npm - @lwc/engine-core - Versions diffs - 8.1.0 → 8.1.2 - Mend

@lwc/engine-core 8.1.0 → 8.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/framework/api.d.ts +2 -1
package/dist/framework/sanitized-html-content.d.ts +29 -0
package/dist/index.cjs.js +67 -5
package/dist/index.cjs.js.map +1 -1
package/dist/index.js +67 -5
package/dist/index.js.map +1 -1
package/package.json +4 -4

package/dist/framework/api.d.ts CHANGED Viewed

@@ -1,6 +1,7 @@
 import { SlotSet } from './vm';
 import { LightningElementConstructor } from './base-lightning-element';
 import { Key, VComment, VCustomElement, VElement, VElementData, VFragment, VNode, VNodes, VScopedSlotFragment, VStatic, VStaticPart, VStaticPartData, VText } from './vnodes';
+import { SanitizedHtmlContent } from './sanitized-html-content';
 declare function sp(partId: number, data: VStaticPartData | null, text: string | null): VStaticPart;
 declare function ssf(slotName: unknown, factory: (value: any, key: any) => VFragment): VScopedSlotFragment;
 declare function st(fragmentFactory: (parts?: VStaticPart[]) => Element, key: Key, parts?: VStaticPart[]): VStatic;
@@ -45,7 +46,7 @@ export type SanitizeHtmlContentHook = (content: unknown) => string;
  * @param newHookImpl
  */
 export declare function setSanitizeHtmlContentHook(newHookImpl: SanitizeHtmlContentHook): void;
-declare function shc(content: unknown): string;
+declare function shc(content: unknown): SanitizedHtmlContent;
 /**
  * [ncls] - Normalize class name attribute.
  *

package/dist/framework/sanitized-html-content.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import type { RendererAPI } from './renderer';
+declare const sanitizedHtmlContentSymbol: unique symbol;
+export type SanitizedHtmlContent = {
+    [sanitizedHtmlContentSymbol]: unknown;
+};
+/**
+ * Wrap a pre-sanitized string designated for `.innerHTML` via `lwc:inner-html`
+ * as an object with a Symbol that only we have access to.
+ * @param sanitizedString
+ * @returns SanitizedHtmlContent
+ */
+export declare function createSanitizedHtmlContent(sanitizedString: unknown): SanitizedHtmlContent;
+/**
+ * Safely call setProperty on an Element while handling any SanitizedHtmlContent objects correctly
+ *
+ * @param setProperty - renderer.setProperty
+ * @param elm - Element
+ * @param key - key to set
+ * @param value -  value to set
+ */
+export declare function safelySetProperty(setProperty: RendererAPI['setProperty'], elm: Element, key: string, value: any): void;
+/**
+ * Given two objects (likely either a string or a SanitizedHtmlContent object), return true if their
+ * string values are equivalent.
+ * @param first
+ * @param second
+ */
+export declare function isSanitizedHtmlContentEqual(first: any, second: any): boolean;
+export {};

package/dist/index.cjs.js CHANGED Viewed

@@ -3937,6 +3937,65 @@ function isVStaticPartText(vnode) {
     return vnode.type === 0 /* VStaticPartType.Text */;
 }
+const sanitizedHtmlContentSymbol = Symbol('lwc-get-sanitized-html-content');
+function isSanitizedHtmlContent(object) {
+    return shared.isObject(object) && !shared.isNull(object) && sanitizedHtmlContentSymbol in object;
+}
+function unwrapIfNecessary(object) {
+    return isSanitizedHtmlContent(object) ? object[sanitizedHtmlContentSymbol] : object;
+}
+/**
+ * Wrap a pre-sanitized string designated for `.innerHTML` via `lwc:inner-html`
+ * as an object with a Symbol that only we have access to.
+ * @param sanitizedString
+ * @returns SanitizedHtmlContent
+ */
+function createSanitizedHtmlContent(sanitizedString) {
+    return shared.create(null, {
+        [sanitizedHtmlContentSymbol]: {
+            value: sanitizedString,
+            configurable: false,
+            writable: false,
+        },
+    });
+}
+/**
+ * Safely call setProperty on an Element while handling any SanitizedHtmlContent objects correctly
+ *
+ * @param setProperty - renderer.setProperty
+ * @param elm - Element
+ * @param key - key to set
+ * @param value -  value to set
+ */
+function safelySetProperty(setProperty, elm, key, value) {
+    // See W-16614337
+    // we support setting innerHTML to `undefined` because it's inherently safe
+    if ((key === 'innerHTML' || key === 'outerHTML') && !shared.isUndefined(value)) {
+        if (isSanitizedHtmlContent(value)) {
+            // it's a SanitizedHtmlContent object
+            setProperty(elm, key, value[sanitizedHtmlContentSymbol]);
+        }
+        else {
+            // not a SanitizedHtmlContent object
+            if (process.env.NODE_ENV !== 'production') {
+                logWarn(`Cannot set property "${key}". Instead, use lwc:inner-html or lwc:dom-manual.`);
+            }
+        }
+    }
+    else {
+        setProperty(elm, key, value);
+    }
+}
+/**
+ * Given two objects (likely either a string or a SanitizedHtmlContent object), return true if their
+ * string values are equivalent.
+ * @param first
+ * @param second
+ */
+function isSanitizedHtmlContentEqual(first, second) {
+    return unwrapIfNecessary(first) === unwrapIfNecessary(second);
+}
 /*
  * Copyright (c) 2018, salesforce.com, inc.
  * All rights reserved.
@@ -3967,7 +4026,7 @@ function patchAttributes(oldVnode, vnode, renderer) {
             // Use kebabCaseToCamelCase directly because we don't want to set props like `ariaLabel` or `tabIndex`
             // on a custom element versus just using the more reliable attribute format.
             if (external && (propName = shared.kebabCaseToCamelCase(key)) in elm) {
-                setProperty(elm, propName, cur);
+                safelySetProperty(setProperty, elm, propName, cur);
             }
             else if (shared.StringCharCodeAt.call(key, 3) === ColonCharCode) {
                 // Assume xml namespace
@@ -4047,7 +4106,7 @@ function patchProps(oldVnode, vnode, renderer) {
                     logWarn(`Unknown public property "${key}" of element <${elm.tagName.toLowerCase()}>. This is either a typo on the corresponding attribute "${shared.htmlPropertyToAttribute(key)}", or the attribute does not exist in this browser or DOM implementation.`);
                 }
             }
-            setProperty(elm, key, cur);
+            safelySetProperty(setProperty, elm, key, cur);
         }
     }
 }
@@ -5755,7 +5814,8 @@ function setSanitizeHtmlContentHook(newHookImpl) {
 }
 // [s]anitize [h]tml [c]ontent
 function shc(content) {
-    return sanitizeHtmlContentHook(content);
+    const sanitizedString = sanitizeHtmlContentHook(content);
+    return createSanitizedHtmlContent(sanitizedString);
 }
 /**
  * [ncls] - Normalize class name attribute.
@@ -7653,6 +7713,8 @@ function hydrateComment(node, vnode, renderer) {
         }
     }
     const { setProperty } = renderer;
+    // We only set the `nodeValue` property here (on a comment), so we don't need
+    // to sanitize the content as HTML using `safelySetProperty`
     setProperty(node, NODE_VALUE_PROP, vnode.text ?? null);
     vnode.elm = node;
     return node;
@@ -7699,7 +7761,7 @@ function hydrateElement(elm, vnode, renderer) {
         const { data: { props }, } = vnode;
         const { getProperty } = renderer;
         if (!shared.isUndefined(props) && !shared.isUndefined(props.innerHTML)) {
-            if (getProperty(elm, 'innerHTML') === props.innerHTML) {
+            if (isSanitizedHtmlContentEqual(getProperty(elm, 'innerHTML'), props.innerHTML)) {
                 // Do a shallow clone since VNodeData may be shared across VNodes due to hoist optimization
                 vnode.data = {
                     ...vnode.data,
@@ -8416,5 +8478,5 @@ exports.swapTemplate = swapTemplate;
 exports.track = track;
 exports.unwrap = unwrap;
 exports.wire = wire;
-/** version: 8.1.0 */
+/** version: 8.1.2 */
 //# sourceMappingURL=index.cjs.js.map