@ionic/core 8.8.9-dev.11781024903.1e4268e5 → 8.8.9-dev.11781201980.1b6e8398

package/dist/cjs/select-option-render-DQyZnlF5.js

@@ -1,116 +0,0 @@
-/*!
- * (C) Ionic http://ionicframework.com - MIT License
- */
-'use strict';
-
-var index = require('./index-CzcLEdQ5.js');
-var index$1 = require('./index-Dm4Dm7Vg.js');
-
-/**
- * Converts a DOM node into a Stencil VNode (or text string) so the
- * resulting tree is rendered through the component's normal render
- * path. Rendering through Stencil ensures that scoped CSS classes
- * (e.g. `sc-ion-action-sheet-ionic`) are applied to every element.
- *
- * Highly recommended to pre-sanitize the source DOM (see
- * `getOptionContent` in select.tsx). This function performs pure
- * structural conversion — no security filtering.
- *
- * Preserves attributes only — properties set imperatively on the source
- * element (e.g. `input.value` after a user types) won't carry through.
- * In practice this isn't a concern: interactive controls shouldn't
- * appear in select-option rich content since they'd nest inside the
- * overlay's button/radio/checkbox wrapper, which is invalid HTML and
- * an accessibility issue.
- *
- * @param node - The DOM node to convert. Text nodes become strings,
- * element nodes become VNodes, and any other node types are skipped.
- * @param keyPrefix - String prefix used to build a stable VNode key,
- * so Stencil's diff can preserve elements across re-renders.
- * @param index - Position of this node among its siblings. Combined
- * with `keyPrefix` to form the final unique key.
- * @returns The converted VNode, a text string, or `null` if the node
- * type isn't supported.
- *
- * @internal Exported only so it can be unit tested; not part of the
- * public API.
- */
-const cloneToVNode = (node, keyPrefix, index$1) => {
-    var _a;
-    if (node.nodeType === Node.TEXT_NODE) {
-        return (_a = node.textContent) !== null && _a !== void 0 ? _a : '';
-    }
-    if (node.nodeType !== Node.ELEMENT_NODE) {
-        return null;
-    }
-    const el = node;
-    const tag = el.tagName.toLowerCase();
-    const key = `${keyPrefix}-${index$1}`;
-    const attrs = { key };
-    for (let i = 0; i < el.attributes.length; i++) {
-        const attr = el.attributes.item(i);
-        attrs[attr.name] = attr.value;
-    }
-    const children = Array.from(el.childNodes)
-        .map((child, i) => cloneToVNode(child, key, i))
-        .filter((c) => c !== null);
-    return index.h(tag, attrs, children);
-};
-/**
- * Renders cloned DOM content as Stencil JSX. Walking the source DOM
- * into VNodes (rather than injecting it via innerHTML) keeps the
- * content inside Stencil's render path, so scoped CSS classes are
- * applied automatically and component attributes like `size` or
- * `color` survive intact.
- *
- * Span elements should be used when this content renders within buttons,
- * depending on the select interface. Buttons can only have phrasing
- * content to prevent accessibility issues.
- *
- * @param id - Unique identifier for generating stable virtual DOM keys.
- * @param content - The HTMLElement container whose child nodes will be cloned.
- * @param className - CSS class applied to the wrapper element.
- * @param useSpan - Whether to use a span element instead of a div for the wrapper.
- */
-const renderClonedContent = (id, content, className, useSpan = false) => {
-    const Tag = useSpan ? 'span' : 'div';
-    const keyPrefix = `${className}-${id}`;
-    index$1.sanitizeDOMTree(content);
-    return (index.h(Tag, { class: className, key: keyPrefix }, Array.from(content.childNodes).map((child, i) => cloneToVNode(child, keyPrefix, i))));
-};
-/**
- * Renders the label content for a select option within an overlay
- * interface based on the presence of rich content.
- *
- * Span elements should be used when this content renders within buttons,
- * depending on the select interface. Buttons can only have phrasing
- * content to prevent accessibility issues.
- *
- * @param option - The content option data containing label, slots,
- * and description.
- * @param className - The base CSS class for the label element.
- * @param useSpan - Whether to use a span element instead of a div for the label.
- */
-const renderOptionLabel = (option, className, useSpan = false) => {
-    const { id, label, startContent, endContent, description } = option;
-    const hasRichContent = !!startContent || !!endContent || !!description;
-    const Tag = useSpan ? 'span' : 'div';
-    // Render simple string label if there is no rich content to display
-    if (!hasRichContent && (typeof label === 'string' || !label)) {
-        return (index.h(Tag, { class: className, key: `${className}-${id}` }, label));
-    }
-    // Render the main label
-    const labelEl = typeof label === 'string' || !label ? (
-    // Label is a simple string or undefined
-    index.h(Tag, { key: `${className}-label-${id}` }, label)) : (
-    // Label is an HTMLElement with potential rich content
-    renderClonedContent(id, label, `${className}-text`, useSpan));
-    // No rich content, render just the label
-    if (!hasRichContent) {
-        return (index.h(Tag, { class: className, key: `${className}-${id}` }, labelEl));
-    }
-    // Render label with rich content (start, end, description)
-    return (index.h(Tag, { class: `${className} ${className}-has-rich-content`, key: `${className}-${id}` }, startContent && renderClonedContent(id, startContent, 'select-option-start', useSpan), index.h(Tag, { class: "select-option-content", key: `${className}-content-${id}` }, labelEl, description && (index.h(Tag, { class: "select-option-description", key: `${className}-desc-${id}` }, description))), endContent && renderClonedContent(id, endContent, 'select-option-end', useSpan)));
-};
-
-exports.renderOptionLabel = renderOptionLabel;

package/dist/collection/utils/overlay-control-label.js

@@ -1,47 +0,0 @@
-/*!
- * (C) Ionic http://ionicframework.com - MIT License
- */
-// TODO(FW-6886, FW-6892, FW-6891): Remove this file in favor of the Modular Ionic component config. Each overlay will be able to select its own defaults for label placement and justify based on the interface and theme, so this utility will no longer be necessary.
-/**
- * Returns the default `labelPlacement` for a radio or checkbox option
- * rendered inside an overlay. Defaults follow each theme's established
- * option-row layout:
- * - `ionic`: always `"start"`.
- * - `ios`: `"start"` for radio in `alert` and `popover`. The `modal`
- *   interface flips iOS radio back to `"end"`. Checkbox is always
- *   `"end"` on iOS.
- * - everything else (e.g. `md`): `"end"`.
- *
- * `interfaceType` is optional; only `"modal"` changes the result, so
- * callers that aren't a modal can omit it.
- *
- * Used by `alert`, `select-popover`, and `select-modal` as the fallback
- * when an option doesn't explicitly set `labelPlacement`.
- */
-export const getOverlayLabelPlacement = (theme, control, interfaceType) => {
-    if (theme === 'ionic' || (theme === 'ios' && control === 'radio' && interfaceType !== 'modal')) {
-        return 'start';
-    }
-    return 'end';
-};
-/**
- * Returns the default `justify` for a radio or checkbox option rendered
- * inside an overlay. Defaults follow each theme's option-row layout:
- * - `ionic`: always `"space-between"`.
- * - `ios`: `"space-between"` for radio in `alert` and `popover`. The
- *   `modal` interface falls back to `"start"`. Checkbox is always `"start"`
- *   on iOS.
- * - everything else (e.g. `md`): `"start"`.
- *
- * `interfaceType` is optional; only `"modal"` changes the result, so
- * callers that aren't a modal can omit it.
- *
- * Used by `alert`, `select-popover`, and `select-modal` as the fallback when
- * an option doesn't explicitly set `justify`.
- */
-export const getOverlayLabelJustify = (theme, control, interfaceType) => {
-    if (theme === 'ionic' || (theme === 'ios' && control === 'radio' && interfaceType !== 'modal')) {
-        return 'space-between';
-    }
-    return 'start';
-};

package/dist/esm/index-Bmyj8b0z.js

@@ -1,409 +0,0 @@
-/*!
- * (C) Ionic http://ionicframework.com - MIT License
- */
-import { j as printIonError } from './index-Omi_TcwW.js';
-
-/**
- * Sanitize an untrusted HTML string.
- *
- * Parses the string into a detached DOM, removes blocked tags, strips
- * attributes outside the `allowedAttributes` list (refer `sanitizeElement`),
- * and scrubs script-scheme URLs. Returns the sanitized HTML string.
- *
- * Use this when you have an HTML string from an unknown source and need to
- * render it via `innerHTML`. Use `sanitizeDOMTree` instead when you already
- * have a DOM tree and want to sanitize it in place without a string round
- * trip; both apply the same attribute policy.
- *
- * @param untrustedString - The HTML string to sanitize. Pass an
- * `IonicSafeString` to bypass sanitization, or `undefined` to short-circuit.
- * @returns The sanitized HTML string, or `undefined` if the input was
- * `undefined`. Returns `''` if sanitization fails or the input contains
- * an inline `onload=` handler.
- */
-const sanitizeDOMString = (untrustedString) => {
-    try {
-        if (untrustedString instanceof IonicSafeString) {
-            return untrustedString.value;
-        }
-        if (!isSanitizerEnabled() || typeof untrustedString !== 'string' || untrustedString === '') {
-            return untrustedString;
-        }
-        /**
-         * onload is fired when appending to a document
-         * fragment in Chrome. If a string
-         * contains onload then we should not
-         * attempt to add this to the fragment.
-         */
-        if (untrustedString.includes('onload=')) {
-            return '';
-        }
-        /**
-         * Create a document fragment
-         * separate from the main DOM,
-         * create a div to do our work in
-         */
-        const documentFragment = document.createDocumentFragment();
-        const workingDiv = document.createElement('div');
-        documentFragment.appendChild(workingDiv);
-        workingDiv.innerHTML = untrustedString;
-        /**
-         * Remove any elements
-         * that are blocked
-         */
-        blockedTags.forEach((blockedTag) => {
-            const getElementsToRemove = documentFragment.querySelectorAll(blockedTag);
-            for (let elementIndex = getElementsToRemove.length - 1; elementIndex >= 0; elementIndex--) {
-                const element = getElementsToRemove[elementIndex];
-                if (element.parentNode) {
-                    element.parentNode.removeChild(element);
-                }
-                else {
-                    documentFragment.removeChild(element);
-                }
-                /**
-                 * We still need to sanitize
-                 * the children of this element
-                 * as they are left behind
-                 */
-                const childElements = getElementChildren(element);
-                /* eslint-disable-next-line */
-                for (let childIndex = 0; childIndex < childElements.length; childIndex++) {
-                    sanitizeElement(childElements[childIndex]);
-                }
-            }
-        });
-        /**
-         * Go through remaining elements and remove
-         * non-allowed attribs
-         */
-        // IE does not support .children on document fragments, only .childNodes
-        const dfChildren = getElementChildren(documentFragment);
-        /* eslint-disable-next-line */
-        for (let childIndex = 0; childIndex < dfChildren.length; childIndex++) {
-            sanitizeElement(dfChildren[childIndex]);
-        }
-        // Append document fragment to div
-        const fragmentDiv = document.createElement('div');
-        fragmentDiv.appendChild(documentFragment);
-        // First child is always the div we did our work in
-        const getInnerDiv = fragmentDiv.querySelector('div');
-        return getInnerDiv !== null ? getInnerDiv.innerHTML : fragmentDiv.innerHTML;
-    }
-    catch (err) {
-        printIonError('sanitizeDOMString', err);
-        return '';
-    }
-};
-/**
- * Sanitize an entire trusted DOM tree in place.
- *
- * Removes blocked tags (`script`, `iframe`, etc.) from the subtree and
- * then sanitizes attributes on every remaining element using the same
- * allowlist policy as `sanitizeDOMString` (refer `sanitizeElement`).
- * Component presentational attributes (`size`, `color`, `shape`, inline
- * SVG, `aria-*`, `data-*`) are preserved; `style`, event handlers (`on*`),
- * form/navigation-hijack attributes, script-scheme URLs, and non-image
- * `data:` URLs are stripped.
- *
- * Use this when you have a DOM tree the developer controls (e.g.
- * cloned slot content from a component) and you need to render it
- * elsewhere safely.
- *
- * @param root - The root element whose subtree will be sanitized in
- * place. No-op when the sanitizer is disabled via `Ionic.config`.
- */
-const sanitizeDOMTree = (root) => {
-    if (!isSanitizerEnabled()) {
-        return;
-    }
-    blockedTags.forEach((tag) => {
-        const matches = root.querySelectorAll(tag);
-        for (let i = matches.length - 1; i >= 0; i--) {
-            matches[i].remove();
-        }
-    });
-    sanitizeElement(root);
-};
-/**
- * Clean up current element based on allowed attributes
- * and then recursively dig down into any child elements to
- * clean those up as well
- */
-// TODO(FW-2832): type (using Element triggers other type errors as well)
-const sanitizeElement = (element) => {
-    // IE uses childNodes, so ignore nodes that are not elements
-    if (element.nodeType && element.nodeType !== 1) {
-        return;
-    }
-    /**
-     * If attributes is not a NamedNodeMap
-     * then we should remove the element entirely.
-     * This helps avoid DOM Clobbering attacks where
-     * attributes is overridden.
-     */
-    if (typeof NamedNodeMap !== 'undefined' && !(element.attributes instanceof NamedNodeMap)) {
-        element.remove();
-        return;
-    }
-    /**
-     * Always strip `style` (CSS injection, `background:url()` beaconing, UI
-     * spoofing). It is never on the allowlist, but it is removed explicitly
-     * here because some engines (e.g. jsdom) don't enumerate the CSSOM-backed
-     * `style` attribute in `element.attributes`, which would let the loop
-     * below skip over it.
-     */
-    element.removeAttribute('style');
-    for (let i = element.attributes.length - 1; i >= 0; i--) {
-        const attribute = element.attributes.item(i);
-        const attributeName = attribute.name;
-        const lowerName = attributeName.toLowerCase();
-        /**
-         * Remove any attribute that is not on the allowlist. This drops event
-         * handlers (`on*`), `style`, the form/navigation-hijack attributes
-         * (`formaction`, `action`, `target`), namespaced attributes like
-         * `xlink:href`, and anything else not explicitly known to be safe.
-         */
-        if (!isAttributeAllowed(lowerName)) {
-            element.removeAttribute(attributeName);
-            continue;
-        }
-        // clean up any allowed attribs
-        // that attempt to do any JS funny-business
-        const attributeValue = attribute.value;
-        if (attributeValue == null) {
-            continue;
-        }
-        /**
-         * Scrub dangerous schemes from the value. The value is normalized first
-         * (whitespace and ASCII control characters removed) so entity-obfuscated
-         * payloads such as `java&#9;script:`, which the parser decodes to
-         * `java\tscript:`, are still caught. Normalizing the value also covers
-         * namespaced attributes, where the previous `element[attributeName]`
-         * property reflection returned `undefined` and let them slip through.
-         */
-        const normalizedValue = attributeValue.replace(controlCharactersAndWhitespace, '').toLowerCase();
-        // Script schemes are never allowed, on any attribute.
-        if (normalizedValue.includes('javascript:') || normalizedValue.includes('vbscript:')) {
-            element.removeAttribute(attributeName);
-            continue;
-        }
-        /**
-         * For URL-bearing attributes, allow `data:` URIs only for raster
-         * images. Document-bearing types (`text/html`, `image/svg+xml`,
-         * `application/*`, etc.) can carry markup or script when navigated to
-         * or rendered, so they are stripped, while safe image types are kept so
-         * inline images keep working.
-         */
-        if (urlAttributes.includes(lowerName) &&
-            normalizedValue.startsWith('data:') &&
-            !safeDataImageUri.test(normalizedValue)) {
-            element.removeAttribute(attributeName);
-        }
-    }
-    /**
-     * Sanitize any nested children
-     */
-    const childElements = getElementChildren(element);
-    /* eslint-disable-next-line */
-    for (let i = 0; i < childElements.length; i++) {
-        sanitizeElement(childElements[i]);
-    }
-};
-/**
- * IE doesn't always support .children
- * so we revert to .childNodes instead
- */
-// TODO(FW-2832): type
-const getElementChildren = (el) => {
-    return el.children != null ? el.children : el.childNodes;
-};
-const isSanitizerEnabled = () => {
-    var _a;
-    const win = window;
-    const config = (_a = win === null || win === void 0 ? void 0 : win.Ionic) === null || _a === void 0 ? void 0 : _a.config;
-    if (config) {
-        if (config.get) {
-            return config.get('sanitizerEnabled', true);
-        }
-        else {
-            return config.sanitizerEnabled === true || config.sanitizerEnabled === undefined;
-        }
-    }
-    return true;
-};
-/**
- * Mirror known custom-element DOM properties onto attributes so they
- * survive `cloneNode`. Call this on a DOM subtree before cloning it for
- * rendering elsewhere (e.g. cloning slotted option content into an
- * overlay).
- *
- * Only sets the attribute when the property holds a non-empty string
- * and the attribute isn't already present, so existing attributes
- * take precedence.
- *
- * @param root - The root element whose subtree (and itself) will be
- * inspected.
- */
-const reflectPropertiesToAttributes = (root) => {
-    const candidates = [];
-    if (root.tagName in elementPropsToReflect) {
-        candidates.push(root);
-    }
-    for (const tagName of Object.keys(elementPropsToReflect)) {
-        candidates.push(...Array.from(root.querySelectorAll(tagName.toLowerCase())));
-    }
-    for (const el of candidates) {
-        if (!(el.tagName in elementPropsToReflect)) {
-            continue;
-        }
-        const props = elementPropsToReflect[el.tagName];
-        for (const prop of props) {
-            const value = el[prop];
-            if (typeof value === 'string' && value.length > 0 && !el.hasAttribute(prop)) {
-                el.setAttribute(prop, value);
-            }
-        }
-    }
-};
-/**
- * Attribute names that are always safe to keep. Covers global HTML
- * attributes, the Ionic component presentational props that cloned rich
- * content (e.g. `ion-select-option` markup) relies on, and the inert SVG
- * presentation attributes used by inline icons.
- *
- * `aria-*` and `data-*` are allowed separately by prefix (refer
- * `allowedAttributePrefixes`) since they are inert and not worth
- * enumerating. URL-bearing names (`href`, `src`) are allowed here, but
- * their values are still scrubbed for script schemes in `sanitizeElement`.
- *
- * Notably absent: `style`, event handlers (`on*`), and the
- * form/navigation-hijack attributes (`formaction`, `action`, `target`),
- * which are therefore stripped.
- */
-const allowedAttributes = [
-    // Global / structural
-    'class',
-    'id',
-    'slot',
-    'name',
-    'title',
-    'alt',
-    'lang',
-    'dir',
-    'role',
-    'type',
-    'value',
-    'disabled',
-    'width',
-    'height',
-    'href',
-    'src',
-    // Ionic component presentational props
-    'color',
-    'size',
-    'shape',
-    'fill',
-    'expand',
-    'mode',
-    'theme',
-    'icon',
-    'label',
-    'label-placement',
-    'justify',
-    'inset',
-    'lines',
-    'ios',
-    'md',
-    // SVG presentation attributes (compared lowercased, e.g. `viewBox`)
-    'xmlns',
-    'viewbox',
-    'preserveaspectratio',
-    'stroke',
-    'stroke-width',
-    'stroke-linecap',
-    'stroke-linejoin',
-    'stroke-opacity',
-    'stroke-dasharray',
-    'fill-rule',
-    'fill-opacity',
-    'clip-rule',
-    'd',
-    'points',
-    'cx',
-    'cy',
-    'r',
-    'rx',
-    'ry',
-    'x',
-    'y',
-    'x1',
-    'y1',
-    'x2',
-    'y2',
-    'transform',
-    'opacity',
-];
-/**
- * Attribute-name prefixes that are always safe to keep. `aria-*` and
- * `data-*` attributes cannot execute script or load resources, so they are
- * allowed wholesale rather than enumerated by name.
- */
-const allowedAttributePrefixes = ['aria-', 'data-'];
-/**
- * Whether an attribute name (already lowercased) is safe to keep, by exact
- * match or by an allowed prefix.
- */
-const isAttributeAllowed = (lowerName) => {
-    if (allowedAttributes.includes(lowerName)) {
-        return true;
-    }
-    return allowedAttributePrefixes.some((prefix) => lowerName.startsWith(prefix));
-};
-/**
- * Matches ASCII control characters and whitespace (including the
- * non-breaking space). Used to normalize attribute values before matching
- * a URL scheme so entity-obfuscated payloads such as `java&#9;script:`
- * (decoded by the parser to `java\tscript:`) can't smuggle a scheme past
- * the check.
- */
-// eslint-disable-next-line no-control-regex -- matching control characters is the point
-const controlCharactersAndWhitespace = /[\u0000-\u0020\u007f-\u00a0]/g;
-/**
- * Attributes whose values are URLs. Their values are scheme-checked in
- * `sanitizeElement` (e.g. `data:` filtering) beyond the script-scheme scrub
- * applied to every attribute.
- */
-const urlAttributes = ['href', 'src'];
-/**
- * Matches a `data:` URI for a raster image type that cannot carry script.
- * `image/svg+xml` is deliberately excluded (SVG can execute script), as are
- * document types like `text/html` and `application/*`. The value is already
- * lowercased and whitespace-stripped before this is tested.
- */
-const safeDataImageUri = /^data:image\/(?:png|jpe?g|gif|webp|bmp|avif|x-icon|vnd\.microsoft\.icon)[;,]/;
-/**
- * Tags removed entirely (with their subtree) before attribute sanitization.
- * Exported so tests can assert the set without hardcoding it.
- */
-const blockedTags = ['script', 'style', 'iframe', 'meta', 'link', 'object', 'embed', 'base'];
-/**
- * Properties on custom elements that frameworks (Vue, Angular) often
- * set as DOM properties rather than attributes. `cloneNode` only copies
- * attributes, so these values are lost when slotted content is cloned
- * into an overlay. For each known custom element, we mirror the listed
- * properties onto attributes so the cloned copy still has the data it
- * needs to render.
- *
- * Keyed by uppercased tagName so the lookup matches `Element.tagName`.
- */
-const elementPropsToReflect = {
-    'ION-ICON': ['icon', 'name', 'src', 'ios', 'md'],
-};
-class IonicSafeString {
-    constructor(value) {
-        this.value = value;
-    }
-}
-
-export { IonicSafeString as I, sanitizeDOMTree as a, reflectPropertiesToAttributes as r, sanitizeDOMString as s };

package/dist/esm/overlay-control-label-CODBQrPj.js

@@ -1,49 +0,0 @@
-/*!
- * (C) Ionic http://ionicframework.com - MIT License
- */
-// TODO(FW-6886, FW-6892, FW-6891): Remove this file in favor of the Modular Ionic component config. Each overlay will be able to select its own defaults for label placement and justify based on the interface and theme, so this utility will no longer be necessary.
-/**
- * Returns the default `labelPlacement` for a radio or checkbox option
- * rendered inside an overlay. Defaults follow each theme's established
- * option-row layout:
- * - `ionic`: always `"start"`.
- * - `ios`: `"start"` for radio in `alert` and `popover`. The `modal`
- *   interface flips iOS radio back to `"end"`. Checkbox is always
- *   `"end"` on iOS.
- * - everything else (e.g. `md`): `"end"`.
- *
- * `interfaceType` is optional; only `"modal"` changes the result, so
- * callers that aren't a modal can omit it.
- *
- * Used by `alert`, `select-popover`, and `select-modal` as the fallback
- * when an option doesn't explicitly set `labelPlacement`.
- */
-const getOverlayLabelPlacement = (theme, control, interfaceType) => {
-    if (theme === 'ionic' || (theme === 'ios' && control === 'radio' && interfaceType !== 'modal')) {
-        return 'start';
-    }
-    return 'end';
-};
-/**
- * Returns the default `justify` for a radio or checkbox option rendered
- * inside an overlay. Defaults follow each theme's option-row layout:
- * - `ionic`: always `"space-between"`.
- * - `ios`: `"space-between"` for radio in `alert` and `popover`. The
- *   `modal` interface falls back to `"start"`. Checkbox is always `"start"`
- *   on iOS.
- * - everything else (e.g. `md`): `"start"`.
- *
- * `interfaceType` is optional; only `"modal"` changes the result, so
- * callers that aren't a modal can omit it.
- *
- * Used by `alert`, `select-popover`, and `select-modal` as the fallback when
- * an option doesn't explicitly set `justify`.
- */
-const getOverlayLabelJustify = (theme, control, interfaceType) => {
-    if (theme === 'ionic' || (theme === 'ios' && control === 'radio' && interfaceType !== 'modal')) {
-        return 'space-between';
-    }
-    return 'start';
-};
-
-export { getOverlayLabelPlacement as a, getOverlayLabelJustify as g };