@angular/language-service 9.1.12 → 9.1.13
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* @license Angular v9.1.
|
|
2
|
+
* @license Angular v9.1.13
|
|
3
3
|
* Copyright Google Inc. All Rights Reserved.
|
|
4
4
|
* License: MIT
|
|
5
5
|
*/
|
|
@@ -19601,7 +19601,7 @@ define(['exports', 'typescript/lib/tsserverlibrary', 'typescript', 'path'], func
|
|
|
19601
19601
|
* Use of this source code is governed by an MIT-style license that can be
|
|
19602
19602
|
* found in the LICENSE file at https://angular.io/license
|
|
19603
19603
|
*/
|
|
19604
|
-
var VERSION$1 = new Version('9.1.
|
|
19604
|
+
var VERSION$1 = new Version('9.1.13');
|
|
19605
19605
|
|
|
19606
19606
|
/**
|
|
19607
19607
|
* @license
|
|
@@ -33620,6 +33620,42 @@ define(['exports', 'typescript/lib/tsserverlibrary', 'typescript', 'path'], func
|
|
|
33620
33620
|
SecurityContext[SecurityContext["RESOURCE_URL"] = 5] = "RESOURCE_URL";
|
|
33621
33621
|
})(SecurityContext$1 || (SecurityContext$1 = {}));
|
|
33622
33622
|
|
|
33623
|
+
/**
|
|
33624
|
+
* @license
|
|
33625
|
+
* Copyright Google Inc. All Rights Reserved.
|
|
33626
|
+
*
|
|
33627
|
+
* Use of this source code is governed by an MIT-style license that can be
|
|
33628
|
+
* found in the LICENSE file at https://angular.io/license
|
|
33629
|
+
*/
|
|
33630
|
+
var END_COMMENT = /-->/g;
|
|
33631
|
+
var END_COMMENT_ESCAPED = '-\u200B-\u200B>';
|
|
33632
|
+
/**
|
|
33633
|
+
* Escape the content of the strings so that it can be safely inserted into a comment node.
|
|
33634
|
+
*
|
|
33635
|
+
* The issue is that HTML does not specify any way to escape comment end text inside the comment.
|
|
33636
|
+
* `<!-- The way you close a comment is with "-->". -->`. Above the `"-->"` is meant to be text not
|
|
33637
|
+
* an end to the comment. This can be created programmatically through DOM APIs.
|
|
33638
|
+
*
|
|
33639
|
+
* ```
|
|
33640
|
+
* div.innerHTML = div.innerHTML
|
|
33641
|
+
* ```
|
|
33642
|
+
*
|
|
33643
|
+
* One would expect that the above code would be safe to do, but it turns out that because comment
|
|
33644
|
+
* text is not escaped, the comment may contain text which will prematurely close the comment
|
|
33645
|
+
* opening up the application for XSS attack. (In SSR we programmatically create comment nodes which
|
|
33646
|
+
* may contain such text and expect them to be safe.)
|
|
33647
|
+
*
|
|
33648
|
+
* This function escapes the comment text by looking for the closing char sequence `-->` and replace
|
|
33649
|
+
* it with `-_-_>` where the `_` is a zero width space `\u200B`. The result is that if a comment
|
|
33650
|
+
* contains `-->` text it will render normally but it will not cause the HTML parser to close the
|
|
33651
|
+
* comment.
|
|
33652
|
+
*
|
|
33653
|
+
* @param value text to make safe for comment node by escaping the comment close character sequence
|
|
33654
|
+
*/
|
|
33655
|
+
function escapeCommentText(value) {
|
|
33656
|
+
return value.replace(END_COMMENT, END_COMMENT_ESCAPED);
|
|
33657
|
+
}
|
|
33658
|
+
|
|
33623
33659
|
/**
|
|
33624
33660
|
* @license
|
|
33625
33661
|
* Copyright Google Inc. All Rights Reserved.
|
|
@@ -40127,7 +40163,7 @@ define(['exports', 'typescript/lib/tsserverlibrary', 'typescript', 'path'], func
|
|
|
40127
40163
|
/**
|
|
40128
40164
|
* @publicApi
|
|
40129
40165
|
*/
|
|
40130
|
-
var VERSION$2 = new Version$1('9.1.
|
|
40166
|
+
var VERSION$2 = new Version$1('9.1.13');
|
|
40131
40167
|
|
|
40132
40168
|
/**
|
|
40133
40169
|
* @license
|
|
@@ -49271,7 +49307,7 @@ define(['exports', 'typescript/lib/tsserverlibrary', 'typescript', 'path'], func
|
|
|
49271
49307
|
var el = asElementData(view, elDef.nodeIndex).renderElement;
|
|
49272
49308
|
if (!elDef.element.name) {
|
|
49273
49309
|
// a comment.
|
|
49274
|
-
view.renderer.setValue(el, "bindings=" + JSON.stringify(bindingValues, null, 2));
|
|
49310
|
+
view.renderer.setValue(el, escapeCommentText("bindings=" + JSON.stringify(bindingValues, null, 2)));
|
|
49275
49311
|
}
|
|
49276
49312
|
else {
|
|
49277
49313
|
// a regular element.
|
|
@@ -49560,7 +49596,7 @@ define(['exports', 'typescript/lib/tsserverlibrary', 'typescript', 'path'], func
|
|
|
49560
49596
|
return el;
|
|
49561
49597
|
};
|
|
49562
49598
|
DebugRenderer2.prototype.createComment = function (value) {
|
|
49563
|
-
var comment = this.delegate.createComment(value);
|
|
49599
|
+
var comment = this.delegate.createComment(escapeCommentText(value));
|
|
49564
49600
|
var debugCtx = this.createDebugContext(comment);
|
|
49565
49601
|
if (debugCtx) {
|
|
49566
49602
|
indexDebugNode(new DebugNode__PRE_R3__(comment, null, debugCtx));
|
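Review bot: `END_COMMENT = /-->/g` in the hunk at new lines 33630–33657 matches only the `-->` terminator, but the HTML parser also ends a comment at `--!>` and treats comment data that begins with `>` or `->` as an already-closed comment. Text carrying those forms would still leave the comment when serialized markup is re-parsed, which is the SSR case the docstring names. I would widen the pattern to cover them, e.g. `var END_COMMENT = /^>|^->|-->|--!>/g;`, switch the replacement to a function that inserts `\u200B` between the matched characters, and add one test per terminator. Separately, `escapeCommentText` calls `value.replace` directly, so a non-string `value` reaching `DebugRenderer2.prototype.createComment` (hunk at new line 49596) would now throw instead of being passed to the delegate. Whether any caller can pass one is not visible here, and that function's body continues outside the hunk.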