@firebase/database 1.0.6-canary.1b9d95e5a → 1.0.6-canary.3f2c12a07

package/dist/index.esm2017.js

@@ -4,7 +4,7 @@ import { stringify, jsonEval, contains, assert, isNodeSdk, stringToByteArray, Sh
 import { Logger, LogLevel } from '@firebase/logger';
 
 const name = "@firebase/database";
-const version = "1.0.6-canary.1b9d95e5a";
+const version = "1.0.6-canary.3f2c12a07";
 
 /**
  * @license
@@ -1509,8 +1509,6 @@ class FirebaseIFrameScriptHolder {
             const iframeContents = '<html><body>' + script + '</body></html>';
             try {
                 this.myIFrame.doc.open();
-                // TODO: Do not use document.write, since it can lead to XSS. Instead, use the safevalues
-                // library to sanitize the HTML in the iframeContents.
                 this.myIFrame.doc.write(iframeContents);
                 this.myIFrame.doc.close();
             }
@@ -1733,10 +1731,6 @@ class FirebaseIFrameScriptHolder {
                     const newScript = this.myIFrame.doc.createElement('script');
                     newScript.type = 'text/javascript';
                     newScript.async = true;
-                    // TODO: We cannot assign an arbitrary URL to a script attached to the DOM, since it is
-                    // at risk of XSS. We should use the safevalues library to create a safeScriptEl, and
-                    // assign a sanitized trustedResourceURL to it. Since the URL must be a template string
-                    // literal, this could require some heavy refactoring.
                     newScript.src = url;
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     newScript.onload = newScript.onreadystatechange =