npm - @angular/platform-browser - Versions diffs - 0.0.0-6 → 2.0.0-rc.2 - Mend

@angular/platform-browser 0.0.0-6 → 2.0.0-rc.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (546) hide show

package/bundles/platform-browser.umd.js +4685 -0
package/bundles/platform-browser.umd.min.js +4 -0
package/core_private.d.ts +27 -1
package/core_private.js +16 -0
package/core_private.js.map +1 -1
package/core_private.metadata.json +1 -1
package/esm/core_private.d.ts +27 -1
package/esm/core_private.js +16 -0
package/esm/core_private.js.map +1 -1
package/esm/core_private.metadata.json +1 -1
package/esm/index.d.ts +22 -1
package/esm/index.js +25 -1
package/esm/index.js.map +1 -1
package/esm/index.metadata.json +1 -0
package/esm/private_export.d.ts +21 -21
package/esm/private_export.js +11 -21
package/esm/private_export.js.map +1 -1
package/esm/private_export.metadata.json +1 -0
package/esm/src/browser/browser_adapter.d.ts +6 -0
package/esm/src/browser/browser_adapter.js +146 -76
package/esm/src/browser/browser_adapter.js.map +1 -1
package/esm/src/browser/generic_browser_adapter.js +4 -4
package/esm/src/browser/generic_browser_adapter.js.map +1 -1
package/esm/src/browser/location/browser_platform_location.d.ts +1 -5
package/esm/src/browser/location/browser_platform_location.js +16 -3
package/esm/src/browser/location/browser_platform_location.js.map +1 -1
package/esm/src/browser/location/browser_platform_location.metadata.json +1 -1
package/esm/src/browser/location/history.d.ts +1 -0
package/esm/src/browser/location/history.js +4 -0
package/esm/src/browser/location/history.js.map +1 -0
package/esm/src/browser/location/history.metadata.json +1 -0
package/esm/src/browser/testability.d.ts +1 -1
package/esm/src/browser/testability.js +7 -5
package/esm/src/browser/testability.js.map +1 -1
package/esm/src/browser/title.d.ts +2 -0
package/esm/src/browser/title.js +2 -0
package/esm/src/browser/title.js.map +1 -1
package/esm/src/browser/tools/common_tools.js +2 -2
package/esm/src/browser/tools/common_tools.js.map +1 -1
package/esm/src/browser/tools/tools.d.ts +1 -1
package/esm/src/browser/tools/tools.js +2 -1
package/esm/src/browser/tools/tools.js.map +1 -1
package/esm/src/browser.d.ts +15 -0
package/esm/src/browser.js +76 -0
package/esm/src/browser.js.map +1 -0
package/esm/src/browser.metadata.json +1 -0
package/esm/src/dom/debug/by.d.ts +2 -2
package/esm/src/dom/debug/by.js +1 -1
package/esm/src/dom/debug/by.js.map +1 -1
package/esm/src/dom/debug/ng_probe.js +10 -19
package/esm/src/dom/debug/ng_probe.js.map +1 -1
package/esm/src/dom/debug/ng_probe.metadata.json +1 -1
package/esm/src/dom/dom_adapter.d.ts +7 -5
package/esm/src/dom/dom_adapter.js +1 -1
package/esm/src/dom/dom_adapter.js.map +1 -1
package/esm/src/dom/dom_adapter.metadata.json +1 -0
package/esm/src/dom/dom_animate_player.d.ts +9 -0
package/esm/src/dom/dom_animate_player.js +1 -0
package/esm/src/dom/dom_animate_player.js.map +1 -0
package/esm/src/dom/dom_renderer.d.ts +9 -19
package/esm/src/dom/dom_renderer.js +29 -61
package/esm/src/dom/dom_renderer.js.map +1 -1
package/esm/src/dom/dom_renderer.metadata.json +1 -1
package/esm/src/dom/dom_tokens.js.map +1 -1
package/esm/src/dom/dom_tokens.metadata.json +1 -1
package/esm/src/dom/events/dom_events.js +3 -2
package/esm/src/dom/events/dom_events.js.map +1 -1
package/esm/src/dom/events/dom_events.metadata.json +1 -1
package/esm/src/dom/events/event_manager.d.ts +1 -3
package/esm/src/dom/events/event_manager.js +9 -8
package/esm/src/dom/events/event_manager.js.map +1 -1
package/esm/src/dom/events/event_manager.metadata.json +1 -1
package/esm/src/dom/events/hammer_common.js +1 -1
package/esm/src/dom/events/hammer_common.js.map +1 -1
package/esm/src/dom/events/hammer_gestures.js +10 -6
package/esm/src/dom/events/hammer_gestures.js.map +1 -1
package/esm/src/dom/events/hammer_gestures.metadata.json +1 -1
package/esm/src/dom/events/key_events.d.ts +0 -2
package/esm/src/dom/events/key_events.js +5 -3
package/esm/src/dom/events/key_events.js.map +1 -1
package/esm/src/dom/events/key_events.metadata.json +1 -1
package/esm/src/dom/shared_styles_host.d.ts +0 -6
package/esm/src/dom/shared_styles_host.js +5 -1
package/esm/src/dom/shared_styles_host.js.map +1 -1
package/esm/src/dom/shared_styles_host.metadata.json +1 -1
package/esm/src/dom/util.js +3 -3
package/esm/src/dom/util.js.map +1 -1
package/esm/src/dom/util.metadata.json +1 -0
package/esm/src/dom/web_animations_driver.d.ts +4 -0
package/esm/src/dom/web_animations_driver.js +118 -0
package/esm/src/dom/web_animations_driver.js.map +1 -0
package/esm/src/dom/web_animations_player.d.ts +20 -0
package/esm/src/dom/web_animations_player.js +42 -0
package/esm/src/dom/web_animations_player.js.map +1 -0
package/esm/src/facade/async.d.ts +90 -0
package/esm/src/facade/async.js +137 -0
package/esm/src/facade/async.js.map +1 -0
package/esm/src/facade/base_wrapped_exception.js +4 -4
package/esm/src/facade/base_wrapped_exception.js.map +1 -1
package/esm/src/facade/browser.js +2 -2
package/esm/src/facade/browser.js.map +1 -1
package/esm/src/facade/browser.metadata.json +1 -1
package/esm/src/facade/collection.js +1 -1
package/esm/src/facade/collection.js.map +1 -1
package/esm/src/facade/collection.metadata.json +1 -1
package/esm/src/facade/exception_handler.d.ts +2 -11
package/esm/src/facade/exception_handler.js +8 -7
package/esm/src/facade/exception_handler.js.map +1 -1
package/esm/src/facade/exceptions.d.ts +4 -0
package/esm/src/facade/exceptions.js +6 -2
package/esm/src/facade/exceptions.js.map +1 -1
package/esm/src/facade/exceptions.metadata.json +1 -0
package/esm/src/facade/lang.d.ts +6 -4
package/esm/src/facade/lang.js +12 -11
package/esm/src/facade/lang.js.map +1 -1
package/esm/src/facade/lang.metadata.json +1 -1
package/esm/src/facade/promise.d.ts +17 -0
package/esm/src/facade/promise.js +41 -0
package/esm/src/facade/promise.js.map +1 -0
package/esm/src/security/dom_sanitization_service.d.ts +98 -0
package/esm/src/security/dom_sanitization_service.js +108 -0
package/esm/src/security/dom_sanitization_service.js.map +1 -0
package/esm/src/security/dom_sanitization_service.metadata.json +1 -0
package/esm/src/security/html_sanitizer.d.ts +5 -0
package/esm/src/security/html_sanitizer.js +233 -0
package/esm/src/security/html_sanitizer.js.map +1 -0
package/esm/src/security/style_sanitizer.d.ts +5 -0
package/esm/src/security/style_sanitizer.js +81 -0
package/esm/src/security/style_sanitizer.js.map +1 -0
package/esm/src/security/url_sanitizer.d.ts +1 -0
package/esm/src/security/url_sanitizer.js +40 -0
package/esm/src/security/url_sanitizer.js.map +1 -0
package/esm/src/web_workers/shared/api.d.ts +2 -0
package/esm/src/web_workers/shared/api.js +3 -0
package/esm/src/web_workers/shared/api.js.map +1 -0
package/esm/src/web_workers/shared/api.metadata.json +1 -0
package/esm/src/web_workers/shared/client_message_broker.d.ts +51 -0
package/esm/src/web_workers/shared/client_message_broker.js +156 -0
package/esm/src/web_workers/shared/client_message_broker.js.map +1 -0
package/esm/src/web_workers/shared/client_message_broker.metadata.json +1 -0
package/esm/src/web_workers/shared/message_bus.d.ts +82 -0
package/esm/src/web_workers/shared/message_bus.js +10 -0
package/esm/src/web_workers/shared/message_bus.js.map +1 -0
package/esm/src/web_workers/shared/messaging_api.d.ts +7 -0
package/esm/src/web_workers/shared/messaging_api.js +8 -0
package/esm/src/web_workers/shared/messaging_api.js.map +1 -0
package/esm/src/web_workers/shared/messaging_api.metadata.json +1 -0
package/esm/src/web_workers/shared/post_message_bus.d.ts +41 -0
package/esm/src/web_workers/shared/post_message_bus.js +133 -0
package/esm/src/web_workers/shared/post_message_bus.js.map +1 -0
package/esm/src/web_workers/shared/post_message_bus.metadata.json +1 -0
package/esm/src/web_workers/shared/render_store.d.ts +11 -0
package/esm/src/web_workers/shared/render_store.js +40 -0
package/esm/src/web_workers/shared/render_store.js.map +1 -0
package/esm/src/web_workers/shared/render_store.metadata.json +1 -0
package/esm/src/web_workers/shared/serialized_types.d.ts +12 -0
package/esm/src/web_workers/shared/serialized_types.js +16 -0
package/esm/src/web_workers/shared/serialized_types.js.map +1 -0
package/esm/src/web_workers/shared/serializer.d.ts +18 -0
package/esm/src/web_workers/shared/serializer.js +110 -0
package/esm/src/web_workers/shared/serializer.js.map +1 -0
package/esm/src/web_workers/shared/serializer.metadata.json +1 -0
package/esm/src/web_workers/shared/service_message_broker.d.ts +48 -0
package/esm/src/web_workers/shared/service_message_broker.js +88 -0
package/esm/src/web_workers/shared/service_message_broker.js.map +1 -0
package/esm/src/web_workers/shared/service_message_broker.metadata.json +1 -0
package/esm/src/web_workers/ui/event_dispatcher.d.ts +8 -0
package/esm/src/web_workers/ui/event_dispatcher.js +104 -0
package/esm/src/web_workers/ui/event_dispatcher.js.map +1 -0
package/esm/src/web_workers/ui/event_serializer.d.ts +15 -0
package/esm/src/web_workers/ui/event_serializer.js +53 -0
package/esm/src/web_workers/ui/event_serializer.js.map +1 -0
package/esm/src/web_workers/ui/event_serializer.metadata.json +1 -0
package/esm/src/web_workers/ui/location_providers.d.ts +14 -0
package/esm/src/web_workers/ui/location_providers.js +19 -0
package/esm/src/web_workers/ui/location_providers.js.map +1 -0
package/esm/src/web_workers/ui/location_providers.metadata.json +1 -0
package/esm/src/web_workers/ui/platform_location.d.ts +16 -0
package/esm/src/web_workers/ui/platform_location.js +49 -0
package/esm/src/web_workers/ui/platform_location.js.map +1 -0
package/esm/src/web_workers/ui/platform_location.metadata.json +1 -0
package/esm/src/web_workers/ui/renderer.d.ts +35 -0
package/esm/src/web_workers/ui/renderer.js +122 -0
package/esm/src/web_workers/ui/renderer.js.map +1 -0
package/esm/src/web_workers/ui/renderer.metadata.json +1 -0
package/esm/src/web_workers/worker/event_deserializer.d.ts +5 -0
package/esm/src/web_workers/worker/event_deserializer.js +6 -0
package/esm/src/web_workers/worker/event_deserializer.js.map +1 -0
package/esm/src/web_workers/worker/event_deserializer.metadata.json +1 -0
package/esm/src/web_workers/worker/location_providers.d.ts +17 -0
package/esm/src/web_workers/worker/location_providers.js +20 -0
package/esm/src/web_workers/worker/location_providers.js.map +1 -0
package/esm/src/web_workers/worker/location_providers.metadata.json +1 -0
package/esm/src/web_workers/worker/platform_location.d.ts +23 -0
package/esm/src/web_workers/worker/platform_location.js +111 -0
package/esm/src/web_workers/worker/platform_location.js.map +1 -0
package/esm/src/web_workers/worker/platform_location.metadata.json +1 -0
package/esm/src/web_workers/worker/renderer.d.ts +55 -0
package/esm/src/web_workers/worker/renderer.js +227 -0
package/esm/src/web_workers/worker/renderer.js.map +1 -0
package/esm/src/web_workers/worker/renderer.metadata.json +1 -0
package/esm/src/web_workers/worker/worker_adapter.d.ts +132 -0
package/esm/src/web_workers/worker/worker_adapter.js +192 -0
package/esm/src/web_workers/worker/worker_adapter.js.map +1 -0
package/esm/src/worker_app.d.ts +13 -0
package/esm/src/worker_app.js +68 -0
package/esm/src/worker_app.js.map +1 -0
package/esm/src/worker_app.metadata.json +1 -0
package/esm/src/worker_render.d.ts +35 -0
package/esm/src/worker_render.js +147 -0
package/esm/src/worker_render.js.map +1 -0
package/esm/src/worker_render.metadata.json +1 -0
package/esm/testing/browser.d.ts +8 -0
package/esm/testing/browser.js +38 -0
package/esm/testing/browser.js.map +1 -0
package/esm/testing/browser.metadata.json +1 -0
package/esm/testing/browser_util.d.ts +1 -0
package/esm/testing/browser_util.js +11 -6
package/esm/testing/browser_util.js.map +1 -1
package/esm/testing/browser_util.metadata.json +1 -1
package/esm/testing/e2e_util.d.ts +4 -0
package/esm/testing/e2e_util.js +21 -0
package/esm/testing/e2e_util.js.map +1 -0
package/esm/testing/e2e_util.metadata.json +1 -0
package/esm/testing/matchers.js +24 -22
package/esm/testing/matchers.js.map +1 -1
package/esm/testing/matchers.metadata.json +1 -1
package/esm/testing.d.ts +1 -2
package/esm/testing.js +1 -2
package/esm/testing.js.map +1 -1
package/esm/testing_e2e.d.ts +1 -0
package/esm/testing_e2e.js +2 -0
package/esm/testing_e2e.js.map +1 -0
package/index.d.ts +22 -1
package/index.js +50 -1
package/index.js.map +1 -1
package/index.metadata.json +1 -0
package/package.json +8 -4
package/private_export.d.ts +21 -21
package/private_export.js +11 -21
package/private_export.js.map +1 -1
package/private_export.metadata.json +1 -0
package/src/browser/browser_adapter.d.ts +6 -0
package/src/browser/browser_adapter.js +144 -76
package/src/browser/browser_adapter.js.map +1 -1
package/src/browser/generic_browser_adapter.js +4 -4
package/src/browser/generic_browser_adapter.js.map +1 -1
package/src/browser/location/browser_platform_location.d.ts +1 -5
package/src/browser/location/browser_platform_location.js +16 -3
package/src/browser/location/browser_platform_location.js.map +1 -1
package/src/browser/location/browser_platform_location.metadata.json +1 -1
package/src/browser/location/history.d.ts +1 -0
package/src/browser/location/history.js +6 -0
package/src/browser/location/history.js.map +1 -0
package/src/browser/location/history.metadata.json +1 -0
package/src/browser/testability.d.ts +1 -1
package/src/browser/testability.js +7 -5
package/src/browser/testability.js.map +1 -1
package/src/browser/title.d.ts +2 -0
package/src/browser/title.js +2 -0
package/src/browser/title.js.map +1 -1
package/src/browser/tools/common_tools.js +2 -2
package/src/browser/tools/common_tools.js.map +1 -1
package/src/browser/tools/tools.d.ts +1 -1
package/src/browser/tools/tools.js +2 -1
package/src/browser/tools/tools.js.map +1 -1
package/src/browser.d.ts +15 -0
package/src/browser.js +78 -0
package/src/browser.js.map +1 -0
package/src/browser.metadata.json +1 -0
package/src/dom/debug/by.d.ts +2 -2
package/src/dom/debug/by.js +1 -1
package/src/dom/debug/by.js.map +1 -1
package/src/dom/debug/ng_probe.js +9 -18
package/src/dom/debug/ng_probe.js.map +1 -1
package/src/dom/debug/ng_probe.metadata.json +1 -1
package/src/dom/dom_adapter.d.ts +7 -5
package/src/dom/dom_adapter.js +1 -1
package/src/dom/dom_adapter.js.map +1 -1
package/src/dom/dom_adapter.metadata.json +1 -0
package/src/dom/dom_animate_player.d.ts +9 -0
package/src/dom/dom_animate_player.js +2 -0
package/src/dom/dom_animate_player.js.map +1 -0
package/src/dom/dom_renderer.d.ts +9 -19
package/src/dom/dom_renderer.js +29 -61
package/src/dom/dom_renderer.js.map +1 -1
package/src/dom/dom_renderer.metadata.json +1 -1
package/src/dom/dom_tokens.js.map +1 -1
package/src/dom/dom_tokens.metadata.json +1 -1
package/src/dom/events/dom_events.js +3 -2
package/src/dom/events/dom_events.js.map +1 -1
package/src/dom/events/dom_events.metadata.json +1 -1
package/src/dom/events/event_manager.d.ts +1 -3
package/src/dom/events/event_manager.js +8 -7
package/src/dom/events/event_manager.js.map +1 -1
package/src/dom/events/event_manager.metadata.json +1 -1
package/src/dom/events/hammer_common.js +1 -1
package/src/dom/events/hammer_common.js.map +1 -1
package/src/dom/events/hammer_gestures.js +9 -5
package/src/dom/events/hammer_gestures.js.map +1 -1
package/src/dom/events/hammer_gestures.metadata.json +1 -1
package/src/dom/events/key_events.d.ts +0 -2
package/src/dom/events/key_events.js +5 -3
package/src/dom/events/key_events.js.map +1 -1
package/src/dom/events/key_events.metadata.json +1 -1
package/src/dom/shared_styles_host.d.ts +0 -6
package/src/dom/shared_styles_host.js +5 -1
package/src/dom/shared_styles_host.js.map +1 -1
package/src/dom/shared_styles_host.metadata.json +1 -1
package/src/dom/util.js +3 -3
package/src/dom/util.js.map +1 -1
package/src/dom/util.metadata.json +1 -0
package/src/dom/web_animations_driver.d.ts +4 -0
package/src/dom/web_animations_driver.js +123 -0
package/src/dom/web_animations_driver.js.map +1 -0
package/src/dom/web_animations_player.d.ts +20 -0
package/src/dom/web_animations_player.js +46 -0
package/src/dom/web_animations_player.js.map +1 -0
package/src/facade/async.d.ts +90 -0
package/src/facade/async.js +160 -0
package/src/facade/async.js.map +1 -0
package/src/facade/base_wrapped_exception.js +4 -4
package/src/facade/base_wrapped_exception.js.map +1 -1
package/src/facade/browser.js +2 -2
package/src/facade/browser.js.map +1 -1
package/src/facade/browser.metadata.json +1 -1
package/src/facade/collection.js.map +1 -1
package/src/facade/collection.metadata.json +1 -1
package/src/facade/exception_handler.d.ts +2 -11
package/src/facade/exception_handler.js +8 -7
package/src/facade/exception_handler.js.map +1 -1
package/src/facade/exceptions.d.ts +4 -0
package/src/facade/exceptions.js +6 -2
package/src/facade/exceptions.js.map +1 -1
package/src/facade/exceptions.metadata.json +1 -0
package/src/facade/lang.d.ts +6 -4
package/src/facade/lang.js +12 -11
package/src/facade/lang.js.map +1 -1
package/src/facade/lang.metadata.json +1 -1
package/src/facade/promise.d.ts +17 -0
package/src/facade/promise.js +49 -0
package/src/facade/promise.js.map +1 -0
package/src/security/dom_sanitization_service.d.ts +98 -0
package/src/security/dom_sanitization_service.js +150 -0
package/src/security/dom_sanitization_service.js.map +1 -0
package/src/security/dom_sanitization_service.metadata.json +1 -0
package/src/security/html_sanitizer.d.ts +5 -0
package/src/security/html_sanitizer.js +246 -0
package/src/security/html_sanitizer.js.map +1 -0
package/src/security/style_sanitizer.d.ts +5 -0
package/src/security/style_sanitizer.js +83 -0
package/src/security/style_sanitizer.js.map +1 -0
package/src/security/url_sanitizer.d.ts +1 -0
package/src/security/url_sanitizer.js +42 -0
package/src/security/url_sanitizer.js.map +1 -0
package/src/web_workers/shared/api.d.ts +2 -0
package/src/web_workers/shared/api.js +4 -0
package/src/web_workers/shared/api.js.map +1 -0
package/src/web_workers/shared/api.metadata.json +1 -0
package/src/web_workers/shared/client_message_broker.d.ts +51 -0
package/src/web_workers/shared/client_message_broker.js +184 -0
package/src/web_workers/shared/client_message_broker.js.map +1 -0
package/src/web_workers/shared/client_message_broker.metadata.json +1 -0
package/src/web_workers/shared/message_bus.d.ts +82 -0
package/src/web_workers/shared/message_bus.js +15 -0
package/src/web_workers/shared/message_bus.js.map +1 -0
package/src/web_workers/shared/messaging_api.d.ts +7 -0
package/src/web_workers/shared/messaging_api.js +9 -0
package/src/web_workers/shared/messaging_api.js.map +1 -0
package/src/web_workers/shared/messaging_api.metadata.json +1 -0
package/src/web_workers/shared/post_message_bus.d.ts +41 -0
package/src/web_workers/shared/post_message_bus.js +147 -0
package/src/web_workers/shared/post_message_bus.js.map +1 -0
package/src/web_workers/shared/post_message_bus.metadata.json +1 -0
package/src/web_workers/shared/render_store.d.ts +11 -0
package/src/web_workers/shared/render_store.js +43 -0
package/src/web_workers/shared/render_store.js.map +1 -0
package/src/web_workers/shared/render_store.metadata.json +1 -0
package/src/web_workers/shared/serialized_types.d.ts +12 -0
package/src/web_workers/shared/serialized_types.js +19 -0
package/src/web_workers/shared/serialized_types.js.map +1 -0
package/src/web_workers/shared/serializer.d.ts +18 -0
package/src/web_workers/shared/serializer.js +119 -0
package/src/web_workers/shared/serializer.js.map +1 -0
package/src/web_workers/shared/serializer.metadata.json +1 -0
package/src/web_workers/shared/service_message_broker.d.ts +48 -0
package/src/web_workers/shared/service_message_broker.js +114 -0
package/src/web_workers/shared/service_message_broker.js.map +1 -0
package/src/web_workers/shared/service_message_broker.metadata.json +1 -0
package/src/web_workers/ui/event_dispatcher.d.ts +8 -0
package/src/web_workers/ui/event_dispatcher.js +107 -0
package/src/web_workers/ui/event_dispatcher.js.map +1 -0
package/src/web_workers/ui/event_serializer.d.ts +15 -0
package/src/web_workers/ui/event_serializer.js +59 -0
package/src/web_workers/ui/event_serializer.js.map +1 -0
package/src/web_workers/ui/event_serializer.metadata.json +1 -0
package/src/web_workers/ui/location_providers.d.ts +14 -0
package/src/web_workers/ui/location_providers.js +20 -0
package/src/web_workers/ui/location_providers.js.map +1 -0
package/src/web_workers/ui/location_providers.metadata.json +1 -0
package/src/web_workers/ui/platform_location.d.ts +16 -0
package/src/web_workers/ui/platform_location.js +52 -0
package/src/web_workers/ui/platform_location.js.map +1 -0
package/src/web_workers/ui/platform_location.metadata.json +1 -0
package/src/web_workers/ui/renderer.d.ts +35 -0
package/src/web_workers/ui/renderer.js +131 -0
package/src/web_workers/ui/renderer.js.map +1 -0
package/src/web_workers/ui/renderer.metadata.json +1 -0
package/src/web_workers/worker/event_deserializer.d.ts +5 -0
package/src/web_workers/worker/event_deserializer.js +8 -0
package/src/web_workers/worker/event_deserializer.js.map +1 -0
package/src/web_workers/worker/event_deserializer.metadata.json +1 -0
package/src/web_workers/worker/location_providers.d.ts +17 -0
package/src/web_workers/worker/location_providers.js +21 -0
package/src/web_workers/worker/location_providers.js.map +1 -0
package/src/web_workers/worker/location_providers.metadata.json +1 -0
package/src/web_workers/worker/platform_location.d.ts +23 -0
package/src/web_workers/worker/platform_location.js +134 -0
package/src/web_workers/worker/platform_location.js.map +1 -0
package/src/web_workers/worker/platform_location.metadata.json +1 -0
package/src/web_workers/worker/renderer.d.ts +55 -0
package/src/web_workers/worker/renderer.js +241 -0
package/src/web_workers/worker/renderer.js.map +1 -0
package/src/web_workers/worker/renderer.metadata.json +1 -0
package/src/web_workers/worker/worker_adapter.d.ts +132 -0
package/src/web_workers/worker/worker_adapter.js +208 -0
package/src/web_workers/worker/worker_adapter.js.map +1 -0
package/src/worker_app.d.ts +13 -0
package/src/worker_app.js +71 -0
package/src/worker_app.js.map +1 -0
package/src/worker_app.metadata.json +1 -0
package/src/worker_render.d.ts +35 -0
package/src/worker_render.js +153 -0
package/src/worker_render.js.map +1 -0
package/src/worker_render.metadata.json +1 -0
package/testing/browser.d.ts +8 -0
package/testing/browser.js +39 -0
package/testing/browser.js.map +1 -0
package/testing/browser.metadata.json +1 -0
package/testing/browser_util.d.ts +1 -0
package/testing/browser_util.js +14 -5
package/testing/browser_util.js.map +1 -1
package/testing/browser_util.metadata.json +1 -1
package/testing/e2e_util.d.ts +4 -0
package/testing/e2e_util.js +24 -0
package/testing/e2e_util.js.map +1 -0
package/testing/e2e_util.metadata.json +1 -0
package/testing/matchers.js +24 -22
package/testing/matchers.js.map +1 -1
package/testing/matchers.metadata.json +1 -1
package/testing.d.ts +1 -2
package/testing.js +1 -2
package/testing.js.map +1 -1
package/testing_e2e.d.ts +1 -0
package/testing_e2e.js +6 -0
package/testing_e2e.js.map +1 -0
package/esm/platform-browser.umd.js.map +0 -1
package/esm/src/animate/animation.d.ts +0 -82
package/esm/src/animate/animation.js +0 -173
package/esm/src/animate/animation.js.map +0 -1
package/esm/src/animate/animation_builder.d.ts +0 -15
package/esm/src/animate/animation_builder.js +0 -24
package/esm/src/animate/animation_builder.js.map +0 -1
package/esm/src/animate/animation_builder.metadata.json +0 -1
package/esm/src/animate/browser_details.d.ts +0 -10
package/esm/src/animate/browser_details.js +0 -60
package/esm/src/animate/browser_details.js.map +0 -1
package/esm/src/animate/browser_details.metadata.json +0 -1
package/esm/src/animate/css_animation_builder.d.ts +0 -66
package/esm/src/animate/css_animation_builder.js +0 -84
package/esm/src/animate/css_animation_builder.js.map +0 -1
package/esm/src/animate/css_animation_options.d.ts +0 -20
package/esm/src/animate/css_animation_options.js +0 -11
package/esm/src/animate/css_animation_options.js.map +0 -1
package/esm/src/browser_common.d.ts +0 -20
package/esm/src/browser_common.js +0 -76
package/esm/src/browser_common.js.map +0 -1
package/esm/src/browser_common.metadata.json +0 -1
package/esm/src/facade/math.d.ts +0 -2
package/esm/src/facade/math.js +0 -4
package/esm/src/facade/math.js.map +0 -1
package/esm/src/facade/math.metadata.json +0 -1
package/esm/src/platform_browser.d.ts +0 -9
package/esm/src/platform_browser.js +0 -17
package/esm/src/platform_browser.js.map +0 -1
package/esm/src/platform_browser_static.d.ts +0 -16
package/esm/src/platform_browser_static.js +0 -32
package/esm/src/platform_browser_static.js.map +0 -1
package/esm/src/platform_browser_static.metadata.json +0 -1
package/esm/testing/animation_builder_mock.d.ts +0 -6
package/esm/testing/animation_builder_mock.js +0 -35
package/esm/testing/animation_builder_mock.js.map +0 -1
package/esm/testing/animation_builder_mock.metadata.json +0 -1
package/esm/testing/browser_static.d.ts +0 -10
package/esm/testing/browser_static.js +0 -53
package/esm/testing/browser_static.js.map +0 -1
package/esm/testing/browser_static.metadata.json +0 -1
package/esm/testing/dom_test_component_renderer.d.ts +0 -9
package/esm/testing/dom_test_component_renderer.js +0 -27
package/esm/testing/dom_test_component_renderer.js.map +0 -1
package/esm/testing/dom_test_component_renderer.metadata.json +0 -1
package/platform-browser.umd.js +0 -2488
package/src/animate/animation.d.ts +0 -82
package/src/animate/animation.js +0 -183
package/src/animate/animation.js.map +0 -1
package/src/animate/animation_builder.d.ts +0 -15
package/src/animate/animation_builder.js +0 -27
package/src/animate/animation_builder.js.map +0 -1
package/src/animate/animation_builder.metadata.json +0 -1
package/src/animate/browser_details.d.ts +0 -10
package/src/animate/browser_details.js +0 -66
package/src/animate/browser_details.js.map +0 -1
package/src/animate/browser_details.metadata.json +0 -1
package/src/animate/css_animation_builder.d.ts +0 -66
package/src/animate/css_animation_builder.js +0 -87
package/src/animate/css_animation_builder.js.map +0 -1
package/src/animate/css_animation_options.d.ts +0 -20
package/src/animate/css_animation_options.js +0 -14
package/src/animate/css_animation_options.js.map +0 -1
package/src/browser_common.d.ts +0 -20
package/src/browser_common.js +0 -85
package/src/browser_common.js.map +0 -1
package/src/browser_common.metadata.json +0 -1
package/src/facade/math.d.ts +0 -2
package/src/facade/math.js +0 -5
package/src/facade/math.js.map +0 -1
package/src/facade/math.metadata.json +0 -1
package/src/platform_browser.d.ts +0 -9
package/src/platform_browser.js +0 -39
package/src/platform_browser.js.map +0 -1
package/src/platform_browser_static.d.ts +0 -16
package/src/platform_browser_static.js +0 -42
package/src/platform_browser_static.js.map +0 -1
package/src/platform_browser_static.metadata.json +0 -1
package/testing/animation_builder_mock.d.ts +0 -6
package/testing/animation_builder_mock.js +0 -53
package/testing/animation_builder_mock.js.map +0 -1
package/testing/animation_builder_mock.metadata.json +0 -1
package/testing/browser_static.d.ts +0 -10
package/testing/browser_static.js +0 -55
package/testing/browser_static.js.map +0 -1
package/testing/browser_static.metadata.json +0 -1
package/testing/dom_test_component_renderer.d.ts +0 -9
package/testing/dom_test_component_renderer.js +0 -36
package/testing/dom_test_component_renderer.js.map +0 -1
package/testing/dom_test_component_renderer.metadata.json +0 -1

package/src/security/html_sanitizer.js ADDED Viewed

@@ -0,0 +1,246 @@
+"use strict";
+var dom_adapter_1 = require('../dom/dom_adapter');
+var lang_1 = require('../facade/lang');
+var url_sanitizer_1 = require('./url_sanitizer');
+/** A <body> element that can be safely used to parse untrusted HTML. Lazily initialized below. */
+var inertElement = null;
+/** Lazily initialized to make sure the DOM adapter gets set before use. */
+var DOM = null;
+/** Returns an HTML element that is guaranteed to not execute code when creating elements in it. */
+function getInertElement() {
+    if (inertElement)
+        return inertElement;
+    DOM = dom_adapter_1.getDOM();
+    // Prefer using <template> element if supported.
+    var templateEl = DOM.createElement('template');
+    if ('content' in templateEl)
+        return templateEl;
+    var doc = DOM.createHtmlDocument();
+    inertElement = DOM.querySelector(doc, 'body');
+    if (inertElement == null) {
+        // usually there should be only one body element in the document, but IE doesn't have any, so we
+        // need to create one.
+        var html = DOM.createElement('html', doc);
+        inertElement = DOM.createElement('body', doc);
+        DOM.appendChild(html, inertElement);
+        DOM.appendChild(doc, html);
+    }
+    return inertElement;
+}
+function tagSet(tags) {
+    var res = {};
+    for (var _i = 0, _a = tags.split(','); _i < _a.length; _i++) {
+        var t = _a[_i];
+        res[t.toLowerCase()] = true;
+    }
+    return res;
+}
+function merge() {
+    var sets = [];
+    for (var _i = 0; _i < arguments.length; _i++) {
+        sets[_i - 0] = arguments[_i];
+    }
+    var res = {};
+    for (var _a = 0, sets_1 = sets; _a < sets_1.length; _a++) {
+        var s = sets_1[_a];
+        for (var v in s) {
+            if (s.hasOwnProperty(v))
+                res[v] = true;
+        }
+    }
+    return res;
+}
+// Good source of info about elements and attributes
+// http://dev.w3.org/html5/spec/Overview.html#semantics
+// http://simon.html5.org/html-elements
+// Safe Void Elements - HTML5
+// http://dev.w3.org/html5/spec/Overview.html#void-elements
+var VOID_ELEMENTS = tagSet('area,br,col,hr,img,wbr');
+// Elements that you can, intentionally, leave open (and which close themselves)
+// http://dev.w3.org/html5/spec/Overview.html#optional-tags
+var OPTIONAL_END_TAG_BLOCK_ELEMENTS = tagSet('colgroup,dd,dt,li,p,tbody,td,tfoot,th,thead,tr');
+var OPTIONAL_END_TAG_INLINE_ELEMENTS = tagSet('rp,rt');
+var OPTIONAL_END_TAG_ELEMENTS = merge(OPTIONAL_END_TAG_INLINE_ELEMENTS, OPTIONAL_END_TAG_BLOCK_ELEMENTS);
+// Safe Block Elements - HTML5
+var BLOCK_ELEMENTS = merge(OPTIONAL_END_TAG_BLOCK_ELEMENTS, tagSet('address,article,' +
+    'aside,blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5,' +
+    'h6,header,hgroup,hr,ins,map,menu,nav,ol,pre,section,table,ul'));
+// Inline Elements - HTML5
+var INLINE_ELEMENTS = merge(OPTIONAL_END_TAG_INLINE_ELEMENTS, tagSet('a,abbr,acronym,b,' +
+    'bdi,bdo,big,br,cite,code,del,dfn,em,font,i,img,ins,kbd,label,map,mark,q,ruby,rp,rt,s,' +
+    'samp,small,span,strike,strong,sub,sup,time,tt,u,var'));
+var VALID_ELEMENTS = merge(VOID_ELEMENTS, BLOCK_ELEMENTS, INLINE_ELEMENTS, OPTIONAL_END_TAG_ELEMENTS);
+// Attributes that have href and hence need to be sanitized
+var URI_ATTRS = tagSet('background,cite,href,longdesc,src,xlink:href');
+var HTML_ATTRS = tagSet('abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,' +
+    'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,' +
+    'ismap,lang,language,nohref,nowrap,rel,rev,rows,rowspan,rules,' +
+    'scope,scrolling,shape,size,span,start,summary,tabindex,target,title,type,' +
+    'valign,value,vspace,width');
+// NB: This currently conciously doesn't support SVG. SVG sanitization has had several security
+// issues in the past, so it seems safer to leave it out if possible. If support for binding SVG via
+// innerHTML is required, SVG attributes should be added here.
+// NB: Sanitization does not allow <form> elements or other active elements (<button> etc). Those
+// can be sanitized, but they increase security surface area without a legitimate use case, so they
+// are left out here.
+var VALID_ATTRS = merge(URI_ATTRS, HTML_ATTRS);
+/**
+ * SanitizingHtmlSerializer serializes a DOM fragment, stripping out any unsafe elements and unsafe
+ * attributes.
+ */
+var SanitizingHtmlSerializer = (function () {
+    function SanitizingHtmlSerializer() {
+        this.buf = [];
+    }
+    SanitizingHtmlSerializer.prototype.sanitizeChildren = function (el) {
+        // This cannot use a TreeWalker, as it has to run on Angular's various DOM adapters.
+        // However this code never accesses properties off of `document` before deleting its contents
+        // again, so it shouldn't be vulnerable to DOM clobbering.
+        var current = el.firstChild;
+        while (current) {
+            if (DOM.isElementNode(current)) {
+                this.startElement(current);
+            }
+            else if (DOM.isTextNode(current)) {
+                this.chars(DOM.nodeValue(current));
+            }
+            if (DOM.firstChild(current)) {
+                current = DOM.firstChild(current);
+                continue;
+            }
+            while (current) {
+                // Leaving the element. Walk up and to the right, closing tags as we go.
+                if (DOM.isElementNode(current)) {
+                    this.endElement(DOM.nodeName(current).toLowerCase());
+                }
+                if (DOM.nextSibling(current)) {
+                    current = DOM.nextSibling(current);
+                    break;
+                }
+                current = DOM.parentElement(current);
+            }
+        }
+        return this.buf.join('');
+    };
+    SanitizingHtmlSerializer.prototype.startElement = function (element) {
+        var _this = this;
+        var tagName = DOM.nodeName(element).toLowerCase();
+        tagName = tagName.toLowerCase();
+        if (VALID_ELEMENTS.hasOwnProperty(tagName)) {
+            this.buf.push('<');
+            this.buf.push(tagName);
+            DOM.attributeMap(element).forEach(function (value, attrName) {
+                var lower = attrName.toLowerCase();
+                if (!VALID_ATTRS.hasOwnProperty(lower))
+                    return;
+                // TODO(martinprobst): Special case image URIs for data:image/...
+                if (URI_ATTRS[lower])
+                    value = url_sanitizer_1.sanitizeUrl(value);
+                _this.buf.push(' ');
+                _this.buf.push(attrName);
+                _this.buf.push('="');
+                _this.buf.push(encodeEntities(value));
+                _this.buf.push('"');
+            });
+            this.buf.push('>');
+        }
+    };
+    SanitizingHtmlSerializer.prototype.endElement = function (tagName) {
+        tagName = tagName.toLowerCase();
+        if (VALID_ELEMENTS.hasOwnProperty(tagName) && !VOID_ELEMENTS.hasOwnProperty(tagName)) {
+            this.buf.push('</');
+            this.buf.push(tagName);
+            this.buf.push('>');
+        }
+    };
+    SanitizingHtmlSerializer.prototype.chars = function (chars /** TODO #9100 */) { this.buf.push(encodeEntities(chars)); };
+    return SanitizingHtmlSerializer;
+}());
+// Regular Expressions for parsing tags and attributes
+var SURROGATE_PAIR_REGEXP = /[\uD800-\uDBFF][\uDC00-\uDFFF]/g;
+// ! to ~ is the ASCII range.
+var NON_ALPHANUMERIC_REGEXP = /([^\#-~ |!])/g;
+/**
+ * Escapes all potentially dangerous characters, so that the
+ * resulting string can be safely inserted into attribute or
+ * element text.
+ * @param value
+ * @returns {string} escaped text
+ */
+function encodeEntities(value /** TODO #9100 */) {
+    return value.replace(/&/g, '&amp;')
+        .replace(SURROGATE_PAIR_REGEXP, function (match /** TODO #9100 */) {
+        var hi = match.charCodeAt(0);
+        var low = match.charCodeAt(1);
+        return '&#' + (((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000) + ';';
+    })
+        .replace(NON_ALPHANUMERIC_REGEXP, function (match /** TODO #9100 */) { return '&#' + match.charCodeAt(0) + ';'; })
+        .replace(/</g, '&lt;')
+        .replace(/>/g, '&gt;');
+}
+/**
+ * When IE9-11 comes across an unknown namespaced attribute e.g. 'xlink:foo' it adds 'xmlns:ns1'
+ * attribute to declare ns1 namespace and prefixes the attribute with 'ns1' (e.g. 'ns1:xlink:foo').
+ *
+ * This is undesirable since we don't want to allow any of these custom attributes. This method
+ * strips them all.
+ */
+function stripCustomNsAttrs(el) {
+    DOM.attributeMap(el).forEach(function (_, attrName) {
+        if (attrName === 'xmlns:ns1' || attrName.indexOf('ns1:') === 0) {
+            DOM.removeAttribute(el, attrName);
+        }
+    });
+    for (var _i = 0, _a = DOM.childNodesAsList(el); _i < _a.length; _i++) {
+        var n = _a[_i];
+        if (DOM.isElementNode(n))
+            stripCustomNsAttrs(n);
+    }
+}
+/**
+ * Sanitizes the given unsafe, untrusted HTML fragment, and returns HTML text that is safe to add to
+ * the DOM in a browser environment.
+ */
+function sanitizeHtml(unsafeHtml) {
+    try {
+        var containerEl = getInertElement();
+        // Make sure unsafeHtml is actually a string (TypeScript types are not enforced at runtime).
+        unsafeHtml = unsafeHtml ? String(unsafeHtml) : '';
+        // mXSS protection. Repeatedly parse the document to make sure it stabilizes, so that a browser
+        // trying to auto-correct incorrect HTML cannot cause formerly inert HTML to become dangerous.
+        var mXSSAttempts = 5;
+        var parsedHtml = unsafeHtml;
+        do {
+            if (mXSSAttempts === 0) {
+                throw new Error('Failed to sanitize html because the input is unstable');
+            }
+            mXSSAttempts--;
+            unsafeHtml = parsedHtml;
+            DOM.setInnerHTML(containerEl, unsafeHtml);
+            if (DOM.defaultDoc().documentMode) {
+                // strip custom-namespaced attributes on IE<=11
+                stripCustomNsAttrs(containerEl);
+            }
+            parsedHtml = DOM.getInnerHTML(containerEl);
+        } while (unsafeHtml !== parsedHtml);
+        var sanitizer = new SanitizingHtmlSerializer();
+        var safeHtml = sanitizer.sanitizeChildren(DOM.getTemplateContent(containerEl) || containerEl);
+        // Clear out the body element.
+        var parent_1 = DOM.getTemplateContent(containerEl) || containerEl;
+        for (var _i = 0, _a = DOM.childNodesAsList(parent_1); _i < _a.length; _i++) {
+            var child = _a[_i];
+            DOM.removeChild(parent_1, child);
+        }
+        if (lang_1.assertionsEnabled() && safeHtml !== unsafeHtml) {
+            DOM.log('WARNING: sanitizing HTML stripped some content.');
+        }
+        return safeHtml;
+    }
+    catch (e) {
+        // In case anything goes wrong, clear out inertElement to reset the entire DOM structure.
+        inertElement = null;
+        throw e;
+    }
+}
+exports.sanitizeHtml = sanitizeHtml;
+//# sourceMappingURL=html_sanitizer.js.map

package/src/security/html_sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"html_sanitizer.js","sourceRoot":"","sources":["../../../../../modules/@angular/platform-browser/src/security/html_sanitizer.ts"],"names":[],"mappings":";AAAA,4BAAiC,oBAAoB,CAAC,CAAA;AACtD,qBAAgC,gBAAgB,CAAC,CAAA;AAEjD,8BAA0B,iBAAiB,CAAC,CAAA;AAG5C,kGAAkG;AAClG,IAAI,YAAY,GAAgB,IAAI,CAAC;AACrC,2EAA2E;AAC3E,IAAI,GAAG,GAAe,IAAI,CAAC;AAE3B,mGAAmG;AACnG;IACE,EAAE,CAAC,CAAC,YAAY,CAAC;QAAC,MAAM,CAAC,YAAY,CAAC;IACtC,GAAG,GAAG,oBAAM,EAAE,CAAC;IAEf,gDAAgD;IAChD,IAAI,UAAU,GAAG,GAAG,CAAC,aAAa,CAAC,UAAU,CAAC,CAAC;IAC/C,EAAE,CAAC,CAAC,SAAS,IAAI,UAAU,CAAC;QAAC,MAAM,CAAC,UAAU,CAAC;IAE/C,IAAI,GAAG,GAAG,GAAG,CAAC,kBAAkB,EAAE,CAAC;IACnC,YAAY,GAAG,GAAG,CAAC,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAC9C,EAAE,CAAC,CAAC,YAAY,IAAI,IAAI,CAAC,CAAC,CAAC;QACzB,gGAAgG;QAChG,sBAAsB;QACtB,IAAI,IAAI,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC1C,YAAY,GAAG,GAAG,CAAC,aAAa,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAC9C,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,YAAY,CAAC,CAAC;QACpC,GAAG,CAAC,WAAW,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAC7B,CAAC;IACD,MAAM,CAAC,YAAY,CAAC;AACtB,CAAC;AAED,gBAAgB,IAAY;IAC1B,IAAI,GAAG,GAA2B,EAAE,CAAC;IACrC,GAAG,CAAC,CAAU,UAAe,EAAf,KAAA,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAf,cAAe,EAAf,IAAe,CAAC;QAAzB,IAAI,CAAC,SAAA;QAAqB,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,GAAG,IAAI,CAAC;KAAA;IAC3D,MAAM,CAAC,GAAG,CAAC;AACb,CAAC;AAED;IAAe,cAAiC;SAAjC,WAAiC,CAAjC,sBAAiC,CAAjC,IAAiC;QAAjC,6BAAiC;;IAC9C,IAAI,GAAG,GAA2B,EAAE,CAAC;IACrC,GAAG,CAAC,CAAU,UAAI,EAAJ,aAAI,EAAJ,kBAAI,EAAJ,IAAI,CAAC;QAAd,IAAI,CAAC,aAAA;QACR,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAChB,EAAE,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,CAAC,CAAC,CAAC;gBAAC,GAAG,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;QACzC,CAAC;KACF;IACD,MAAM,CAAC,GAAG,CAAC;AACb,CAAC;AAED,oDAAoD;AACpD,uDAAuD;AACvD,uCAAuC;AAEvC,6BAA6B;AAC7B,2DAA2D;AAC3D,IAAM,aAAa,GAAG,MAAM,CAAC,wBAAwB,CAAC,CAAC;AAEvD,gFAAgF;AAChF,2DAA2D;AAC3D,IAAM,+BAA+B,GAAG,MAAM,CAAC,gDAAgD,CAAC,CAAC;AACjG,IAAM,gCAAgC,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC;AACzD,IAAM,yBAAyB,GAC3B,KAAK,CAAC,gCAAgC,EAAE,+BAA+B,CAAC,CAAC;AAE7E,8BAA8B;AAC9B,IAAM,cAAc,GAAG,KAAK,CACxB,+BAA+B,EAC/B,MAAM,CACF,kBAAkB;IAClB,yFAAyF;IACzF,8DAA8D,CAAC,CAAC,CAAC;AAEzE,0BAA0B;AAC1B,IAAM,eAAe,GAAG,KAAK,CACzB,gCAAgC,EAChC,MAAM,CACF,mBAAmB;IACnB,uFAAuF;IACvF,qDAAqD,CAAC,CAAC,CAAC;AAEhE,IAAM,cAAc,GAChB,KAAK,CAAC,aAAa,EAAE,cAAc,EAAE,eAAe,EAAE,yBAAyB,CAAC,CAAC;AAErF,2DAA2D;AAC3D,IAAM,SAAS,GAAG,MAAM,CAAC,8CAA8C,CAAC,CAAC;AAEzE,IAAM,UAAU,GAAG,MAAM,CACrB,yEAAyE;IACzE,4EAA4E;IAC5E,+DAA+D;IAC/D,2EAA2E;IAC3E,2BAA2B,CAAC,CAAC;AAEjC,+FAA+F;AAC/F,oGAAoG;AACpG,8DAA8D;AAE9D,iGAAiG;AACjG,mGAAmG;AACnG,qBAAqB;AAErB,IAAM,WAAW,GAAG,KAAK,CAAC,SAAS,EAAE,UAAU,CAAC,CAAC;AAEjD;;;GAGG;AACH;IAAA;QACU,QAAG,GAAa,EAAE,CAAC;IA+D7B,CAAC;IA7DC,mDAAgB,GAAhB,UAAiB,EAAW;QAC1B,oFAAoF;QACpF,6FAA6F;QAC7F,0DAA0D;QAC1D,IAAI,OAAO,GAAS,EAAE,CAAC,UAAU,CAAC;QAClC,OAAO,OAAO,EAAE,CAAC;YACf,EAAE,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC/B,IAAI,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC;YAC7B,CAAC;YAAC,IAAI,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBACnC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC;YACrC,CAAC;YACD,EAAE,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;gBAC5B,OAAO,GAAG,GAAG,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;gBAClC,QAAQ,CAAC;YACX,CAAC;YACD,OAAO,OAAO,EAAE,CAAC;gBACf,wEAAwE;gBACxE,EAAE,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAC/B,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC;gBACvD,CAAC;gBACD,EAAE,CAAC,CAAC,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;oBAC7B,OAAO,GAAG,GAAG,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;oBACnC,KAAK,CAAC;gBACR,CAAC;gBACD,OAAO,GAAG,GAAG,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC;YACvC,CAAC;QACH,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAEO,+CAAY,GAApB,UAAqB,OAAY;QAAjC,iBAmBC;QAlBC,IAAI,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;QAClD,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAChC,EAAE,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YAC3C,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACnB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,GAAG,CAAC,YAAY,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,UAAC,KAAa,EAAE,QAAgB;gBAChE,IAAI,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;gBACnC,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC;oBAAC,MAAM,CAAC;gBAC/C,iEAAiE;gBACjE,EAAE,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;oBAAC,KAAK,GAAG,2BAAW,CAAC,KAAK,CAAC,CAAC;gBACjD,KAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;gBACnB,KAAI,CAAC,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACxB,KAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;gBACpB,KAAI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC;gBACrC,KAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YACrB,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAEO,6CAAU,GAAlB,UAAmB,OAAe;QAChC,OAAO,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;QAChC,EAAE,CAAC,CAAC,cAAc,CAAC,cAAc,CAAC,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;YACrF,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACvB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACrB,CAAC;IACH,CAAC;IAEO,wCAAK,GAAb,UAAc,KAAU,CAAC,iBAAiB,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IACvF,+BAAC;AAAD,CAAC,AAhED,IAgEC;AAED,sDAAsD;AACtD,IAAM,qBAAqB,GAAG,iCAAiC,CAAC;AAChE,6BAA6B;AAC7B,IAAM,uBAAuB,GAAG,eAAe,CAAC;AAEhD;;;;;;GAMG;AACH,wBAAwB,KAAU,CAAC,iBAAiB;IAClD,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC;SAC9B,OAAO,CACJ,qBAAqB,EACrB,UAAS,KAAU,CAAC,iBAAiB;QACnC,IAAI,EAAE,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC7B,IAAI,GAAG,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,GAAG,MAAM,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,GAAG,GAAG,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,GAAG,CAAC;IAC3E,CAAC,CAAC;SACL,OAAO,CACJ,uBAAuB,EACvB,UAAS,KAAU,CAAC,iBAAiB,IAAI,MAAM,CAAC,IAAI,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC;SACvF,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC;SACrB,OAAO,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;AAC7B,CAAC;AAED;;;;;;GAMG;AACH,4BAA4B,EAAO;IACjC,GAAG,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,UAAC,CAAC,EAAE,QAAQ;QACvC,EAAE,CAAC,CAAC,QAAQ,KAAK,WAAW,IAAI,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;YAC/D,GAAG,CAAC,eAAe,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;QACpC,CAAC;IACH,CAAC,CAAC,CAAC;IACH,GAAG,CAAC,CAAU,UAAwB,EAAxB,KAAA,GAAG,CAAC,gBAAgB,CAAC,EAAE,CAAC,EAAxB,cAAwB,EAAxB,IAAwB,CAAC;QAAlC,IAAI,CAAC,SAAA;QACR,EAAE,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC;YAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC;KACjD;AACH,CAAC;AAED;;;GAGG;AACH,sBAA6B,UAAkB;IAC7C,IAAI,CAAC;QACH,IAAI,WAAW,GAAG,eAAe,EAAE,CAAC;QACpC,4FAA4F;QAC5F,UAAU,GAAG,UAAU,GAAG,MAAM,CAAC,UAAU,CAAC,GAAG,EAAE,CAAC;QAElD,+FAA+F;QAC/F,8FAA8F;QAC9F,IAAI,YAAY,GAAG,CAAC,CAAC;QACrB,IAAI,UAAU,GAAG,UAAU,CAAC;QAE5B,GAAG,CAAC;YACF,EAAE,CAAC,CAAC,YAAY,KAAK,CAAC,CAAC,CAAC,CAAC;gBACvB,MAAM,IAAI,KAAK,CAAC,uDAAuD,CAAC,CAAC;YAC3E,CAAC;YACD,YAAY,EAAE,CAAC;YAEf,UAAU,GAAG,UAAU,CAAC;YACxB,GAAG,CAAC,YAAY,CAAC,WAAW,EAAE,UAAU,CAAC,CAAC;YAC1C,EAAE,CAAC,CAAE,GAAG,CAAC,UAAU,EAAU,CAAC,YAAY,CAAC,CAAC,CAAC;gBAC3C,+CAA+C;gBAC/C,kBAAkB,CAAC,WAAW,CAAC,CAAC;YAClC,CAAC;YACD,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,WAAW,CAAC,CAAC;QAC7C,CAAC,QAAQ,UAAU,KAAK,UAAU,EAAE;QAEpC,IAAI,SAAS,GAAG,IAAI,wBAAwB,EAAE,CAAC;QAC/C,IAAI,QAAQ,GAAG,SAAS,CAAC,gBAAgB,CAAC,GAAG,CAAC,kBAAkB,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC,CAAC;QAE9F,8BAA8B;QAC9B,IAAI,QAAM,GAAG,GAAG,CAAC,kBAAkB,CAAC,WAAW,CAAC,IAAI,WAAW,CAAC;QAChE,GAAG,CAAC,CAAc,UAA4B,EAA5B,KAAA,GAAG,CAAC,gBAAgB,CAAC,QAAM,CAAC,EAA5B,cAA4B,EAA5B,IAA4B,CAAC;YAA1C,IAAI,KAAK,SAAA;YACZ,GAAG,CAAC,WAAW,CAAC,QAAM,EAAE,KAAK,CAAC,CAAC;SAChC;QAED,EAAE,CAAC,CAAC,wBAAiB,EAAE,IAAI,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC;YACnD,GAAG,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,CAAC,QAAQ,CAAC;IAClB,CAAE;IAAA,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACX,yFAAyF;QACzF,YAAY,GAAG,IAAI,CAAC;QACpB,MAAM,CAAC,CAAC;IACV,CAAC;AACH,CAAC;AA7Ce,oBAAY,eA6C3B,CAAA","sourcesContent":["import {DomAdapter, getDOM} from '../dom/dom_adapter';\nimport {assertionsEnabled} from '../facade/lang';\n\nimport {sanitizeUrl} from './url_sanitizer';\n\n\n/** A <body> element that can be safely used to parse untrusted HTML. Lazily initialized below. */\nlet inertElement: HTMLElement = null;\n/** Lazily initialized to make sure the DOM adapter gets set before use. */\nlet DOM: DomAdapter = null;\n\n/** Returns an HTML element that is guaranteed to not execute code when creating elements in it. */\nfunction getInertElement() {\n if (inertElement) return inertElement;\n DOM = getDOM();\n\n // Prefer using <template> element if supported.\n let templateEl = DOM.createElement('template');\n if ('content' in templateEl) return templateEl;\n\n let doc = DOM.createHtmlDocument();\n inertElement = DOM.querySelector(doc, 'body');\n if (inertElement == null) {\n // usually there should be only one body element in the document, but IE doesn't have any, so we\n // need to create one.\n let html = DOM.createElement('html', doc);\n inertElement = DOM.createElement('body', doc);\n DOM.appendChild(html, inertElement);\n DOM.appendChild(doc, html);\n }\n return inertElement;\n}\n\nfunction tagSet(tags: string): {[k: string]: boolean} {\n let res: {[k: string]: boolean} = {};\n for (let t of tags.split(',')) res[t.toLowerCase()] = true;\n return res;\n}\n\nfunction merge(...sets: {[k: string]: boolean}[]): {[k: string]: boolean} {\n let res: {[k: string]: boolean} = {};\n for (let s of sets) {\n for (let v in s) {\n if (s.hasOwnProperty(v)) res[v] = true;\n }\n }\n return res;\n}\n\n// Good source of info about elements and attributes\n// http://dev.w3.org/html5/spec/Overview.html#semantics\n// http://simon.html5.org/html-elements\n\n// Safe Void Elements - HTML5\n// http://dev.w3.org/html5/spec/Overview.html#void-elements\nconst VOID_ELEMENTS = tagSet('area,br,col,hr,img,wbr');\n\n// Elements that you can, intentionally, leave open (and which close themselves)\n// http://dev.w3.org/html5/spec/Overview.html#optional-tags\nconst OPTIONAL_END_TAG_BLOCK_ELEMENTS = tagSet('colgroup,dd,dt,li,p,tbody,td,tfoot,th,thead,tr');\nconst OPTIONAL_END_TAG_INLINE_ELEMENTS = tagSet('rp,rt');\nconst OPTIONAL_END_TAG_ELEMENTS =\n merge(OPTIONAL_END_TAG_INLINE_ELEMENTS, OPTIONAL_END_TAG_BLOCK_ELEMENTS);\n\n// Safe Block Elements - HTML5\nconst BLOCK_ELEMENTS = merge(\n OPTIONAL_END_TAG_BLOCK_ELEMENTS,\n tagSet(\n 'address,article,' +\n 'aside,blockquote,caption,center,del,dir,div,dl,figure,figcaption,footer,h1,h2,h3,h4,h5,' +\n 'h6,header,hgroup,hr,ins,map,menu,nav,ol,pre,section,table,ul'));\n\n// Inline Elements - HTML5\nconst INLINE_ELEMENTS = merge(\n OPTIONAL_END_TAG_INLINE_ELEMENTS,\n tagSet(\n 'a,abbr,acronym,b,' +\n 'bdi,bdo,big,br,cite,code,del,dfn,em,font,i,img,ins,kbd,label,map,mark,q,ruby,rp,rt,s,' +\n 'samp,small,span,strike,strong,sub,sup,time,tt,u,var'));\n\nconst VALID_ELEMENTS =\n merge(VOID_ELEMENTS, BLOCK_ELEMENTS, INLINE_ELEMENTS, OPTIONAL_END_TAG_ELEMENTS);\n\n// Attributes that have href and hence need to be sanitized\nconst URI_ATTRS = tagSet('background,cite,href,longdesc,src,xlink:href');\n\nconst HTML_ATTRS = tagSet(\n 'abbr,align,alt,axis,bgcolor,border,cellpadding,cellspacing,class,clear,' +\n 'color,cols,colspan,compact,coords,dir,face,headers,height,hreflang,hspace,' +\n 'ismap,lang,language,nohref,nowrap,rel,rev,rows,rowspan,rules,' +\n 'scope,scrolling,shape,size,span,start,summary,tabindex,target,title,type,' +\n 'valign,value,vspace,width');\n\n// NB: This currently conciously doesn't support SVG. SVG sanitization has had several security\n// issues in the past, so it seems safer to leave it out if possible. If support for binding SVG via\n// innerHTML is required, SVG attributes should be added here.\n\n// NB: Sanitization does not allow <form> elements or other active elements (<button> etc). Those\n// can be sanitized, but they increase security surface area without a legitimate use case, so they\n// are left out here.\n\nconst VALID_ATTRS = merge(URI_ATTRS, HTML_ATTRS);\n\n/**\n * SanitizingHtmlSerializer serializes a DOM fragment, stripping out any unsafe elements and unsafe\n * attributes.\n */\nclass SanitizingHtmlSerializer {\n private buf: string[] = [];\n\n sanitizeChildren(el: Element): string {\n // This cannot use a TreeWalker, as it has to run on Angular's various DOM adapters.\n // However this code never accesses properties off of `document` before deleting its contents\n // again, so it shouldn't be vulnerable to DOM clobbering.\n let current: Node = el.firstChild;\n while (current) {\n if (DOM.isElementNode(current)) {\n this.startElement(current);\n } else if (DOM.isTextNode(current)) {\n this.chars(DOM.nodeValue(current));\n }\n if (DOM.firstChild(current)) {\n current = DOM.firstChild(current);\n continue;\n }\n while (current) {\n // Leaving the element. Walk up and to the right, closing tags as we go.\n if (DOM.isElementNode(current)) {\n this.endElement(DOM.nodeName(current).toLowerCase());\n }\n if (DOM.nextSibling(current)) {\n current = DOM.nextSibling(current);\n break;\n }\n current = DOM.parentElement(current);\n }\n }\n return this.buf.join('');\n }\n\n private startElement(element: any) {\n let tagName = DOM.nodeName(element).toLowerCase();\n tagName = tagName.toLowerCase();\n if (VALID_ELEMENTS.hasOwnProperty(tagName)) {\n this.buf.push('<');\n this.buf.push(tagName);\n DOM.attributeMap(element).forEach((value: string, attrName: string) => {\n let lower = attrName.toLowerCase();\n if (!VALID_ATTRS.hasOwnProperty(lower)) return;\n // TODO(martinprobst): Special case image URIs for data:image/...\n if (URI_ATTRS[lower]) value = sanitizeUrl(value);\n this.buf.push(' ');\n this.buf.push(attrName);\n this.buf.push('=\"');\n this.buf.push(encodeEntities(value));\n this.buf.push('\"');\n });\n this.buf.push('>');\n }\n }\n\n private endElement(tagName: string) {\n tagName = tagName.toLowerCase();\n if (VALID_ELEMENTS.hasOwnProperty(tagName) && !VOID_ELEMENTS.hasOwnProperty(tagName)) {\n this.buf.push('</');\n this.buf.push(tagName);\n this.buf.push('>');\n }\n }\n\n private chars(chars: any /** TODO #9100 */) { this.buf.push(encodeEntities(chars)); }\n}\n\n// Regular Expressions for parsing tags and attributes\nconst SURROGATE_PAIR_REGEXP = /[\\uD800-\\uDBFF][\\uDC00-\\uDFFF]/g;\n// ! to ~ is the ASCII range.\nconst NON_ALPHANUMERIC_REGEXP = /([^\\#-~ |!])/g;\n\n/**\n * Escapes all potentially dangerous characters, so that the\n * resulting string can be safely inserted into attribute or\n * element text.\n * @param value\n * @returns {string} escaped text\n */\nfunction encodeEntities(value: any /** TODO #9100 */) {\n return value.replace(/&/g, '&')\n .replace(\n SURROGATE_PAIR_REGEXP,\n function(match: any /** TODO #9100 */) {\n let hi = match.charCodeAt(0);\n let low = match.charCodeAt(1);\n return '&#' + (((hi - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000) + ';';\n })\n .replace(\n NON_ALPHANUMERIC_REGEXP,\n function(match: any /** TODO #9100 */) { return '&#' + match.charCodeAt(0) + ';'; })\n .replace(/</g, '<')\n .replace(/>/g, '>');\n}\n\n/**\n * When IE9-11 comes across an unknown namespaced attribute e.g. 'xlink:foo' it adds 'xmlns:ns1'\n * attribute to declare ns1 namespace and prefixes the attribute with 'ns1' (e.g. 'ns1:xlink:foo').\n *\n * This is undesirable since we don't want to allow any of these custom attributes. This method\n * strips them all.\n */\nfunction stripCustomNsAttrs(el: any) {\n DOM.attributeMap(el).forEach((_, attrName) => {\n if (attrName === 'xmlns:ns1' || attrName.indexOf('ns1:') === 0) {\n DOM.removeAttribute(el, attrName);\n }\n });\n for (let n of DOM.childNodesAsList(el)) {\n if (DOM.isElementNode(n)) stripCustomNsAttrs(n);\n }\n}\n\n/**\n * Sanitizes the given unsafe, untrusted HTML fragment, and returns HTML text that is safe to add to\n * the DOM in a browser environment.\n */\nexport function sanitizeHtml(unsafeHtml: string): string {\n try {\n let containerEl = getInertElement();\n // Make sure unsafeHtml is actually a string (TypeScript types are not enforced at runtime).\n unsafeHtml = unsafeHtml ? String(unsafeHtml) : '';\n\n // mXSS protection. Repeatedly parse the document to make sure it stabilizes, so that a browser\n // trying to auto-correct incorrect HTML cannot cause formerly inert HTML to become dangerous.\n let mXSSAttempts = 5;\n let parsedHtml = unsafeHtml;\n\n do {\n if (mXSSAttempts === 0) {\n throw new Error('Failed to sanitize html because the input is unstable');\n }\n mXSSAttempts--;\n\n unsafeHtml = parsedHtml;\n DOM.setInnerHTML(containerEl, unsafeHtml);\n if ((DOM.defaultDoc() as any).documentMode) {\n // strip custom-namespaced attributes on IE<=11\n stripCustomNsAttrs(containerEl);\n }\n parsedHtml = DOM.getInnerHTML(containerEl);\n } while (unsafeHtml !== parsedHtml);\n\n let sanitizer = new SanitizingHtmlSerializer();\n let safeHtml = sanitizer.sanitizeChildren(DOM.getTemplateContent(containerEl) || containerEl);\n\n // Clear out the body element.\n let parent = DOM.getTemplateContent(containerEl) || containerEl;\n for (let child of DOM.childNodesAsList(parent)) {\n DOM.removeChild(parent, child);\n }\n\n if (assertionsEnabled() && safeHtml !== unsafeHtml) {\n DOM.log('WARNING: sanitizing HTML stripped some content.');\n }\n\n return safeHtml;\n } catch (e) {\n // In case anything goes wrong, clear out inertElement to reset the entire DOM structure.\n inertElement = null;\n throw e;\n }\n}\n\ninterface DecoratorInvocation {\n type: Function;\n args?: any[];\n}\n"]}

package/src/security/style_sanitizer.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+/**
+ * Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single
+ * value) and returns a value that is safe to use in a browser environment.
+ */
+export declare function sanitizeStyle(value: string): string;

package/src/security/style_sanitizer.js ADDED Viewed

@@ -0,0 +1,83 @@
+"use strict";
+var dom_adapter_1 = require('../dom/dom_adapter');
+var lang_1 = require('../facade/lang');
+var url_sanitizer_1 = require('./url_sanitizer');
+/**
+ * Regular expression for safe style values.
+ *
+ * Quotes (" and ') are allowed, but a check must be done elsewhere to ensure they're balanced.
+ *
+ * ',' allows multiple values to be assigned to the same property (e.g. background-attachment or
+ * font-family) and hence could allow multiple values to get injected, but that should pose no risk
+ * of XSS.
+ *
+ * The function expression checks only for XSS safety, not for CSS validity.
+ *
+ * This regular expression was taken from the Closure sanitization library, and augmented for
+ * transformation values.
+ */
+var VALUES = '[-,."\'%_!# a-zA-Z0-9]+';
+var TRANSFORMATION_FNS = '(?:matrix|translate|scale|rotate|skew|perspective)(?:X|Y|3d)?';
+var COLOR_FNS = '(?:rgb|hsl)a?';
+var FN_ARGS = '\\([-0-9.%, a-zA-Z]+\\)';
+var SAFE_STYLE_VALUE = new RegExp("^(" + VALUES + "|(?:" + TRANSFORMATION_FNS + "|" + COLOR_FNS + ")" + FN_ARGS + ")$", 'g');
+/**
+ * Matches a `url(...)` value with an arbitrary argument as long as it does
+ * not contain parentheses.
+ *
+ * The URL value still needs to be sanitized separately.
+ *
+ * `url(...)` values are a very common use case, e.g. for `background-image`. With carefully crafted
+ * CSS style rules, it is possible to construct an information leak with `url` values in CSS, e.g.
+ * by observing whether scroll bars are displayed, or character ranges used by a font face
+ * definition.
+ *
+ * Angular only allows binding CSS values (as opposed to entire CSS rules), so it is unlikely that
+ * binding a URL value without further cooperation from the page will cause an information leak, and
+ * if so, it is just a leak, not a full blown XSS vulnerability.
+ *
+ * Given the common use case, low likelihood of attack vector, and low impact of an attack, this
+ * code is permissive and allows URLs that sanitize otherwise.
+ */
+var URL_RE = /^url\(([^)]+)\)$/;
+/**
+ * Checks that quotes (" and ') are properly balanced inside a string. Assumes
+ * that neither escape (\) nor any other character that could result in
+ * breaking out of a string parsing context are allowed;
+ * see http://www.w3.org/TR/css3-syntax/#string-token-diagram.
+ *
+ * This code was taken from the Closure sanitization library.
+ */
+function hasBalancedQuotes(value) {
+    var outsideSingle = true;
+    var outsideDouble = true;
+    for (var i = 0; i < value.length; i++) {
+        var c = value.charAt(i);
+        if (c === '\'' && outsideDouble) {
+            outsideSingle = !outsideSingle;
+        }
+        else if (c === '"' && outsideSingle) {
+            outsideDouble = !outsideDouble;
+        }
+    }
+    return outsideSingle && outsideDouble;
+}
+/**
+ * Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single
+ * value) and returns a value that is safe to use in a browser environment.
+ */
+function sanitizeStyle(value) {
+    value = String(value).trim(); // Make sure it's actually a string.
+    // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for
+    // reasoning behind this.
+    var urlMatch = URL_RE.exec(value);
+    if ((urlMatch && url_sanitizer_1.sanitizeUrl(urlMatch[1]) === urlMatch[1]) ||
+        value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) {
+        return value; // Safe style values.
+    }
+    if (lang_1.assertionsEnabled())
+        dom_adapter_1.getDOM().log('WARNING: sanitizing unsafe style value ' + value);
+    return 'unsafe';
+}
+exports.sanitizeStyle = sanitizeStyle;
+//# sourceMappingURL=style_sanitizer.js.map

package/src/security/style_sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"style_sanitizer.js","sourceRoot":"","sources":["../../../../../modules/@angular/platform-browser/src/security/style_sanitizer.ts"],"names":[],"mappings":";AAAA,4BAAqB,oBAAoB,CAAC,CAAA;AAC1C,qBAAgC,gBAAgB,CAAC,CAAA;AAEjD,8BAA0B,iBAAiB,CAAC,CAAA;AAE5C;;;;;;;;;;;;;GAaG;AACH,IAAM,MAAM,GAAG,yBAAyB,CAAC;AACzC,IAAM,kBAAkB,GAAG,+DAA+D,CAAC;AAC3F,IAAM,SAAS,GAAG,eAAe,CAAC;AAClC,IAAM,OAAO,GAAG,yBAAyB,CAAC;AAC1C,IAAM,gBAAgB,GAClB,IAAI,MAAM,CAAC,OAAK,MAAM,YAAO,kBAAkB,SAAI,SAAS,SAAI,OAAO,OAAI,EAAE,GAAG,CAAC,CAAC;AAEtF;;;;;;;;;;;;;;;;;GAiBG;AACH,IAAM,MAAM,GAAG,kBAAkB,CAAC;AAElC;;;;;;;GAOG;AACH,2BAA2B,KAAa;IACtC,IAAI,aAAa,GAAG,IAAI,CAAC;IACzB,IAAI,aAAa,GAAG,IAAI,CAAC;IACzB,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;QACxB,EAAE,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,aAAa,CAAC,CAAC,CAAC;YAChC,aAAa,GAAG,CAAC,aAAa,CAAC;QACjC,CAAC;QAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,IAAI,aAAa,CAAC,CAAC,CAAC;YACtC,aAAa,GAAG,CAAC,aAAa,CAAC;QACjC,CAAC;IACH,CAAC;IACD,MAAM,CAAC,aAAa,IAAI,aAAa,CAAC;AACxC,CAAC;AAED;;;GAGG;AACH,uBAA8B,KAAa;IACzC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,IAAI,EAAE,CAAC,CAAE,oCAAoC;IAEnE,+FAA+F;IAC/F,yBAAyB;IACzB,IAAI,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAClC,EAAE,CAAC,CAAC,CAAC,QAAQ,IAAI,2BAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC;QACtD,KAAK,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,iBAAiB,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,CAAC,KAAK,CAAC,CAAE,qBAAqB;IACtC,CAAC;IAED,EAAE,CAAC,CAAC,wBAAiB,EAAE,CAAC;QAAC,oBAAM,EAAE,CAAC,GAAG,CAAC,yCAAyC,GAAG,KAAK,CAAC,CAAC;IAEzF,MAAM,CAAC,QAAQ,CAAC;AAClB,CAAC;AAde,qBAAa,gBAc5B,CAAA","sourcesContent":["import {getDOM} from '../dom/dom_adapter';\nimport {assertionsEnabled} from '../facade/lang';\n\nimport {sanitizeUrl} from './url_sanitizer';\n\n/**\n * Regular expression for safe style values.\n *\n * Quotes (\" and ') are allowed, but a check must be done elsewhere to ensure they're balanced.\n *\n * ',' allows multiple values to be assigned to the same property (e.g. background-attachment or\n * font-family) and hence could allow multiple values to get injected, but that should pose no risk\n * of XSS.\n *\n * The function expression checks only for XSS safety, not for CSS validity.\n *\n * This regular expression was taken from the Closure sanitization library, and augmented for\n * transformation values.\n */\nconst VALUES = '[-,.\"\\'%_!# a-zA-Z0-9]+';\nconst TRANSFORMATION_FNS = '(?:matrix|translate|scale|rotate|skew|perspective)(?:X|Y|3d)?';\nconst COLOR_FNS = '(?:rgb|hsl)a?';\nconst FN_ARGS = '\\\$[-0-9.%, a-zA-Z]+\\\$';\nconst SAFE_STYLE_VALUE =\n new RegExp(`^(${VALUES}|(?:${TRANSFORMATION_FNS}|${COLOR_FNS})${FN_ARGS})$`, 'g');\n\n/**\n * Matches a `url(...)` value with an arbitrary argument as long as it does\n * not contain parentheses.\n *\n * The URL value still needs to be sanitized separately.\n *\n * `url(...)` values are a very common use case, e.g. for `background-image`. With carefully crafted\n * CSS style rules, it is possible to construct an information leak with `url` values in CSS, e.g.\n * by observing whether scroll bars are displayed, or character ranges used by a font face\n * definition.\n *\n * Angular only allows binding CSS values (as opposed to entire CSS rules), so it is unlikely that\n * binding a URL value without further cooperation from the page will cause an information leak, and\n * if so, it is just a leak, not a full blown XSS vulnerability.\n *\n * Given the common use case, low likelihood of attack vector, and low impact of an attack, this\n * code is permissive and allows URLs that sanitize otherwise.\n */\nconst URL_RE = /^url\$([^)]+)\$$/;\n\n/**\n * Checks that quotes (\" and ') are properly balanced inside a string. Assumes\n * that neither escape (\\) nor any other character that could result in\n * breaking out of a string parsing context are allowed;\n * see http://www.w3.org/TR/css3-syntax/#string-token-diagram.\n *\n * This code was taken from the Closure sanitization library.\n */\nfunction hasBalancedQuotes(value: string) {\n let outsideSingle = true;\n let outsideDouble = true;\n for (let i = 0; i < value.length; i++) {\n let c = value.charAt(i);\n if (c === '\\'' && outsideDouble) {\n outsideSingle = !outsideSingle;\n } else if (c === '\"' && outsideSingle) {\n outsideDouble = !outsideDouble;\n }\n }\n return outsideSingle && outsideDouble;\n}\n\n/**\n * Sanitizes the given untrusted CSS style property value (i.e. not an entire object, just a single\n * value) and returns a value that is safe to use in a browser environment.\n */\nexport function sanitizeStyle(value: string): string {\n value = String(value).trim(); // Make sure it's actually a string.\n\n // Single url(...) values are supported, but only for URLs that sanitize cleanly. See above for\n // reasoning behind this.\n let urlMatch = URL_RE.exec(value);\n if ((urlMatch && sanitizeUrl(urlMatch[1]) === urlMatch[1]) ||\n value.match(SAFE_STYLE_VALUE) && hasBalancedQuotes(value)) {\n return value; // Safe style values.\n }\n\n if (assertionsEnabled()) getDOM().log('WARNING: sanitizing unsafe style value ' + value);\n\n return 'unsafe';\n}\n\ninterface DecoratorInvocation {\n type: Function;\n args?: any[];\n}\n"]}

package/src/security/url_sanitizer.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export declare function sanitizeUrl(url: string): string;

package/src/security/url_sanitizer.js ADDED Viewed

@@ -0,0 +1,42 @@
+"use strict";
+var dom_adapter_1 = require('../dom/dom_adapter');
+var lang_1 = require('../facade/lang');
+/**
+ * A pattern that recognizes a commonly useful subset of URLs that are safe.
+ *
+ * This regular expression matches a subset of URLs that will not cause script
+ * execution if used in URL context within a HTML document. Specifically, this
+ * regular expression matches if (comment from here on and regex copied from
+ * Soy's EscapingConventions):
+ * (1) Either a protocol in a whitelist (http, https, mailto or ftp).
+ * (2) or no protocol.  A protocol must be followed by a colon. The below
+ *     allows that by allowing colons only after one of the characters [/?#].
+ *     A colon after a hash (#) must be in the fragment.
+ *     Otherwise, a colon after a (?) must be in a query.
+ *     Otherwise, a colon after a single solidus (/) must be in a path.
+ *     Otherwise, a colon after a double solidus (//) must be in the authority
+ *     (before port).
+ *
+ * The pattern disallows &, used in HTML entity declarations before
+ * one of the characters in [/?#]. This disallows HTML entities used in the
+ * protocol name, which should never happen, e.g. "h&#116;tp" for "http".
+ * It also disallows HTML entities in the first path part of a relative path,
+ * e.g. "foo&lt;bar/baz".  Our existing escaping functions should not produce
+ * that. More importantly, it disallows masking of a colon,
+ * e.g. "javascript&#58;...".
+ *
+ * This regular expression was taken from the Closure sanitization library.
+ */
+var SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;
+/** A pattern that matches safe data URLs. Only matches image and video types. */
+var DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm));base64,[a-z0-9+\/]+=*$/i;
+function sanitizeUrl(url) {
+    url = String(url);
+    if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN))
+        return url;
+    if (lang_1.assertionsEnabled())
+        dom_adapter_1.getDOM().log('WARNING: sanitizing unsafe URL value ' + url);
+    return 'unsafe:' + url;
+}
+exports.sanitizeUrl = sanitizeUrl;
+//# sourceMappingURL=url_sanitizer.js.map

package/src/security/url_sanitizer.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"url_sanitizer.js","sourceRoot":"","sources":["../../../../../modules/@angular/platform-browser/src/security/url_sanitizer.ts"],"names":[],"mappings":";AAAA,4BAAqB,oBAAoB,CAAC,CAAA;AAC1C,qBAAgC,gBAAgB,CAAC,CAAA;AAEjD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,IAAM,gBAAgB,GAAG,6DAA6D,CAAC;AAEvF,iFAAiF;AACjF,IAAM,gBAAgB,GAClB,0GAA0G,CAAC;AAE/G,qBAA4B,GAAW;IACrC,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC;IAClB,EAAE,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAAC,MAAM,CAAC,GAAG,CAAC;IAE3E,EAAE,CAAC,CAAC,wBAAiB,EAAE,CAAC;QAAC,oBAAM,EAAE,CAAC,GAAG,CAAC,uCAAuC,GAAG,GAAG,CAAC,CAAC;IAErF,MAAM,CAAC,SAAS,GAAG,GAAG,CAAC;AACzB,CAAC;AAPe,mBAAW,cAO1B,CAAA","sourcesContent":["import {getDOM} from '../dom/dom_adapter';\nimport {assertionsEnabled} from '../facade/lang';\n\n/**\n * A pattern that recognizes a commonly useful subset of URLs that are safe.\n *\n * This regular expression matches a subset of URLs that will not cause script\n * execution if used in URL context within a HTML document. Specifically, this\n * regular expression matches if (comment from here on and regex copied from\n * Soy's EscapingConventions):\n * (1) Either a protocol in a whitelist (http, https, mailto or ftp).\n * (2) or no protocol. A protocol must be followed by a colon. The below\n * allows that by allowing colons only after one of the characters [/?#].\n * A colon after a hash (#) must be in the fragment.\n * Otherwise, a colon after a (?) must be in a query.\n * Otherwise, a colon after a single solidus (/) must be in a path.\n * Otherwise, a colon after a double solidus (//) must be in the authority\n * (before port).\n *\n * The pattern disallows &, used in HTML entity declarations before\n * one of the characters in [/?#]. This disallows HTML entities used in the\n * protocol name, which should never happen, e.g. \"http\" for \"http\".\n * It also disallows HTML entities in the first path part of a relative path,\n * e.g. \"foo<bar/baz\". Our existing escaping functions should not produce\n * that. More importantly, it disallows masking of a colon,\n * e.g. \"javascript:...\".\n *\n * This regular expression was taken from the Closure sanitization library.\n */\nconst SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi;\n\n/** A pattern that matches safe data URLs. Only matches image and video types. */\nconst DATA_URL_PATTERN =\n /^data:(?:image\\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\\/(?:mpeg|mp4|ogg|webm));base64,[a-z0-9+\\/]+=*$/i;\n\nexport function sanitizeUrl(url: string): string {\n url = String(url);\n if (url.match(SAFE_URL_PATTERN) || url.match(DATA_URL_PATTERN)) return url;\n\n if (assertionsEnabled()) getDOM().log('WARNING: sanitizing unsafe URL value ' + url);\n\n return 'unsafe:' + url;\n}\n\ninterface DecoratorInvocation {\n type: Function;\n args?: any[];\n}\n"]}

package/src/web_workers/shared/api.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ import { OpaqueToken } from '@angular/core';
2	+ export declare const ON_WEB_WORKER: OpaqueToken;

package/src/web_workers/shared/api.js ADDED Viewed

@@ -0,0 +1,4 @@
+"use strict";
+var core_1 = require('@angular/core');
+exports.ON_WEB_WORKER = new core_1.OpaqueToken('WebWorker.onWebWorker');
+//# sourceMappingURL=api.js.map

package/src/web_workers/shared/api.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"api.js","sourceRoot":"","sources":["../../../../../../modules/@angular/platform-browser/src/web_workers/shared/api.ts"],"names":[],"mappings":";AAAA,qBAA0B,eAAe,CAAC,CAAA;AAE7B,qBAAa,GAAG,IAAI,kBAAW,CAAC,uBAAuB,CAAC,CAAC","sourcesContent":["import {OpaqueToken} from '@angular/core';\n\nexport const ON_WEB_WORKER = new OpaqueToken('WebWorker.onWebWorker');\n\ninterface DecoratorInvocation {\n type: Function;\n args?: any[];\n}\n"]}

package/src/web_workers/shared/api.metadata.json ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"__symbolic":"module","version":1,"metadata":{"ON_WEB_WORKER":{"__symbolic":"new","expression":{"__symbolic":"reference","module":"@angular/core","name":"OpaqueToken"},"arguments":["WebWorker.onWebWorker"]}}}

package/src/web_workers/shared/client_message_broker.d.ts ADDED Viewed

@@ -0,0 +1,51 @@
+import { Type } from '@angular/core';
+import { MessageBus } from './message_bus';
+import { Serializer } from './serializer';
+/**
+ * @experimental
+ */
+export declare abstract class ClientMessageBrokerFactory {
+    /**
+     * Initializes the given channel and attaches a new {@link ClientMessageBroker} to it.
+     */
+    abstract createMessageBroker(channel: string, runInZone?: boolean): ClientMessageBroker;
+}
+export declare class ClientMessageBrokerFactory_ extends ClientMessageBrokerFactory {
+    private _messageBus;
+    constructor(_messageBus: MessageBus, _serializer: Serializer);
+    /**
+     * Initializes the given channel and attaches a new {@link ClientMessageBroker} to it.
+     */
+    createMessageBroker(channel: string, runInZone?: boolean): ClientMessageBroker;
+}
+/**
+ * @experimental
+ */
+export declare abstract class ClientMessageBroker {
+    abstract runOnService(args: UiArguments, returnType: Type): Promise<any>;
+}
+export declare class ClientMessageBroker_ extends ClientMessageBroker {
+    channel: any;
+    private _pending;
+    private _sink;
+    constructor(messageBus: MessageBus, _serializer: Serializer, channel: any);
+    private _generateMessageId(name);
+    runOnService(args: UiArguments, returnType: Type): Promise<any>;
+    private _handleMessage(message);
+}
+/**
+ * @experimental
+ */
+export declare class FnArg {
+    value: any;
+    type: Type;
+    constructor(value: any, type: Type);
+}
+/**
+ * @experimental
+ */
+export declare class UiArguments {
+    method: string;
+    args: FnArg[];
+    constructor(method: string, args?: FnArg[]);
+}