@firebase/database 1.0.6-canary.4b4db85ff → 1.0.6-canary.62661245f

package/dist/index.standalone.js

@@ -607,7 +607,7 @@ var isWindowsStoreApp = function () {
     return typeof Windows === 'object' && typeof Windows.UI === 'object';
 };
 /**
- * Converts a server error code to a Javascript Error
+ * Converts a server error code to a JavaScript Error
  */
 function errorForServerCode(code, query) {
     var reason = 'Unknown Error';
@@ -636,7 +636,7 @@ var INTEGER_REGEXP_ = new RegExp('^-?(0*)\\d{1,10}$');
  */
 var INTEGER_32_MIN = -2147483648;
 /**
- * For use in kyes, the maximum possible 32-bit integer.
+ * For use in keys, the maximum possible 32-bit integer.
  */
 var INTEGER_32_MAX = 2147483647;
 /**
@@ -1334,7 +1334,7 @@ var AppCheckTokenProvider = /** @class */ (function () {
                 // Support delayed initialization of FirebaseAppCheck. This allows our
                 // customers to initialize the RTDB SDK before initializing Firebase
                 // AppCheck and ensures that all requests are authenticated if a token
-                // becomes available before the timoeout below expires.
+                // becomes available before the timeout below expires.
                 setTimeout(function () {
                     if (_this.appCheck) {
                         _this.getToken(forceRefresh).then(resolve, reject);
@@ -1396,7 +1396,7 @@ var FirebaseAuthTokenProvider = /** @class */ (function () {
                 // Support delayed initialization of FirebaseAuth. This allows our
                 // customers to initialize the RTDB SDK before initializing Firebase
                 // Auth and ensures that all requests are authenticated if a token
-                // becomes available before the timoeout below expires.
+                // becomes available before the timeout below expires.
                 setTimeout(function () {
                     if (_this.auth_) {
                         _this.getToken(forceRefresh).then(resolve, reject);
@@ -1890,7 +1890,7 @@ var BrowserPollConnection = /** @class */ (function () {
  *********************************************************************************************/
 var FirebaseIFrameScriptHolder = /** @class */ (function () {
     /**
-     * @param commandCB - The callback to be called when control commands are recevied from the server.
+     * @param commandCB - The callback to be called when control commands are received from the server.
      * @param onMessageCB - The callback to be triggered when responses arrive from the server.
      * @param onDisconnect - The callback to be triggered when this tag holder is closed
      * @param urlFn - A function that provides the URL of the endpoint to send data to.
@@ -1935,6 +1935,8 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
             var iframeContents = '<html><body>' + script + '</body></html>';
             try {
                 this.myIFrame.doc.open();
+                // TODO: Do not use document.write, since it can lead to XSS. Instead, use the safevalues
+                // library to sanitize the HTML in the iframeContents.
                 this.myIFrame.doc.write(iframeContents);
                 this.myIFrame.doc.close();
             }
@@ -2160,6 +2162,10 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
                     var newScript_1 = _this.myIFrame.doc.createElement('script');
                     newScript_1.type = 'text/javascript';
                     newScript_1.async = true;
+                    // TODO: We cannot assign an arbitrary URL to a script attached to the DOM, since it is
+                    // at risk of XSS. We should use the safevalues library to create a safeScriptEl, and
+                    // assign a sanitized trustedResourceURL to it. Since the URL must be a template string
+                    // literal, this could require some heavy refactoring.
                     newScript_1.src = url;
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     newScript_1.onload = newScript_1.onreadystatechange =
@@ -10650,7 +10656,7 @@ function treeHasChildren(tree) {
     return tree.node.childCount > 0;
 }
 /**
- * @returns Whethe rthe tree is empty (no value or children).
+ * @returns Whether the tree is empty (no value or children).
  */
 function treeIsEmpty(tree) {
     return treeGetValue(tree) === undefined && !treeHasChildren(tree);
@@ -13061,7 +13067,7 @@ function push(parent, value) {
     // then() and catch() methods and is used as the return value of push(). The
     // second remains a regular Reference and is used as the fulfilled value of
     // the first ThennableReference.
-    var thennablePushRef = child(parent, name);
+    var thenablePushRef = child(parent, name);
     var pushRef = child(parent, name);
     var promise;
     if (value != null) {
@@ -13070,9 +13076,9 @@ function push(parent, value) {
     else {
         promise = Promise.resolve(pushRef);
     }
-    thennablePushRef.then = promise.then.bind(promise);
-    thennablePushRef.catch = promise.then.bind(promise, undefined);
-    return thennablePushRef;
+    thenablePushRef.then = promise.then.bind(promise);
+    thenablePushRef.catch = promise.then.bind(promise, undefined);
+    return thenablePushRef;
 }
 /**
  * Removes the data at this Database location.