npm - @firebase/database-compat - Versions diffs - 1.0.6-canary.9cd3c1eca → 1.0.6-canary.fd8bd4b02 - Mend

@firebase/database-compat 1.0.6-canary.9cd3c1eca → 1.0.6-canary.fd8bd4b02

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.esm2017.js +1 -1
package/dist/index.esm5.js +1 -1
package/dist/index.js +1 -1
package/dist/index.standalone.js +6 -0
package/dist/index.standalone.js.map +1 -1
package/dist/node-esm/index.js +1 -1
package/package.json +7 -7

package/dist/index.esm2017.js CHANGED Viewed

@@ -5,7 +5,7 @@ import { errorPrefix, validateArgCount, validateCallback, validateContextObject,
 import { Logger } from '@firebase/logger';
 const name = "@firebase/database-compat";
-const version = "1.0.6-canary.9cd3c1eca";
+const version = "1.0.6-canary.fd8bd4b02";
 /**
  * @license

package/dist/index.esm5.js CHANGED Viewed

@@ -6,7 +6,7 @@ import { __extends } from 'tslib';
 import { Logger } from '@firebase/logger';
 var name = "@firebase/database-compat";
-var version = "1.0.6-canary.9cd3c1eca";
+var version = "1.0.6-canary.fd8bd4b02";
 /**
  * @license

package/dist/index.js CHANGED Viewed

@@ -12,7 +12,7 @@ function _interopDefaultLegacy (e) { return e && typeof e === 'object' && 'defau
 var firebase__default = /*#__PURE__*/_interopDefaultLegacy(firebase);
 var name = "@firebase/database-compat";
-var version = "1.0.6-canary.9cd3c1eca";
+var version = "1.0.6-canary.fd8bd4b02";
 /**
  * @license

package/dist/index.standalone.js CHANGED Viewed

@@ -5282,6 +5282,8 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
             var iframeContents = '<html><body>' + script + '</body></html>';
             try {
                 this.myIFrame.doc.open();
+                // TODO: Do not use document.write, since it can lead to XSS. Instead, use the safevalues
+                // library to sanitize the HTML in the iframeContents.
                 this.myIFrame.doc.write(iframeContents);
                 this.myIFrame.doc.close();
             }
@@ -5507,6 +5509,10 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
                     var newScript_1 = _this.myIFrame.doc.createElement('script');
                     newScript_1.type = 'text/javascript';
                     newScript_1.async = true;
+                    // TODO: We cannot assign an arbitrary URL to a script attached to the DOM, since it is
+                    // at risk of XSS. We should use the safevalues library to create a safeScriptEl, and
+                    // assign a sanitized trustedResourceURL to it. Since the URL must be a template string
+                    // literal, this could require some heavy refactoring.
                     newScript_1.src = url;
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     newScript_1.onload = newScript_1.onreadystatechange =