
- // DO NOT EDIT THIS LIST OF SECURITY SENSITIVE PROPERTIES WITHOUT A SECURITY REVIEW!
19363
- //
19364
- // =================================================================================================
19365
- /** Map from tagName|propertyName to SecurityContext. Properties applying to all tags use '*'. */
19366
- let _SECURITY_SCHEMA;
19367
- function SECURITY_SCHEMA() {
19368
- if (!_SECURITY_SCHEMA) {
19369
- _SECURITY_SCHEMA = {};
19370
- // Case is insignificant below, all element and attribute names are lower-cased for lookup.
19371
- registerContext(SecurityContext.HTML, ['iframe|srcdoc', '*|innerHTML', '*|outerHTML']);
19372
- registerContext(SecurityContext.STYLE, ['*|style']);
19373
- // NB: no SCRIPT contexts here, they are never allowed due to the parser stripping them.
19374
- registerContext(SecurityContext.URL, [
19375
- '*|formAction',
19376
- 'area|href',
19377
- 'area|ping',
19378
- 'audio|src',
19379
- 'a|href',
19380
- 'a|xlink:href',
19381
- 'a|ping',
19382
- 'blockquote|cite',
19383
- 'body|background',
19384
- 'del|cite',
19385
- 'form|action',
19386
- 'img|src',
19387
- 'input|src',
19388
- 'ins|cite',
19389
- 'q|cite',
19390
- 'source|src',
19391
- 'track|src',
19392
- 'video|poster',
19393
- 'video|src',
19394
- // MathML namespace
19395
- // https://crsrc.org/c/third_party/blink/renderer/core/sanitizer/sanitizer.cc;l=753-768;drc=b3eb16372dcd3317d65e9e0265015e322494edcd;bpv=1;bpt=1
19396
- 'annotation|href',
19397
- 'annotation|xlink:href',
19398
- 'annotation-xml|href',
19399
- 'annotation-xml|xlink:href',
19400
- 'maction|href',
19401
- 'maction|xlink:href',
19402
- 'malignmark|href',
19403
- 'malignmark|xlink:href',
19404
- 'math|href',
19405
- 'math|xlink:href',
19406
- 'mroot|href',
19407
- 'mroot|xlink:href',
19408
- 'msqrt|href',
19409
- 'msqrt|xlink:href',
19410
- 'merror|href',
19411
- 'merror|xlink:href',
19412
- 'mfrac|href',
19413
- 'mfrac|xlink:href',
19414
- 'mglyph|href',
19415
- 'mglyph|xlink:href',
19416
- 'msub|href',
19417
- 'msub|xlink:href',
19418
- 'msup|href',
19419
- 'msup|xlink:href',
19420
- 'msubsup|href',
19421
- 'msubsup|xlink:href',
19422
- 'mmultiscripts|href',
19423
- 'mmultiscripts|xlink:href',
19424
- 'mprescripts|href',
19425
- 'mprescripts|xlink:href',
19426
- 'mi|href',
19427
- 'mi|xlink:href',
19428
- 'mn|href',
19429
- 'mn|xlink:href',
19430
- 'mo|href',
19431
- 'mo|xlink:href',
19432
- 'mpadded|href',
19433
- 'mpadded|xlink:href',
19434
- 'mphantom|href',
19435
- 'mphantom|xlink:href',
19436
- 'mrow|href',
19437
- 'mrow|xlink:href',
19438
- 'ms|href',
19439
- 'ms|xlink:href',
19440
- 'mspace|href',
19441
- 'mspace|xlink:href',
19442
- 'mstyle|href',
19443
- 'mstyle|xlink:href',
19444
- 'mtable|href',
19445
- 'mtable|xlink:href',
19446
- 'mtd|href',
19447
- 'mtd|xlink:href',
19448
- 'mtr|href',
19449
- 'mtr|xlink:href',
19450
- 'mtext|href',
19451
- 'mtext|xlink:href',
19452
- 'mover|href',
19453
- 'mover|xlink:href',
19454
- 'munder|href',
19455
- 'munder|xlink:href',
19456
- 'munderover|href',
19457
- 'munderover|xlink:href',
19458
- 'semantics|href',
19459
- 'semantics|xlink:href',
19460
- 'none|href',
19461
- 'none|xlink:href',
19462
- ]);
19463
- registerContext(SecurityContext.RESOURCE_URL, [
19464
- 'applet|code',
19465
- 'applet|codebase',
19466
- 'base|href',
19467
- 'embed|src',
19468
- 'frame|src',
19469
- 'head|profile',
19470
- 'html|manifest',
19471
- 'iframe|src',
19472
- 'link|href',
19473
- 'media|src',
19474
- 'object|codebase',
19475
- 'object|data',
19476
- 'script|src',
19477
- // The below two are for Script SVG
19478
- // See: https://developer.mozilla.org/en-US/docs/Web/API/SVGScriptElement/href
19479
- 'script|href',
19480
- 'script|xlink:href',
19481
- ]);
19482
- // Keep this in sync with SECURITY_SENSITIVE_ELEMENTS in packages/core/src/sanitization/sanitization.ts
19483
- // Unknown is the internal tag name for unknown elements example used for host-bindings.
19484
- // These are unsafe as `attributeName` can be `href` or `xlink:href`
19485
- // See: http://b/463880509#comment7
19486
- registerContext(SecurityContext.ATTRIBUTE_NO_BINDING, [
19487
- 'animate|attributeName',
19488
- 'set|attributeName',
19489
- 'animateMotion|attributeName',
19490
- 'animateTransform|attributeName',
19491
- 'unknown|attributeName',
19492
- 'iframe|sandbox',
19493
- 'iframe|allow',
19494
- 'iframe|allowFullscreen',
19495
- 'iframe|referrerPolicy',
19496
- 'iframe|csp',
19497
- 'iframe|fetchPriority',
19498
- 'unknown|sandbox',
19499
- 'unknown|allow',
19500
- 'unknown|allowFullscreen',
19501
- 'unknown|referrerPolicy',
19502
- 'unknown|csp',
19503
- 'unknown|fetchPriority',
19504
- ]);
19505
- }
19506
- return _SECURITY_SCHEMA;
19507
- }
19508
- function registerContext(ctx, specs) {
19509
- for (const spec of specs)
19510
- _SECURITY_SCHEMA[spec.toLowerCase()] = ctx;
19511
- }
19487
+ const SVG_NAMESPACE = 'svg';
19488
+ const MATH_ML_NAMESPACE = 'math';
19512
19489
 
19513
19490
  class ElementSchemaRegistry {
19514
19491
  }
@@ -19517,6 +19494,11 @@ const BOOLEAN = 'boolean';
19517
19494
  const NUMBER = 'number';
19518
19495
  const STRING = 'string';
19519
19496
  const OBJECT = 'object';
19497
+ function normalizeTagName(tagName) {
19498
+ const tagNameLower = tagName.toLowerCase();
19499
+ const [ns, name] = splitNsName(tagNameLower, false);
19500
+ return ns === SVG_NAMESPACE || ns === MATH_ML_NAMESPACE ? `:${ns}:${name}` : name;
19501
+ }
19520
19502
  /**
19521
19503
  * This array represents the DOM schema. It encodes inheritance, properties, and events.
19522
19504
  *
@@ -19823,8 +19805,9 @@ class DomElementSchemaRegistry extends ElementSchemaRegistry {
19823
19805
  if (schemaMetas.some((schema) => schema.name === NO_ERRORS_SCHEMA.name)) {
19824
19806
  return true;
19825
19807
  }
19826
- if (tagName.indexOf('-') > -1) {
19827
- if (isNgContainer(tagName) || isNgContent(tagName)) {
19808
+ const normalizedTag = normalizeTagName(tagName);
19809
+ if (normalizedTag.includes('-')) {
19810
+ if (isNgContainer(normalizedTag) || isNgContent(normalizedTag)) {
19828
19811
  return false;
19829
19812
  }
19830
19813
  if (schemaMetas.some((schema) => schema.name === CUSTOM_ELEMENTS_SCHEMA.name)) {
@@ -19833,15 +19816,16 @@ class DomElementSchemaRegistry extends ElementSchemaRegistry {
19833
19816
  return true;
19834
19817
  }
19835
19818
  }
19836
- const elementProperties = this._schema.get(tagName.toLowerCase()) || this._schema.get('unknown');
19819
+ const elementProperties = this._schema.get(normalizedTag) || this._schema.get('unknown');
19837
19820
  return elementProperties.has(propName);
19838
19821
  }
19839
19822
  hasElement(tagName, schemaMetas) {
19840
19823
  if (schemaMetas.some((schema) => schema.name === NO_ERRORS_SCHEMA.name)) {
19841
19824
  return true;
19842
19825
  }
19843
- if (tagName.indexOf('-') > -1) {
19844
- if (isNgContainer(tagName) || isNgContent(tagName)) {
19826
+ const normalizedTag = normalizeTagName(tagName);
19827
+ if (normalizedTag.includes('-')) {
19828
+ if (isNgContainer(normalizedTag) || isNgContent(normalizedTag)) {
19845
19829
  return true;
19846
19830
  }
19847
19831
  if (schemaMetas.some((schema) => schema.name === CUSTOM_ELEMENTS_SCHEMA.name)) {
@@ -19849,7 +19833,7 @@ class DomElementSchemaRegistry extends ElementSchemaRegistry {
19849
19833
  return true;
19850
19834
  }
19851
19835
  }
19852
- return this._schema.has(tagName.toLowerCase());
19836
+ return this._schema.has(normalizedTag);
19853
19837
  }
19854
19838
  /**
19855
19839
  * securityContext returns the security context for the given property on the given DOM tag.
@@ -19866,16 +19850,13 @@ class DomElementSchemaRegistry extends ElementSchemaRegistry {
19866
19850
  // NB: For security purposes, use the mapped property name, not the attribute name.
19867
19851
  propName = this.getMappedPropName(propName);
19868
19852
  }
19869
- // Make sure comparisons are case insensitive, so that case differences between attribute and
19870
- // property names do not have a security impact.
19871
- tagName = tagName.toLowerCase();
19853
+ const normalizedTag = normalizeTagName(tagName);
19872
19854
  propName = propName.toLowerCase();
19873
- let ctx = SECURITY_SCHEMA()[tagName + '|' + propName];
19874
- if (ctx) {
19875
- return ctx;
19876
- }
19877
- ctx = SECURITY_SCHEMA()['*|' + propName];
19878
- return ctx ? ctx : SecurityContext.NONE;
19855
+ const securitySchema = SECURITY_SCHEMA();
19856
+ const ctx = securitySchema[normalizedTag + '|' + propName] ??
19857
+ securitySchema['*|' + propName] ??
19858
+ SecurityContext.NONE;
19859
+ return ctx;
19879
19860
  }
19880
19861
  getMappedPropName(propName) {
19881
19862
  return _ATTR_TO_PROP.get(propName) ?? propName;
@@ -19909,12 +19890,14 @@ class DomElementSchemaRegistry extends ElementSchemaRegistry {
19909
19890
  return Array.from(this._schema.keys());
19910
19891
  }
19911
19892
  allKnownAttributesOfElement(tagName) {
19912
- const elementProperties = this._schema.get(tagName.toLowerCase()) || this._schema.get('unknown');
19893
+ const normalizedTag = normalizeTagName(tagName);
19894
+ const elementProperties = this._schema.get(normalizedTag) || this._schema.get('unknown');
19913
19895
  // Convert properties to attributes.
19914
19896
  return Array.from(elementProperties.keys()).map((prop) => _PROP_TO_ATTR.get(prop) ?? prop);
19915
19897
  }
19916
19898
  allKnownEventsOfElement(tagName) {
19917
- return Array.from(this._eventSchema.get(tagName.toLowerCase()) ?? []);
19899
+ const normalizedTag = normalizeTagName(tagName);
19900
+ return Array.from(this._eventSchema.get(normalizedTag) ?? []);
19918
19901
  }
19919
19902
  normalizeAnimationStyleProperty(propName) {
19920
19903
  return dashCaseToCamelCase(propName);
@@ -23920,6 +23903,61 @@ function updatePlaceholder(op, value, i18nContexts, icuPlaceholders) {
23920
23903
  }
23921
23904
  }
23922
23905
 
23906
+ /**
23907
+ * Wraps static i18n extracted attributes in their corresponding sanitizers/validators.
23908
+ */
23909
+ function resolveI18nAttrSanitizers(job) {
23910
+ const tagNamesByElement = new Map();
23911
+ for (const unit of job.units) {
23912
+ for (const op of unit.ops()) {
23913
+ if (op.kind === OpKind.ElementStart || op.kind === OpKind.Template) {
23914
+ let tag = op.tag ?? '';
23915
+ switch (op.namespace) {
23916
+ case Namespace.SVG:
23917
+ tag = `:${SVG_NAMESPACE}:${tag}`;
23918
+ break;
23919
+ case Namespace.Math:
23920
+ tag = `:${MATH_ML_NAMESPACE}:${tag}`;
23921
+ break;
23922
+ }
23923
+ tagNamesByElement.set(op.xref, tag);
23924
+ }
23925
+ }
23926
+ }
23927
+ for (const unit of job.units) {
23928
+ for (const op of unit.create) {
23929
+ if (op.kind === OpKind.ExtractedAttribute &&
23930
+ op.i18nContext !== null &&
23931
+ op.expression !== null) {
23932
+ const tagName = tagNamesByElement.get(op.target) ?? '';
23933
+ let expr = op.expression;
23934
+ switch (op.securityContext) {
23935
+ case SecurityContext.HTML:
23936
+ expr = importExpr(Identifiers.sanitizeHtml).callFn([expr]);
23937
+ break;
23938
+ case SecurityContext.STYLE:
23939
+ expr = importExpr(Identifiers.sanitizeStyle).callFn([expr]);
23940
+ break;
23941
+ case SecurityContext.SCRIPT:
23942
+ expr = importExpr(Identifiers.sanitizeScript).callFn([expr]);
23943
+ break;
23944
+ case SecurityContext.URL:
23945
+ expr = importExpr(Identifiers.sanitizeUrl).callFn([expr]);
23946
+ break;
23947
+ case SecurityContext.RESOURCE_URL:
23948
+ expr = importExpr(Identifiers.sanitizeResourceUrl).callFn([expr]);
23949
+ break;
23950
+ case SecurityContext.ATTRIBUTE_NO_BINDING:
23951
+ expr = importExpr(Identifiers.validateAttribute)
23952
+ .callFn([expr, literal$1(tagName), literal$1(op.name)]);
23953
+ break;
23954
+ }
23955
+ op.expression = expr;
23956
+ }
23957
+ }
23958
+ }
23959
+ }
23960
+
23923
23961
  /**
23924
23962
  * Resolves lexical references in views (`ir.LexicalReadExpr`) to either a target variable or to
23925
23963
  * property reads on the top-level component context.
@@ -25252,6 +25290,7 @@ const phases = [
25252
25290
  { kind: CompilationJobKind.Tmpl, fn: resolveI18nExpressionPlaceholders },
25253
25291
  { kind: CompilationJobKind.Tmpl, fn: extractI18nMessages },
25254
25292
  { kind: CompilationJobKind.Tmpl, fn: collectI18nConsts },
25293
+ { kind: CompilationJobKind.Tmpl, fn: resolveI18nAttrSanitizers },
25255
25294
  { kind: CompilationJobKind.Tmpl, fn: collectConstExpressions },
25256
25295
  { kind: CompilationJobKind.Both, fn: collectElementConsts },
25257
25296
  { kind: CompilationJobKind.Tmpl, fn: removeI18nContexts },
@@ -26105,7 +26144,19 @@ function ingestElementBindings(unit, op, element) {
26105
26144
  let i18nAttributeBindingNames = new Set();
26106
26145
  for (const attr of element.attributes) {
26107
26146
  // Attribute literal bindings, such as `attr.foo="bar"`.
26108
- const securityContext = domSchema.securityContext(element.name, attr.name, true);
26147
+ const [ns, elementName] = splitNsName(element.name);
26148
+ let namespace = ns;
26149
+ if (!ns) {
26150
+ switch (op.namespace) {
26151
+ case Namespace.SVG:
26152
+ namespace = SVG_NAMESPACE;
26153
+ break;
26154
+ case Namespace.Math:
26155
+ namespace = MATH_ML_NAMESPACE;
26156
+ break;
26157
+ }
26158
+ }
26159
+ const securityContext = domSchema.securityContext(namespace ? `:${namespace}:${elementName}` : elementName, attr.name, true);
26109
26160
  bindings.push(createBindingOp(op.xref, BindingKind.Attribute, attr.name, convertAstWithInterpolation(unit.job, attr.value, attr.i18n), null, securityContext, true, false, null, asMessage(attr.i18n), attr.sourceSpan));
26110
26161
  if (attr.i18n) {
26111
26162
  i18nAttributeBindingNames.add(attr.name);
@@ -27026,15 +27077,43 @@ function isAnimationLabel(name) {
27026
27077
  return name[0] == '@';
27027
27078
  }
27028
27079
  function calcPossibleSecurityContexts(registry, selector, propName, isAttribute) {
27029
- const ctxs = [];
27030
- CssSelector.parse(selector).forEach((selector) => {
27031
- const elementNames = selector.element ? [selector.element] : registry.allKnownElementNames();
27032
- const notElementNames = new Set(selector.notSelectors
27033
- .filter((selector) => selector.isElementSelector())
27034
- .map((selector) => selector.element));
27035
- const possibleElementNames = elementNames.filter((elementName) => !notElementNames.has(elementName));
27036
- ctxs.push(...possibleElementNames.map((elementName) => registry.securityContext(elementName, propName, isAttribute)));
27037
- });
27080
+ let ctxs;
27081
+ const [namespaceKey, baseSelector] = selector ? splitNsName(selector, false) : [null, selector];
27082
+ const nameToContext = (elName) => {
27083
+ const [nsStr, name] = splitNsName(elName, false);
27084
+ const ns = nsStr ?? namespaceKey;
27085
+ const fullName = ns ? `:${ns}:${name}` : name;
27086
+ return registry.securityContext(fullName, propName, isAttribute);
27087
+ };
27088
+ const allKnownElements = registry.allKnownElementNames();
27089
+ if (baseSelector === null) {
27090
+ ctxs = allKnownElements.map(nameToContext);
27091
+ }
27092
+ else {
27093
+ ctxs = [];
27094
+ CssSelector.parse(baseSelector).forEach((selector) => {
27095
+ let elementNames = selector.element ? [selector.element] : allKnownElements;
27096
+ if (selector.element && !registry.hasElement(selector.element, [])) {
27097
+ const svgElement = `:${SVG_NAMESPACE}:${selector.element}`;
27098
+ const mathElement = `:${MATH_ML_NAMESPACE}:${selector.element}`;
27099
+ if (registry.hasElement(svgElement, [])) {
27100
+ elementNames = [svgElement];
27101
+ }
27102
+ else if (registry.hasElement(mathElement, [])) {
27103
+ elementNames = [mathElement];
27104
+ }
27105
+ }
27106
+ const notElementNames = new Set(selector.notSelectors
27107
+ .filter((selector) => selector.isElementSelector())
27108
+ .map((selector) => selector.element?.toLowerCase()));
27109
+ const possibleElementNames = elementNames.filter((elName) => {
27110
+ const elNameLowerCase = elName.toLowerCase();
27111
+ return (!notElementNames.has(elNameLowerCase) &&
27112
+ !notElementNames.has(splitNsName(elNameLowerCase)[1]));
27113
+ });
27114
+ ctxs.push(...possibleElementNames.map(nameToContext));
27115
+ });
27116
+ }
27038
27117
  return ctxs.length === 0 ? [SecurityContext.NONE] : Array.from(new Set(ctxs)).sort();
27039
27118
  }
27040
27119
  /**
@@ -27066,8 +27145,8 @@ const LINK_ELEMENT = 'link';
27066
27145
  const LINK_STYLE_REL_ATTR = 'rel';
27067
27146
  const LINK_STYLE_HREF_ATTR = 'href';
27068
27147
  const LINK_STYLE_REL_VALUE = 'stylesheet';
27069
- const STYLE_ELEMENT = 'style';
27070
- const SCRIPT_ELEMENT = 'script';
27148
+ const STYLE_ELEMENTS = new Set([':svg:style', 'style']);
27149
+ const SCRIPT_ELEMENTS = new Set([':svg:script', 'script']);
27071
27150
  const NG_NON_BINDABLE_ATTR = 'ngNonBindable';
27072
27151
  const NG_PROJECT_AS = 'ngProjectAs';
27073
27152
  function preparseElement(ast) {
@@ -27076,7 +27155,7 @@ function preparseElement(ast) {
27076
27155
  let relAttr = null;
27077
27156
  let nonBindable = false;
27078
27157
  let projectAs = '';
27079
- ast.attrs.forEach((attr) => {
27158
+ for (const attr of ast.attrs) {
27080
27159
  const lcAttrName = attr.name.toLowerCase();
27081
27160
  if (lcAttrName == NG_CONTENT_SELECT_ATTR) {
27082
27161
  selectAttr = attr.value;
@@ -27095,17 +27174,18 @@ function preparseElement(ast) {
27095
27174
  projectAs = attr.value;
27096
27175
  }
27097
27176
  }
27098
- });
27099
- selectAttr = normalizeNgContentSelect(selectAttr);
27177
+ }
27178
+ // Normalize selector to '*' if empty
27179
+ selectAttr ||= '*';
27100
27180
  const nodeName = ast.name.toLowerCase();
27101
27181
  let type = PreparsedElementType.OTHER;
27102
27182
  if (isNgContent(nodeName)) {
27103
27183
  type = PreparsedElementType.NG_CONTENT;
27104
27184
  }
27105
- else if (nodeName == STYLE_ELEMENT) {
27185
+ else if (STYLE_ELEMENTS.has(nodeName)) {
27106
27186
  type = PreparsedElementType.STYLE;
27107
27187
  }
27108
- else if (nodeName == SCRIPT_ELEMENT) {
27188
+ else if (SCRIPT_ELEMENTS.has(nodeName)) {
27109
27189
  type = PreparsedElementType.SCRIPT;
27110
27190
  }
27111
27191
  else if (nodeName == LINK_ELEMENT && relAttr == LINK_STYLE_REL_VALUE) {
@@ -27135,12 +27215,6 @@ class PreparsedElement {
27135
27215
  this.projectAs = projectAs;
27136
27216
  }
27137
27217
  }
27138
- function normalizeNgContentSelect(selectAttr) {
27139
- if (selectAttr === null || selectAttr.length === 0) {
27140
- return '*';
27141
- }
27142
- return selectAttr;
27143
- }
27144
27218
 
27145
27219
  /** Pattern for the expression in a for loop block. */
27146
27220
  const FOR_LOOP_EXPRESSION_PATTERN = /^\s*([0-9A-Za-z_$]*)\s+of\s+([\S\s]*)/;
@@ -30781,7 +30855,7 @@ function publishFacade(global) {
30781
30855
  * @description
30782
30856
  * Entry point for all public APIs of the compiler package.
30783
30857
  */
30784
- new Version('19.2.21');
30858
+ new Version('19.2.23');
30785
30859
 
30786
30860
  const _I18N_ATTR = 'i18n';
30787
30861
  const _I18N_ATTR_PREFIX = 'i18n-';
@@ -32199,7 +32273,7 @@ class NodeJSPathManipulation {
32199
32273
  // G3-ESM-MARKER: G3 uses CommonJS, but externally everything in ESM.
32200
32274
  // CommonJS/ESM interop for determining the current file name and containing dir.
32201
32275
  const isCommonJS = typeof __filename !== 'undefined';
32202
- const currentFileUrl = isCommonJS ? null : (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('checker-DLkGMJj-.cjs', document.baseURI).href));
32276
+ const currentFileUrl = isCommonJS ? null : (typeof document === 'undefined' ? require('u' + 'rl').pathToFileURL(__filename).href : (_documentCurrentScript && _documentCurrentScript.tagName.toUpperCase() === 'SCRIPT' && _documentCurrentScript.src || new URL('checker-C9K-IOAk.cjs', document.baseURI).href));
32203
32277
  const currentFileName = isCommonJS ? __filename : url.fileURLToPath(currentFileUrl);
32204
32278
  /**
32205
32279
  * A wrapper around the Node.js file-system that supports readonly operations and path manipulation.