@firebase/database 1.0.6-canary.9cd3c1eca → 1.0.6-canary.f58d48cd4

package/dist/index.node.cjs.js

@@ -1300,7 +1300,7 @@ var WebSocketConnection = /** @class */ (function () {
 }());
 
 var name = "@firebase/database";
-var version = "1.0.6-canary.9cd3c1eca";
+var version = "1.0.6-canary.f58d48cd4";
 
 /**
  * @license
@@ -1939,6 +1939,8 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
             var iframeContents = '<html><body>' + script + '</body></html>';
             try {
                 this.myIFrame.doc.open();
+                // TODO: Do not use document.write, since it can lead to XSS. Instead, use the safevalues
+                // library to sanitize the HTML in the iframeContents.
                 this.myIFrame.doc.write(iframeContents);
                 this.myIFrame.doc.close();
             }
@@ -2164,6 +2166,10 @@ var FirebaseIFrameScriptHolder = /** @class */ (function () {
                     var newScript_1 = _this.myIFrame.doc.createElement('script');
                     newScript_1.type = 'text/javascript';
                     newScript_1.async = true;
+                    // TODO: We cannot assign an arbitrary URL to a script attached to the DOM, since it is
+                    // at risk of XSS. We should use the safevalues library to create a safeScriptEl, and
+                    // assign a sanitized trustedResourceURL to it. Since the URL must be a template string
+                    // literal, this could require some heavy refactoring.
                     newScript_1.src = url;
                     // eslint-disable-next-line @typescript-eslint/no-explicit-any
                     newScript_1.onload = newScript_1.onreadystatechange =