npm - @firebase/database - Versions diffs - 1.0.6-canary.62661245f → 1.0.6-canary.6bb2e8931 - Mend

@firebase/database 1.0.6-canary.62661245f → 1.0.6-canary.6bb2e8931

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/dist/index.cjs.js +1 -7
package/dist/index.cjs.js.map +1 -1
package/dist/index.esm2017.js +1 -7
package/dist/index.esm2017.js.map +1 -1
package/dist/index.esm5.js +1 -7
package/dist/index.esm5.js.map +1 -1
package/dist/index.node.cjs.js +1 -7
package/dist/index.node.cjs.js.map +1 -1
package/dist/index.standalone.js +0 -6
package/dist/index.standalone.js.map +1 -1
package/dist/node-esm/index.node.esm.js +1 -7
package/dist/node-esm/index.node.esm.js.map +1 -1
package/package.json +7 -8

package/dist/node-esm/index.node.esm.js CHANGED Viewed

@@ -1251,7 +1251,7 @@ WebSocketConnection.responsesRequiredToBeHealthy = 2;
 WebSocketConnection.healthyTimeout = 30000;
 const name = "@firebase/database";
-const version = "1.0.6-canary.62661245f";
+const version = "1.0.6-canary.6bb2e8931";
 /**
  * @license
@@ -1861,8 +1861,6 @@ class FirebaseIFrameScriptHolder {
             const iframeContents = '<html><body>' + script + '</body></html>';
             try {
                 this.myIFrame.doc.open();
-                // TODO: Do not use document.write, since it can lead to XSS. Instead, use the safevalues
-                // library to sanitize the HTML in the iframeContents.
                 this.myIFrame.doc.write(iframeContents);
                 this.myIFrame.doc.close();
             }
@@ -2085,10 +2083,6 @@ class FirebaseIFrameScriptHolder {
                     const newScript = this.myIFrame.doc.createElement('script');
                     newScript.type = 'text/javascript';
                     newScript.async = true;
-                    // TODO: We cannot assign an arbitrary URL to a script attached to the DOM, since it is
-                    // at risk of XSS. We should use the safevalues library to create a safeScriptEl, and
-                    // assign a sanitized trustedResourceURL to it. Since the URL must be a template string
-                    // literal, this could require some heavy refactoring.
                     newScript.src = url;
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     newScript.onload = newScript.onreadystatechange =