@lwrjs/client-modules 0.15.4-alpha.0 → 0.15.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -230,7 +230,6 @@ const LOCKER_NEAR_MEMBRANE_IS_MASKED_SYMBOL$LWS = SymbolFor$LWS$1('@@lockerNearM
|
|
|
230
230
|
const LOCKER_NEAR_MEMBRANE_SERIALIZED_VALUE_SYMBOL$LWS$1 = SymbolFor$LWS$1('@@lockerNearMembraneSerializedValue');
|
|
231
231
|
const LOCKER_NEAR_MEMBRANE_SYMBOL$LWS$1 = SymbolFor$LWS$1('@@lockerNearMembrane');
|
|
232
232
|
const LOCKER_NEAR_MEMBRANE_UNMASKED_VALUE_SYMBOL$LWS = SymbolFor$LWS$1('@@lockerNearMembraneUnmaskedValue');
|
|
233
|
-
// Legacy symbol used by packages/locker-core-engine/src/LockerFilter.js.
|
|
234
233
|
const SYMBOL_LIVE_OBJECT$LWS = SymbolFor$LWS$1('@@lockerLiveValue');
|
|
235
234
|
// Object brand constants.
|
|
236
235
|
const TO_STRING_BRAND_ARRAY$LWS = '[object Array]';
|
|
@@ -445,6 +444,7 @@ function maskFunction$LWS(func$LWS, maskFunc$LWS, trapInvokers$LWS) {
|
|
|
445
444
|
// `LOCKER_NEAR_MEMBRANE_IS_MASKED_SYMBOL` properties
|
|
446
445
|
// because we know that when the `handshakeProxyMaskedFlag`
|
|
447
446
|
// is ON that there are NO shadowed values.
|
|
447
|
+
// istanbul ignore else: returns immediately
|
|
448
448
|
if (isProxyMaskedSymbol$LWS) {
|
|
449
449
|
return true;
|
|
450
450
|
}
|
|
@@ -605,9 +605,9 @@ const TrustedHTMLProtoToString$LWS = TrustedHTMLCtor$LWS == null || (_TrustedHTM
|
|
|
605
605
|
const TrustedScriptCtor$LWS = typeof TrustedScript === 'function' ? TrustedScript : /* istanbul ignore next: unreachable in test env */undefined;
|
|
606
606
|
// istanbul ignore next: optional chaining and nullish coalescing results in an expansion that contains an unreachable "void 0" branch for every occurrence of the operator
|
|
607
607
|
const TrustedScriptProtoToString$LWS = TrustedScriptCtor$LWS == null || (_TrustedScriptCtor$pr$LWS = TrustedScriptCtor$LWS.prototype) == null ? void 0 : _TrustedScriptCtor$pr$LWS.toString;
|
|
608
|
-
const URLCtor$LWS = typeof URL === 'function' ? URL : /* istanbul ignore next: unreachable in test env */undefined;
|
|
608
|
+
const URLCtor$LWS$1 = typeof URL === 'function' ? URL : /* istanbul ignore next: unreachable in test env */undefined;
|
|
609
609
|
// istanbul ignore next: optional chaining and nullish coalescing results in an expansion that contains an unreachable "void 0" branch for every occurrence of the operator
|
|
610
|
-
const URLProtoToString$LWS = URLCtor$LWS == null || (_URLCtor$prototype$LWS = URLCtor$LWS.prototype) == null ? void 0 : _URLCtor$prototype$LWS.toString;
|
|
610
|
+
const URLProtoToString$LWS = URLCtor$LWS$1 == null || (_URLCtor$prototype$LWS = URLCtor$LWS$1.prototype) == null ? void 0 : _URLCtor$prototype$LWS.toString;
|
|
611
611
|
// To extract the function body start the match from the beginning of the
|
|
612
612
|
// source code with the character class `[\s\S]` instead of `.` because `[\s\S]`
|
|
613
613
|
// matches everything including newlines where as `.` matches everything except
|
|
@@ -637,21 +637,11 @@ function extractFunctionBodySource$LWS(func$LWS) {
|
|
|
637
637
|
// istanbul ignore next: optional chaining and nullish coalescing results in an expansion that contains an unreachable "void 0" branch for every occurrence of the operator
|
|
638
638
|
return (_ref$LWS = (_match$$LWS = match$LWS == null ? void 0 : match$LWS[1]) != null ? _match$$LWS : match$LWS == null ? void 0 : match$LWS[2]) != null ? _ref$LWS : '';
|
|
639
639
|
}
|
|
640
|
-
|
|
641
|
-
|
|
642
|
-
|
|
643
|
-
|
|
644
|
-
|
|
645
|
-
// https://tc39.es/ecma262/#sec-tostring
|
|
646
|
-
return `${value$LWS}` !== undefined;
|
|
647
|
-
// eslint-disable-next-line no-empty
|
|
648
|
-
} catch (_unused2$LWS) {}
|
|
649
|
-
}
|
|
650
|
-
return false;
|
|
651
|
-
}
|
|
652
|
-
// Use `toString()` to coerce values using the default string concatenation
|
|
653
|
-
// operation.
|
|
654
|
-
function toString$LWS(value$LWS) {
|
|
640
|
+
// Use `toSafeStringValue()` to coerce values using the default string concatenation
|
|
641
|
+
// operation. This must be done ONLY once on incoming values to avoid creating
|
|
642
|
+
// shape-shifting exploits, ie. passing { toString() {...} } where a string
|
|
643
|
+
// is otherwise expected.
|
|
644
|
+
function toSafeStringValue$LWS(value$LWS) {
|
|
655
645
|
return typeof value$LWS === 'string' ? value$LWS :
|
|
656
646
|
// Attempt to coerce `value` to a string with the ToString operation.
|
|
657
647
|
// Section 7.1.17 ToString ( argument )
|
|
@@ -670,6 +660,7 @@ function toSafeTemplateStringValue$LWS(value$LWS) {
|
|
|
670
660
|
return ReflectApply$LWS$1(FunctionProtoToString$LWS, value$LWS, []);
|
|
671
661
|
}
|
|
672
662
|
if (typeof value$LWS === 'object' && value$LWS !== null) {
|
|
663
|
+
/* istanbul ignore next: unreachable in test env */
|
|
673
664
|
if (TrustedHTMLCtor$LWS && value$LWS instanceof TrustedHTMLCtor$LWS) {
|
|
674
665
|
return ReflectApply$LWS$1(TrustedHTMLProtoToString$LWS, value$LWS, []);
|
|
675
666
|
}
|
|
@@ -677,7 +668,7 @@ function toSafeTemplateStringValue$LWS(value$LWS) {
|
|
|
677
668
|
if (TrustedScriptCtor$LWS && value$LWS instanceof TrustedScriptCtor$LWS) {
|
|
678
669
|
return ReflectApply$LWS$1(TrustedScriptProtoToString$LWS, value$LWS, []);
|
|
679
670
|
}
|
|
680
|
-
if (URLCtor$LWS && value$LWS instanceof URLCtor$LWS) {
|
|
671
|
+
if (URLCtor$LWS$1 && value$LWS instanceof URLCtor$LWS$1) {
|
|
681
672
|
return ReflectApply$LWS$1(URLProtoToString$LWS, value$LWS, []);
|
|
682
673
|
}
|
|
683
674
|
const result$LWS = ReflectApply$LWS$1(ObjectProtoToString$LWS$1, value$LWS, []);
|
|
@@ -691,7 +682,7 @@ function toSafeTemplateStringValue$LWS(value$LWS) {
|
|
|
691
682
|
// https://tc39.es/ecma262/#sec-string-constructor-string-value
|
|
692
683
|
return StringCtor$LWS$1(value$LWS);
|
|
693
684
|
// eslint-disable-next-line no-empty
|
|
694
|
-
} catch (
|
|
685
|
+
} catch (_unused2$LWS) {}
|
|
695
686
|
return '[object Unknown]';
|
|
696
687
|
}
|
|
697
688
|
const RegExpCtor$LWS$1 = RegExp;
|
|
@@ -824,7 +815,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
824
815
|
return TO_STRING_BRAND_ARRAY_BUFFER$LWS;
|
|
825
816
|
}
|
|
826
817
|
// eslint-disable-next-line no-empty
|
|
827
|
-
} catch (
|
|
818
|
+
} catch (_unused3$LWS) {}
|
|
828
819
|
// Section 21.4.4 Properties of the Date Prototype Object
|
|
829
820
|
// https://tc39.es/ecma262/#thistimevalue
|
|
830
821
|
// Step 1: If Type(value) is Object and value has a [[DateValue]] internal slot, then
|
|
@@ -836,7 +827,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
836
827
|
return TO_STRING_BRAND_DATE$LWS;
|
|
837
828
|
}
|
|
838
829
|
// eslint-disable-next-line no-empty
|
|
839
|
-
} catch (
|
|
830
|
+
} catch (_unused4$LWS) {}
|
|
840
831
|
// Section 24.1.3.10 get Map.prototype.size
|
|
841
832
|
// https://tc39.es/ecma262/#sec-get-map.prototype.size
|
|
842
833
|
// Step 2: Perform ? RequireInternalSlot(M, [[MapData]]).
|
|
@@ -846,7 +837,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
846
837
|
return TO_STRING_BRAND_MAP$LWS;
|
|
847
838
|
}
|
|
848
839
|
// eslint-disable-next-line no-empty
|
|
849
|
-
} catch (
|
|
840
|
+
} catch (_unused5$LWS) {}
|
|
850
841
|
// Section 24.2.3.9 get Set.prototype.size
|
|
851
842
|
// https://tc39.es/ecma262/#sec-get-set.prototype.size
|
|
852
843
|
// Step 2: Perform ? RequireInternalSlot(S, [[SetData]]).
|
|
@@ -856,7 +847,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
856
847
|
return TO_STRING_BRAND_SET$LWS;
|
|
857
848
|
}
|
|
858
849
|
// eslint-disable-next-line no-empty
|
|
859
|
-
} catch (
|
|
850
|
+
} catch (_unused6$LWS) {}
|
|
860
851
|
// Section 24.3.3.4 WeakMap.prototype.has ( key )
|
|
861
852
|
// https://tc39.es/ecma262/#sec-weakmap.prototype.has
|
|
862
853
|
// Step 2: Perform RequireInternalSlot(M, [[WeakMapData]]).
|
|
@@ -866,7 +857,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
866
857
|
return TO_STRING_BRAND_WEAK_MAP$LWS;
|
|
867
858
|
}
|
|
868
859
|
// eslint-disable-next-line no-empty
|
|
869
|
-
} catch (
|
|
860
|
+
} catch (_unused7$LWS) {}
|
|
870
861
|
// Section 24.4.3.4 WeakSet.prototype.has ( value )
|
|
871
862
|
// https://tc39.es/ecma262/#sec-weakset.prototype.has
|
|
872
863
|
// Step 2: 2. Perform RequireInternalSlot(S, [[WeakSetData]]).
|
|
@@ -876,7 +867,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
876
867
|
return TO_STRING_BRAND_WEAK_SET$LWS;
|
|
877
868
|
}
|
|
878
869
|
// eslint-disable-next-line no-empty
|
|
879
|
-
} catch (
|
|
870
|
+
} catch (_unused8$LWS) {}
|
|
880
871
|
// The following checks are for the rare occurrence of object, i.e. boxed,
|
|
881
872
|
// primitive values or those objects without a default @@toStringTag.
|
|
882
873
|
// Section 21.1.3 Properties of the Number Prototype Object
|
|
@@ -890,7 +881,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
890
881
|
return TO_STRING_BRAND_NUMBER$LWS$1;
|
|
891
882
|
}
|
|
892
883
|
// eslint-disable-next-line no-empty
|
|
893
|
-
} catch (
|
|
884
|
+
} catch (_unused9$LWS) {}
|
|
894
885
|
// Section 20.4.3 Properties of the Symbol Prototype Object
|
|
895
886
|
// https://tc39.es/ecma262/#thissymbolvalue
|
|
896
887
|
// Step 2: If Type(value) is Object and value has a [[SymbolData]] internal slot, then
|
|
@@ -902,7 +893,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
902
893
|
return TO_STRING_BRAND_SYMBOL$LWS$1;
|
|
903
894
|
}
|
|
904
895
|
// eslint-disable-next-line no-empty
|
|
905
|
-
} catch (
|
|
896
|
+
} catch (_unused10$LWS) {}
|
|
906
897
|
// Perform heavier checks last.
|
|
907
898
|
// Section 22.2.6.13 get RegExp.prototype.source
|
|
908
899
|
// https://tc39.es/ecma262/#sec-get-regexp.prototype.source
|
|
@@ -915,7 +906,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
915
906
|
return TO_STRING_BRAND_REG_EXP$LWS;
|
|
916
907
|
}
|
|
917
908
|
// eslint-disable-next-line no-empty
|
|
918
|
-
} catch (
|
|
909
|
+
} catch (_unused11$LWS) {}
|
|
919
910
|
// Section 22.1.3 Properties of the String Prototype Object
|
|
920
911
|
// https://tc39.es/ecma262/#thisstringvalue
|
|
921
912
|
// Step 2: If Type(value) is Object and value has a [[StringData]] internal slot, then
|
|
@@ -927,7 +918,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
927
918
|
return TO_STRING_BRAND_STRING$LWS$1;
|
|
928
919
|
}
|
|
929
920
|
// eslint-disable-next-line no-empty
|
|
930
|
-
} catch (
|
|
921
|
+
} catch (_unused12$LWS) {}
|
|
931
922
|
// Section 20.3.3 Properties of the Boolean Prototype Object
|
|
932
923
|
// https://tc39.es/ecma262/#thisbooleanvalue
|
|
933
924
|
// Step 2: If Type(value) is Object and value has a [[BooleanData]] internal slot, then
|
|
@@ -937,7 +928,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
937
928
|
ReflectApply$LWS$1(BooleanProtoValueOf$LWS, value$LWS, []);
|
|
938
929
|
return TO_STRING_BRAND_BOOLEAN$LWS$1;
|
|
939
930
|
// eslint-disable-next-line no-empty
|
|
940
|
-
} catch (
|
|
931
|
+
} catch (_unused13$LWS) {}
|
|
941
932
|
// istanbul ignore else: All platforms that LWS runs tests in support BigInt
|
|
942
933
|
if (SUPPORTS_BIG_INT$LWS) {
|
|
943
934
|
try {
|
|
@@ -948,7 +939,7 @@ function getBrandByTrialAndError$LWS(value$LWS) {
|
|
|
948
939
|
ReflectApply$LWS$1(BigIntProtoValueOf$LWS, value$LWS, []);
|
|
949
940
|
return TO_STRING_BRAND_BIG_INT$LWS$1;
|
|
950
941
|
// eslint-disable-next-line no-empty
|
|
951
|
-
} catch (
|
|
942
|
+
} catch (_unused14$LWS) {}
|
|
952
943
|
}
|
|
953
944
|
// Cannot detect brands for Arguments and Error objects.
|
|
954
945
|
return TO_STRING_BRAND_OBJECT$LWS;
|
|
@@ -1329,7 +1320,7 @@ function partialStructuredClone$LWS(value$LWS) {
|
|
|
1329
1320
|
try {
|
|
1330
1321
|
result$LWS = partialStructuredCloneInternal$LWS(value$LWS);
|
|
1331
1322
|
// eslint-disable-next-line no-empty
|
|
1332
|
-
} catch (
|
|
1323
|
+
} catch (_unused15$LWS) {}
|
|
1333
1324
|
SEEN_OBJECTS$LWS.clear();
|
|
1334
1325
|
}
|
|
1335
1326
|
return result$LWS;
|
|
@@ -1357,9 +1348,33 @@ const {
|
|
|
1357
1348
|
function consoleWarn$LWS(...args$LWS) {
|
|
1358
1349
|
ReflectApply$LWS$1(consoleWarnRef$LWS, consoleRef$LWS, args$LWS);
|
|
1359
1350
|
}
|
|
1360
|
-
|
|
1351
|
+
const gaterEnabledFeatures$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
|
|
1352
|
+
const FEATURE_NAME_PREFIX$LWS = 'com.salesforce.locker.';
|
|
1353
|
+
const fullName$LWS = featureName$LWS => featureName$LWS.startsWith(FEATURE_NAME_PREFIX$LWS) ? featureName$LWS : `${FEATURE_NAME_PREFIX$LWS}${featureName$LWS}`;
|
|
1361
1354
|
function isGaterEnabledFeature$LWS(featureName$LWS) {
|
|
1362
|
-
return
|
|
1355
|
+
return gaterEnabledFeatures$LWS.has(fullName$LWS(featureName$LWS));
|
|
1356
|
+
}
|
|
1357
|
+
const ENABLE_MAX_PERF_MODE_GATE$LWS = 'enableMaxPerfMode';
|
|
1358
|
+
const ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS = 'enableSandboxedSameOriginIframe';
|
|
1359
|
+
const omniStudioPredicates$LWS = [key$LWS => key$LWS === 'omnistudio', key$LWS => ReflectApply$LWS$1(StringProtoStartsWith$LWS, key$LWS, ['devopsimpkg'])];
|
|
1360
|
+
const gaterEnabledOverrideRegistry$LWS = {
|
|
1361
|
+
__proto__: null,
|
|
1362
|
+
$lwsBogusFeatureDisabledTrue: [() => true],
|
|
1363
|
+
$lwsBogusFeatureDisabledFalse: [() => false],
|
|
1364
|
+
[ENABLE_MAX_PERF_MODE_GATE$LWS]: omniStudioPredicates$LWS,
|
|
1365
|
+
// Temporarily disable this feature gate
|
|
1366
|
+
// Ref:
|
|
1367
|
+
// "W-17049687: [LWS] Temporarily disable same origin iframe sandbox security fix for OS and devopsimpkg"
|
|
1368
|
+
// https://gus.lightning.force.com/lightning/r/ADM_Work__c/a07EE000023unysYAA/view
|
|
1369
|
+
[ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS]: omniStudioPredicates$LWS
|
|
1370
|
+
};
|
|
1371
|
+
function isAllowedToOverrideGaterEnabledFeature$LWS(sandboxKey$LWS, featureName$LWS) {
|
|
1372
|
+
var _gaterEnabledOverride$LWS;
|
|
1373
|
+
const gaterEnabledOverridePredicates$LWS = toSafeArray$LWS$1((_gaterEnabledOverride$LWS = gaterEnabledOverrideRegistry$LWS[featureName$LWS]) != null ? _gaterEnabledOverride$LWS : []);
|
|
1374
|
+
return gaterEnabledOverridePredicates$LWS.some(predicate$LWS => predicate$LWS(sandboxKey$LWS));
|
|
1375
|
+
}
|
|
1376
|
+
function isNotAllowedToOverrideGaterEnabledFeature$LWS(...args$LWS) {
|
|
1377
|
+
return !isAllowedToOverrideGaterEnabledFeature$LWS(...args$LWS);
|
|
1363
1378
|
}
|
|
1364
1379
|
const trackedLiveTargets$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1());
|
|
1365
1380
|
function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None */) {
|
|
@@ -1370,7 +1385,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1370
1385
|
try {
|
|
1371
1386
|
return trackedLiveTargets$LWS.has(target$LWS) || ObjectHasOwn$LWS$1(target$LWS, SYMBOL_LIVE_OBJECT$LWS);
|
|
1372
1387
|
// eslint-disable-next-line no-empty
|
|
1373
|
-
} catch (
|
|
1388
|
+
} catch (_unused16$LWS) {}
|
|
1374
1389
|
return false;
|
|
1375
1390
|
}
|
|
1376
1391
|
if (typeof target$LWS === 'object') {
|
|
@@ -1379,7 +1394,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1379
1394
|
return true;
|
|
1380
1395
|
}
|
|
1381
1396
|
// eslint-disable-next-line no-empty
|
|
1382
|
-
} catch (
|
|
1397
|
+
} catch (_unused17$LWS) {}
|
|
1383
1398
|
let constructor$LWS;
|
|
1384
1399
|
try {
|
|
1385
1400
|
({
|
|
@@ -1391,7 +1406,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1391
1406
|
return true;
|
|
1392
1407
|
}
|
|
1393
1408
|
// eslint-disable-next-line no-empty
|
|
1394
|
-
} catch (
|
|
1409
|
+
} catch (_unused18$LWS) {}
|
|
1395
1410
|
try {
|
|
1396
1411
|
if (ReflectGetPrototypeOf$LWS$1(target$LWS) === null && (
|
|
1397
1412
|
// Ensure `target` is not an `Object.prototype` from an iframe.
|
|
@@ -1399,13 +1414,13 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1399
1414
|
return true;
|
|
1400
1415
|
}
|
|
1401
1416
|
// eslint-disable-next-line no-empty
|
|
1402
|
-
} catch (
|
|
1417
|
+
} catch (_unused19$LWS) {}
|
|
1403
1418
|
if (targetTraits$LWS === 0 /* TargetTraits.None */) {
|
|
1404
1419
|
try {
|
|
1405
1420
|
if (ArrayIsArray$LWS$1(target$LWS)) {
|
|
1406
1421
|
return true;
|
|
1407
1422
|
}
|
|
1408
|
-
} catch (
|
|
1423
|
+
} catch (_unused20$LWS) {
|
|
1409
1424
|
// The target is a revoked proxy.
|
|
1410
1425
|
return false;
|
|
1411
1426
|
}
|
|
@@ -1424,7 +1439,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1424
1439
|
return true;
|
|
1425
1440
|
}
|
|
1426
1441
|
// eslint-disable-next-line no-empty
|
|
1427
|
-
} catch (
|
|
1442
|
+
} catch (_unused21$LWS) {}
|
|
1428
1443
|
// Section 25.1.5.1 get ArrayBuffer.prototype.byteLength
|
|
1429
1444
|
// https://tc39.es/ecma262/#sec-get-arraybuffer.prototype.bytelength
|
|
1430
1445
|
// Step 2: Perform RequireInternalSlot(O, [[ArrayBufferData]]).
|
|
@@ -1434,7 +1449,7 @@ function isTargetLive$LWS(target$LWS, targetTraits$LWS = 0 /* TargetTraits.None
|
|
|
1434
1449
|
return true;
|
|
1435
1450
|
}
|
|
1436
1451
|
// eslint-disable-next-line no-empty
|
|
1437
|
-
} catch (
|
|
1452
|
+
} catch (_unused22$LWS) {}
|
|
1438
1453
|
}
|
|
1439
1454
|
return false;
|
|
1440
1455
|
}
|
|
@@ -1489,7 +1504,7 @@ const {
|
|
|
1489
1504
|
} = PromiseCtor$LWS.prototype;
|
|
1490
1505
|
const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
|
|
1491
1506
|
const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
|
|
1492
|
-
/*! version: 0.
|
|
1507
|
+
/*! version: 0.23.6 */
|
|
1493
1508
|
|
|
1494
1509
|
/*!
|
|
1495
1510
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -1533,6 +1548,7 @@ const {
|
|
|
1533
1548
|
} = DocumentProto$LWS$1;
|
|
1534
1549
|
const {
|
|
1535
1550
|
createComment: DocumentProtoCreateComment$LWS,
|
|
1551
|
+
createDocumentFragment: DocumentProtoCreateDocumentFragment$LWS,
|
|
1536
1552
|
createElement: DocumentProtoCreateElement$LWS$1,
|
|
1537
1553
|
createElementNS: DocumentProtoCreateElementNS$LWS,
|
|
1538
1554
|
getElementById: DocumentProtoGetElementById$LWS
|
|
@@ -1546,6 +1562,10 @@ const DocumentProtoDefaultViewGetter$LWS = ObjectLookupOwnGetter$LWS$1(DocumentP
|
|
|
1546
1562
|
const DocumentProtoDocumentElementGetter$LWS = ObjectLookupOwnGetter$LWS$1(DocumentProto$LWS$1, 'documentElement');
|
|
1547
1563
|
const DocumentProtoHeadGetter$LWS = ObjectLookupOwnGetter$LWS$1(DocumentProto$LWS$1, 'head');
|
|
1548
1564
|
const DocumentProtoImplementationGetter$LWS = ObjectLookupOwnGetter$LWS$1(DocumentProto$LWS$1, 'implementation');
|
|
1565
|
+
const {
|
|
1566
|
+
append: DocumentFragmentProtoAppend$LWS,
|
|
1567
|
+
getElementById: DocumentFragmentProtoGetElementById$LWS
|
|
1568
|
+
} = DocumentFragment.prototype;
|
|
1549
1569
|
const {
|
|
1550
1570
|
prototype: ElementProto$LWS
|
|
1551
1571
|
} = Element;
|
|
@@ -1598,6 +1618,10 @@ const ElementAriaAttributesToPropertyName$LWS = {
|
|
|
1598
1618
|
'aria-valuenow': 'ariaValueNow',
|
|
1599
1619
|
'aria-valuetext': 'ariaValueText'
|
|
1600
1620
|
};
|
|
1621
|
+
// Used by '@locker/near-membrane-dom'.
|
|
1622
|
+
const {
|
|
1623
|
+
remove: ElementProtoRemove$LWS$1
|
|
1624
|
+
} = ElementProto$LWS;
|
|
1601
1625
|
const {
|
|
1602
1626
|
closest: ElementProtoClosest$LWS,
|
|
1603
1627
|
getAttribute: ElementProtoGetAttribute$LWS,
|
|
@@ -1622,23 +1646,6 @@ const {
|
|
|
1622
1646
|
get: ElementProtoOuterHTMLGetter$LWS
|
|
1623
1647
|
} = ReflectGetOwnPropertyDescriptor$LWS(ElementProto$LWS, 'outerHTML');
|
|
1624
1648
|
const ElementProtoTagNameGetter$LWS = ObjectLookupOwnGetter$LWS$1(ElementProto$LWS, 'tagName');
|
|
1625
|
-
const HTMLTemplateElementProtoContentGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLTemplateElement.prototype, 'content');
|
|
1626
|
-
const {
|
|
1627
|
-
prototype: NodeProto$LWS$1
|
|
1628
|
-
} = Node;
|
|
1629
|
-
const {
|
|
1630
|
-
appendChild: NodeProtoAppendChild$LWS$1,
|
|
1631
|
-
cloneNode: NodeProtoCloneNode$LWS,
|
|
1632
|
-
isEqualNode: NodeProtoIsEqualNode$LWS
|
|
1633
|
-
} = NodeProto$LWS$1;
|
|
1634
|
-
const NodeProtoChildNodesGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'childNodes');
|
|
1635
|
-
const NodeProtoFirstChildGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'firstChild');
|
|
1636
|
-
const NodeProtoIsConnectedGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'isConnected');
|
|
1637
|
-
// Used by '@locker/near-membrane-dom'.
|
|
1638
|
-
ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'lastChild');
|
|
1639
|
-
const NodeProtoNodeNameGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'nodeName');
|
|
1640
|
-
const NodeProtoOwnerDocumentGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'ownerDocument');
|
|
1641
|
-
ReflectGetOwnPropertyDescriptor$LWS(NodeProto$LWS$1, 'textContent');
|
|
1642
1649
|
|
|
1643
1650
|
// Check for the noopener feature being enabled:
|
|
1644
1651
|
// - noopener
|
|
@@ -1744,6 +1751,7 @@ function markForUnsafePropertyBlocking$LWS(childWindow$LWS) {
|
|
|
1744
1751
|
return true;
|
|
1745
1752
|
}
|
|
1746
1753
|
});
|
|
1754
|
+
// istanbul ignore else: currently unreachable via tests
|
|
1747
1755
|
if (typeof childWindow$LWS[blocked$LWS] === 'function') {
|
|
1748
1756
|
descriptor$LWS.value = replacement$LWS;
|
|
1749
1757
|
}
|
|
@@ -1833,7 +1841,41 @@ function normalizeWindowOpenArguments$LWS(args$LWS) {
|
|
|
1833
1841
|
}
|
|
1834
1842
|
return normalizedArgs$LWS;
|
|
1835
1843
|
}
|
|
1836
|
-
|
|
1844
|
+
const HTMLElement$LWS = getUnmaskedFunction$LWS(rootWindow$LWS$1.HTMLElement);
|
|
1845
|
+
const {
|
|
1846
|
+
prototype: HTMLElementProto$LWS
|
|
1847
|
+
} = HTMLElement$LWS;
|
|
1848
|
+
const HTMLElementProtoInnerTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLElementProto$LWS, 'innerText');
|
|
1849
|
+
// Used by '@locker/near-membrane-dom'.
|
|
1850
|
+
ObjectLookupOwnGetter$LWS$1(HTMLElementProto$LWS, 'style');
|
|
1851
|
+
const HTMLElementGlobalAttributesToPropertyName$LWS = {
|
|
1852
|
+
__proto__: null,
|
|
1853
|
+
accesskey: 'accessKey',
|
|
1854
|
+
contenteditable: 'contentEditable',
|
|
1855
|
+
enterkeyhint: 'enterKeyHint',
|
|
1856
|
+
inputmode: 'inputMode',
|
|
1857
|
+
tabindex: 'tabIndex'
|
|
1858
|
+
};
|
|
1859
|
+
const HTMLTemplateElementProtoContentGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLTemplateElement.prototype, 'content');
|
|
1860
|
+
const {
|
|
1861
|
+
prototype: NodeProto$LWS$1
|
|
1862
|
+
} = Node;
|
|
1863
|
+
const {
|
|
1864
|
+
appendChild: NodeProtoAppendChild$LWS$1,
|
|
1865
|
+
cloneNode: NodeProtoCloneNode$LWS,
|
|
1866
|
+
isEqualNode: NodeProtoIsEqualNode$LWS
|
|
1867
|
+
} = NodeProto$LWS$1;
|
|
1868
|
+
const NodeProtoChildNodesGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'childNodes');
|
|
1869
|
+
const NodeProtoFirstChildGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'firstChild');
|
|
1870
|
+
const NodeProtoIsConnectedGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'isConnected');
|
|
1871
|
+
// Used by '@locker/near-membrane-dom'.
|
|
1872
|
+
ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'lastChild');
|
|
1873
|
+
const NodeProtoNodeNameGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'nodeName');
|
|
1874
|
+
const NodeProtoOwnerDocumentGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'ownerDocument');
|
|
1875
|
+
const NodeProtoParentNodeGetter$LWS = ObjectLookupOwnGetter$LWS$1(NodeProto$LWS$1, 'parentNode');
|
|
1876
|
+
ReflectGetOwnPropertyDescriptor$LWS(NodeProto$LWS$1, 'textContent');
|
|
1877
|
+
const rootDocumentDetachedFragment$LWS = ReflectApply$LWS$1(DocumentProtoCreateDocumentFragment$LWS, rootDocument$LWS, []);
|
|
1878
|
+
const rootDocumentDetachedContainer$LWS = ReflectApply$LWS$1(DocumentProtoCreateElement$LWS$1, rootDocument$LWS, ['div']);
|
|
1837
1879
|
/* eslint-disable no-underscore-dangle */
|
|
1838
1880
|
class Validator$LWS {
|
|
1839
1881
|
constructor(document$LWS, {
|
|
@@ -1849,7 +1891,36 @@ class Validator$LWS {
|
|
|
1849
1891
|
};
|
|
1850
1892
|
// There is no reason to ever allow any HTML or XML that contains all three of these substrings.
|
|
1851
1893
|
// eslint-disable-next-line class-methods-use-this
|
|
1852
|
-
this.isInherentlyUnsecure = input$LWS =>
|
|
1894
|
+
this.isInherentlyUnsecure = input$LWS => {
|
|
1895
|
+
const hasIframe$LWS = hasTag$LWS(input$LWS, 'iframe') && ReflectApply$LWS$1(StringProtoIncludes$LWS, input$LWS, ['srcdoc']);
|
|
1896
|
+
const hasScript$LWS = hasTag$LWS(input$LWS, 'script');
|
|
1897
|
+
// If neither an iframe or a script was detected, then this input is safe.
|
|
1898
|
+
// istanbul ignore else: returns immediately
|
|
1899
|
+
if (!hasIframe$LWS && !hasScript$LWS) {
|
|
1900
|
+
return false;
|
|
1901
|
+
}
|
|
1902
|
+
// If the string contains both the words iframe and srcdoc, it is unsafe
|
|
1903
|
+
// istanbul ignore else: returns immediately
|
|
1904
|
+
if (hasIframe$LWS) {
|
|
1905
|
+
return true;
|
|
1906
|
+
}
|
|
1907
|
+
// If the input contained the word "script", then we need to confirm that the string
|
|
1908
|
+
// that was seen is actually markup.
|
|
1909
|
+
//
|
|
1910
|
+
// IMPORTANT: We CANNOT reuse this.template.left/right for this check. Template elements
|
|
1911
|
+
// do not return innerText or textContent, which makes the following innerHTML/innerText
|
|
1912
|
+
// check useless.
|
|
1913
|
+
ReflectApply$LWS$1(DocumentFragmentProtoAppend$LWS, rootDocumentDetachedFragment$LWS, [rootDocumentDetachedContainer$LWS]);
|
|
1914
|
+
ReflectApply$LWS$1(ElementProtoInnerHTMLSetter$LWS, rootDocumentDetachedContainer$LWS, [input$LWS]);
|
|
1915
|
+
// This MUST BE CHECKED AFTER IT IS RENDERED. The nature of these attacks requires
|
|
1916
|
+
// the actual source to be set to the innerHTML to allow the browser to render
|
|
1917
|
+
const innerHTML$LWS = ReflectApply$LWS$1(ElementProtoInnerHTMLGetter$LWS, rootDocumentDetachedContainer$LWS, []);
|
|
1918
|
+
const innerText$LWS = ReflectApply$LWS$1(HTMLElementProtoInnerTextGetter$LWS, rootDocumentDetachedContainer$LWS, []);
|
|
1919
|
+
ReflectApply$LWS$1(ElementProtoRemove$LWS$1, rootDocumentDetachedContainer$LWS, []);
|
|
1920
|
+
// If innerHTML contains "script", but innerText does not, then the string
|
|
1921
|
+
// was hiding a script element through some kind of obfuscation, and is unsecure.
|
|
1922
|
+
return hasTag$LWS(innerHTML$LWS, 'script') && !hasTag$LWS(innerText$LWS, 'script');
|
|
1923
|
+
};
|
|
1853
1924
|
this.isSharedElement = element$LWS => element$LWS === ReflectApply$LWS$1(DocumentProtoHeadGetter$LWS, this._document, []) || element$LWS === ReflectApply$LWS$1(DocumentProtoBodyGetter$LWS$1, this._document, []) || element$LWS === ReflectApply$LWS$1(DocumentProtoDocumentElementGetter$LWS, this._document, []);
|
|
1854
1925
|
this._constructors = {
|
|
1855
1926
|
HTMLLinkElement: HTMLLinkElement$LWS,
|
|
@@ -1882,6 +1953,9 @@ function deepIsEqualNode$LWS(leftRoot$LWS, rightRoot$LWS) {
|
|
|
1882
1953
|
}
|
|
1883
1954
|
return false;
|
|
1884
1955
|
}
|
|
1956
|
+
function hasTag$LWS(input$LWS, tag$LWS) {
|
|
1957
|
+
return ReflectApply$LWS$1(StringProtoIncludes$LWS, input$LWS, [`<${tag$LWS} `]) || ReflectApply$LWS$1(StringProtoIncludes$LWS, input$LWS, [`:${tag$LWS} `]) || ReflectApply$LWS$1(StringProtoIncludes$LWS, input$LWS, [`<${tag$LWS}>`]) || ReflectApply$LWS$1(StringProtoIncludes$LWS, input$LWS, [`:${tag$LWS}>`]);
|
|
1958
|
+
}
|
|
1885
1959
|
const rootValidator$LWS = new Validator$LWS(rootDocument$LWS, rootWindow$LWS$1);
|
|
1886
1960
|
const documentToValidatorMap$LWS = toSafeWeakMap$LWS$1(new WeakMapCtor$LWS$1([[rootDocument$LWS, rootValidator$LWS]]));
|
|
1887
1961
|
function getValidator$LWS(document$LWS, globalObject$LWS) {
|
|
@@ -1955,9 +2029,6 @@ item$LWS => {
|
|
|
1955
2029
|
const brand$LWS = item$LWS == null ? void 0 : item$LWS.brand;
|
|
1956
2030
|
return typeof brand$LWS === 'string' && ReflectApply$LWS$1(RegExpProtoTest$LWS$1, webKitUserAgentRegExp$LWS, [brand$LWS]);
|
|
1957
2031
|
}]) !== undefined : ReflectApply$LWS$1(RegExpProtoTest$LWS$1, webKitUserAgentRegExp$LWS, [getUserAgent$LWS$1()]));
|
|
1958
|
-
const {
|
|
1959
|
-
getElementById: DocumentFragmentProtoGetElementById$LWS
|
|
1960
|
-
} = DocumentFragment.prototype;
|
|
1961
2032
|
|
|
1962
2033
|
// Used by '@locker/near-membrane-shared-dom'.
|
|
1963
2034
|
// The DOMException constructor was exposed in Edge 12 but wasn't invocable
|
|
@@ -1968,7 +2039,17 @@ ObjectLookupOwnGetter$LWS$1(DOMExceptionCtor$LWS$1.prototype, 'code');
|
|
|
1968
2039
|
const {
|
|
1969
2040
|
createDocument: DOMImplementationProtoCreateDocument$LWS
|
|
1970
2041
|
} = DOMImplementation.prototype;
|
|
1971
|
-
const
|
|
2042
|
+
const DOMTokenListCtor$LWS = DOMTokenList;
|
|
2043
|
+
const {
|
|
2044
|
+
prototype: DOMTokenListProto$LWS
|
|
2045
|
+
} = DOMTokenListCtor$LWS;
|
|
2046
|
+
const {
|
|
2047
|
+
add: DOMTokenListProtoAdd$LWS,
|
|
2048
|
+
contains: DOMTokenListProtoContains$LWS,
|
|
2049
|
+
remove: DOMTokenListProtoRemove$LWS
|
|
2050
|
+
} = DOMTokenListProto$LWS;
|
|
2051
|
+
const DOMTokenListProtoLengthGetter$LWS = ObjectLookupOwnGetter$LWS$1(DOMTokenListProto$LWS, 'length');
|
|
2052
|
+
const DOMTokenListProtoValueGetter$LWS = ObjectLookupOwnGetter$LWS$1(DOMTokenListProto$LWS, 'value');
|
|
1972
2053
|
const EventCtor$LWS = Event;
|
|
1973
2054
|
const {
|
|
1974
2055
|
prototype: EventProto$LWS
|
|
@@ -1992,25 +2073,14 @@ const {
|
|
|
1992
2073
|
} = ReflectGetOwnPropertyDescriptor$LWS(HTMLAnchorElementProto$LWS, 'href');
|
|
1993
2074
|
const HTMLAnchorElementProtoPathnameGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'pathname');
|
|
1994
2075
|
const HTMLAnchorElementProtoProtocolGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'protocol');
|
|
1995
|
-
const HTMLElement$LWS = getUnmaskedFunction$LWS(rootWindow$LWS$1.HTMLElement);
|
|
1996
|
-
const {
|
|
1997
|
-
prototype: HTMLElementProto$LWS
|
|
1998
|
-
} = HTMLElement$LWS;
|
|
1999
|
-
// Used by '@locker/near-membrane-dom'.
|
|
2000
|
-
ObjectLookupOwnGetter$LWS$1(HTMLElementProto$LWS, 'style');
|
|
2001
|
-
const HTMLElementGlobalAttributesToPropertyName$LWS = {
|
|
2002
|
-
__proto__: null,
|
|
2003
|
-
accesskey: 'accessKey',
|
|
2004
|
-
contenteditable: 'contentEditable',
|
|
2005
|
-
enterkeyhint: 'enterKeyHint',
|
|
2006
|
-
inputmode: 'inputMode',
|
|
2007
|
-
tabindex: 'tabIndex'
|
|
2008
|
-
};
|
|
2009
2076
|
const {
|
|
2010
2077
|
prototype: HTMLIFrameElementProto$LWS
|
|
2011
2078
|
} = HTMLIFrameElement;
|
|
2012
2079
|
// Used by '@locker/near-membrane-dom'.
|
|
2013
2080
|
ObjectLookupOwnGetter$LWS$1(HTMLIFrameElementProto$LWS, 'contentWindow');
|
|
2081
|
+
const HTMLIFrameElementProtoSandboxGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLIFrameElementProto$LWS, 'sandbox');
|
|
2082
|
+
const HTMLIFrameElementProtoSandboxSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLIFrameElementProto$LWS, 'sandbox');
|
|
2083
|
+
const HTMLIFrameElementProtoSrcGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLIFrameElementProto$LWS, 'src');
|
|
2014
2084
|
const HTMLIFrameElementProtoSrcSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLIFrameElementProto$LWS, 'src');
|
|
2015
2085
|
const HTMLScriptElementCtor$LWS = HTMLScriptElement;
|
|
2016
2086
|
const {
|
|
@@ -2033,10 +2103,12 @@ ObjectLookupOwnGetter$LWS$1(ResponseProto$LWS, 'statusText');
|
|
|
2033
2103
|
const {
|
|
2034
2104
|
text: ResponseProtoText$LWS
|
|
2035
2105
|
} = ResponseProto$LWS;
|
|
2106
|
+
const URLCtor$LWS = URL;
|
|
2107
|
+
const URLProtoOriginGetter$LWS = ObjectLookupOwnGetter$LWS$1(URLCtor$LWS.prototype, 'origin');
|
|
2036
2108
|
const {
|
|
2037
2109
|
createObjectURL: URLCreateObjectURL$LWS,
|
|
2038
2110
|
revokeObjectURL: URLRevokeObjectURL$LWS
|
|
2039
|
-
} =
|
|
2111
|
+
} = URLCtor$LWS;
|
|
2040
2112
|
const SCRIPT_EVALUATOR_PROPERTY_NAME$LWS = '$evaluator$';
|
|
2041
2113
|
const SCRIPT_HOOK_SOURCE_TEXT$LWS = `document.currentScript.${SCRIPT_EVALUATOR_PROPERTY_NAME$LWS}`;
|
|
2042
2114
|
const evaluatedScriptElements$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1());
|
|
@@ -2052,6 +2124,7 @@ function defineScriptAccessorProperty$LWS(script$LWS, propKey$LWS, getter$LWS, s
|
|
|
2052
2124
|
});
|
|
2053
2125
|
}
|
|
2054
2126
|
function defineScriptEvaluatorProperty$LWS(script$LWS, callback$LWS) {
|
|
2127
|
+
// istanbul ignore if: require a test to get the evaluator in a bad state. Like code that tried to access it in between. This is mostly a "the universe is not as expected error"
|
|
2055
2128
|
if (!ReflectDefineProperty$LWS$1(script$LWS, SCRIPT_EVALUATOR_PROPERTY_NAME$LWS, {
|
|
2056
2129
|
__proto__: null,
|
|
2057
2130
|
configurable: true,
|
|
@@ -2203,7 +2276,7 @@ const {
|
|
|
2203
2276
|
const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
|
|
2204
2277
|
const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
|
|
2205
2278
|
ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
|
|
2206
|
-
/*! version: 0.
|
|
2279
|
+
/*! version: 0.23.6 */
|
|
2207
2280
|
|
|
2208
2281
|
/*!
|
|
2209
2282
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -2224,13 +2297,14 @@ function isMIMETypeAllowed$LWS(mimeType$LWS) {
|
|
|
2224
2297
|
}
|
|
2225
2298
|
return false;
|
|
2226
2299
|
}
|
|
2227
|
-
const DISALLOWED_ENDPOINTS_LIST$LWS = ['/aura', '/webruntime'];
|
|
2228
2300
|
const TRUSTED_DOMAINS_REG_EXP$LWS = /\.(force|salesforce|visualforce|documentforce|my\.site|salesforce-sites)\.com$/;
|
|
2229
2301
|
const URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['about:', 'http:', 'https:']);
|
|
2230
2302
|
const newlinesAndTabsRegExp$LWS = /[\u2028\u2029\n\r\t]/g;
|
|
2231
2303
|
const normalizerAnchor$LWS = ReflectApply$LWS$1(DocumentProtoCreateElement$LWS$1, rootDocument$LWS, ['a']);
|
|
2232
2304
|
// @TODO: W-7302311 Make paths and domains configurable.
|
|
2233
2305
|
function isValidURL$LWS(parsedURL$LWS) {
|
|
2306
|
+
// Need to add /services to isValidUrl unit test and locker/scripts/test/disallowed-endpoints.js once we remove the gate.
|
|
2307
|
+
const DISALLOWED_ENDPOINTS_LIST$LWS = isGaterEnabledFeature$LWS('enableBlockServicesEndpoint') ? ['/aura', '/webruntime', '/services'] : ['/aura', '/webruntime'];
|
|
2234
2308
|
const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
|
|
2235
2309
|
for (let i$LWS = 0, {
|
|
2236
2310
|
length: length$LWS
|
|
@@ -2262,9 +2336,9 @@ function sanitizeURLForElement$LWS(url$LWS) {
|
|
|
2262
2336
|
function sanitizeURLString$LWS(urlString$LWS) {
|
|
2263
2337
|
return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
|
|
2264
2338
|
}
|
|
2265
|
-
/*! version: 0.
|
|
2339
|
+
/*! version: 0.23.6 */
|
|
2266
2340
|
|
|
2267
|
-
/*! @license DOMPurify 3.
|
|
2341
|
+
/*! @license DOMPurify 3.1.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.6/LICENSE */
|
|
2268
2342
|
|
|
2269
2343
|
const {
|
|
2270
2344
|
entries,
|
|
@@ -2278,36 +2352,30 @@ let {
|
|
|
2278
2352
|
seal,
|
|
2279
2353
|
create
|
|
2280
2354
|
} = Object; // eslint-disable-line import/no-mutable-exports
|
|
2281
|
-
|
|
2282
2355
|
let {
|
|
2283
2356
|
apply,
|
|
2284
2357
|
construct
|
|
2285
2358
|
} = typeof Reflect !== 'undefined' && Reflect;
|
|
2286
|
-
|
|
2287
|
-
if (!apply) {
|
|
2288
|
-
apply = function apply(fun, thisValue, args) {
|
|
2289
|
-
return fun.apply(thisValue, args);
|
|
2290
|
-
};
|
|
2291
|
-
}
|
|
2292
|
-
|
|
2293
2359
|
if (!freeze) {
|
|
2294
2360
|
freeze = function freeze(x) {
|
|
2295
2361
|
return x;
|
|
2296
2362
|
};
|
|
2297
2363
|
}
|
|
2298
|
-
|
|
2299
2364
|
if (!seal) {
|
|
2300
2365
|
seal = function seal(x) {
|
|
2301
2366
|
return x;
|
|
2302
2367
|
};
|
|
2303
2368
|
}
|
|
2304
|
-
|
|
2369
|
+
if (!apply) {
|
|
2370
|
+
apply = function apply(fun, thisValue, args) {
|
|
2371
|
+
return fun.apply(thisValue, args);
|
|
2372
|
+
};
|
|
2373
|
+
}
|
|
2305
2374
|
if (!construct) {
|
|
2306
2375
|
construct = function construct(Func, args) {
|
|
2307
2376
|
return new Func(...args);
|
|
2308
2377
|
};
|
|
2309
2378
|
}
|
|
2310
|
-
|
|
2311
2379
|
const arrayForEach = unapply(Array.prototype.forEach);
|
|
2312
2380
|
const arrayPop = unapply(Array.prototype.pop);
|
|
2313
2381
|
const arrayPush = unapply(Array.prototype.push);
|
|
@@ -2317,136 +2385,175 @@ const stringMatch = unapply(String.prototype.match);
|
|
|
2317
2385
|
const stringReplace = unapply(String.prototype.replace);
|
|
2318
2386
|
const stringIndexOf = unapply(String.prototype.indexOf);
|
|
2319
2387
|
const stringTrim = unapply(String.prototype.trim);
|
|
2388
|
+
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
|
|
2320
2389
|
const regExpTest = unapply(RegExp.prototype.test);
|
|
2321
2390
|
const typeErrorCreate = unconstruct(TypeError);
|
|
2391
|
+
|
|
2392
|
+
/**
|
|
2393
|
+
* Creates a new function that calls the given function with a specified thisArg and arguments.
|
|
2394
|
+
*
|
|
2395
|
+
* @param {Function} func - The function to be wrapped and called.
|
|
2396
|
+
* @returns {Function} A new function that calls the given function with a specified thisArg and arguments.
|
|
2397
|
+
*/
|
|
2322
2398
|
function unapply(func) {
|
|
2323
2399
|
return function (thisArg) {
|
|
2324
2400
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
2325
2401
|
args[_key - 1] = arguments[_key];
|
|
2326
2402
|
}
|
|
2327
|
-
|
|
2328
2403
|
return apply(func, thisArg, args);
|
|
2329
2404
|
};
|
|
2330
2405
|
}
|
|
2406
|
+
|
|
2407
|
+
/**
|
|
2408
|
+
* Creates a new function that constructs an instance of the given constructor function with the provided arguments.
|
|
2409
|
+
*
|
|
2410
|
+
* @param {Function} func - The constructor function to be wrapped and called.
|
|
2411
|
+
* @returns {Function} A new function that constructs an instance of the given constructor function with the provided arguments.
|
|
2412
|
+
*/
|
|
2331
2413
|
function unconstruct(func) {
|
|
2332
2414
|
return function () {
|
|
2333
2415
|
for (var _len2 = arguments.length, args = new Array(_len2), _key2 = 0; _key2 < _len2; _key2++) {
|
|
2334
2416
|
args[_key2] = arguments[_key2];
|
|
2335
2417
|
}
|
|
2336
|
-
|
|
2337
2418
|
return construct(func, args);
|
|
2338
2419
|
};
|
|
2339
2420
|
}
|
|
2340
|
-
/* Add properties to a lookup table */
|
|
2341
|
-
|
|
2342
|
-
function addToSet(set, array, transformCaseFunc) {
|
|
2343
|
-
var _transformCaseFunc;
|
|
2344
|
-
|
|
2345
|
-
transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
|
|
2346
2421
|
|
|
2422
|
+
/**
|
|
2423
|
+
* Add properties to a lookup table
|
|
2424
|
+
*
|
|
2425
|
+
* @param {Object} set - The set to which elements will be added.
|
|
2426
|
+
* @param {Array} array - The array containing elements to be added to the set.
|
|
2427
|
+
* @param {Function} transformCaseFunc - An optional function to transform the case of each element before adding to the set.
|
|
2428
|
+
* @returns {Object} The modified set with added elements.
|
|
2429
|
+
*/
|
|
2430
|
+
function addToSet(set, array) {
|
|
2431
|
+
let transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;
|
|
2347
2432
|
if (setPrototypeOf) {
|
|
2348
2433
|
// Make 'in' and truthy checks like Boolean(set.constructor)
|
|
2349
2434
|
// independent of any properties defined on Object.prototype.
|
|
2350
2435
|
// Prevent prototype setters from intercepting set as a this value.
|
|
2351
2436
|
setPrototypeOf(set, null);
|
|
2352
2437
|
}
|
|
2353
|
-
|
|
2354
2438
|
let l = array.length;
|
|
2355
|
-
|
|
2356
2439
|
while (l--) {
|
|
2357
2440
|
let element = array[l];
|
|
2358
|
-
|
|
2359
2441
|
if (typeof element === 'string') {
|
|
2360
2442
|
const lcElement = transformCaseFunc(element);
|
|
2361
|
-
|
|
2362
2443
|
if (lcElement !== element) {
|
|
2363
2444
|
// Config presets (e.g. tags.js, attrs.js) are immutable.
|
|
2364
2445
|
if (!isFrozen(array)) {
|
|
2365
2446
|
array[l] = lcElement;
|
|
2366
2447
|
}
|
|
2367
|
-
|
|
2368
2448
|
element = lcElement;
|
|
2369
2449
|
}
|
|
2370
2450
|
}
|
|
2371
|
-
|
|
2372
2451
|
set[element] = true;
|
|
2373
2452
|
}
|
|
2374
|
-
|
|
2375
2453
|
return set;
|
|
2376
2454
|
}
|
|
2377
|
-
/* Shallow clone an object */
|
|
2378
2455
|
|
|
2456
|
+
/**
|
|
2457
|
+
* Clean up an array to harden against CSPP
|
|
2458
|
+
*
|
|
2459
|
+
* @param {Array} array - The array to be cleaned.
|
|
2460
|
+
* @returns {Array} The cleaned version of the array
|
|
2461
|
+
*/
|
|
2462
|
+
function cleanArray(array) {
|
|
2463
|
+
for (let index = 0; index < array.length; index++) {
|
|
2464
|
+
const isPropertyExist = objectHasOwnProperty(array, index);
|
|
2465
|
+
if (!isPropertyExist) {
|
|
2466
|
+
array[index] = null;
|
|
2467
|
+
}
|
|
2468
|
+
}
|
|
2469
|
+
return array;
|
|
2470
|
+
}
|
|
2471
|
+
|
|
2472
|
+
/**
|
|
2473
|
+
* Shallow clone an object
|
|
2474
|
+
*
|
|
2475
|
+
* @param {Object} object - The object to be cloned.
|
|
2476
|
+
* @returns {Object} A new object that copies the original.
|
|
2477
|
+
*/
|
|
2379
2478
|
function clone(object) {
|
|
2380
2479
|
const newObject = create(null);
|
|
2381
|
-
|
|
2382
2480
|
for (const [property, value] of entries(object)) {
|
|
2383
|
-
|
|
2481
|
+
const isPropertyExist = objectHasOwnProperty(object, property);
|
|
2482
|
+
if (isPropertyExist) {
|
|
2483
|
+
if (Array.isArray(value)) {
|
|
2484
|
+
newObject[property] = cleanArray(value);
|
|
2485
|
+
} else if (value && typeof value === 'object' && value.constructor === Object) {
|
|
2486
|
+
newObject[property] = clone(value);
|
|
2487
|
+
} else {
|
|
2488
|
+
newObject[property] = value;
|
|
2489
|
+
}
|
|
2490
|
+
}
|
|
2384
2491
|
}
|
|
2385
|
-
|
|
2386
2492
|
return newObject;
|
|
2387
2493
|
}
|
|
2388
|
-
/* This method automatically checks if the prop is function
|
|
2389
|
-
* or getter and behaves accordingly. */
|
|
2390
2494
|
|
|
2495
|
+
/**
|
|
2496
|
+
* This method automatically checks if the prop is function or getter and behaves accordingly.
|
|
2497
|
+
*
|
|
2498
|
+
* @param {Object} object - The object to look up the getter function in its prototype chain.
|
|
2499
|
+
* @param {String} prop - The property name for which to find the getter function.
|
|
2500
|
+
* @returns {Function} The getter function found in the prototype chain or a fallback function.
|
|
2501
|
+
*/
|
|
2391
2502
|
function lookupGetter(object, prop) {
|
|
2392
2503
|
while (object !== null) {
|
|
2393
2504
|
const desc = getOwnPropertyDescriptor(object, prop);
|
|
2394
|
-
|
|
2395
2505
|
if (desc) {
|
|
2396
2506
|
if (desc.get) {
|
|
2397
2507
|
return unapply(desc.get);
|
|
2398
2508
|
}
|
|
2399
|
-
|
|
2400
2509
|
if (typeof desc.value === 'function') {
|
|
2401
2510
|
return unapply(desc.value);
|
|
2402
2511
|
}
|
|
2403
2512
|
}
|
|
2404
|
-
|
|
2405
2513
|
object = getPrototypeOf(object);
|
|
2406
2514
|
}
|
|
2407
|
-
|
|
2408
|
-
function fallbackValue(element) {
|
|
2409
|
-
console.warn('fallback value for', element);
|
|
2515
|
+
function fallbackValue() {
|
|
2410
2516
|
return null;
|
|
2411
2517
|
}
|
|
2412
|
-
|
|
2413
2518
|
return fallbackValue;
|
|
2414
2519
|
}
|
|
2415
2520
|
|
|
2416
|
-
const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
|
|
2521
|
+
const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
|
|
2417
2522
|
|
|
2523
|
+
// SVG
|
|
2418
2524
|
const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
|
|
2419
|
-
const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
|
|
2525
|
+
const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
|
|
2526
|
+
|
|
2527
|
+
// List of SVG elements that are disallowed by default.
|
|
2420
2528
|
// We still need to know them so that we can do namespace
|
|
2421
2529
|
// checks properly in case one wants to add them to
|
|
2422
2530
|
// allow-list.
|
|
2423
|
-
|
|
2424
2531
|
const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
|
|
2425
|
-
const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
|
|
2426
|
-
// even those that we disallow by default.
|
|
2532
|
+
const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
|
|
2427
2533
|
|
|
2534
|
+
// Similarly to SVG, we want to know all MathML elements,
|
|
2535
|
+
// even those that we disallow by default.
|
|
2428
2536
|
const mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);
|
|
2429
2537
|
const text = freeze(['#text']);
|
|
2430
2538
|
|
|
2431
|
-
const html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns', 'slot']);
|
|
2539
|
+
const html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'popover', 'popovertarget', 'popovertargetaction', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'wrap', 'xmlns', 'slot']);
|
|
2432
2540
|
const svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'targetx', 'targety', 'transform', 'transform-origin', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);
|
|
2433
2541
|
const mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);
|
|
2434
2542
|
const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
|
|
2435
2543
|
|
|
2544
|
+
// eslint-disable-next-line unicorn/better-regex
|
|
2436
2545
|
const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
|
|
2437
|
-
|
|
2438
2546
|
const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
2439
2547
|
const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
|
|
2440
2548
|
const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
|
|
2441
|
-
|
|
2442
2549
|
const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
2443
|
-
|
|
2444
2550
|
const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
2445
2551
|
);
|
|
2446
2552
|
const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
|
|
2447
2553
|
const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
|
|
2448
2554
|
);
|
|
2449
2555
|
const DOCTYPE_NAME = seal(/^html$/i);
|
|
2556
|
+
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
|
|
2450
2557
|
|
|
2451
2558
|
var EXPRESSIONS = /*#__PURE__*/Object.freeze({
|
|
2452
2559
|
__proto__: null,
|
|
@@ -2458,47 +2565,61 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
|
|
|
2458
2565
|
IS_ALLOWED_URI: IS_ALLOWED_URI,
|
|
2459
2566
|
IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
|
|
2460
2567
|
ATTR_WHITESPACE: ATTR_WHITESPACE,
|
|
2461
|
-
DOCTYPE_NAME: DOCTYPE_NAME
|
|
2568
|
+
DOCTYPE_NAME: DOCTYPE_NAME,
|
|
2569
|
+
CUSTOM_ELEMENT: CUSTOM_ELEMENT
|
|
2462
2570
|
});
|
|
2463
2571
|
|
|
2464
|
-
|
|
2572
|
+
// https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
|
|
2573
|
+
const NODE_TYPE = {
|
|
2574
|
+
element: 1,
|
|
2575
|
+
attribute: 2,
|
|
2576
|
+
text: 3,
|
|
2577
|
+
cdataSection: 4,
|
|
2578
|
+
entityReference: 5,
|
|
2579
|
+
// Deprecated
|
|
2580
|
+
entityNode: 6,
|
|
2581
|
+
// Deprecated
|
|
2582
|
+
progressingInstruction: 7,
|
|
2583
|
+
comment: 8,
|
|
2584
|
+
document: 9,
|
|
2585
|
+
documentType: 10,
|
|
2586
|
+
documentFragment: 11,
|
|
2587
|
+
notation: 12 // Deprecated
|
|
2588
|
+
};
|
|
2589
|
+
const getGlobal = function getGlobal() {
|
|
2590
|
+
return typeof window === 'undefined' ? null : window;
|
|
2591
|
+
};
|
|
2592
|
+
|
|
2465
2593
|
/**
|
|
2466
2594
|
* Creates a no-op policy for internal use only.
|
|
2467
2595
|
* Don't export this function outside this module!
|
|
2468
|
-
* @param {
|
|
2596
|
+
* @param {TrustedTypePolicyFactory} trustedTypes The policy factory.
|
|
2469
2597
|
* @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
|
|
2470
|
-
* @return {
|
|
2598
|
+
* @return {TrustedTypePolicy} The policy created (or null, if Trusted Types
|
|
2471
2599
|
* are not supported or creating the policy failed).
|
|
2472
2600
|
*/
|
|
2473
|
-
|
|
2474
|
-
|
|
2475
2601
|
const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
|
|
2476
2602
|
if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
|
|
2477
2603
|
return null;
|
|
2478
|
-
}
|
|
2604
|
+
}
|
|
2605
|
+
|
|
2606
|
+
// Allow the callers to control the unique policy name
|
|
2479
2607
|
// by adding a data-tt-policy-suffix to the script element with the DOMPurify.
|
|
2480
2608
|
// Policy creation with duplicate names throws in Trusted Types.
|
|
2481
|
-
|
|
2482
|
-
|
|
2483
2609
|
let suffix = null;
|
|
2484
2610
|
const ATTR_NAME = 'data-tt-policy-suffix';
|
|
2485
|
-
|
|
2486
2611
|
if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
|
|
2487
2612
|
suffix = purifyHostElement.getAttribute(ATTR_NAME);
|
|
2488
2613
|
}
|
|
2489
|
-
|
|
2490
2614
|
const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
|
|
2491
|
-
|
|
2492
2615
|
try {
|
|
2493
2616
|
return trustedTypes.createPolicy(policyName, {
|
|
2494
2617
|
createHTML(html) {
|
|
2495
2618
|
return html;
|
|
2496
2619
|
},
|
|
2497
|
-
|
|
2498
2620
|
createScriptURL(scriptUrl) {
|
|
2499
2621
|
return scriptUrl;
|
|
2500
2622
|
}
|
|
2501
|
-
|
|
2502
2623
|
});
|
|
2503
2624
|
} catch (_) {
|
|
2504
2625
|
// Policy creation failed (most likely another DOMPurify script has
|
|
@@ -2508,37 +2629,32 @@ const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedType
|
|
|
2508
2629
|
return null;
|
|
2509
2630
|
}
|
|
2510
2631
|
};
|
|
2511
|
-
|
|
2512
2632
|
function createDOMPurify() {
|
|
2513
2633
|
let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
|
|
2514
|
-
|
|
2515
2634
|
const DOMPurify = root => createDOMPurify(root);
|
|
2635
|
+
|
|
2516
2636
|
/**
|
|
2517
2637
|
* Version label, exposed for easier checks
|
|
2518
2638
|
* if DOMPurify is up to date or not
|
|
2519
2639
|
*/
|
|
2640
|
+
DOMPurify.version = '3.1.6';
|
|
2520
2641
|
|
|
2521
|
-
|
|
2522
|
-
DOMPurify.version = '3.0.5';
|
|
2523
2642
|
/**
|
|
2524
2643
|
* Array of elements that DOMPurify removed during sanitation.
|
|
2525
2644
|
* Empty if nothing was removed.
|
|
2526
2645
|
*/
|
|
2527
|
-
|
|
2528
2646
|
DOMPurify.removed = [];
|
|
2529
|
-
|
|
2530
|
-
if (!window || !window.document || window.document.nodeType !== 9) {
|
|
2647
|
+
if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document) {
|
|
2531
2648
|
// Not running in a browser, provide a factory function
|
|
2532
2649
|
// so that you can pass your own Window
|
|
2533
2650
|
DOMPurify.isSupported = false;
|
|
2534
2651
|
return DOMPurify;
|
|
2535
2652
|
}
|
|
2536
|
-
|
|
2537
|
-
const originalDocument = window.document;
|
|
2538
|
-
const currentScript = originalDocument.currentScript;
|
|
2539
2653
|
let {
|
|
2540
2654
|
document
|
|
2541
2655
|
} = window;
|
|
2656
|
+
const originalDocument = document;
|
|
2657
|
+
const currentScript = originalDocument.currentScript;
|
|
2542
2658
|
const {
|
|
2543
2659
|
DocumentFragment,
|
|
2544
2660
|
HTMLTemplateElement,
|
|
@@ -2552,23 +2668,23 @@ function createDOMPurify() {
|
|
|
2552
2668
|
} = window;
|
|
2553
2669
|
const ElementPrototype = Element.prototype;
|
|
2554
2670
|
const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
|
|
2671
|
+
const remove = lookupGetter(ElementPrototype, 'remove');
|
|
2555
2672
|
const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
|
|
2556
2673
|
const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
|
|
2557
|
-
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
|
|
2674
|
+
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
|
|
2675
|
+
|
|
2676
|
+
// As per issue #47, the web-components registry is inherited by a
|
|
2558
2677
|
// new document created via createHTMLDocument. As per the spec
|
|
2559
2678
|
// (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)
|
|
2560
2679
|
// a new empty registry is used when creating a template contents owner
|
|
2561
2680
|
// document, so we use that as our parent document to ensure nothing
|
|
2562
2681
|
// is inherited.
|
|
2563
|
-
|
|
2564
2682
|
if (typeof HTMLTemplateElement === 'function') {
|
|
2565
2683
|
const template = document.createElement('template');
|
|
2566
|
-
|
|
2567
2684
|
if (template.content && template.content.ownerDocument) {
|
|
2568
2685
|
document = template.content.ownerDocument;
|
|
2569
2686
|
}
|
|
2570
2687
|
}
|
|
2571
|
-
|
|
2572
2688
|
let trustedTypesPolicy;
|
|
2573
2689
|
let emptyHTML = '';
|
|
2574
2690
|
const {
|
|
@@ -2581,10 +2697,10 @@ function createDOMPurify() {
|
|
|
2581
2697
|
importNode
|
|
2582
2698
|
} = originalDocument;
|
|
2583
2699
|
let hooks = {};
|
|
2700
|
+
|
|
2584
2701
|
/**
|
|
2585
2702
|
* Expose whether this browser supports running the full DOMPurify.
|
|
2586
2703
|
*/
|
|
2587
|
-
|
|
2588
2704
|
DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
|
|
2589
2705
|
const {
|
|
2590
2706
|
MUSTACHE_EXPR,
|
|
@@ -2593,32 +2709,33 @@ function createDOMPurify() {
|
|
|
2593
2709
|
DATA_ATTR,
|
|
2594
2710
|
ARIA_ATTR,
|
|
2595
2711
|
IS_SCRIPT_OR_DATA,
|
|
2596
|
-
ATTR_WHITESPACE
|
|
2712
|
+
ATTR_WHITESPACE,
|
|
2713
|
+
CUSTOM_ELEMENT
|
|
2597
2714
|
} = EXPRESSIONS;
|
|
2598
2715
|
let {
|
|
2599
2716
|
IS_ALLOWED_URI: IS_ALLOWED_URI$1
|
|
2600
2717
|
} = EXPRESSIONS;
|
|
2718
|
+
|
|
2601
2719
|
/**
|
|
2602
2720
|
* We consider the elements and attributes below to be safe. Ideally
|
|
2603
2721
|
* don't add any new ones but feel free to remove unwanted ones.
|
|
2604
2722
|
*/
|
|
2605
2723
|
|
|
2606
2724
|
/* allowed element names */
|
|
2607
|
-
|
|
2608
2725
|
let ALLOWED_TAGS = null;
|
|
2609
2726
|
const DEFAULT_ALLOWED_TAGS = addToSet({}, [...html$1, ...svg$1, ...svgFilters, ...mathMl$1, ...text]);
|
|
2610
|
-
/* Allowed attribute names */
|
|
2611
2727
|
|
|
2728
|
+
/* Allowed attribute names */
|
|
2612
2729
|
let ALLOWED_ATTR = null;
|
|
2613
2730
|
const DEFAULT_ALLOWED_ATTR = addToSet({}, [...html, ...svg, ...mathMl, ...xml]);
|
|
2731
|
+
|
|
2614
2732
|
/*
|
|
2615
2733
|
* Configure how DOMPUrify should handle custom elements and their attributes as well as customized built-in elements.
|
|
2616
2734
|
* @property {RegExp|Function|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)
|
|
2617
2735
|
* @property {RegExp|Function|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)
|
|
2618
2736
|
* @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.
|
|
2619
2737
|
*/
|
|
2620
|
-
|
|
2621
|
-
let CUSTOM_ELEMENT_HANDLING = Object.seal(Object.create(null, {
|
|
2738
|
+
let CUSTOM_ELEMENT_HANDLING = Object.seal(create(null, {
|
|
2622
2739
|
tagNameCheck: {
|
|
2623
2740
|
writable: true,
|
|
2624
2741
|
configurable: false,
|
|
@@ -2638,59 +2755,65 @@ function createDOMPurify() {
|
|
|
2638
2755
|
value: false
|
|
2639
2756
|
}
|
|
2640
2757
|
}));
|
|
2641
|
-
/* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
|
|
2642
2758
|
|
|
2759
|
+
/* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
|
|
2643
2760
|
let FORBID_TAGS = null;
|
|
2644
|
-
/* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
|
|
2645
2761
|
|
|
2762
|
+
/* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
|
|
2646
2763
|
let FORBID_ATTR = null;
|
|
2647
|
-
/* Decide if ARIA attributes are okay */
|
|
2648
2764
|
|
|
2765
|
+
/* Decide if ARIA attributes are okay */
|
|
2649
2766
|
let ALLOW_ARIA_ATTR = true;
|
|
2650
|
-
/* Decide if custom data attributes are okay */
|
|
2651
2767
|
|
|
2768
|
+
/* Decide if custom data attributes are okay */
|
|
2652
2769
|
let ALLOW_DATA_ATTR = true;
|
|
2653
|
-
/* Decide if unknown protocols are okay */
|
|
2654
2770
|
|
|
2771
|
+
/* Decide if unknown protocols are okay */
|
|
2655
2772
|
let ALLOW_UNKNOWN_PROTOCOLS = false;
|
|
2773
|
+
|
|
2656
2774
|
/* Decide if self-closing tags in attributes are allowed.
|
|
2657
2775
|
* Usually removed due to a mXSS issue in jQuery 3.0 */
|
|
2658
|
-
|
|
2659
2776
|
let ALLOW_SELF_CLOSE_IN_ATTR = true;
|
|
2777
|
+
|
|
2660
2778
|
/* Output should be safe for common template engines.
|
|
2661
2779
|
* This means, DOMPurify removes data attributes, mustaches and ERB
|
|
2662
2780
|
*/
|
|
2663
|
-
|
|
2664
2781
|
let SAFE_FOR_TEMPLATES = false;
|
|
2665
|
-
/* Decide if document with <html>... should be returned */
|
|
2666
2782
|
|
|
2783
|
+
/* Output should be safe even for XML used within HTML and alike.
|
|
2784
|
+
* This means, DOMPurify removes comments when containing risky content.
|
|
2785
|
+
*/
|
|
2786
|
+
let SAFE_FOR_XML = true;
|
|
2787
|
+
|
|
2788
|
+
/* Decide if document with <html>... should be returned */
|
|
2667
2789
|
let WHOLE_DOCUMENT = false;
|
|
2668
|
-
/* Track whether config is already set on this instance of DOMPurify. */
|
|
2669
2790
|
|
|
2791
|
+
/* Track whether config is already set on this instance of DOMPurify. */
|
|
2670
2792
|
let SET_CONFIG = false;
|
|
2793
|
+
|
|
2671
2794
|
/* Decide if all elements (e.g. style, script) must be children of
|
|
2672
2795
|
* document.body. By default, browsers might move them to document.head */
|
|
2673
|
-
|
|
2674
2796
|
let FORCE_BODY = false;
|
|
2797
|
+
|
|
2675
2798
|
/* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html
|
|
2676
2799
|
* string (or a TrustedHTML object if Trusted Types are supported).
|
|
2677
2800
|
* If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead
|
|
2678
2801
|
*/
|
|
2679
|
-
|
|
2680
2802
|
let RETURN_DOM = false;
|
|
2803
|
+
|
|
2681
2804
|
/* Decide if a DOM `DocumentFragment` should be returned, instead of a html
|
|
2682
2805
|
* string (or a TrustedHTML object if Trusted Types are supported) */
|
|
2683
|
-
|
|
2684
2806
|
let RETURN_DOM_FRAGMENT = false;
|
|
2807
|
+
|
|
2685
2808
|
/* Try to return a Trusted Type object instead of a string, return a string in
|
|
2686
2809
|
* case Trusted Types are not supported */
|
|
2687
|
-
|
|
2688
2810
|
let RETURN_TRUSTED_TYPE = false;
|
|
2811
|
+
|
|
2689
2812
|
/* Output should be free from DOM clobbering attacks?
|
|
2690
2813
|
* This sanitizes markups named with colliding, clobberable built-in DOM APIs.
|
|
2691
2814
|
*/
|
|
2692
|
-
|
|
2693
2815
|
let SANITIZE_DOM = true;
|
|
2816
|
+
|
|
2694
2817
|
/* Achieve full DOM Clobbering protection by isolating the namespace of named
|
|
2695
2818
|
* properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
|
|
2696
2819
|
*
|
|
@@ -2704,352 +2827,309 @@ function createDOMPurify() {
|
|
|
2704
2827
|
* Namespace isolation is implemented by prefixing `id` and `name` attributes
|
|
2705
2828
|
* with a constant string, i.e., `user-content-`
|
|
2706
2829
|
*/
|
|
2707
|
-
|
|
2708
2830
|
let SANITIZE_NAMED_PROPS = false;
|
|
2709
2831
|
const SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
|
|
2710
|
-
/* Keep element content when removing element? */
|
|
2711
2832
|
|
|
2833
|
+
/* Keep element content when removing element? */
|
|
2712
2834
|
let KEEP_CONTENT = true;
|
|
2835
|
+
|
|
2713
2836
|
/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
|
|
2714
2837
|
* of importing it into a new Document and returning a sanitized copy */
|
|
2715
|
-
|
|
2716
2838
|
let IN_PLACE = false;
|
|
2717
|
-
/* Allow usage of profiles like html, svg and mathMl */
|
|
2718
2839
|
|
|
2840
|
+
/* Allow usage of profiles like html, svg and mathMl */
|
|
2719
2841
|
let USE_PROFILES = {};
|
|
2720
|
-
/* Tags to ignore content of when KEEP_CONTENT is true */
|
|
2721
2842
|
|
|
2843
|
+
/* Tags to ignore content of when KEEP_CONTENT is true */
|
|
2722
2844
|
let FORBID_CONTENTS = null;
|
|
2723
2845
|
const DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);
|
|
2724
|
-
/* Tags that are safe for data: URIs */
|
|
2725
2846
|
|
|
2847
|
+
/* Tags that are safe for data: URIs */
|
|
2726
2848
|
let DATA_URI_TAGS = null;
|
|
2727
2849
|
const DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);
|
|
2728
|
-
/* Attributes safe for values like "javascript:" */
|
|
2729
2850
|
|
|
2851
|
+
/* Attributes safe for values like "javascript:" */
|
|
2730
2852
|
let URI_SAFE_ATTRIBUTES = null;
|
|
2731
2853
|
const DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);
|
|
2732
2854
|
const MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
|
|
2733
2855
|
const SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
|
|
2734
2856
|
const HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
|
|
2735
2857
|
/* Document namespace */
|
|
2736
|
-
|
|
2737
2858
|
let NAMESPACE = HTML_NAMESPACE;
|
|
2738
2859
|
let IS_EMPTY_INPUT = false;
|
|
2739
|
-
/* Allowed XHTML+XML namespaces */
|
|
2740
2860
|
|
|
2861
|
+
/* Allowed XHTML+XML namespaces */
|
|
2741
2862
|
let ALLOWED_NAMESPACES = null;
|
|
2742
2863
|
const DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);
|
|
2743
|
-
/* Parsing of strict XHTML documents */
|
|
2744
2864
|
|
|
2745
|
-
|
|
2865
|
+
/* Parsing of strict XHTML documents */
|
|
2866
|
+
let PARSER_MEDIA_TYPE = null;
|
|
2746
2867
|
const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
|
|
2747
2868
|
const DEFAULT_PARSER_MEDIA_TYPE = 'text/html';
|
|
2748
|
-
let transformCaseFunc;
|
|
2749
|
-
/* Keep a reference to config to pass to hooks */
|
|
2869
|
+
let transformCaseFunc = null;
|
|
2750
2870
|
|
|
2871
|
+
/* Keep a reference to config to pass to hooks */
|
|
2751
2872
|
let CONFIG = null;
|
|
2752
|
-
/* Ideally, do not touch anything below this line */
|
|
2753
2873
|
|
|
2874
|
+
/* Ideally, do not touch anything below this line */
|
|
2754
2875
|
/* ______________________________________________ */
|
|
2755
2876
|
|
|
2756
2877
|
const formElement = document.createElement('form');
|
|
2757
|
-
|
|
2758
2878
|
const isRegexOrFunction = function isRegexOrFunction(testValue) {
|
|
2759
2879
|
return testValue instanceof RegExp || testValue instanceof Function;
|
|
2760
2880
|
};
|
|
2881
|
+
|
|
2761
2882
|
/**
|
|
2762
2883
|
* _parseConfig
|
|
2763
2884
|
*
|
|
2764
2885
|
* @param {Object} cfg optional config literal
|
|
2765
2886
|
*/
|
|
2766
2887
|
// eslint-disable-next-line complexity
|
|
2767
|
-
|
|
2768
|
-
|
|
2769
|
-
const _parseConfig = function _parseConfig(cfg) {
|
|
2888
|
+
const _parseConfig = function _parseConfig() {
|
|
2889
|
+
let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
2770
2890
|
if (CONFIG && CONFIG === cfg) {
|
|
2771
2891
|
return;
|
|
2772
2892
|
}
|
|
2773
|
-
/* Shield configuration object from tampering */
|
|
2774
|
-
|
|
2775
2893
|
|
|
2894
|
+
/* Shield configuration object from tampering */
|
|
2776
2895
|
if (!cfg || typeof cfg !== 'object') {
|
|
2777
2896
|
cfg = {};
|
|
2778
2897
|
}
|
|
2779
|
-
/* Shield configuration object from prototype pollution */
|
|
2780
|
-
|
|
2781
2898
|
|
|
2899
|
+
/* Shield configuration object from prototype pollution */
|
|
2782
2900
|
cfg = clone(cfg);
|
|
2783
|
-
PARSER_MEDIA_TYPE =
|
|
2784
|
-
|
|
2901
|
+
PARSER_MEDIA_TYPE =
|
|
2902
|
+
// eslint-disable-next-line unicorn/prefer-includes
|
|
2903
|
+
SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;
|
|
2785
2904
|
|
|
2905
|
+
// HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
|
|
2786
2906
|
transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
|
|
2787
|
-
/* Set configuration parameters */
|
|
2788
2907
|
|
|
2789
|
-
|
|
2790
|
-
|
|
2791
|
-
|
|
2792
|
-
|
|
2793
|
-
cfg
|
|
2908
|
+
/* Set configuration parameters */
|
|
2909
|
+
ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
|
|
2910
|
+
ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
|
|
2911
|
+
ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
|
|
2912
|
+
URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
|
|
2913
|
+
// eslint-disable-line indent
|
|
2914
|
+
cfg.ADD_URI_SAFE_ATTR,
|
|
2915
|
+
// eslint-disable-line indent
|
|
2794
2916
|
transformCaseFunc // eslint-disable-line indent
|
|
2795
2917
|
) // eslint-disable-line indent
|
|
2796
2918
|
: DEFAULT_URI_SAFE_ATTRIBUTES;
|
|
2797
|
-
DATA_URI_TAGS = 'ADD_DATA_URI_TAGS'
|
|
2798
|
-
|
|
2919
|
+
DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
|
|
2920
|
+
// eslint-disable-line indent
|
|
2921
|
+
cfg.ADD_DATA_URI_TAGS,
|
|
2922
|
+
// eslint-disable-line indent
|
|
2799
2923
|
transformCaseFunc // eslint-disable-line indent
|
|
2800
2924
|
) // eslint-disable-line indent
|
|
2801
2925
|
: DEFAULT_DATA_URI_TAGS;
|
|
2802
|
-
FORBID_CONTENTS = 'FORBID_CONTENTS'
|
|
2803
|
-
FORBID_TAGS = 'FORBID_TAGS'
|
|
2804
|
-
FORBID_ATTR = 'FORBID_ATTR'
|
|
2805
|
-
USE_PROFILES = 'USE_PROFILES'
|
|
2926
|
+
FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
|
|
2927
|
+
FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
|
|
2928
|
+
FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
|
|
2929
|
+
USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
|
|
2806
2930
|
ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
|
|
2807
|
-
|
|
2808
2931
|
ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
|
|
2809
|
-
|
|
2810
2932
|
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
|
|
2811
|
-
|
|
2812
2933
|
ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
|
|
2813
|
-
|
|
2814
2934
|
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
|
|
2815
|
-
|
|
2935
|
+
SAFE_FOR_XML = cfg.SAFE_FOR_XML !== false; // Default true
|
|
2816
2936
|
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
|
|
2817
|
-
|
|
2818
2937
|
RETURN_DOM = cfg.RETURN_DOM || false; // Default false
|
|
2819
|
-
|
|
2820
2938
|
RETURN_DOM_FRAGMENT = cfg.RETURN_DOM_FRAGMENT || false; // Default false
|
|
2821
|
-
|
|
2822
2939
|
RETURN_TRUSTED_TYPE = cfg.RETURN_TRUSTED_TYPE || false; // Default false
|
|
2823
|
-
|
|
2824
2940
|
FORCE_BODY = cfg.FORCE_BODY || false; // Default false
|
|
2825
|
-
|
|
2826
2941
|
SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
|
|
2827
|
-
|
|
2828
2942
|
SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
|
|
2829
|
-
|
|
2830
2943
|
KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
|
|
2831
|
-
|
|
2832
2944
|
IN_PLACE = cfg.IN_PLACE || false; // Default false
|
|
2833
|
-
|
|
2834
2945
|
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI;
|
|
2835
2946
|
NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
|
|
2836
2947
|
CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
|
|
2837
|
-
|
|
2838
2948
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
|
|
2839
2949
|
CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
|
|
2840
2950
|
}
|
|
2841
|
-
|
|
2842
2951
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)) {
|
|
2843
2952
|
CUSTOM_ELEMENT_HANDLING.attributeNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck;
|
|
2844
2953
|
}
|
|
2845
|
-
|
|
2846
2954
|
if (cfg.CUSTOM_ELEMENT_HANDLING && typeof cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements === 'boolean') {
|
|
2847
2955
|
CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
|
|
2848
2956
|
}
|
|
2849
|
-
|
|
2850
2957
|
if (SAFE_FOR_TEMPLATES) {
|
|
2851
2958
|
ALLOW_DATA_ATTR = false;
|
|
2852
2959
|
}
|
|
2853
|
-
|
|
2854
2960
|
if (RETURN_DOM_FRAGMENT) {
|
|
2855
2961
|
RETURN_DOM = true;
|
|
2856
2962
|
}
|
|
2857
|
-
/* Parse profile info */
|
|
2858
|
-
|
|
2859
2963
|
|
|
2964
|
+
/* Parse profile info */
|
|
2860
2965
|
if (USE_PROFILES) {
|
|
2861
|
-
ALLOWED_TAGS = addToSet({},
|
|
2966
|
+
ALLOWED_TAGS = addToSet({}, text);
|
|
2862
2967
|
ALLOWED_ATTR = [];
|
|
2863
|
-
|
|
2864
2968
|
if (USE_PROFILES.html === true) {
|
|
2865
2969
|
addToSet(ALLOWED_TAGS, html$1);
|
|
2866
2970
|
addToSet(ALLOWED_ATTR, html);
|
|
2867
2971
|
}
|
|
2868
|
-
|
|
2869
2972
|
if (USE_PROFILES.svg === true) {
|
|
2870
2973
|
addToSet(ALLOWED_TAGS, svg$1);
|
|
2871
2974
|
addToSet(ALLOWED_ATTR, svg);
|
|
2872
2975
|
addToSet(ALLOWED_ATTR, xml);
|
|
2873
2976
|
}
|
|
2874
|
-
|
|
2875
2977
|
if (USE_PROFILES.svgFilters === true) {
|
|
2876
2978
|
addToSet(ALLOWED_TAGS, svgFilters);
|
|
2877
2979
|
addToSet(ALLOWED_ATTR, svg);
|
|
2878
2980
|
addToSet(ALLOWED_ATTR, xml);
|
|
2879
2981
|
}
|
|
2880
|
-
|
|
2881
2982
|
if (USE_PROFILES.mathMl === true) {
|
|
2882
2983
|
addToSet(ALLOWED_TAGS, mathMl$1);
|
|
2883
2984
|
addToSet(ALLOWED_ATTR, mathMl);
|
|
2884
2985
|
addToSet(ALLOWED_ATTR, xml);
|
|
2885
2986
|
}
|
|
2886
2987
|
}
|
|
2887
|
-
/* Merge configuration parameters */
|
|
2888
|
-
|
|
2889
2988
|
|
|
2989
|
+
/* Merge configuration parameters */
|
|
2890
2990
|
if (cfg.ADD_TAGS) {
|
|
2891
2991
|
if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
|
|
2892
2992
|
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
2893
2993
|
}
|
|
2894
|
-
|
|
2895
2994
|
addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
|
|
2896
2995
|
}
|
|
2897
|
-
|
|
2898
2996
|
if (cfg.ADD_ATTR) {
|
|
2899
2997
|
if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
|
|
2900
2998
|
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
2901
2999
|
}
|
|
2902
|
-
|
|
2903
3000
|
addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
|
|
2904
3001
|
}
|
|
2905
|
-
|
|
2906
3002
|
if (cfg.ADD_URI_SAFE_ATTR) {
|
|
2907
3003
|
addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
|
|
2908
3004
|
}
|
|
2909
|
-
|
|
2910
3005
|
if (cfg.FORBID_CONTENTS) {
|
|
2911
3006
|
if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
|
|
2912
3007
|
FORBID_CONTENTS = clone(FORBID_CONTENTS);
|
|
2913
3008
|
}
|
|
2914
|
-
|
|
2915
3009
|
addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
|
|
2916
3010
|
}
|
|
2917
|
-
/* Add #text in case KEEP_CONTENT is set to true */
|
|
2918
|
-
|
|
2919
3011
|
|
|
3012
|
+
/* Add #text in case KEEP_CONTENT is set to true */
|
|
2920
3013
|
if (KEEP_CONTENT) {
|
|
2921
3014
|
ALLOWED_TAGS['#text'] = true;
|
|
2922
3015
|
}
|
|
2923
|
-
/* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */
|
|
2924
|
-
|
|
2925
3016
|
|
|
3017
|
+
/* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */
|
|
2926
3018
|
if (WHOLE_DOCUMENT) {
|
|
2927
3019
|
addToSet(ALLOWED_TAGS, ['html', 'head', 'body']);
|
|
2928
3020
|
}
|
|
2929
|
-
/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */
|
|
2930
|
-
|
|
2931
3021
|
|
|
3022
|
+
/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */
|
|
2932
3023
|
if (ALLOWED_TAGS.table) {
|
|
2933
3024
|
addToSet(ALLOWED_TAGS, ['tbody']);
|
|
2934
3025
|
delete FORBID_TAGS.tbody;
|
|
2935
3026
|
}
|
|
2936
|
-
|
|
2937
3027
|
if (cfg.TRUSTED_TYPES_POLICY) {
|
|
2938
3028
|
if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
|
|
2939
3029
|
throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
|
|
2940
3030
|
}
|
|
2941
|
-
|
|
2942
3031
|
if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
|
|
2943
3032
|
throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
|
|
2944
|
-
}
|
|
2945
|
-
|
|
3033
|
+
}
|
|
2946
3034
|
|
|
2947
|
-
|
|
3035
|
+
// Overwrite existing TrustedTypes policy.
|
|
3036
|
+
trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
|
|
2948
3037
|
|
|
3038
|
+
// Sign local variables required by `sanitize`.
|
|
2949
3039
|
emptyHTML = trustedTypesPolicy.createHTML('');
|
|
2950
3040
|
} else {
|
|
2951
3041
|
// Uninitialized policy, attempt to initialize the internal dompurify policy.
|
|
2952
3042
|
if (trustedTypesPolicy === undefined) {
|
|
2953
3043
|
trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
|
|
2954
|
-
}
|
|
2955
|
-
|
|
3044
|
+
}
|
|
2956
3045
|
|
|
3046
|
+
// If creating the internal policy succeeded sign internal variables.
|
|
2957
3047
|
if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
|
|
2958
3048
|
emptyHTML = trustedTypesPolicy.createHTML('');
|
|
2959
3049
|
}
|
|
2960
|
-
}
|
|
2961
|
-
// Not available in IE8, Safari 5, etc.
|
|
2962
|
-
|
|
3050
|
+
}
|
|
2963
3051
|
|
|
3052
|
+
// Prevent further manipulation of configuration.
|
|
3053
|
+
// Not available in IE8, Safari 5, etc.
|
|
2964
3054
|
if (freeze) {
|
|
2965
3055
|
freeze(cfg);
|
|
2966
3056
|
}
|
|
2967
|
-
|
|
2968
3057
|
CONFIG = cfg;
|
|
2969
3058
|
};
|
|
2970
|
-
|
|
2971
3059
|
const MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
2972
|
-
const HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', '
|
|
3060
|
+
const HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'annotation-xml']);
|
|
3061
|
+
|
|
3062
|
+
// Certain elements are allowed in both SVG and HTML
|
|
2973
3063
|
// namespace. We need to specify them explicitly
|
|
2974
3064
|
// so that they don't get erroneously deleted from
|
|
2975
3065
|
// HTML namespace.
|
|
2976
|
-
|
|
2977
3066
|
const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
|
|
3067
|
+
|
|
2978
3068
|
/* Keep track of all possible SVG and MathML tags
|
|
2979
3069
|
* so that we can perform the namespace checks
|
|
2980
3070
|
* correctly. */
|
|
3071
|
+
const ALL_SVG_TAGS = addToSet({}, [...svg$1, ...svgFilters, ...svgDisallowed]);
|
|
3072
|
+
const ALL_MATHML_TAGS = addToSet({}, [...mathMl$1, ...mathMlDisallowed]);
|
|
2981
3073
|
|
|
2982
|
-
const ALL_SVG_TAGS = addToSet({}, svg$1);
|
|
2983
|
-
addToSet(ALL_SVG_TAGS, svgFilters);
|
|
2984
|
-
addToSet(ALL_SVG_TAGS, svgDisallowed);
|
|
2985
|
-
const ALL_MATHML_TAGS = addToSet({}, mathMl$1);
|
|
2986
|
-
addToSet(ALL_MATHML_TAGS, mathMlDisallowed);
|
|
2987
3074
|
/**
|
|
2988
|
-
*
|
|
2989
|
-
*
|
|
2990
3075
|
* @param {Element} element a DOM element whose namespace is being checked
|
|
2991
3076
|
* @returns {boolean} Return false if the element has a
|
|
2992
3077
|
* namespace that a spec-compliant parser would never
|
|
2993
3078
|
* return. Return true otherwise.
|
|
2994
3079
|
*/
|
|
2995
|
-
|
|
2996
3080
|
const _checkValidNamespace = function _checkValidNamespace(element) {
|
|
2997
|
-
let parent = getParentNode(element);
|
|
2998
|
-
// can be null. We just simulate parent in this case.
|
|
3081
|
+
let parent = getParentNode(element);
|
|
2999
3082
|
|
|
3083
|
+
// In JSDOM, if we're inside shadow DOM, then parentNode
|
|
3084
|
+
// can be null. We just simulate parent in this case.
|
|
3000
3085
|
if (!parent || !parent.tagName) {
|
|
3001
3086
|
parent = {
|
|
3002
3087
|
namespaceURI: NAMESPACE,
|
|
3003
3088
|
tagName: 'template'
|
|
3004
3089
|
};
|
|
3005
3090
|
}
|
|
3006
|
-
|
|
3007
3091
|
const tagName = stringToLowerCase(element.tagName);
|
|
3008
3092
|
const parentTagName = stringToLowerCase(parent.tagName);
|
|
3009
|
-
|
|
3010
3093
|
if (!ALLOWED_NAMESPACES[element.namespaceURI]) {
|
|
3011
3094
|
return false;
|
|
3012
3095
|
}
|
|
3013
|
-
|
|
3014
3096
|
if (element.namespaceURI === SVG_NAMESPACE) {
|
|
3015
3097
|
// The only way to switch from HTML namespace to SVG
|
|
3016
3098
|
// is via <svg>. If it happens via any other tag, then
|
|
3017
3099
|
// it should be killed.
|
|
3018
3100
|
if (parent.namespaceURI === HTML_NAMESPACE) {
|
|
3019
3101
|
return tagName === 'svg';
|
|
3020
|
-
}
|
|
3102
|
+
}
|
|
3103
|
+
|
|
3104
|
+
// The only way to switch from MathML to SVG is via`
|
|
3021
3105
|
// svg if parent is either <annotation-xml> or MathML
|
|
3022
3106
|
// text integration points.
|
|
3023
|
-
|
|
3024
|
-
|
|
3025
3107
|
if (parent.namespaceURI === MATHML_NAMESPACE) {
|
|
3026
3108
|
return tagName === 'svg' && (parentTagName === 'annotation-xml' || MATHML_TEXT_INTEGRATION_POINTS[parentTagName]);
|
|
3027
|
-
}
|
|
3028
|
-
// spec. All others are disallowed in SVG namespace.
|
|
3029
|
-
|
|
3109
|
+
}
|
|
3030
3110
|
|
|
3111
|
+
// We only allow elements that are defined in SVG
|
|
3112
|
+
// spec. All others are disallowed in SVG namespace.
|
|
3031
3113
|
return Boolean(ALL_SVG_TAGS[tagName]);
|
|
3032
3114
|
}
|
|
3033
|
-
|
|
3034
3115
|
if (element.namespaceURI === MATHML_NAMESPACE) {
|
|
3035
3116
|
// The only way to switch from HTML namespace to MathML
|
|
3036
3117
|
// is via <math>. If it happens via any other tag, then
|
|
3037
3118
|
// it should be killed.
|
|
3038
3119
|
if (parent.namespaceURI === HTML_NAMESPACE) {
|
|
3039
3120
|
return tagName === 'math';
|
|
3040
|
-
}
|
|
3041
|
-
// <math> and HTML integration points
|
|
3042
|
-
|
|
3121
|
+
}
|
|
3043
3122
|
|
|
3123
|
+
// The only way to switch from SVG to MathML is via
|
|
3124
|
+
// <math> and HTML integration points
|
|
3044
3125
|
if (parent.namespaceURI === SVG_NAMESPACE) {
|
|
3045
3126
|
return tagName === 'math' && HTML_INTEGRATION_POINTS[parentTagName];
|
|
3046
|
-
}
|
|
3047
|
-
// spec. All others are disallowed in MathML namespace.
|
|
3048
|
-
|
|
3127
|
+
}
|
|
3049
3128
|
|
|
3129
|
+
// We only allow elements that are defined in MathML
|
|
3130
|
+
// spec. All others are disallowed in MathML namespace.
|
|
3050
3131
|
return Boolean(ALL_MATHML_TAGS[tagName]);
|
|
3051
3132
|
}
|
|
3052
|
-
|
|
3053
3133
|
if (element.namespaceURI === HTML_NAMESPACE) {
|
|
3054
3134
|
// The only way to switch from SVG to HTML is via
|
|
3055
3135
|
// HTML integration points, and from MathML to HTML
|
|
@@ -3057,54 +3137,50 @@ function createDOMPurify() {
|
|
|
3057
3137
|
if (parent.namespaceURI === SVG_NAMESPACE && !HTML_INTEGRATION_POINTS[parentTagName]) {
|
|
3058
3138
|
return false;
|
|
3059
3139
|
}
|
|
3060
|
-
|
|
3061
3140
|
if (parent.namespaceURI === MATHML_NAMESPACE && !MATHML_TEXT_INTEGRATION_POINTS[parentTagName]) {
|
|
3062
3141
|
return false;
|
|
3063
|
-
}
|
|
3064
|
-
// or SVG and should never appear in HTML namespace
|
|
3065
|
-
|
|
3142
|
+
}
|
|
3066
3143
|
|
|
3144
|
+
// We disallow tags that are specific for MathML
|
|
3145
|
+
// or SVG and should never appear in HTML namespace
|
|
3067
3146
|
return !ALL_MATHML_TAGS[tagName] && (COMMON_SVG_AND_HTML_ELEMENTS[tagName] || !ALL_SVG_TAGS[tagName]);
|
|
3068
|
-
}
|
|
3069
|
-
|
|
3147
|
+
}
|
|
3070
3148
|
|
|
3149
|
+
// For XHTML and XML documents that support custom namespaces
|
|
3071
3150
|
if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && ALLOWED_NAMESPACES[element.namespaceURI]) {
|
|
3072
3151
|
return true;
|
|
3073
|
-
}
|
|
3152
|
+
}
|
|
3153
|
+
|
|
3154
|
+
// The code should never reach this place (this means
|
|
3074
3155
|
// that the element somehow got namespace that is not
|
|
3075
3156
|
// HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).
|
|
3076
3157
|
// Return false just in case.
|
|
3077
|
-
|
|
3078
|
-
|
|
3079
3158
|
return false;
|
|
3080
3159
|
};
|
|
3160
|
+
|
|
3081
3161
|
/**
|
|
3082
3162
|
* _forceRemove
|
|
3083
3163
|
*
|
|
3084
3164
|
* @param {Node} node a DOM node
|
|
3085
3165
|
*/
|
|
3086
|
-
|
|
3087
|
-
|
|
3088
3166
|
const _forceRemove = function _forceRemove(node) {
|
|
3089
3167
|
arrayPush(DOMPurify.removed, {
|
|
3090
3168
|
element: node
|
|
3091
3169
|
});
|
|
3092
|
-
|
|
3093
3170
|
try {
|
|
3094
3171
|
// eslint-disable-next-line unicorn/prefer-dom-node-remove
|
|
3095
|
-
node.
|
|
3172
|
+
getParentNode(node).removeChild(node);
|
|
3096
3173
|
} catch (_) {
|
|
3097
|
-
|
|
3174
|
+
remove(node);
|
|
3098
3175
|
}
|
|
3099
3176
|
};
|
|
3177
|
+
|
|
3100
3178
|
/**
|
|
3101
3179
|
* _removeAttribute
|
|
3102
3180
|
*
|
|
3103
3181
|
* @param {String} name an Attribute name
|
|
3104
3182
|
* @param {Node} node a DOM node
|
|
3105
3183
|
*/
|
|
3106
|
-
|
|
3107
|
-
|
|
3108
3184
|
const _removeAttribute = function _removeAttribute(name, node) {
|
|
3109
3185
|
try {
|
|
3110
3186
|
arrayPush(DOMPurify.removed, {
|
|
@@ -3117,9 +3193,9 @@ function createDOMPurify() {
|
|
|
3117
3193
|
from: node
|
|
3118
3194
|
});
|
|
3119
3195
|
}
|
|
3196
|
+
node.removeAttribute(name);
|
|
3120
3197
|
|
|
3121
|
-
|
|
3122
|
-
|
|
3198
|
+
// We void attribute values for unremovable "is"" attributes
|
|
3123
3199
|
if (name === 'is' && !ALLOWED_ATTR[name]) {
|
|
3124
3200
|
if (RETURN_DOM || RETURN_DOM_FRAGMENT) {
|
|
3125
3201
|
try {
|
|
@@ -3132,19 +3208,17 @@ function createDOMPurify() {
|
|
|
3132
3208
|
}
|
|
3133
3209
|
}
|
|
3134
3210
|
};
|
|
3211
|
+
|
|
3135
3212
|
/**
|
|
3136
3213
|
* _initDocument
|
|
3137
3214
|
*
|
|
3138
3215
|
* @param {String} dirty a string of dirty markup
|
|
3139
3216
|
* @return {Document} a DOM, filled with the dirty markup
|
|
3140
3217
|
*/
|
|
3141
|
-
|
|
3142
|
-
|
|
3143
3218
|
const _initDocument = function _initDocument(dirty) {
|
|
3144
3219
|
/* Create a HTML document */
|
|
3145
|
-
let doc;
|
|
3146
|
-
let leadingWhitespace;
|
|
3147
|
-
|
|
3220
|
+
let doc = null;
|
|
3221
|
+
let leadingWhitespace = null;
|
|
3148
3222
|
if (FORCE_BODY) {
|
|
3149
3223
|
dirty = '<remove></remove>' + dirty;
|
|
3150
3224
|
} else {
|
|
@@ -3152,83 +3226,74 @@ function createDOMPurify() {
|
|
|
3152
3226
|
const matches = stringMatch(dirty, /^[\r\n\t ]+/);
|
|
3153
3227
|
leadingWhitespace = matches && matches[0];
|
|
3154
3228
|
}
|
|
3155
|
-
|
|
3156
3229
|
if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && NAMESPACE === HTML_NAMESPACE) {
|
|
3157
3230
|
// Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)
|
|
3158
3231
|
dirty = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + dirty + '</body></html>';
|
|
3159
3232
|
}
|
|
3160
|
-
|
|
3161
3233
|
const dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
|
|
3162
3234
|
/*
|
|
3163
3235
|
* Use the DOMParser API by default, fallback later if needs be
|
|
3164
3236
|
* DOMParser not work for svg when has multiple root element.
|
|
3165
3237
|
*/
|
|
3166
|
-
|
|
3167
3238
|
if (NAMESPACE === HTML_NAMESPACE) {
|
|
3168
3239
|
try {
|
|
3169
3240
|
doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);
|
|
3170
3241
|
} catch (_) {}
|
|
3171
3242
|
}
|
|
3172
|
-
/* Use createHTMLDocument in case DOMParser is not available */
|
|
3173
|
-
|
|
3174
3243
|
|
|
3244
|
+
/* Use createHTMLDocument in case DOMParser is not available */
|
|
3175
3245
|
if (!doc || !doc.documentElement) {
|
|
3176
3246
|
doc = implementation.createDocument(NAMESPACE, 'template', null);
|
|
3177
|
-
|
|
3178
3247
|
try {
|
|
3179
3248
|
doc.documentElement.innerHTML = IS_EMPTY_INPUT ? emptyHTML : dirtyPayload;
|
|
3180
|
-
} catch (_) {
|
|
3249
|
+
} catch (_) {
|
|
3250
|
+
// Syntax error if dirtyPayload is invalid xml
|
|
3181
3251
|
}
|
|
3182
3252
|
}
|
|
3183
|
-
|
|
3184
3253
|
const body = doc.body || doc.documentElement;
|
|
3185
|
-
|
|
3186
3254
|
if (dirty && leadingWhitespace) {
|
|
3187
3255
|
body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);
|
|
3188
3256
|
}
|
|
3189
|
-
/* Work on whole document or just its body */
|
|
3190
|
-
|
|
3191
3257
|
|
|
3258
|
+
/* Work on whole document or just its body */
|
|
3192
3259
|
if (NAMESPACE === HTML_NAMESPACE) {
|
|
3193
3260
|
return getElementsByTagName.call(doc, WHOLE_DOCUMENT ? 'html' : 'body')[0];
|
|
3194
3261
|
}
|
|
3195
|
-
|
|
3196
3262
|
return WHOLE_DOCUMENT ? doc.documentElement : body;
|
|
3197
3263
|
};
|
|
3264
|
+
|
|
3198
3265
|
/**
|
|
3199
|
-
*
|
|
3266
|
+
* Creates a NodeIterator object that you can use to traverse filtered lists of nodes or elements in a document.
|
|
3200
3267
|
*
|
|
3201
|
-
* @param {
|
|
3202
|
-
* @return {
|
|
3268
|
+
* @param {Node} root The root element or node to start traversing on.
|
|
3269
|
+
* @return {NodeIterator} The created NodeIterator
|
|
3203
3270
|
*/
|
|
3204
|
-
|
|
3205
|
-
|
|
3206
|
-
|
|
3207
|
-
|
|
3208
|
-
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null, false);
|
|
3271
|
+
const _createNodeIterator = function _createNodeIterator(root) {
|
|
3272
|
+
return createNodeIterator.call(root.ownerDocument || root, root,
|
|
3273
|
+
// eslint-disable-next-line no-bitwise
|
|
3274
|
+
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
|
|
3209
3275
|
};
|
|
3276
|
+
|
|
3210
3277
|
/**
|
|
3211
3278
|
* _isClobbered
|
|
3212
3279
|
*
|
|
3213
3280
|
* @param {Node} elm element to check for clobbering attacks
|
|
3214
3281
|
* @return {Boolean} true if clobbered, false if safe
|
|
3215
3282
|
*/
|
|
3216
|
-
|
|
3217
|
-
|
|
3218
3283
|
const _isClobbered = function _isClobbered(elm) {
|
|
3219
3284
|
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
3220
3285
|
};
|
|
3286
|
+
|
|
3221
3287
|
/**
|
|
3222
|
-
*
|
|
3288
|
+
* Checks whether the given object is a DOM node.
|
|
3223
3289
|
*
|
|
3224
|
-
* @param {Node}
|
|
3290
|
+
* @param {Node} object object to check whether it's a DOM node
|
|
3225
3291
|
* @return {Boolean} true is object is a DOM node
|
|
3226
3292
|
*/
|
|
3227
|
-
|
|
3228
|
-
|
|
3229
3293
|
const _isNode = function _isNode(object) {
|
|
3230
|
-
return typeof Node === '
|
|
3294
|
+
return typeof Node === 'function' && object instanceof Node;
|
|
3231
3295
|
};
|
|
3296
|
+
|
|
3232
3297
|
/**
|
|
3233
3298
|
* _executeHook
|
|
3234
3299
|
* Execute user configurable hooks
|
|
@@ -3237,17 +3302,15 @@ function createDOMPurify() {
|
|
|
3237
3302
|
* @param {Node} currentNode node to work on with the hook
|
|
3238
3303
|
* @param {Object} data additional hook parameters
|
|
3239
3304
|
*/
|
|
3240
|
-
|
|
3241
|
-
|
|
3242
3305
|
const _executeHook = function _executeHook(entryPoint, currentNode, data) {
|
|
3243
3306
|
if (!hooks[entryPoint]) {
|
|
3244
3307
|
return;
|
|
3245
3308
|
}
|
|
3246
|
-
|
|
3247
3309
|
arrayForEach(hooks[entryPoint], hook => {
|
|
3248
3310
|
hook.call(DOMPurify, currentNode, data, CONFIG);
|
|
3249
3311
|
});
|
|
3250
3312
|
};
|
|
3313
|
+
|
|
3251
3314
|
/**
|
|
3252
3315
|
* _sanitizeElements
|
|
3253
3316
|
*
|
|
@@ -3258,94 +3321,93 @@ function createDOMPurify() {
|
|
|
3258
3321
|
* @param {Node} currentNode to check for permission to exist
|
|
3259
3322
|
* @return {Boolean} true if node was killed, false if left alive
|
|
3260
3323
|
*/
|
|
3261
|
-
|
|
3262
|
-
|
|
3263
3324
|
const _sanitizeElements = function _sanitizeElements(currentNode) {
|
|
3264
|
-
let content;
|
|
3265
|
-
/* Execute a hook if present */
|
|
3325
|
+
let content = null;
|
|
3266
3326
|
|
|
3327
|
+
/* Execute a hook if present */
|
|
3267
3328
|
_executeHook('beforeSanitizeElements', currentNode, null);
|
|
3268
|
-
/* Check if element is clobbered or can clobber */
|
|
3269
|
-
|
|
3270
3329
|
|
|
3330
|
+
/* Check if element is clobbered or can clobber */
|
|
3271
3331
|
if (_isClobbered(currentNode)) {
|
|
3272
3332
|
_forceRemove(currentNode);
|
|
3273
|
-
|
|
3274
3333
|
return true;
|
|
3275
3334
|
}
|
|
3276
|
-
/* Now let's check the element's type and name */
|
|
3277
|
-
|
|
3278
3335
|
|
|
3336
|
+
/* Now let's check the element's type and name */
|
|
3279
3337
|
const tagName = transformCaseFunc(currentNode.nodeName);
|
|
3280
|
-
/* Execute a hook if present */
|
|
3281
3338
|
|
|
3339
|
+
/* Execute a hook if present */
|
|
3282
3340
|
_executeHook('uponSanitizeElement', currentNode, {
|
|
3283
3341
|
tagName,
|
|
3284
3342
|
allowedTags: ALLOWED_TAGS
|
|
3285
3343
|
});
|
|
3286
|
-
/* Detect mXSS attempts abusing namespace confusion */
|
|
3287
|
-
|
|
3288
3344
|
|
|
3289
|
-
|
|
3345
|
+
/* Detect mXSS attempts abusing namespace confusion */
|
|
3346
|
+
if (currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w]/g, currentNode.innerHTML) && regExpTest(/<[/\w]/g, currentNode.textContent)) {
|
|
3290
3347
|
_forceRemove(currentNode);
|
|
3348
|
+
return true;
|
|
3349
|
+
}
|
|
3291
3350
|
|
|
3351
|
+
/* Remove any occurrence of processing instructions */
|
|
3352
|
+
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
|
|
3353
|
+
_forceRemove(currentNode);
|
|
3292
3354
|
return true;
|
|
3293
3355
|
}
|
|
3294
|
-
/* Remove element if anything forbids its presence */
|
|
3295
3356
|
|
|
3357
|
+
/* Remove any kind of possibly harmful comments */
|
|
3358
|
+
if (SAFE_FOR_XML && currentNode.nodeType === NODE_TYPE.comment && regExpTest(/<[/\w]/g, currentNode.data)) {
|
|
3359
|
+
_forceRemove(currentNode);
|
|
3360
|
+
return true;
|
|
3361
|
+
}
|
|
3296
3362
|
|
|
3363
|
+
/* Remove element if anything forbids its presence */
|
|
3297
3364
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
3298
3365
|
/* Check if we have a custom element to handle */
|
|
3299
|
-
if (!FORBID_TAGS[tagName] &&
|
|
3300
|
-
if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName))
|
|
3301
|
-
|
|
3366
|
+
if (!FORBID_TAGS[tagName] && _isBasicCustomElement(tagName)) {
|
|
3367
|
+
if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName)) {
|
|
3368
|
+
return false;
|
|
3369
|
+
}
|
|
3370
|
+
if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(tagName)) {
|
|
3371
|
+
return false;
|
|
3372
|
+
}
|
|
3302
3373
|
}
|
|
3303
|
-
/* Keep content except for bad-listed elements */
|
|
3304
|
-
|
|
3305
3374
|
|
|
3375
|
+
/* Keep content except for bad-listed elements */
|
|
3306
3376
|
if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
|
|
3307
3377
|
const parentNode = getParentNode(currentNode) || currentNode.parentNode;
|
|
3308
3378
|
const childNodes = getChildNodes(currentNode) || currentNode.childNodes;
|
|
3309
|
-
|
|
3310
3379
|
if (childNodes && parentNode) {
|
|
3311
3380
|
const childCount = childNodes.length;
|
|
3312
|
-
|
|
3313
3381
|
for (let i = childCount - 1; i >= 0; --i) {
|
|
3314
|
-
|
|
3382
|
+
const childClone = cloneNode(childNodes[i], true);
|
|
3383
|
+
childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
|
|
3384
|
+
parentNode.insertBefore(childClone, getNextSibling(currentNode));
|
|
3315
3385
|
}
|
|
3316
3386
|
}
|
|
3317
3387
|
}
|
|
3318
|
-
|
|
3319
3388
|
_forceRemove(currentNode);
|
|
3320
|
-
|
|
3321
3389
|
return true;
|
|
3322
3390
|
}
|
|
3323
|
-
/* Check whether element has a valid namespace */
|
|
3324
|
-
|
|
3325
3391
|
|
|
3392
|
+
/* Check whether element has a valid namespace */
|
|
3326
3393
|
if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {
|
|
3327
3394
|
_forceRemove(currentNode);
|
|
3328
|
-
|
|
3329
3395
|
return true;
|
|
3330
3396
|
}
|
|
3331
|
-
/* Make sure that older browsers don't get fallback-tag mXSS */
|
|
3332
|
-
|
|
3333
3397
|
|
|
3398
|
+
/* Make sure that older browsers don't get fallback-tag mXSS */
|
|
3334
3399
|
if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
|
|
3335
3400
|
_forceRemove(currentNode);
|
|
3336
|
-
|
|
3337
3401
|
return true;
|
|
3338
3402
|
}
|
|
3339
|
-
/* Sanitize element content to be template-safe */
|
|
3340
|
-
|
|
3341
3403
|
|
|
3342
|
-
|
|
3404
|
+
/* Sanitize element content to be template-safe */
|
|
3405
|
+
if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
|
|
3343
3406
|
/* Get the element's text content */
|
|
3344
3407
|
content = currentNode.textContent;
|
|
3345
|
-
|
|
3346
|
-
|
|
3347
|
-
|
|
3348
|
-
|
|
3408
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
|
|
3409
|
+
content = stringReplace(content, expr, ' ');
|
|
3410
|
+
});
|
|
3349
3411
|
if (currentNode.textContent !== content) {
|
|
3350
3412
|
arrayPush(DOMPurify.removed, {
|
|
3351
3413
|
element: currentNode.cloneNode()
|
|
@@ -3353,13 +3415,12 @@ function createDOMPurify() {
|
|
|
3353
3415
|
currentNode.textContent = content;
|
|
3354
3416
|
}
|
|
3355
3417
|
}
|
|
3356
|
-
/* Execute a hook if present */
|
|
3357
|
-
|
|
3358
3418
|
|
|
3419
|
+
/* Execute a hook if present */
|
|
3359
3420
|
_executeHook('afterSanitizeElements', currentNode, null);
|
|
3360
|
-
|
|
3361
3421
|
return false;
|
|
3362
3422
|
};
|
|
3423
|
+
|
|
3363
3424
|
/**
|
|
3364
3425
|
* _isValidAttribute
|
|
3365
3426
|
*
|
|
@@ -3369,47 +3430,46 @@ function createDOMPurify() {
|
|
|
3369
3430
|
* @return {Boolean} Returns true if `value` is valid, otherwise false.
|
|
3370
3431
|
*/
|
|
3371
3432
|
// eslint-disable-next-line complexity
|
|
3372
|
-
|
|
3373
|
-
|
|
3374
3433
|
const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
3375
3434
|
/* Make sure attribute cannot clobber */
|
|
3376
3435
|
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
3377
3436
|
return false;
|
|
3378
3437
|
}
|
|
3438
|
+
|
|
3379
3439
|
/* Allow valid data-* attributes: At least one character after "-"
|
|
3380
3440
|
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
|
|
3381
3441
|
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
|
|
3382
3442
|
We don't need to check the value; it's always URI safe. */
|
|
3383
|
-
|
|
3384
|
-
|
|
3385
3443
|
if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
|
|
3386
|
-
if (
|
|
3444
|
+
if (
|
|
3445
|
+
// First condition does a very basic check if a) it's basically a valid custom element tagname AND
|
|
3387
3446
|
// b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
|
|
3388
3447
|
// and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck
|
|
3389
|
-
|
|
3448
|
+
_isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) ||
|
|
3449
|
+
// Alternative, second condition checks if it's an `is`-attribute, AND
|
|
3390
3450
|
// the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
|
|
3391
3451
|
lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else {
|
|
3392
3452
|
return false;
|
|
3393
3453
|
}
|
|
3394
3454
|
/* Check value is safe. First, is attr inert? If so, is safe */
|
|
3395
|
-
|
|
3396
3455
|
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {
|
|
3397
3456
|
return false;
|
|
3398
3457
|
} else ;
|
|
3399
|
-
|
|
3400
3458
|
return true;
|
|
3401
3459
|
};
|
|
3460
|
+
|
|
3402
3461
|
/**
|
|
3403
|
-
*
|
|
3462
|
+
* _isBasicCustomElement
|
|
3404
3463
|
* checks if at least one dash is included in tagName, and it's not the first char
|
|
3405
3464
|
* for more sophisticated checking see https://github.com/sindresorhus/validate-element-name
|
|
3465
|
+
*
|
|
3406
3466
|
* @param {string} tagName name of the tag of the node to sanitize
|
|
3467
|
+
* @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
|
|
3407
3468
|
*/
|
|
3408
|
-
|
|
3409
|
-
|
|
3410
|
-
const _basicCustomElementTest = function _basicCustomElementTest(tagName) {
|
|
3411
|
-
return tagName.indexOf('-') > 0;
|
|
3469
|
+
const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
|
|
3470
|
+
return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
|
|
3412
3471
|
};
|
|
3472
|
+
|
|
3413
3473
|
/**
|
|
3414
3474
|
* _sanitizeAttributes
|
|
3415
3475
|
*
|
|
@@ -3420,107 +3480,94 @@ function createDOMPurify() {
|
|
|
3420
3480
|
*
|
|
3421
3481
|
* @param {Node} currentNode to sanitize
|
|
3422
3482
|
*/
|
|
3423
|
-
|
|
3424
|
-
|
|
3425
3483
|
const _sanitizeAttributes = function _sanitizeAttributes(currentNode) {
|
|
3426
|
-
let attr;
|
|
3427
|
-
let value;
|
|
3428
|
-
let lcName;
|
|
3429
|
-
let l;
|
|
3430
3484
|
/* Execute a hook if present */
|
|
3431
|
-
|
|
3432
3485
|
_executeHook('beforeSanitizeAttributes', currentNode, null);
|
|
3433
|
-
|
|
3434
3486
|
const {
|
|
3435
3487
|
attributes
|
|
3436
3488
|
} = currentNode;
|
|
3437
|
-
/* Check if we have attributes; if not we might have a text node */
|
|
3438
3489
|
|
|
3490
|
+
/* Check if we have attributes; if not we might have a text node */
|
|
3439
3491
|
if (!attributes) {
|
|
3440
3492
|
return;
|
|
3441
3493
|
}
|
|
3442
|
-
|
|
3443
3494
|
const hookEvent = {
|
|
3444
3495
|
attrName: '',
|
|
3445
3496
|
attrValue: '',
|
|
3446
3497
|
keepAttr: true,
|
|
3447
3498
|
allowedAttributes: ALLOWED_ATTR
|
|
3448
3499
|
};
|
|
3449
|
-
l = attributes.length;
|
|
3450
|
-
/* Go backwards over all attributes; safely remove bad ones */
|
|
3500
|
+
let l = attributes.length;
|
|
3451
3501
|
|
|
3502
|
+
/* Go backwards over all attributes; safely remove bad ones */
|
|
3452
3503
|
while (l--) {
|
|
3453
|
-
attr = attributes[l];
|
|
3504
|
+
const attr = attributes[l];
|
|
3454
3505
|
const {
|
|
3455
3506
|
name,
|
|
3456
|
-
namespaceURI
|
|
3507
|
+
namespaceURI,
|
|
3508
|
+
value: attrValue
|
|
3457
3509
|
} = attr;
|
|
3458
|
-
|
|
3459
|
-
|
|
3460
|
-
/* Execute a hook if present */
|
|
3510
|
+
const lcName = transformCaseFunc(name);
|
|
3511
|
+
let value = name === 'value' ? attrValue : stringTrim(attrValue);
|
|
3461
3512
|
|
|
3513
|
+
/* Execute a hook if present */
|
|
3462
3514
|
hookEvent.attrName = lcName;
|
|
3463
3515
|
hookEvent.attrValue = value;
|
|
3464
3516
|
hookEvent.keepAttr = true;
|
|
3465
3517
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
3466
|
-
|
|
3467
3518
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
3468
|
-
|
|
3469
3519
|
value = hookEvent.attrValue;
|
|
3470
|
-
/* Did the hooks approve of the attribute? */
|
|
3471
3520
|
|
|
3472
|
-
|
|
3521
|
+
/* Work around a security issue with comments inside attributes */
|
|
3522
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
3523
|
+
_removeAttribute(name, currentNode);
|
|
3473
3524
|
continue;
|
|
3474
3525
|
}
|
|
3475
|
-
/* Remove attribute */
|
|
3476
|
-
|
|
3477
3526
|
|
|
3478
|
-
_removeAttribute(name, currentNode);
|
|
3479
3527
|
/* Did the hooks approve of the attribute? */
|
|
3528
|
+
if (hookEvent.forceKeepAttr) {
|
|
3529
|
+
continue;
|
|
3530
|
+
}
|
|
3480
3531
|
|
|
3532
|
+
/* Remove attribute */
|
|
3533
|
+
_removeAttribute(name, currentNode);
|
|
3481
3534
|
|
|
3535
|
+
/* Did the hooks approve of the attribute? */
|
|
3482
3536
|
if (!hookEvent.keepAttr) {
|
|
3483
3537
|
continue;
|
|
3484
3538
|
}
|
|
3485
|
-
/* Work around a security issue in jQuery 3.0 */
|
|
3486
|
-
|
|
3487
3539
|
|
|
3540
|
+
/* Work around a security issue in jQuery 3.0 */
|
|
3488
3541
|
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
|
|
3489
3542
|
_removeAttribute(name, currentNode);
|
|
3490
|
-
|
|
3491
3543
|
continue;
|
|
3492
3544
|
}
|
|
3493
|
-
/* Sanitize attribute content to be template-safe */
|
|
3494
|
-
|
|
3495
3545
|
|
|
3546
|
+
/* Sanitize attribute content to be template-safe */
|
|
3496
3547
|
if (SAFE_FOR_TEMPLATES) {
|
|
3497
|
-
|
|
3498
|
-
|
|
3499
|
-
|
|
3548
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
|
|
3549
|
+
value = stringReplace(value, expr, ' ');
|
|
3550
|
+
});
|
|
3500
3551
|
}
|
|
3501
|
-
/* Is `value` valid for this attribute? */
|
|
3502
|
-
|
|
3503
3552
|
|
|
3553
|
+
/* Is `value` valid for this attribute? */
|
|
3504
3554
|
const lcTag = transformCaseFunc(currentNode.nodeName);
|
|
3505
|
-
|
|
3506
3555
|
if (!_isValidAttribute(lcTag, lcName, value)) {
|
|
3507
3556
|
continue;
|
|
3508
3557
|
}
|
|
3558
|
+
|
|
3509
3559
|
/* Full DOM Clobbering protection via namespace isolation,
|
|
3510
3560
|
* Prefix id and name attributes with `user-content-`
|
|
3511
3561
|
*/
|
|
3512
|
-
|
|
3513
|
-
|
|
3514
3562
|
if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
|
|
3515
3563
|
// Remove the attribute with this value
|
|
3516
|
-
_removeAttribute(name, currentNode);
|
|
3517
|
-
|
|
3564
|
+
_removeAttribute(name, currentNode);
|
|
3518
3565
|
|
|
3566
|
+
// Prefix the value and later re-create the attribute with the sanitized value
|
|
3519
3567
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
3520
3568
|
}
|
|
3521
|
-
/* Handle attributes that require Trusted Types */
|
|
3522
|
-
|
|
3523
3569
|
|
|
3570
|
+
/* Handle attributes that require Trusted Types */
|
|
3524
3571
|
if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
3525
3572
|
if (namespaceURI) ; else {
|
|
3526
3573
|
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
@@ -3529,7 +3576,6 @@ function createDOMPurify() {
|
|
|
3529
3576
|
value = trustedTypesPolicy.createHTML(value);
|
|
3530
3577
|
break;
|
|
3531
3578
|
}
|
|
3532
|
-
|
|
3533
3579
|
case 'TrustedScriptURL':
|
|
3534
3580
|
{
|
|
3535
3581
|
value = trustedTypesPolicy.createScriptURL(value);
|
|
@@ -3538,9 +3584,8 @@ function createDOMPurify() {
|
|
|
3538
3584
|
}
|
|
3539
3585
|
}
|
|
3540
3586
|
}
|
|
3541
|
-
/* Handle invalid data-* attribute set by try-catching it */
|
|
3542
|
-
|
|
3543
3587
|
|
|
3588
|
+
/* Handle invalid data-* attribute set by try-catching it */
|
|
3544
3589
|
try {
|
|
3545
3590
|
if (namespaceURI) {
|
|
3546
3591
|
currentNode.setAttributeNS(namespaceURI, name, value);
|
|
@@ -3548,88 +3593,77 @@ function createDOMPurify() {
|
|
|
3548
3593
|
/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
|
|
3549
3594
|
currentNode.setAttribute(name, value);
|
|
3550
3595
|
}
|
|
3551
|
-
|
|
3552
|
-
|
|
3596
|
+
if (_isClobbered(currentNode)) {
|
|
3597
|
+
_forceRemove(currentNode);
|
|
3598
|
+
} else {
|
|
3599
|
+
arrayPop(DOMPurify.removed);
|
|
3600
|
+
}
|
|
3553
3601
|
} catch (_) {}
|
|
3554
3602
|
}
|
|
3555
|
-
/* Execute a hook if present */
|
|
3556
|
-
|
|
3557
3603
|
|
|
3604
|
+
/* Execute a hook if present */
|
|
3558
3605
|
_executeHook('afterSanitizeAttributes', currentNode, null);
|
|
3559
3606
|
};
|
|
3607
|
+
|
|
3560
3608
|
/**
|
|
3561
3609
|
* _sanitizeShadowDOM
|
|
3562
3610
|
*
|
|
3563
3611
|
* @param {DocumentFragment} fragment to iterate over recursively
|
|
3564
3612
|
*/
|
|
3565
|
-
|
|
3566
|
-
|
|
3567
3613
|
const _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {
|
|
3568
|
-
let shadowNode;
|
|
3614
|
+
let shadowNode = null;
|
|
3615
|
+
const shadowIterator = _createNodeIterator(fragment);
|
|
3569
3616
|
|
|
3570
|
-
const shadowIterator = _createIterator(fragment);
|
|
3571
3617
|
/* Execute a hook if present */
|
|
3572
|
-
|
|
3573
|
-
|
|
3574
3618
|
_executeHook('beforeSanitizeShadowDOM', fragment, null);
|
|
3575
|
-
|
|
3576
3619
|
while (shadowNode = shadowIterator.nextNode()) {
|
|
3577
3620
|
/* Execute a hook if present */
|
|
3578
3621
|
_executeHook('uponSanitizeShadowNode', shadowNode, null);
|
|
3579
|
-
/* Sanitize tags and elements */
|
|
3580
|
-
|
|
3581
3622
|
|
|
3623
|
+
/* Sanitize tags and elements */
|
|
3582
3624
|
if (_sanitizeElements(shadowNode)) {
|
|
3583
3625
|
continue;
|
|
3584
3626
|
}
|
|
3585
|
-
/* Deep shadow DOM detected */
|
|
3586
|
-
|
|
3587
3627
|
|
|
3628
|
+
/* Deep shadow DOM detected */
|
|
3588
3629
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
3589
3630
|
_sanitizeShadowDOM(shadowNode.content);
|
|
3590
3631
|
}
|
|
3591
|
-
/* Check attributes, sanitize if necessary */
|
|
3592
|
-
|
|
3593
3632
|
|
|
3633
|
+
/* Check attributes, sanitize if necessary */
|
|
3594
3634
|
_sanitizeAttributes(shadowNode);
|
|
3595
3635
|
}
|
|
3596
|
-
/* Execute a hook if present */
|
|
3597
|
-
|
|
3598
3636
|
|
|
3637
|
+
/* Execute a hook if present */
|
|
3599
3638
|
_executeHook('afterSanitizeShadowDOM', fragment, null);
|
|
3600
3639
|
};
|
|
3640
|
+
|
|
3601
3641
|
/**
|
|
3602
3642
|
* Sanitize
|
|
3603
3643
|
* Public method providing core sanitation functionality
|
|
3604
3644
|
*
|
|
3605
3645
|
* @param {String|Node} dirty string or DOM node
|
|
3606
|
-
* @param {Object}
|
|
3646
|
+
* @param {Object} cfg object
|
|
3607
3647
|
*/
|
|
3608
3648
|
// eslint-disable-next-line complexity
|
|
3609
|
-
|
|
3610
|
-
|
|
3611
3649
|
DOMPurify.sanitize = function (dirty) {
|
|
3612
3650
|
let cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
|
|
3613
|
-
let body;
|
|
3614
|
-
let importedNode;
|
|
3615
|
-
let currentNode;
|
|
3616
|
-
let returnNode;
|
|
3651
|
+
let body = null;
|
|
3652
|
+
let importedNode = null;
|
|
3653
|
+
let currentNode = null;
|
|
3654
|
+
let returnNode = null;
|
|
3617
3655
|
/* Make sure we have a string to sanitize.
|
|
3618
3656
|
DO NOT return early, as this will return the wrong type if
|
|
3619
3657
|
the user has requested a DOM object rather than a string */
|
|
3620
|
-
|
|
3621
3658
|
IS_EMPTY_INPUT = !dirty;
|
|
3622
|
-
|
|
3623
3659
|
if (IS_EMPTY_INPUT) {
|
|
3624
3660
|
dirty = '<!-->';
|
|
3625
3661
|
}
|
|
3626
|
-
/* Stringify, in case dirty is an object */
|
|
3627
|
-
|
|
3628
3662
|
|
|
3663
|
+
/* Stringify, in case dirty is an object */
|
|
3629
3664
|
if (typeof dirty !== 'string' && !_isNode(dirty)) {
|
|
3630
3665
|
if (typeof dirty.toString === 'function') {
|
|
3631
3666
|
dirty = dirty.toString();
|
|
3632
|
-
|
|
3633
3667
|
if (typeof dirty !== 'string') {
|
|
3634
3668
|
throw typeErrorCreate('dirty is not a string, aborting');
|
|
3635
3669
|
}
|
|
@@ -3637,33 +3671,28 @@ function createDOMPurify() {
|
|
|
3637
3671
|
throw typeErrorCreate('toString is not a function');
|
|
3638
3672
|
}
|
|
3639
3673
|
}
|
|
3640
|
-
/* Return dirty HTML if DOMPurify cannot run */
|
|
3641
|
-
|
|
3642
3674
|
|
|
3675
|
+
/* Return dirty HTML if DOMPurify cannot run */
|
|
3643
3676
|
if (!DOMPurify.isSupported) {
|
|
3644
3677
|
return dirty;
|
|
3645
3678
|
}
|
|
3646
|
-
/* Assign config vars */
|
|
3647
|
-
|
|
3648
3679
|
|
|
3680
|
+
/* Assign config vars */
|
|
3649
3681
|
if (!SET_CONFIG) {
|
|
3650
3682
|
_parseConfig(cfg);
|
|
3651
3683
|
}
|
|
3652
|
-
/* Clean up removed elements */
|
|
3653
|
-
|
|
3654
3684
|
|
|
3685
|
+
/* Clean up removed elements */
|
|
3655
3686
|
DOMPurify.removed = [];
|
|
3656
|
-
/* Check if dirty is correctly typed for IN_PLACE */
|
|
3657
3687
|
|
|
3688
|
+
/* Check if dirty is correctly typed for IN_PLACE */
|
|
3658
3689
|
if (typeof dirty === 'string') {
|
|
3659
3690
|
IN_PLACE = false;
|
|
3660
3691
|
}
|
|
3661
|
-
|
|
3662
3692
|
if (IN_PLACE) {
|
|
3663
3693
|
/* Do some early pre-sanitization to avoid unsafe root nodes */
|
|
3664
3694
|
if (dirty.nodeName) {
|
|
3665
3695
|
const tagName = transformCaseFunc(dirty.nodeName);
|
|
3666
|
-
|
|
3667
3696
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
3668
3697
|
throw typeErrorCreate('root node is forbidden and cannot be sanitized in-place');
|
|
3669
3698
|
}
|
|
@@ -3673,8 +3702,7 @@ function createDOMPurify() {
|
|
|
3673
3702
|
elements being stripped by the parser */
|
|
3674
3703
|
body = _initDocument('<!---->');
|
|
3675
3704
|
importedNode = body.ownerDocument.importNode(dirty, true);
|
|
3676
|
-
|
|
3677
|
-
if (importedNode.nodeType === 1 && importedNode.nodeName === 'BODY') {
|
|
3705
|
+
if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === 'BODY') {
|
|
3678
3706
|
/* Node is already a body, use as is */
|
|
3679
3707
|
body = importedNode;
|
|
3680
3708
|
} else if (importedNode.nodeName === 'HTML') {
|
|
@@ -3685,62 +3713,54 @@ function createDOMPurify() {
|
|
|
3685
3713
|
}
|
|
3686
3714
|
} else {
|
|
3687
3715
|
/* Exit directly if we have nothing to do */
|
|
3688
|
-
if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT &&
|
|
3716
|
+
if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT &&
|
|
3717
|
+
// eslint-disable-next-line unicorn/prefer-includes
|
|
3689
3718
|
dirty.indexOf('<') === -1) {
|
|
3690
3719
|
return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;
|
|
3691
3720
|
}
|
|
3692
|
-
/* Initialize the document to work on */
|
|
3693
|
-
|
|
3694
3721
|
|
|
3722
|
+
/* Initialize the document to work on */
|
|
3695
3723
|
body = _initDocument(dirty);
|
|
3696
|
-
/* Check we have a DOM node from the data */
|
|
3697
3724
|
|
|
3725
|
+
/* Check we have a DOM node from the data */
|
|
3698
3726
|
if (!body) {
|
|
3699
3727
|
return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : '';
|
|
3700
3728
|
}
|
|
3701
3729
|
}
|
|
3702
|
-
/* Remove first element node (ours) if FORCE_BODY is set */
|
|
3703
|
-
|
|
3704
3730
|
|
|
3731
|
+
/* Remove first element node (ours) if FORCE_BODY is set */
|
|
3705
3732
|
if (body && FORCE_BODY) {
|
|
3706
3733
|
_forceRemove(body.firstChild);
|
|
3707
3734
|
}
|
|
3708
|
-
/* Get node iterator */
|
|
3709
3735
|
|
|
3736
|
+
/* Get node iterator */
|
|
3737
|
+
const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
|
|
3710
3738
|
|
|
3711
|
-
const nodeIterator = _createIterator(IN_PLACE ? dirty : body);
|
|
3712
3739
|
/* Now start iterating over the created document */
|
|
3713
|
-
|
|
3714
|
-
|
|
3715
3740
|
while (currentNode = nodeIterator.nextNode()) {
|
|
3716
3741
|
/* Sanitize tags and elements */
|
|
3717
3742
|
if (_sanitizeElements(currentNode)) {
|
|
3718
3743
|
continue;
|
|
3719
3744
|
}
|
|
3720
|
-
/* Shadow DOM detected, sanitize it */
|
|
3721
|
-
|
|
3722
3745
|
|
|
3746
|
+
/* Shadow DOM detected, sanitize it */
|
|
3723
3747
|
if (currentNode.content instanceof DocumentFragment) {
|
|
3724
3748
|
_sanitizeShadowDOM(currentNode.content);
|
|
3725
3749
|
}
|
|
3726
|
-
/* Check attributes, sanitize if necessary */
|
|
3727
|
-
|
|
3728
3750
|
|
|
3751
|
+
/* Check attributes, sanitize if necessary */
|
|
3729
3752
|
_sanitizeAttributes(currentNode);
|
|
3730
3753
|
}
|
|
3731
|
-
/* If we sanitized `dirty` in-place, return it. */
|
|
3732
|
-
|
|
3733
3754
|
|
|
3755
|
+
/* If we sanitized `dirty` in-place, return it. */
|
|
3734
3756
|
if (IN_PLACE) {
|
|
3735
3757
|
return dirty;
|
|
3736
3758
|
}
|
|
3737
|
-
/* Return sanitized string or DOM */
|
|
3738
|
-
|
|
3739
3759
|
|
|
3760
|
+
/* Return sanitized string or DOM */
|
|
3740
3761
|
if (RETURN_DOM) {
|
|
3741
3762
|
if (RETURN_DOM_FRAGMENT) {
|
|
3742
3763
|
returnNode = createDocumentFragment.call(body.ownerDocument);
|
|
3743
|
-
|
|
3744
3764
|
while (body.firstChild) {
|
|
3745
3765
|
// eslint-disable-next-line unicorn/prefer-dom-node-append
|
|
3746
3766
|
returnNode.appendChild(body.firstChild);
|
|
@@ -3748,7 +3768,6 @@ function createDOMPurify() {
|
|
|
3748
3768
|
} else {
|
|
3749
3769
|
returnNode = body;
|
|
3750
3770
|
}
|
|
3751
|
-
|
|
3752
3771
|
if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmode) {
|
|
3753
3772
|
/*
|
|
3754
3773
|
AdoptNode() is not used because internal state is not reset
|
|
@@ -3759,73 +3778,66 @@ function createDOMPurify() {
|
|
|
3759
3778
|
*/
|
|
3760
3779
|
returnNode = importNode.call(originalDocument, returnNode, true);
|
|
3761
3780
|
}
|
|
3762
|
-
|
|
3763
3781
|
return returnNode;
|
|
3764
3782
|
}
|
|
3765
|
-
|
|
3766
3783
|
let serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;
|
|
3767
|
-
/* Serialize doctype if allowed */
|
|
3768
3784
|
|
|
3785
|
+
/* Serialize doctype if allowed */
|
|
3769
3786
|
if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {
|
|
3770
3787
|
serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;
|
|
3771
3788
|
}
|
|
3772
|
-
/* Sanitize final string template-safe */
|
|
3773
|
-
|
|
3774
3789
|
|
|
3790
|
+
/* Sanitize final string template-safe */
|
|
3775
3791
|
if (SAFE_FOR_TEMPLATES) {
|
|
3776
|
-
|
|
3777
|
-
|
|
3778
|
-
|
|
3792
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
|
|
3793
|
+
serializedHTML = stringReplace(serializedHTML, expr, ' ');
|
|
3794
|
+
});
|
|
3779
3795
|
}
|
|
3780
|
-
|
|
3781
3796
|
return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
|
|
3782
3797
|
};
|
|
3798
|
+
|
|
3783
3799
|
/**
|
|
3784
3800
|
* Public method to set the configuration once
|
|
3785
3801
|
* setConfig
|
|
3786
3802
|
*
|
|
3787
3803
|
* @param {Object} cfg configuration object
|
|
3788
3804
|
*/
|
|
3789
|
-
|
|
3790
|
-
|
|
3791
|
-
DOMPurify.setConfig = function (cfg) {
|
|
3805
|
+
DOMPurify.setConfig = function () {
|
|
3806
|
+
let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
3792
3807
|
_parseConfig(cfg);
|
|
3793
|
-
|
|
3794
3808
|
SET_CONFIG = true;
|
|
3795
3809
|
};
|
|
3810
|
+
|
|
3796
3811
|
/**
|
|
3797
3812
|
* Public method to remove the configuration
|
|
3798
3813
|
* clearConfig
|
|
3799
3814
|
*
|
|
3800
3815
|
*/
|
|
3801
|
-
|
|
3802
|
-
|
|
3803
3816
|
DOMPurify.clearConfig = function () {
|
|
3804
3817
|
CONFIG = null;
|
|
3805
3818
|
SET_CONFIG = false;
|
|
3806
3819
|
};
|
|
3820
|
+
|
|
3807
3821
|
/**
|
|
3808
3822
|
* Public method to check if an attribute value is valid.
|
|
3809
3823
|
* Uses last set config, if any. Otherwise, uses config defaults.
|
|
3810
3824
|
* isValidAttribute
|
|
3811
3825
|
*
|
|
3812
|
-
* @param {
|
|
3813
|
-
* @param {
|
|
3814
|
-
* @param {
|
|
3826
|
+
* @param {String} tag Tag name of containing element.
|
|
3827
|
+
* @param {String} attr Attribute name.
|
|
3828
|
+
* @param {String} value Attribute value.
|
|
3815
3829
|
* @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
|
|
3816
3830
|
*/
|
|
3817
|
-
|
|
3818
|
-
|
|
3819
3831
|
DOMPurify.isValidAttribute = function (tag, attr, value) {
|
|
3820
3832
|
/* Initialize shared config vars if necessary. */
|
|
3821
3833
|
if (!CONFIG) {
|
|
3822
3834
|
_parseConfig({});
|
|
3823
3835
|
}
|
|
3824
|
-
|
|
3825
3836
|
const lcTag = transformCaseFunc(tag);
|
|
3826
3837
|
const lcName = transformCaseFunc(attr);
|
|
3827
3838
|
return _isValidAttribute(lcTag, lcName, value);
|
|
3828
3839
|
};
|
|
3840
|
+
|
|
3829
3841
|
/**
|
|
3830
3842
|
* AddHook
|
|
3831
3843
|
* Public method to add DOMPurify hooks
|
|
@@ -3833,16 +3845,14 @@ function createDOMPurify() {
|
|
|
3833
3845
|
* @param {String} entryPoint entry point for the hook to add
|
|
3834
3846
|
* @param {Function} hookFunction function to execute
|
|
3835
3847
|
*/
|
|
3836
|
-
|
|
3837
|
-
|
|
3838
3848
|
DOMPurify.addHook = function (entryPoint, hookFunction) {
|
|
3839
3849
|
if (typeof hookFunction !== 'function') {
|
|
3840
3850
|
return;
|
|
3841
3851
|
}
|
|
3842
|
-
|
|
3843
3852
|
hooks[entryPoint] = hooks[entryPoint] || [];
|
|
3844
3853
|
arrayPush(hooks[entryPoint], hookFunction);
|
|
3845
3854
|
};
|
|
3855
|
+
|
|
3846
3856
|
/**
|
|
3847
3857
|
* RemoveHook
|
|
3848
3858
|
* Public method to remove a DOMPurify hook at a given entryPoint
|
|
@@ -3851,40 +3861,33 @@ function createDOMPurify() {
|
|
|
3851
3861
|
* @param {String} entryPoint entry point for the hook to remove
|
|
3852
3862
|
* @return {Function} removed(popped) hook
|
|
3853
3863
|
*/
|
|
3854
|
-
|
|
3855
|
-
|
|
3856
3864
|
DOMPurify.removeHook = function (entryPoint) {
|
|
3857
3865
|
if (hooks[entryPoint]) {
|
|
3858
3866
|
return arrayPop(hooks[entryPoint]);
|
|
3859
3867
|
}
|
|
3860
3868
|
};
|
|
3869
|
+
|
|
3861
3870
|
/**
|
|
3862
3871
|
* RemoveHooks
|
|
3863
3872
|
* Public method to remove all DOMPurify hooks at a given entryPoint
|
|
3864
3873
|
*
|
|
3865
3874
|
* @param {String} entryPoint entry point for the hooks to remove
|
|
3866
3875
|
*/
|
|
3867
|
-
|
|
3868
|
-
|
|
3869
3876
|
DOMPurify.removeHooks = function (entryPoint) {
|
|
3870
3877
|
if (hooks[entryPoint]) {
|
|
3871
3878
|
hooks[entryPoint] = [];
|
|
3872
3879
|
}
|
|
3873
3880
|
};
|
|
3881
|
+
|
|
3874
3882
|
/**
|
|
3875
3883
|
* RemoveAllHooks
|
|
3876
3884
|
* Public method to remove all DOMPurify hooks
|
|
3877
|
-
*
|
|
3878
3885
|
*/
|
|
3879
|
-
|
|
3880
|
-
|
|
3881
3886
|
DOMPurify.removeAllHooks = function () {
|
|
3882
3887
|
hooks = {};
|
|
3883
3888
|
};
|
|
3884
|
-
|
|
3885
3889
|
return DOMPurify;
|
|
3886
3890
|
}
|
|
3887
|
-
|
|
3888
3891
|
var purify = createDOMPurify();
|
|
3889
3892
|
|
|
3890
3893
|
/*!
|
|
@@ -3948,7 +3951,7 @@ try {
|
|
|
3948
3951
|
// swallow
|
|
3949
3952
|
}
|
|
3950
3953
|
const trusted = createPolicy('trusted', policyOptions);
|
|
3951
|
-
/*! version: 0.
|
|
3954
|
+
/*! version: 0.23.6 */
|
|
3952
3955
|
|
|
3953
3956
|
/*!
|
|
3954
3957
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -4079,7 +4082,7 @@ function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) {
|
|
|
4079
4082
|
return svgSanitizer$LWS.sanitize(dirty$LWS);
|
|
4080
4083
|
}
|
|
4081
4084
|
function sanitizeSvgHref$LWS(url$LWS) {
|
|
4082
|
-
const urlAsString$LWS =
|
|
4085
|
+
const urlAsString$LWS = toSafeStringValue$LWS(url$LWS);
|
|
4083
4086
|
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, urlAsString$LWS, ['#'])) {
|
|
4084
4087
|
return url$LWS;
|
|
4085
4088
|
}
|
|
@@ -4209,7 +4212,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
|
|
|
4209
4212
|
}
|
|
4210
4213
|
return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
|
|
4211
4214
|
}
|
|
4212
|
-
/*! version: 0.
|
|
4215
|
+
/*! version: 0.23.6 */
|
|
4213
4216
|
|
|
4214
4217
|
/*!
|
|
4215
4218
|
* Copyright (C) 2023 salesforce.com, inc.
|
|
@@ -4407,7 +4410,7 @@ function encloseSrcSetter$LWS(targetElement$LWS) {
|
|
|
4407
4410
|
ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
|
|
4408
4411
|
};
|
|
4409
4412
|
}
|
|
4410
|
-
/*! version: 0.
|
|
4413
|
+
/*! version: 0.23.6 */
|
|
4411
4414
|
|
|
4412
4415
|
/*!
|
|
4413
4416
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -4944,7 +4947,7 @@ function patchAttributes$LWS(instance$LWS, originalDefinition$LWS, definition$LW
|
|
|
4944
4947
|
}, ElementProtoRemoveAttribute$LWS);
|
|
4945
4948
|
instance$LWS.setAttribute = maskFunction$LWS(function setAttribute$LWS(attrName$LWS, value$LWS) {
|
|
4946
4949
|
const args$LWS = [attrName$LWS];
|
|
4947
|
-
const stringifiedValue$LWS =
|
|
4950
|
+
const stringifiedValue$LWS = toSafeStringValue$LWS(value$LWS);
|
|
4948
4951
|
const setAttributeArgs$LWS = [attrName$LWS, stringifiedValue$LWS];
|
|
4949
4952
|
// `observedAttributesDifference` is a safe Set.
|
|
4950
4953
|
if (observedAttributesDifference$LWS.has(attrName$LWS)) {
|
|
@@ -5153,6 +5156,64 @@ function setCustomElementsRegistry$LWS(document$LWS, key$LWS) {
|
|
|
5153
5156
|
currentRegistry$LWS = getSandboxCustomElementRegistry$LWS(document$LWS, key$LWS);
|
|
5154
5157
|
}
|
|
5155
5158
|
const DataTransferBlockedProperties$LWS = ['mozCursor', 'mozSourceNode', 'mozUserCancelled'];
|
|
5159
|
+
const elementShadowRootBySandboxKeyRegistry$LWS = {
|
|
5160
|
+
__proto__: null
|
|
5161
|
+
};
|
|
5162
|
+
function registerShadowRootInSandbox$LWS(sandboxKey$LWS, shadowRoot$LWS) {
|
|
5163
|
+
const {
|
|
5164
|
+
[sandboxKey$LWS]: elementShadowRootRegistry$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1())
|
|
5165
|
+
} = elementShadowRootBySandboxKeyRegistry$LWS;
|
|
5166
|
+
elementShadowRootRegistry$LWS.add(shadowRoot$LWS);
|
|
5167
|
+
if (!elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS]) {
|
|
5168
|
+
elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS] = elementShadowRootRegistry$LWS;
|
|
5169
|
+
}
|
|
5170
|
+
}
|
|
5171
|
+
function isShadowRootAccessibleInThisSandbox$LWS(sandboxKey$LWS, shadowRoot$LWS) {
|
|
5172
|
+
const elementShadowRootRegistry$LWS = elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS];
|
|
5173
|
+
if (!elementShadowRootRegistry$LWS) {
|
|
5174
|
+
return false;
|
|
5175
|
+
}
|
|
5176
|
+
return elementShadowRootRegistry$LWS.has(shadowRoot$LWS);
|
|
5177
|
+
}
|
|
5178
|
+
function isContainerWithinAShadowRootAccessibleInThisSandbox$LWS(key$LWS, container$LWS) {
|
|
5179
|
+
let parentNode$LWS = container$LWS;
|
|
5180
|
+
do {
|
|
5181
|
+
if (isShadowRootAccessibleInThisSandbox$LWS(key$LWS, parentNode$LWS)) {
|
|
5182
|
+
return true;
|
|
5183
|
+
}
|
|
5184
|
+
} while (parentNode$LWS = ReflectApply$LWS$1(NodeProtoParentNodeGetter$LWS, parentNode$LWS, []));
|
|
5185
|
+
return false;
|
|
5186
|
+
}
|
|
5187
|
+
function initDistortionAbstractRangeEndContainerGetter$LWS({
|
|
5188
|
+
globalObject: {
|
|
5189
|
+
AbstractRange: AbstractRange$LWS
|
|
5190
|
+
}
|
|
5191
|
+
}) {
|
|
5192
|
+
const originalEndContainerGetter$LWS = ObjectLookupOwnGetter$LWS$1(AbstractRange$LWS.prototype, 'endContainer');
|
|
5193
|
+
return function distortionEndContainerGetter$LWS({
|
|
5194
|
+
key: key$LWS
|
|
5195
|
+
}) {
|
|
5196
|
+
return [originalEndContainerGetter$LWS, function endContainer$LWS() {
|
|
5197
|
+
const realEndContainer$LWS = ReflectApply$LWS$1(originalEndContainerGetter$LWS, this, []);
|
|
5198
|
+
return isContainerWithinAShadowRootAccessibleInThisSandbox$LWS(key$LWS, realEndContainer$LWS) ? realEndContainer$LWS : null;
|
|
5199
|
+
}];
|
|
5200
|
+
};
|
|
5201
|
+
}
|
|
5202
|
+
function initDistortionAbstractRangeStartContainerGetter$LWS({
|
|
5203
|
+
globalObject: {
|
|
5204
|
+
AbstractRange: AbstractRange$LWS
|
|
5205
|
+
}
|
|
5206
|
+
}) {
|
|
5207
|
+
const originalStartContainerGetter$LWS = ObjectLookupOwnGetter$LWS$1(AbstractRange$LWS.prototype, 'startContainer');
|
|
5208
|
+
return function distortionStartContainerGetter$LWS({
|
|
5209
|
+
key: key$LWS
|
|
5210
|
+
}) {
|
|
5211
|
+
return [originalStartContainerGetter$LWS, function startContainer$LWS() {
|
|
5212
|
+
const realStartContainer$LWS = ReflectApply$LWS$1(originalStartContainerGetter$LWS, this, []);
|
|
5213
|
+
return isContainerWithinAShadowRootAccessibleInThisSandbox$LWS(key$LWS, realStartContainer$LWS) ? realStartContainer$LWS : null;
|
|
5214
|
+
}];
|
|
5215
|
+
};
|
|
5216
|
+
}
|
|
5156
5217
|
const attributeDistortionFactoriesCache$LWS = toSafeMap$LWS$1(new MapCtor$LWS$1());
|
|
5157
5218
|
const sandboxAttributeDistortionRegistryCache$LWS = toSafeWeakMap$LWS$1(new WeakMapCtor$LWS$1());
|
|
5158
5219
|
function finalizeAttributeDistortions$LWS(record$LWS) {
|
|
@@ -5361,11 +5422,10 @@ function initDistortionCacheStorageDelete$LWS({
|
|
|
5361
5422
|
return [originalDelete$LWS, function patchedDelete$LWS(...args$LWS) {
|
|
5362
5423
|
if (args$LWS.length) {
|
|
5363
5424
|
const {
|
|
5364
|
-
0:
|
|
5425
|
+
0: rawCacheName$LWS
|
|
5365
5426
|
} = args$LWS;
|
|
5366
|
-
|
|
5367
|
-
|
|
5368
|
-
}
|
|
5427
|
+
const cacheName$LWS = toSafeStringValue$LWS(rawCacheName$LWS);
|
|
5428
|
+
args$LWS[0] = prependNamespaceMarker$LWS(cacheName$LWS, key$LWS);
|
|
5369
5429
|
}
|
|
5370
5430
|
return ReflectApply$LWS$1(originalDelete$LWS, this, args$LWS);
|
|
5371
5431
|
}];
|
|
@@ -5390,11 +5450,10 @@ function initDistortionCacheStorageHas$LWS({
|
|
|
5390
5450
|
return [originalHas$LWS, function has$LWS(...args$LWS) {
|
|
5391
5451
|
if (args$LWS.length) {
|
|
5392
5452
|
const {
|
|
5393
|
-
0:
|
|
5453
|
+
0: rawCacheName$LWS
|
|
5394
5454
|
} = args$LWS;
|
|
5395
|
-
|
|
5396
|
-
|
|
5397
|
-
}
|
|
5455
|
+
const cacheName$LWS = toSafeStringValue$LWS(rawCacheName$LWS);
|
|
5456
|
+
args$LWS[0] = prependNamespaceMarker$LWS(cacheName$LWS, key$LWS);
|
|
5398
5457
|
}
|
|
5399
5458
|
return ReflectApply$LWS$1(originalHas$LWS, this, args$LWS);
|
|
5400
5459
|
}];
|
|
@@ -5464,14 +5523,13 @@ function initDistortionCacheStorageMatch$LWS({
|
|
|
5464
5523
|
// also be safely convertible to a string.
|
|
5465
5524
|
if (isObjectLike$LWS(matchOptions$LWS) && 'cacheName' in matchOptions$LWS) {
|
|
5466
5525
|
const {
|
|
5467
|
-
cacheName:
|
|
5526
|
+
cacheName: rawCacheName$LWS
|
|
5468
5527
|
} = matchOptions$LWS;
|
|
5469
|
-
|
|
5470
|
-
|
|
5471
|
-
|
|
5472
|
-
|
|
5473
|
-
|
|
5474
|
-
}
|
|
5528
|
+
const cacheName$LWS = toSafeStringValue$LWS(rawCacheName$LWS);
|
|
5529
|
+
const clonedOptions$LWS = shallowCloneOptions$LWS(matchOptions$LWS);
|
|
5530
|
+
clonedOptions$LWS.cacheName = prependNamespaceMarker$LWS(cacheName$LWS, key$LWS);
|
|
5531
|
+
args$LWS[1] = clonedOptions$LWS;
|
|
5532
|
+
return ReflectApply$LWS$1(originalMatch$LWS, this, args$LWS);
|
|
5475
5533
|
}
|
|
5476
5534
|
return PromiseReject$LWS(new LockerSecurityError$LWS("caches.match() expects 'options.cacheName' to be present."));
|
|
5477
5535
|
}];
|
|
@@ -5496,11 +5554,10 @@ function initDistortionCacheStorageOpen$LWS({
|
|
|
5496
5554
|
return [originalOpen$LWS, function open$LWS(...args$LWS) {
|
|
5497
5555
|
if (args$LWS.length) {
|
|
5498
5556
|
const {
|
|
5499
|
-
0:
|
|
5557
|
+
0: rawCacheName$LWS
|
|
5500
5558
|
} = args$LWS;
|
|
5501
|
-
|
|
5502
|
-
|
|
5503
|
-
}
|
|
5559
|
+
const cacheName$LWS = toSafeStringValue$LWS(rawCacheName$LWS);
|
|
5560
|
+
args$LWS[0] = prependNamespaceMarker$LWS(cacheName$LWS, key$LWS);
|
|
5504
5561
|
}
|
|
5505
5562
|
return ReflectApply$LWS$1(originalOpen$LWS, this, args$LWS);
|
|
5506
5563
|
}];
|
|
@@ -5646,11 +5703,26 @@ function isEventTargetRestricted$LWS(record$LWS, eventTarget$LWS, eventName$LWS)
|
|
|
5646
5703
|
if (restrictedEventTargetRegistry$LWS === undefined || restrictedEventTargetRegistry$LWS[eventName$LWS] === undefined) {
|
|
5647
5704
|
return false;
|
|
5648
5705
|
}
|
|
5649
|
-
|
|
5706
|
+
let possiblyRestrictedConstructor$LWS = getUnmaskedFunction$LWS(eventTarget$LWS.constructor);
|
|
5707
|
+
// Walk UP the proto chain to check if super classes have a restriction on this event.
|
|
5708
|
+
// This can happen in cases where HTMLElement is the event target constructor, but
|
|
5709
|
+
// the event listener is being added to HTMLDivElement. Since we obviously want to
|
|
5710
|
+
// block all listeners for an event being blocked at HTMLElement level, we need to
|
|
5711
|
+
// walk up from the HTMLDivElement until we find the constructor for which we
|
|
5712
|
+
// registered a restriction.
|
|
5713
|
+
while (possiblyRestrictedConstructor$LWS !== null) {
|
|
5714
|
+
if (restrictedEventTargetRegistry$LWS[eventName$LWS].has(possiblyRestrictedConstructor$LWS)) {
|
|
5715
|
+
return true;
|
|
5716
|
+
}
|
|
5717
|
+
// eslint-disable-next-line no-proto
|
|
5718
|
+
possiblyRestrictedConstructor$LWS = possiblyRestrictedConstructor$LWS.__proto__;
|
|
5719
|
+
}
|
|
5720
|
+
return false;
|
|
5650
5721
|
}
|
|
5651
5722
|
function registerEventTargetRestriction$LWS(record$LWS, EventTargetCtor$LWS, eventName$LWS) {
|
|
5723
|
+
const unmaskedEventTargetCtor$LWS = getUnmaskedFunction$LWS(EventTargetCtor$LWS);
|
|
5652
5724
|
// istanbul ignore if: this is a safety precaution that is unreachable via tests
|
|
5653
|
-
if (isEventTargetRestricted$LWS(record$LWS,
|
|
5725
|
+
if (isEventTargetRestricted$LWS(record$LWS, unmaskedEventTargetCtor$LWS.prototype, eventName$LWS)) {
|
|
5654
5726
|
return;
|
|
5655
5727
|
}
|
|
5656
5728
|
const {
|
|
@@ -5664,7 +5736,7 @@ function registerEventTargetRestriction$LWS(record$LWS, EventTargetCtor$LWS, eve
|
|
|
5664
5736
|
const {
|
|
5665
5737
|
[eventName$LWS]: restrictedEventTargetCtors$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1())
|
|
5666
5738
|
} = restrictedEventTargetRegistry$LWS;
|
|
5667
|
-
restrictedEventTargetCtors$LWS.add(
|
|
5739
|
+
restrictedEventTargetCtors$LWS.add(unmaskedEventTargetCtor$LWS);
|
|
5668
5740
|
restrictedEventTargetRegistry$LWS[eventName$LWS] = restrictedEventTargetCtors$LWS;
|
|
5669
5741
|
restrictedEventTargetRegistryBySandboxKeyRegistry$LWS[key$LWS] = restrictedEventTargetRegistry$LWS;
|
|
5670
5742
|
}
|
|
@@ -6019,7 +6091,7 @@ function initDistortionDocumentDomainSetter$LWS({
|
|
|
6019
6091
|
};
|
|
6020
6092
|
}
|
|
6021
6093
|
const {
|
|
6022
|
-
isSharedElement: isSharedElement$
|
|
6094
|
+
isSharedElement: isSharedElement$s$LWS
|
|
6023
6095
|
} = rootValidator$LWS;
|
|
6024
6096
|
function throwLockerSecurityError$LWS(command$LWS, target$LWS) {
|
|
6025
6097
|
throw new LockerSecurityError$LWS(`Cannot execute command '${command$LWS}' on ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, target$LWS, [])}.`);
|
|
@@ -6046,7 +6118,7 @@ function initDistortionDocumentExecCommand$LWS({
|
|
|
6046
6118
|
length: length$LWS
|
|
6047
6119
|
} = args$LWS;
|
|
6048
6120
|
if (length$LWS >= 1) {
|
|
6049
|
-
const command$LWS =
|
|
6121
|
+
const command$LWS = toSafeStringValue$LWS(args$LWS[0]);
|
|
6050
6122
|
const loweredCommand$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, command$LWS, []);
|
|
6051
6123
|
if (loweredCommand$LWS === 'selectall' && this === rootDocument$LWS) {
|
|
6052
6124
|
throwLockerSecurityError$LWS(command$LWS, this);
|
|
@@ -6065,7 +6137,7 @@ function initDistortionDocumentExecCommand$LWS({
|
|
|
6065
6137
|
// istanbul ignore else: external is the default sandbox type for coverage runs
|
|
6066
6138
|
if (type$LWS === 0 /* SandboxType.External */) {
|
|
6067
6139
|
const activeElement$LWS = ReflectApply$LWS$1(originalActiveElement$LWS, this, []);
|
|
6068
|
-
if (isSharedElement$
|
|
6140
|
+
if (isSharedElement$s$LWS(activeElement$LWS) && ReflectApply$LWS$1(originalIsContentEditable$LWS, activeElement$LWS, [])) {
|
|
6069
6141
|
throwLockerSecurityError$LWS(command$LWS, activeElement$LWS);
|
|
6070
6142
|
}
|
|
6071
6143
|
}
|
|
@@ -6180,8 +6252,8 @@ function initDistortionDOMParserParseFromString$LWS({
|
|
|
6180
6252
|
if (args$LWS.length >= 2) {
|
|
6181
6253
|
// Override the value of the first argument with a sanitized version
|
|
6182
6254
|
// of that argument.
|
|
6183
|
-
const string$LWS =
|
|
6184
|
-
const mimeType$LWS =
|
|
6255
|
+
const string$LWS = toSafeStringValue$LWS(args$LWS[0]);
|
|
6256
|
+
const mimeType$LWS = toSafeStringValue$LWS(args$LWS[1]);
|
|
6185
6257
|
let contentType$LWS;
|
|
6186
6258
|
switch (mimeType$LWS) {
|
|
6187
6259
|
case 'application/xhtml+xml':
|
|
@@ -6212,7 +6284,7 @@ function initDistortionDOMParserParseFromString$LWS({
|
|
|
6212
6284
|
};
|
|
6213
6285
|
}
|
|
6214
6286
|
const {
|
|
6215
|
-
isSharedElement: isSharedElement$
|
|
6287
|
+
isSharedElement: isSharedElement$r$LWS,
|
|
6216
6288
|
isAllowedSharedElementChild: isAllowedSharedElementChild$6$LWS
|
|
6217
6289
|
} = rootValidator$LWS;
|
|
6218
6290
|
function initDistortionElementAfter$LWS({
|
|
@@ -6227,13 +6299,13 @@ function initDistortionElementAfter$LWS({
|
|
|
6227
6299
|
}) {
|
|
6228
6300
|
const distortionEntry$LWS = [originalAfter$LWS, function after$LWS(...args$LWS) {
|
|
6229
6301
|
// istanbul ignore else: needs default platform behavior test
|
|
6230
|
-
if (isSharedElement$
|
|
6302
|
+
if (isSharedElement$r$LWS(this)) {
|
|
6231
6303
|
for (let i$LWS = 0, {
|
|
6232
6304
|
length: length$LWS
|
|
6233
6305
|
} = args$LWS; i$LWS < length$LWS; i$LWS += 1) {
|
|
6234
6306
|
const argValue$LWS = args$LWS[i$LWS];
|
|
6235
6307
|
if (!isAllowedSharedElementChild$6$LWS(argValue$LWS)) {
|
|
6236
|
-
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */
|
|
6308
|
+
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */toSafeStringValue$LWS(argValue$LWS);
|
|
6237
6309
|
throw new LockerSecurityError$LWS(`Cannot insert ${nodeNameOrString$LWS} after ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6238
6310
|
}
|
|
6239
6311
|
}
|
|
@@ -6245,7 +6317,7 @@ function initDistortionElementAfter$LWS({
|
|
|
6245
6317
|
};
|
|
6246
6318
|
}
|
|
6247
6319
|
const {
|
|
6248
|
-
isSharedElement: isSharedElement$
|
|
6320
|
+
isSharedElement: isSharedElement$q$LWS,
|
|
6249
6321
|
isAllowedSharedElementChild: isAllowedSharedElementChild$5$LWS
|
|
6250
6322
|
} = rootValidator$LWS;
|
|
6251
6323
|
function initDistortionElementAppend$LWS({
|
|
@@ -6260,7 +6332,7 @@ function initDistortionElementAppend$LWS({
|
|
|
6260
6332
|
}) {
|
|
6261
6333
|
const distortionEntry$LWS = [originalAppend$LWS, function append$LWS(...args$LWS) {
|
|
6262
6334
|
// istanbul ignore else: needs default platform behavior test
|
|
6263
|
-
if (isSharedElement$
|
|
6335
|
+
if (isSharedElement$q$LWS(this)) {
|
|
6264
6336
|
// Element.prototype.append(...args) accepts an arbitrary number
|
|
6265
6337
|
// of arguments which can be comprised of Nodes and DOMStrings.
|
|
6266
6338
|
for (let i$LWS = 0, {
|
|
@@ -6271,7 +6343,7 @@ function initDistortionElementAppend$LWS({
|
|
|
6271
6343
|
// element child which is limited to script and link, an
|
|
6272
6344
|
// exception is thrown.
|
|
6273
6345
|
if (!isAllowedSharedElementChild$5$LWS(argValue$LWS)) {
|
|
6274
|
-
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */
|
|
6346
|
+
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */toSafeStringValue$LWS(argValue$LWS);
|
|
6275
6347
|
throw new LockerSecurityError$LWS(`Cannot append ${nodeNameOrString$LWS} to ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6276
6348
|
}
|
|
6277
6349
|
}
|
|
@@ -6282,25 +6354,6 @@ function initDistortionElementAppend$LWS({
|
|
|
6282
6354
|
return distortionEntry$LWS;
|
|
6283
6355
|
};
|
|
6284
6356
|
}
|
|
6285
|
-
const elementShadowRootBySandboxKeyRegistry$LWS = {
|
|
6286
|
-
__proto__: null
|
|
6287
|
-
};
|
|
6288
|
-
function registerShadowRootInSandbox$LWS(sandboxKey$LWS, shadowRoot$LWS) {
|
|
6289
|
-
const {
|
|
6290
|
-
[sandboxKey$LWS]: elementShadowRootRegistry$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1())
|
|
6291
|
-
} = elementShadowRootBySandboxKeyRegistry$LWS;
|
|
6292
|
-
elementShadowRootRegistry$LWS.add(shadowRoot$LWS);
|
|
6293
|
-
if (!elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS]) {
|
|
6294
|
-
elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS] = elementShadowRootRegistry$LWS;
|
|
6295
|
-
}
|
|
6296
|
-
}
|
|
6297
|
-
function isShadowRootAccessibleInThisSandbox$LWS(sandboxKey$LWS, shadowRoot$LWS) {
|
|
6298
|
-
const elementShadowRootRegistry$LWS = elementShadowRootBySandboxKeyRegistry$LWS[sandboxKey$LWS];
|
|
6299
|
-
if (!elementShadowRootRegistry$LWS) {
|
|
6300
|
-
return false;
|
|
6301
|
-
}
|
|
6302
|
-
return elementShadowRootRegistry$LWS.has(shadowRoot$LWS);
|
|
6303
|
-
}
|
|
6304
6357
|
function initDistortionElementAttachShadow$LWS({
|
|
6305
6358
|
globalObject: {
|
|
6306
6359
|
Element: {
|
|
@@ -6357,7 +6410,7 @@ function initDistortionElementAttributesGetter$LWS({
|
|
|
6357
6410
|
};
|
|
6358
6411
|
}
|
|
6359
6412
|
const {
|
|
6360
|
-
isSharedElement: isSharedElement$
|
|
6413
|
+
isSharedElement: isSharedElement$p$LWS,
|
|
6361
6414
|
isAllowedSharedElementChild: isAllowedSharedElementChild$4$LWS
|
|
6362
6415
|
} = rootValidator$LWS;
|
|
6363
6416
|
function initDistortionElementBefore$LWS({
|
|
@@ -6372,14 +6425,14 @@ function initDistortionElementBefore$LWS({
|
|
|
6372
6425
|
}) {
|
|
6373
6426
|
const distortionEntry$LWS = [originalBefore$LWS, function before$LWS(...args$LWS) {
|
|
6374
6427
|
// istanbul ignore else: needs default platform behavior test
|
|
6375
|
-
if (isSharedElement$
|
|
6428
|
+
if (isSharedElement$p$LWS(this)) {
|
|
6376
6429
|
for (let i$LWS = 0, {
|
|
6377
6430
|
length: length$LWS
|
|
6378
6431
|
} = args$LWS; i$LWS < length$LWS; i$LWS += 1) {
|
|
6379
6432
|
const argValue$LWS = args$LWS[i$LWS];
|
|
6380
6433
|
// istanbul ignore else: needs default platform behavior test
|
|
6381
6434
|
if (!isAllowedSharedElementChild$4$LWS(argValue$LWS)) {
|
|
6382
|
-
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */
|
|
6435
|
+
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */toSafeStringValue$LWS(argValue$LWS);
|
|
6383
6436
|
throw new LockerSecurityError$LWS(`Cannot insert ${nodeNameOrString$LWS} before ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6384
6437
|
}
|
|
6385
6438
|
}
|
|
@@ -6433,7 +6486,7 @@ function initDistortionElementGetInnerHTML$LWS({
|
|
|
6433
6486
|
};
|
|
6434
6487
|
}
|
|
6435
6488
|
function scriptPropertySetters$LWS(incomingThis$LWS, property$LWS, valueAsTrustedString$LWS, originalScriptPropertyGetter$LWS, originalScriptPropertySetter$LWS, distortions$LWS, sandboxEvaluator$LWS, signedScriptHookSourceText$LWS) {
|
|
6436
|
-
const valueAsString$LWS =
|
|
6489
|
+
const valueAsString$LWS = toSafeStringValue$LWS(valueAsTrustedString$LWS);
|
|
6437
6490
|
if (!isScriptPropertyEvaluatorHookDefined$LWS(incomingThis$LWS)) {
|
|
6438
6491
|
const distortedScriptPropertyGetter$LWS = distortions$LWS.get(originalScriptPropertyGetter$LWS);
|
|
6439
6492
|
defineScriptAccessorProperty$LWS(incomingThis$LWS, property$LWS, distortedScriptPropertyGetter$LWS, originalScriptPropertySetter$LWS);
|
|
@@ -6463,8 +6516,8 @@ function scriptPropertySetters$LWS(incomingThis$LWS, property$LWS, valueAsTruste
|
|
|
6463
6516
|
return false;
|
|
6464
6517
|
}
|
|
6465
6518
|
const {
|
|
6466
|
-
isInherentlyUnsecure: isInherentlyUnsecure$
|
|
6467
|
-
isSharedElement: isSharedElement$
|
|
6519
|
+
isInherentlyUnsecure: isInherentlyUnsecure$2$LWS,
|
|
6520
|
+
isSharedElement: isSharedElement$o$LWS
|
|
6468
6521
|
} = rootValidator$LWS;
|
|
6469
6522
|
function initDistortionElementInnerHTMLSetter$LWS({
|
|
6470
6523
|
document: document$LWS,
|
|
@@ -6490,7 +6543,7 @@ function initDistortionElementInnerHTMLSetter$LWS({
|
|
|
6490
6543
|
const isOwnerXMLDocument$LWS = ReflectApply$LWS$1(NodeProtoOwnerDocumentGetter$LWS, this, []) instanceof XMLDocument$LWS;
|
|
6491
6544
|
if (!isOwnerXMLDocument$LWS) {
|
|
6492
6545
|
// istanbul ignore else: needs default platform behavior test
|
|
6493
|
-
if (isSharedElement$
|
|
6546
|
+
if (isSharedElement$o$LWS(this)) {
|
|
6494
6547
|
throw new LockerSecurityError$LWS(`Cannot set innerHTML of ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6495
6548
|
}
|
|
6496
6549
|
if (this instanceof HTMLScriptElement$LWS || this instanceof SVGScriptElement) {
|
|
@@ -6507,7 +6560,7 @@ function initDistortionElementInnerHTMLSetter$LWS({
|
|
|
6507
6560
|
const contentType$LWS = this instanceof SVGElement$LWS ? ContentType$LWS.SVG : ContentType$LWS.HTML;
|
|
6508
6561
|
value$LWS = lwsInternalPolicy$LWS.createHTML(value$LWS, key$LWS, contentType$LWS);
|
|
6509
6562
|
}
|
|
6510
|
-
if (isInherentlyUnsecure$
|
|
6563
|
+
if (isInherentlyUnsecure$2$LWS(value$LWS)) {
|
|
6511
6564
|
throw new LockerSecurityError$LWS(`Cannot set 'innerHTML' using an unsecure ${toSafeTemplateStringValue$LWS(value$LWS)}.`);
|
|
6512
6565
|
}
|
|
6513
6566
|
ReflectApply$LWS$1(originalInnerHTMLSetter$LWS, this, [value$LWS]);
|
|
@@ -6515,7 +6568,7 @@ function initDistortionElementInnerHTMLSetter$LWS({
|
|
|
6515
6568
|
};
|
|
6516
6569
|
}
|
|
6517
6570
|
const {
|
|
6518
|
-
isSharedElement: isSharedElement$
|
|
6571
|
+
isSharedElement: isSharedElement$n$LWS,
|
|
6519
6572
|
isAllowedSharedElementChild: isAllowedSharedElementChild$3$LWS
|
|
6520
6573
|
} = rootValidator$LWS;
|
|
6521
6574
|
function initDistortionElementInsertAdjacentElement$LWS({
|
|
@@ -6534,7 +6587,7 @@ function initDistortionElementInsertAdjacentElement$LWS({
|
|
|
6534
6587
|
1: element$LWS
|
|
6535
6588
|
} = args$LWS;
|
|
6536
6589
|
// istanbul ignore else: needs default platform behavior test
|
|
6537
|
-
if (isSharedElement$
|
|
6590
|
+
if (isSharedElement$n$LWS(this) && !isAllowedSharedElementChild$3$LWS(element$LWS)) {
|
|
6538
6591
|
throw new LockerSecurityError$LWS(`Cannot insert ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, element$LWS, [])} adjacent to ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6539
6592
|
}
|
|
6540
6593
|
}
|
|
@@ -6545,8 +6598,7 @@ function initDistortionElementInsertAdjacentElement$LWS({
|
|
|
6545
6598
|
};
|
|
6546
6599
|
}
|
|
6547
6600
|
const {
|
|
6548
|
-
|
|
6549
|
-
isSharedElement: isSharedElement$l$LWS
|
|
6601
|
+
isSharedElement: isSharedElement$m$LWS
|
|
6550
6602
|
} = rootValidator$LWS;
|
|
6551
6603
|
const allowedElementHTMLRegExp$LWS = /^\s*<(link|script|style)/i;
|
|
6552
6604
|
function initDistortionElementInsertAdjacentHTML$LWS({
|
|
@@ -6566,7 +6618,7 @@ function initDistortionElementInsertAdjacentHTML$LWS({
|
|
|
6566
6618
|
// istanbul ignore else: needs default platform behavior test
|
|
6567
6619
|
if (args$LWS.length > 1) {
|
|
6568
6620
|
const match$LWS = ReflectApply$LWS$1(StringProtoMatch$LWS, args$LWS[1], [allowedElementHTMLRegExp$LWS]);
|
|
6569
|
-
if (isSharedElement$
|
|
6621
|
+
if (isSharedElement$m$LWS(this) && match$LWS === null) {
|
|
6570
6622
|
throw new LockerSecurityError$LWS(`Cannot insert adjacent HTML to ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}`);
|
|
6571
6623
|
}
|
|
6572
6624
|
// This must be called to signal to the virtual
|
|
@@ -6576,17 +6628,13 @@ function initDistortionElementInsertAdjacentHTML$LWS({
|
|
|
6576
6628
|
setCustomElementsRegistry$LWS(document$LWS, key$LWS);
|
|
6577
6629
|
const contentType$LWS = this instanceof SVGElement ? ContentType$LWS.SVG : ContentType$LWS.HTML;
|
|
6578
6630
|
args$LWS[1] = lwsInternalPolicy$LWS.createHTML(args$LWS[1], key$LWS, contentType$LWS);
|
|
6579
|
-
if (isInherentlyUnsecure$2$LWS(args$LWS[1])) {
|
|
6580
|
-
throw new LockerSecurityError$LWS(`Cannot 'insertAdjacentHTML' using an unsecure ${toSafeTemplateStringValue$LWS(args$LWS[1])}.`);
|
|
6581
|
-
}
|
|
6582
6631
|
}
|
|
6583
6632
|
ReflectApply$LWS$1(originalInsertAdjacentHTML$LWS, this, args$LWS);
|
|
6584
6633
|
}];
|
|
6585
6634
|
};
|
|
6586
6635
|
}
|
|
6587
6636
|
const {
|
|
6588
|
-
|
|
6589
|
-
isSharedElement: isSharedElement$k$LWS
|
|
6637
|
+
isSharedElement: isSharedElement$l$LWS
|
|
6590
6638
|
} = rootValidator$LWS;
|
|
6591
6639
|
function initDistortionElementOuterHTMLSetter$LWS({
|
|
6592
6640
|
document: document$LWS,
|
|
@@ -6600,7 +6648,7 @@ function initDistortionElementOuterHTMLSetter$LWS({
|
|
|
6600
6648
|
}) {
|
|
6601
6649
|
return [originalOuterHTMLSetter$LWS, function outerHTML$LWS(value$LWS) {
|
|
6602
6650
|
// istanbul ignore else: needs default platform behavior test
|
|
6603
|
-
if (isSharedElement$
|
|
6651
|
+
if (isSharedElement$l$LWS(this)) {
|
|
6604
6652
|
throw new LockerSecurityError$LWS(`Cannot set outerHTML of ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6605
6653
|
}
|
|
6606
6654
|
// This must be called to signal to the virtual
|
|
@@ -6609,15 +6657,12 @@ function initDistortionElementOuterHTMLSetter$LWS({
|
|
|
6609
6657
|
// association to this sandbox.
|
|
6610
6658
|
setCustomElementsRegistry$LWS(document$LWS, key$LWS);
|
|
6611
6659
|
const html$LWS = lwsInternalPolicy$LWS.createHTML(value$LWS, key$LWS, ContentType$LWS.HTML);
|
|
6612
|
-
if (isInherentlyUnsecure$1$LWS(html$LWS)) {
|
|
6613
|
-
throw new LockerSecurityError$LWS(`Cannot set 'outerHTML' using an unsecure ${toSafeTemplateStringValue$LWS(html$LWS)}.`);
|
|
6614
|
-
}
|
|
6615
6660
|
ReflectApply$LWS$1(originalOuterHTMLSetter$LWS, this, [html$LWS]);
|
|
6616
6661
|
}];
|
|
6617
6662
|
};
|
|
6618
6663
|
}
|
|
6619
6664
|
const {
|
|
6620
|
-
isSharedElement: isSharedElement$
|
|
6665
|
+
isSharedElement: isSharedElement$k$LWS,
|
|
6621
6666
|
isAllowedSharedElementChild: isAllowedSharedElementChild$2$LWS
|
|
6622
6667
|
} = rootValidator$LWS;
|
|
6623
6668
|
function initDistortionElementPrepend$LWS({
|
|
@@ -6632,7 +6677,7 @@ function initDistortionElementPrepend$LWS({
|
|
|
6632
6677
|
}) {
|
|
6633
6678
|
const distortionEntry$LWS = [originalPrepend$LWS, function prepend$LWS(...args$LWS) {
|
|
6634
6679
|
// istanbul ignore else: needs default platform behavior test
|
|
6635
|
-
if (isSharedElement$
|
|
6680
|
+
if (isSharedElement$k$LWS(this)) {
|
|
6636
6681
|
// Element.prototype.prepend(...args) accepts an arbitrary
|
|
6637
6682
|
// number of arguments which can be comprised of Nodes and
|
|
6638
6683
|
// DOMStrings.
|
|
@@ -6644,7 +6689,7 @@ function initDistortionElementPrepend$LWS({
|
|
|
6644
6689
|
// element child, which is limited to script and link, an
|
|
6645
6690
|
// exception is thrown.
|
|
6646
6691
|
if (!isAllowedSharedElementChild$2$LWS(argValue$LWS)) {
|
|
6647
|
-
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */
|
|
6692
|
+
const nodeNameOrString$LWS = argValue$LWS instanceof Node$LWS ? ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, argValue$LWS, []) : /* istanbul ignore next: currently unreachable via tests */toSafeStringValue$LWS(argValue$LWS);
|
|
6648
6693
|
throw new LockerSecurityError$LWS(`Cannot prepend ${nodeNameOrString$LWS} to ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6649
6694
|
}
|
|
6650
6695
|
}
|
|
@@ -6656,7 +6701,7 @@ function initDistortionElementPrepend$LWS({
|
|
|
6656
6701
|
};
|
|
6657
6702
|
}
|
|
6658
6703
|
const {
|
|
6659
|
-
isSharedElement: isSharedElement$
|
|
6704
|
+
isSharedElement: isSharedElement$j$LWS
|
|
6660
6705
|
} = rootValidator$LWS;
|
|
6661
6706
|
function initDistortionElementRemove$LWS({
|
|
6662
6707
|
globalObject: {
|
|
@@ -6669,7 +6714,7 @@ function initDistortionElementRemove$LWS({
|
|
|
6669
6714
|
}) {
|
|
6670
6715
|
const distortionEntry$LWS = [originalRemove$LWS, function remove$LWS() {
|
|
6671
6716
|
// istanbul ignore else: needs default platform behavior test
|
|
6672
|
-
if (isSharedElement$
|
|
6717
|
+
if (isSharedElement$j$LWS(this)) {
|
|
6673
6718
|
throw new LockerSecurityError$LWS(`Cannot remove ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6674
6719
|
}
|
|
6675
6720
|
ReflectApply$LWS$1(originalRemove$LWS, this, []);
|
|
@@ -6679,7 +6724,7 @@ function initDistortionElementRemove$LWS({
|
|
|
6679
6724
|
};
|
|
6680
6725
|
}
|
|
6681
6726
|
const {
|
|
6682
|
-
isSharedElement: isSharedElement$
|
|
6727
|
+
isSharedElement: isSharedElement$i$LWS
|
|
6683
6728
|
} = rootValidator$LWS;
|
|
6684
6729
|
function initDistortionElementReplaceChildren$LWS({
|
|
6685
6730
|
globalObject: {
|
|
@@ -6692,7 +6737,7 @@ function initDistortionElementReplaceChildren$LWS({
|
|
|
6692
6737
|
}) {
|
|
6693
6738
|
const distortionEntry$LWS = [originalReplaceChildren$LWS, function replaceChildren$LWS(...args$LWS) {
|
|
6694
6739
|
// istanbul ignore else: needs default platform behavior test
|
|
6695
|
-
if (isSharedElement$
|
|
6740
|
+
if (isSharedElement$i$LWS(this)) {
|
|
6696
6741
|
throw new LockerSecurityError$LWS(`Cannot replace children of ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6697
6742
|
}
|
|
6698
6743
|
return ReflectApply$LWS$1(originalReplaceChildren$LWS, this, args$LWS);
|
|
@@ -6702,7 +6747,7 @@ function initDistortionElementReplaceChildren$LWS({
|
|
|
6702
6747
|
};
|
|
6703
6748
|
}
|
|
6704
6749
|
const {
|
|
6705
|
-
isSharedElement: isSharedElement$
|
|
6750
|
+
isSharedElement: isSharedElement$h$LWS
|
|
6706
6751
|
} = rootValidator$LWS;
|
|
6707
6752
|
function initDistortionElementReplaceWith$LWS({
|
|
6708
6753
|
globalObject: {
|
|
@@ -6715,7 +6760,7 @@ function initDistortionElementReplaceWith$LWS({
|
|
|
6715
6760
|
}) {
|
|
6716
6761
|
const distortionEntry$LWS = [originalReplaceWith$LWS, function replaceWith$LWS(...args$LWS) {
|
|
6717
6762
|
// istanbul ignore else: needs default platform behavior test
|
|
6718
|
-
if (isSharedElement$
|
|
6763
|
+
if (isSharedElement$h$LWS(this)) {
|
|
6719
6764
|
throw new LockerSecurityError$LWS(`Cannot replace ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6720
6765
|
}
|
|
6721
6766
|
return ReflectApply$LWS$1(originalReplaceWith$LWS, this, args$LWS);
|
|
@@ -6736,8 +6781,8 @@ function initDistortionElementSetAttribute$LWS({
|
|
|
6736
6781
|
return function distortionElementSetAttribute$LWS(record$LWS) {
|
|
6737
6782
|
return [originalSetAttribute$LWS, function setAttribute$LWS(...args$LWS) {
|
|
6738
6783
|
if (args$LWS.length > 1) {
|
|
6739
|
-
const attrName$LWS = normalizeNamespacedAttributeName$LWS(
|
|
6740
|
-
const attrValue$LWS =
|
|
6784
|
+
const attrName$LWS = normalizeNamespacedAttributeName$LWS(toSafeStringValue$LWS(args$LWS[0]));
|
|
6785
|
+
const attrValue$LWS = toSafeStringValue$LWS(args$LWS[1]);
|
|
6741
6786
|
const distortion$LWS = getAttributeDistortion$LWS(record$LWS, this, attrName$LWS);
|
|
6742
6787
|
if (distortion$LWS) {
|
|
6743
6788
|
ReflectApply$LWS$1(distortion$LWS, this, [attrValue$LWS]);
|
|
@@ -6890,10 +6935,10 @@ function initDistortionElementSetAttributeNS$LWS({
|
|
|
6890
6935
|
0: attrNamespace$LWS
|
|
6891
6936
|
} = args$LWS;
|
|
6892
6937
|
if (attrNamespace$LWS !== null && attrNamespace$LWS !== undefined) {
|
|
6893
|
-
attrNamespace$LWS =
|
|
6938
|
+
attrNamespace$LWS = toSafeStringValue$LWS(attrNamespace$LWS);
|
|
6894
6939
|
}
|
|
6895
|
-
const attrName$LWS = normalizeNamespacedAttributeName$LWS(
|
|
6896
|
-
const attrValue$LWS =
|
|
6940
|
+
const attrName$LWS = normalizeNamespacedAttributeName$LWS(toSafeStringValue$LWS(args$LWS[1]));
|
|
6941
|
+
const attrValue$LWS = toSafeStringValue$LWS(args$LWS[2]);
|
|
6897
6942
|
const normalizedNamespace$LWS = normalizeNamespace$LWS(attrNamespace$LWS);
|
|
6898
6943
|
const distortion$LWS = getAttributeDistortion$LWS(record$LWS, this, attrName$LWS, normalizedNamespace$LWS);
|
|
6899
6944
|
// istanbul ignore else: needs default platform behavior test
|
|
@@ -6921,8 +6966,8 @@ function initDistortionElementSetAttributeNS$LWS({
|
|
|
6921
6966
|
};
|
|
6922
6967
|
}
|
|
6923
6968
|
const {
|
|
6924
|
-
isInherentlyUnsecure: isInherentlyUnsecure$LWS,
|
|
6925
|
-
isSharedElement: isSharedElement$
|
|
6969
|
+
isInherentlyUnsecure: isInherentlyUnsecure$1$LWS,
|
|
6970
|
+
isSharedElement: isSharedElement$g$LWS
|
|
6926
6971
|
} = rootValidator$LWS;
|
|
6927
6972
|
function initDistortionElementSetHTML$LWS({
|
|
6928
6973
|
document: document$LWS,
|
|
@@ -6948,7 +6993,7 @@ function initDistortionElementSetHTML$LWS({
|
|
|
6948
6993
|
const isOwnerXMLDocument$LWS = ReflectApply$LWS$1(NodeProtoOwnerDocumentGetter$LWS, this, []) instanceof XMLDocument$LWS;
|
|
6949
6994
|
if (!isOwnerXMLDocument$LWS) {
|
|
6950
6995
|
// istanbul ignore else: needs default platform behavior test
|
|
6951
|
-
if (isSharedElement$
|
|
6996
|
+
if (isSharedElement$g$LWS(this)) {
|
|
6952
6997
|
throw new LockerSecurityError$LWS(`Cannot setHTML of ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
6953
6998
|
}
|
|
6954
6999
|
// This must be called to signal to the virtual
|
|
@@ -6961,7 +7006,7 @@ function initDistortionElementSetHTML$LWS({
|
|
|
6961
7006
|
const value$LWS = args$LWS[0];
|
|
6962
7007
|
const contentType$LWS = this instanceof SVGElement$LWS ? ContentType$LWS.SVG : ContentType$LWS.HTML;
|
|
6963
7008
|
args$LWS[0] = lwsInternalPolicy$LWS.createHTML(value$LWS, key$LWS, contentType$LWS);
|
|
6964
|
-
if (isInherentlyUnsecure$LWS(args$LWS[0])) {
|
|
7009
|
+
if (isInherentlyUnsecure$1$LWS(args$LWS[0])) {
|
|
6965
7010
|
throw new LockerSecurityError$LWS(`Cannot 'setHTML' using an unsecure ${toSafeTemplateStringValue$LWS(args$LWS[0])}.`);
|
|
6966
7011
|
}
|
|
6967
7012
|
}
|
|
@@ -6969,6 +7014,68 @@ function initDistortionElementSetHTML$LWS({
|
|
|
6969
7014
|
}];
|
|
6970
7015
|
};
|
|
6971
7016
|
}
|
|
7017
|
+
const {
|
|
7018
|
+
isInherentlyUnsecure: isInherentlyUnsecure$LWS,
|
|
7019
|
+
isSharedElement: isSharedElement$f$LWS
|
|
7020
|
+
} = rootValidator$LWS;
|
|
7021
|
+
function initDistortionElementSetHTMLUnsafe$LWS({
|
|
7022
|
+
document: document$LWS,
|
|
7023
|
+
globalObject: {
|
|
7024
|
+
Element: Element$LWS,
|
|
7025
|
+
Element: {
|
|
7026
|
+
prototype: {
|
|
7027
|
+
setHTMLUnsafe: originalSetHTMLUnsafe$LWS
|
|
7028
|
+
}
|
|
7029
|
+
},
|
|
7030
|
+
HTMLScriptElement: HTMLScriptElement$LWS,
|
|
7031
|
+
SVGElement: SVGElement$LWS,
|
|
7032
|
+
XMLDocument: XMLDocument$LWS
|
|
7033
|
+
},
|
|
7034
|
+
root: {
|
|
7035
|
+
distortions: distortions$LWS
|
|
7036
|
+
}
|
|
7037
|
+
}) {
|
|
7038
|
+
// istanbul ignore if: currently unreachable via tests
|
|
7039
|
+
if (typeof originalSetHTMLUnsafe$LWS !== 'function') {
|
|
7040
|
+
return noop$LWS$1;
|
|
7041
|
+
}
|
|
7042
|
+
return function distortionElementSetHTMLUnsafe$LWS({
|
|
7043
|
+
key: key$LWS,
|
|
7044
|
+
sandboxEvaluator: sandboxEvaluator$LWS
|
|
7045
|
+
}) {
|
|
7046
|
+
const {
|
|
7047
|
+
get: originalInnerHTMLGetter$LWS,
|
|
7048
|
+
set: originalInnerHTMLSetter$LWS
|
|
7049
|
+
} = ReflectGetOwnPropertyDescriptor$LWS(Element$LWS.prototype, 'innerHTML');
|
|
7050
|
+
return [originalSetHTMLUnsafe$LWS, function innerHTML$LWS(value$LWS) {
|
|
7051
|
+
const isOwnerXMLDocument$LWS = ReflectApply$LWS$1(NodeProtoOwnerDocumentGetter$LWS, this, []) instanceof XMLDocument$LWS;
|
|
7052
|
+
if (!isOwnerXMLDocument$LWS) {
|
|
7053
|
+
// istanbul ignore else: needs default platform behavior test
|
|
7054
|
+
if (isSharedElement$f$LWS(this)) {
|
|
7055
|
+
throw new LockerSecurityError$LWS(`Cannot 'setHTMLUnsafe' of ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, this, [])}.`);
|
|
7056
|
+
}
|
|
7057
|
+
// This is necessary to support script.setHTMLUnsafe(...)
|
|
7058
|
+
if (this instanceof HTMLScriptElement$LWS || this instanceof SVGScriptElement) {
|
|
7059
|
+
const scriptWasNotEvaluatedInScriptPropertySetter$LWS = scriptPropertySetters$LWS(this, 'innerHTML', trusted.createScript(value$LWS), originalInnerHTMLGetter$LWS, originalInnerHTMLSetter$LWS, distortions$LWS, sandboxEvaluator$LWS, trusted.createScript(SCRIPT_HOOK_SOURCE_TEXT$LWS));
|
|
7060
|
+
if (scriptWasNotEvaluatedInScriptPropertySetter$LWS) {
|
|
7061
|
+
return;
|
|
7062
|
+
}
|
|
7063
|
+
}
|
|
7064
|
+
// This must be called to signal to the virtual
|
|
7065
|
+
// CustomElementRegistry that the next thing created
|
|
7066
|
+
// MAY CONTAIN a custom element, which must be marked for
|
|
7067
|
+
// association to this sandbox.
|
|
7068
|
+
setCustomElementsRegistry$LWS(document$LWS, key$LWS);
|
|
7069
|
+
const contentType$LWS = this instanceof SVGElement$LWS ? ContentType$LWS.SVG : ContentType$LWS.HTML;
|
|
7070
|
+
value$LWS = lwsInternalPolicy$LWS.createHTML(value$LWS, key$LWS, contentType$LWS);
|
|
7071
|
+
}
|
|
7072
|
+
if (isInherentlyUnsecure$LWS(value$LWS)) {
|
|
7073
|
+
throw new LockerSecurityError$LWS(`Cannot 'setHTMLUnsafe' using an unsecure ${toSafeTemplateStringValue$LWS(value$LWS)}.`);
|
|
7074
|
+
}
|
|
7075
|
+
ReflectApply$LWS$1(originalSetHTMLUnsafe$LWS, this, [value$LWS]);
|
|
7076
|
+
}];
|
|
7077
|
+
};
|
|
7078
|
+
}
|
|
6972
7079
|
function initDistortionElementShadowRootGetter$LWS({
|
|
6973
7080
|
globalObject: {
|
|
6974
7081
|
Element: Element$LWS
|
|
@@ -7004,7 +7111,7 @@ function initDistortionElementToggleAttribute$LWS({
|
|
|
7004
7111
|
} = args$LWS;
|
|
7005
7112
|
// istanbul ignore else: needs default platform behavior test
|
|
7006
7113
|
if (length$LWS > 0) {
|
|
7007
|
-
const attrName$LWS =
|
|
7114
|
+
const attrName$LWS = toSafeStringValue$LWS(args$LWS[0]);
|
|
7008
7115
|
const distortion$LWS = getAttributeDistortion$LWS(record$LWS, this, attrName$LWS);
|
|
7009
7116
|
// istanbul ignore else: needs default platform behavior test
|
|
7010
7117
|
if (distortion$LWS) {
|
|
@@ -7041,7 +7148,7 @@ function initDistortionEval$LWS({
|
|
|
7041
7148
|
}) {
|
|
7042
7149
|
return [originalEval$LWS, function (sourceText$LWS) {
|
|
7043
7150
|
throwIfMarkedAsUnsafeInChildWindow$LWS(virtualEnvironmentEvaluator$LWS, 'eval');
|
|
7044
|
-
return sandboxEvaluator$LWS(transformSourceText$LWS(
|
|
7151
|
+
return sandboxEvaluator$LWS(transformSourceText$LWS(toSafeStringValue$LWS(sourceText$LWS)), UNCOMPILED_CONTEXT$LWS);
|
|
7045
7152
|
}];
|
|
7046
7153
|
};
|
|
7047
7154
|
}
|
|
@@ -7125,7 +7232,7 @@ function initDistortionEventTargetAddEventListener$LWS({
|
|
|
7125
7232
|
// should fail if less than 2 arguments are provided.
|
|
7126
7233
|
// istanbul ignore else: needs default platform behavior test
|
|
7127
7234
|
if (length$LWS > 1) {
|
|
7128
|
-
const eventName$LWS =
|
|
7235
|
+
const eventName$LWS = toSafeStringValue$LWS(args$LWS[0]);
|
|
7129
7236
|
if (isEventTargetRestricted$LWS(record$LWS, this, eventName$LWS)) {
|
|
7130
7237
|
throw new LockerSecurityError$LWS(createEventListenerExceptionMessage$LWS(this, eventName$LWS));
|
|
7131
7238
|
}
|
|
@@ -7160,7 +7267,7 @@ function initDistortionFunction$LWS({
|
|
|
7160
7267
|
return ReflectApply$LWS$1(sandboxFuncCtor$LWS, this, []);
|
|
7161
7268
|
}
|
|
7162
7269
|
const lastIndex$LWS = length$LWS - 1;
|
|
7163
|
-
const funcBody$LWS =
|
|
7270
|
+
const funcBody$LWS = toSafeStringValue$LWS(args$LWS[lastIndex$LWS]);
|
|
7164
7271
|
// Validate parsing the function body.
|
|
7165
7272
|
ReflectApply$LWS$1(sandboxFuncCtor$LWS, this, [funcBody$LWS]);
|
|
7166
7273
|
// Make function body empty to create the wire-frame.
|
|
@@ -7316,6 +7423,16 @@ function initDistortionHTMLElementInnerTextSetter$LWS({
|
|
|
7316
7423
|
return distortionEntry$LWS;
|
|
7317
7424
|
};
|
|
7318
7425
|
}
|
|
7426
|
+
function initDistortionHTMLElementOnsecuritypolicyviolation$LWS({
|
|
7427
|
+
globalObject: {
|
|
7428
|
+
HTMLElement: {
|
|
7429
|
+
prototype: HTMLElementProto$LWS
|
|
7430
|
+
},
|
|
7431
|
+
HTMLElement: HTMLElement$LWS
|
|
7432
|
+
}
|
|
7433
|
+
}) {
|
|
7434
|
+
return createEventDistortionFactory$LWS(HTMLElementProto$LWS, HTMLElement$LWS, 'securitypolicyviolation');
|
|
7435
|
+
}
|
|
7319
7436
|
const {
|
|
7320
7437
|
isSharedElement: isSharedElement$d$LWS
|
|
7321
7438
|
} = rootValidator$LWS;
|
|
@@ -7405,12 +7522,77 @@ function initDistortionIFrameElementContentWindowGetter$LWS({
|
|
|
7405
7522
|
return distortionEntry$LWS;
|
|
7406
7523
|
};
|
|
7407
7524
|
}
|
|
7408
|
-
function
|
|
7409
|
-
|
|
7410
|
-
|
|
7411
|
-
|
|
7525
|
+
function initDistortionHTMLIFrameElementSandboxGetter$LWS({
|
|
7526
|
+
globalObject: {
|
|
7527
|
+
HTMLIFrameElement: HTMLIFrameElement$LWS
|
|
7528
|
+
}
|
|
7529
|
+
}) {
|
|
7530
|
+
const originalSandboxGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLIFrameElement$LWS.prototype, 'sandbox');
|
|
7531
|
+
return function distortionHTMLIFrameElementSandboxGetter$LWS({
|
|
7532
|
+
key: key$LWS
|
|
7533
|
+
}) {
|
|
7534
|
+
return [originalSandboxGetter$LWS, function sandbox$LWS() {
|
|
7535
|
+
const sandboxTokenList$LWS = ReflectApply$LWS$1(HTMLIFrameElementProtoSandboxGetter$LWS, this, []);
|
|
7536
|
+
if (isGaterEnabledFeature$LWS(ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS) && isNotAllowedToOverrideGaterEnabledFeature$LWS(key$LWS, ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS)) {
|
|
7537
|
+
// By returning a "copy" of the real "sandbox" DOMTokenList as an array of strings, LWS ensures
|
|
7538
|
+
// that the real "sandbox" DOMTokenList is not accessible from code within the LWS sandbox.
|
|
7539
|
+
return [...sandboxTokenList$LWS];
|
|
7540
|
+
}
|
|
7541
|
+
// istanbul ignore next: this line is untested because tests are run with all gates enabled.
|
|
7542
|
+
return sandboxTokenList$LWS;
|
|
7543
|
+
}];
|
|
7544
|
+
};
|
|
7545
|
+
}
|
|
7546
|
+
const ABOUT_BLANK_TOKEN$LWS = 'about:blank';
|
|
7547
|
+
const ALLOW_SAME_ORIGIN_TOKEN$LWS = 'allow-same-origin';
|
|
7548
|
+
const ALLOW_SCRIPTS_TOKEN$LWS = 'allow-scripts';
|
|
7549
|
+
const sameOriginSandboxedByLWS$LWS = toSafeWeakSet$LWS$1(new WeakSetCtor$LWS$1());
|
|
7550
|
+
function enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(iframe$LWS) {
|
|
7551
|
+
const sandboxTokenList$LWS = ReflectApply$LWS$1(HTMLIFrameElementProtoSandboxGetter$LWS, iframe$LWS, []);
|
|
7552
|
+
const srcValue$LWS = ReflectApply$LWS$1(HTMLIFrameElementProtoSrcGetter$LWS, iframe$LWS, []);
|
|
7553
|
+
// Before adding "allow-scripts", check that "allow-same-origin" isn't present. If it is,
|
|
7554
|
+
// throw an exception because LWS cannot allow an iframe created by component code to
|
|
7555
|
+
// have sandbox="allow-same-origin allow-scripts", because that would enable access to
|
|
7556
|
+
// the top level global object.
|
|
7557
|
+
if (ReflectApply$LWS$1(DOMTokenListProtoContains$LWS, sandboxTokenList$LWS, [ALLOW_SAME_ORIGIN_TOKEN$LWS])) {
|
|
7558
|
+
// Remove the 'allow-same-origin' sandbox token and throw an exception. This prevents
|
|
7559
|
+
// component code from wrapping the operation in a try catch and then exploiting
|
|
7560
|
+
// the iframe that may now have "allow-scripts allow-same-origin".
|
|
7561
|
+
ReflectApply$LWS$1(DOMTokenListProtoRemove$LWS, sandboxTokenList$LWS, [ALLOW_SAME_ORIGIN_TOKEN$LWS]);
|
|
7562
|
+
throw new LockerSecurityError$LWS('HTMLIFrameElement.sandbox cannot be set to "allow-same-origin"');
|
|
7563
|
+
}
|
|
7564
|
+
if (srcValue$LWS !== '' && srcValue$LWS !== ABOUT_BLANK_TOKEN$LWS) {
|
|
7565
|
+
// If there is a valid src value and it is not "about:blank", parse it and
|
|
7566
|
+
// compare it to the top level window's location.origin. We don't want to
|
|
7567
|
+
// impose the sandbox="allow-scripts" on cross-origin iframes.
|
|
7568
|
+
try {
|
|
7569
|
+
const srcUrlOrigin$LWS = ReflectApply$LWS$1(URLProtoOriginGetter$LWS, new URLCtor$LWS(srcValue$LWS), []);
|
|
7570
|
+
// If this iframe.src is cross-origin, let the browser take care of security.
|
|
7571
|
+
if (srcUrlOrigin$LWS && srcUrlOrigin$LWS !== rootWindow$LWS$1.location.origin) {
|
|
7572
|
+
return;
|
|
7573
|
+
}
|
|
7574
|
+
} catch (_unused2$LWS) {
|
|
7575
|
+
/* empty */
|
|
7576
|
+
}
|
|
7577
|
+
if (!ReflectApply$LWS$1(DOMTokenListProtoContains$LWS, sandboxTokenList$LWS, [ALLOW_SCRIPTS_TOKEN$LWS])) {
|
|
7578
|
+
// Track that LWS added this token
|
|
7579
|
+
sameOriginSandboxedByLWS$LWS.add(iframe$LWS);
|
|
7580
|
+
ReflectApply$LWS$1(DOMTokenListProtoAdd$LWS, sandboxTokenList$LWS, [ALLOW_SCRIPTS_TOKEN$LWS]);
|
|
7581
|
+
}
|
|
7582
|
+
} else {
|
|
7583
|
+
if (srcValue$LWS === ABOUT_BLANK_TOKEN$LWS && sameOriginSandboxedByLWS$LWS.has(iframe$LWS)) {
|
|
7584
|
+
// If the sandboxed code is navigated away from a same origin url,
|
|
7585
|
+
// to "about:blank", and the only token is the one we created,
|
|
7586
|
+
// then we can remove the sandbox attribute entirely.
|
|
7587
|
+
sameOriginSandboxedByLWS$LWS.delete(iframe$LWS);
|
|
7588
|
+
ReflectApply$LWS$1(DOMTokenListProtoRemove$LWS, sandboxTokenList$LWS, [ALLOW_SCRIPTS_TOKEN$LWS]);
|
|
7589
|
+
// If after removing ALLOW_SCRIPTS_TOKEN, the sandbox attribute is empty,
|
|
7590
|
+
// we can remove it entirely.
|
|
7591
|
+
if (ReflectApply$LWS$1(DOMTokenListProtoLengthGetter$LWS, sandboxTokenList$LWS, []) === 0) {
|
|
7592
|
+
ReflectApply$LWS$1(ElementProtoRemoveAttribute$LWS, iframe$LWS, ['sandbox']);
|
|
7593
|
+
}
|
|
7594
|
+
}
|
|
7412
7595
|
}
|
|
7413
|
-
ReflectApply$LWS$1(HTMLIFrameElementProtoSrcSetter$LWS, this, [urlString$LWS]);
|
|
7414
7596
|
}
|
|
7415
7597
|
function initDistortionHTMLIFrameElementSrcSetter$LWS({
|
|
7416
7598
|
globalObject: {
|
|
@@ -7418,10 +7600,40 @@ function initDistortionHTMLIFrameElementSrcSetter$LWS({
|
|
|
7418
7600
|
}
|
|
7419
7601
|
}) {
|
|
7420
7602
|
const originalSrcSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLIFrameElement$LWS.prototype, 'src');
|
|
7421
|
-
const distortionMapEntry$LWS = [originalSrcSetter$LWS, src$LWS];
|
|
7422
7603
|
return function distortionHTMLIFrameElementSrcSetter$LWS(record$LWS) {
|
|
7604
|
+
function src$LWS(value$LWS) {
|
|
7605
|
+
const normalizedSrcValue$LWS = toSafeStringValue$LWS(value$LWS);
|
|
7606
|
+
// If the string being set to iframe.src is not an empty string, sanitize it for assignment
|
|
7607
|
+
// to iframe.src. If it is an empty string, let it be and proceed.
|
|
7608
|
+
// Otherwise, take no action.
|
|
7609
|
+
const urlString$LWS = normalizedSrcValue$LWS !== '' ? sanitizeURLForElement$LWS(normalizedSrcValue$LWS) : '';
|
|
7610
|
+
if (urlString$LWS && !isValidURLScheme$LWS(urlString$LWS)) {
|
|
7611
|
+
throw new LockerSecurityError$LWS('HTMLIFrameElement.src supports http://, https:// schemes, relative urls and about:blank.');
|
|
7612
|
+
}
|
|
7613
|
+
ReflectApply$LWS$1(HTMLIFrameElementProtoSrcSetter$LWS, this, [urlString$LWS]);
|
|
7614
|
+
if (isGaterEnabledFeature$LWS(ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS) && isNotAllowedToOverrideGaterEnabledFeature$LWS(record$LWS.key, ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS)) {
|
|
7615
|
+
enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(this);
|
|
7616
|
+
}
|
|
7617
|
+
}
|
|
7423
7618
|
registerAttributeDistortion$LWS(record$LWS, HTMLIFrameElement$LWS, 'src', NAMESPACE_DEFAULT$LWS, src$LWS);
|
|
7424
|
-
return
|
|
7619
|
+
return [originalSrcSetter$LWS, src$LWS];
|
|
7620
|
+
};
|
|
7621
|
+
}
|
|
7622
|
+
function initDistortionHTMLIFrameElementSandboxSetter$LWS({
|
|
7623
|
+
globalObject: {
|
|
7624
|
+
HTMLIFrameElement: HTMLIFrameElement$LWS
|
|
7625
|
+
}
|
|
7626
|
+
}) {
|
|
7627
|
+
const originalSandboxSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLIFrameElement$LWS.prototype, 'sandbox');
|
|
7628
|
+
return function distortionHTMLIFrameElementSandboxSetter$LWS(record$LWS) {
|
|
7629
|
+
function sandbox$LWS(value$LWS) {
|
|
7630
|
+
ReflectApply$LWS$1(HTMLIFrameElementProtoSandboxSetter$LWS, this, [value$LWS]);
|
|
7631
|
+
if (isGaterEnabledFeature$LWS(ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS) && isNotAllowedToOverrideGaterEnabledFeature$LWS(record$LWS.key, ENABLE_SANDBOXED_SAMEORIGIN_IFRAME_GATE$LWS)) {
|
|
7632
|
+
enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(this);
|
|
7633
|
+
}
|
|
7634
|
+
}
|
|
7635
|
+
registerAttributeDistortion$LWS(record$LWS, HTMLIFrameElement$LWS, 'sandbox', NAMESPACE_DEFAULT$LWS, sandbox$LWS);
|
|
7636
|
+
return [originalSandboxSetter$LWS, sandbox$LWS];
|
|
7425
7637
|
};
|
|
7426
7638
|
}
|
|
7427
7639
|
const importRegExp$LWS = /import/i;
|
|
@@ -7436,7 +7648,7 @@ function initDistortionHTMLLinkElementRelSetter$LWS({
|
|
|
7436
7648
|
}) {
|
|
7437
7649
|
const originalRelSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLLinkElement$LWS.prototype, 'rel');
|
|
7438
7650
|
function rel$LWS(value$LWS) {
|
|
7439
|
-
const valueAsString$LWS =
|
|
7651
|
+
const valueAsString$LWS = toSafeStringValue$LWS(value$LWS);
|
|
7440
7652
|
if (isValidRelValue$LWS(valueAsString$LWS)) {
|
|
7441
7653
|
ReflectApply$LWS$1(originalRelSetter$LWS, this, [valueAsString$LWS]);
|
|
7442
7654
|
return;
|
|
@@ -7457,7 +7669,7 @@ function initDistortionHTMLLinkElementRelListSetter$LWS({
|
|
|
7457
7669
|
}) {
|
|
7458
7670
|
const originalRelListSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLLinkElement$LWS.prototype, 'relList');
|
|
7459
7671
|
const distortionEntry$LWS = [originalRelListSetter$LWS, function relList$LWS(relListValue$LWS) {
|
|
7460
|
-
const string$LWS = relList$LWS instanceof DOMTokenList$LWS ? /* istanbul ignore next: needs default platform behavior test */ReflectApply$LWS$1(DOMTokenListProtoValueGetter$LWS, relListValue$LWS, []) :
|
|
7672
|
+
const string$LWS = relList$LWS instanceof DOMTokenList$LWS ? /* istanbul ignore next: needs default platform behavior test */ReflectApply$LWS$1(DOMTokenListProtoValueGetter$LWS, relListValue$LWS, []) : toSafeStringValue$LWS(relListValue$LWS);
|
|
7461
7673
|
if (isValidRelValue$LWS(string$LWS)) {
|
|
7462
7674
|
ReflectApply$LWS$1(originalRelListSetter$LWS, this, [string$LWS]);
|
|
7463
7675
|
return;
|
|
@@ -7777,6 +7989,16 @@ function initDistortionIDBObjectStorePut$LWS({
|
|
|
7777
7989
|
return distortionEntry$LWS;
|
|
7778
7990
|
};
|
|
7779
7991
|
}
|
|
7992
|
+
function initDistortionMathMLElementOnsecuritypolicyviolation$LWS({
|
|
7993
|
+
globalObject: {
|
|
7994
|
+
MathMLElement: {
|
|
7995
|
+
prototype: MathMLElementProto$LWS
|
|
7996
|
+
},
|
|
7997
|
+
MathMLElement: MathMLElement$LWS
|
|
7998
|
+
}
|
|
7999
|
+
}) {
|
|
8000
|
+
return createEventDistortionFactory$LWS(MathMLElementProto$LWS, MathMLElement$LWS, 'securitypolicyviolation');
|
|
8001
|
+
}
|
|
7780
8002
|
function initDistortionMessagePortPostMessage$LWS({
|
|
7781
8003
|
globalObject: {
|
|
7782
8004
|
DOMException: DOMException$LWS,
|
|
@@ -7868,7 +8090,7 @@ function initDistortionNavigatorSendBeacon$LWS({
|
|
|
7868
8090
|
}) {
|
|
7869
8091
|
const distortionEntry$LWS = [originalSendBeacon$LWS, function sendBeacon$LWS(...args$LWS) {
|
|
7870
8092
|
if (args$LWS.length) {
|
|
7871
|
-
const parsedURL$LWS = parseURL$LWS(
|
|
8093
|
+
const parsedURL$LWS = parseURL$LWS(toSafeStringValue$LWS(args$LWS[0]));
|
|
7872
8094
|
if (!isValidURL$LWS(parsedURL$LWS)) {
|
|
7873
8095
|
throw new LockerSecurityError$LWS(`Cannot request disallowed endpoint: ${parsedURL$LWS.normalizedURL}`);
|
|
7874
8096
|
}
|
|
@@ -8389,7 +8611,7 @@ const {
|
|
|
8389
8611
|
isSharedElement: isSharedElement$5$LWS
|
|
8390
8612
|
} = rootValidator$LWS;
|
|
8391
8613
|
function createRangeProtoMethodDistortionFactoryInitializer$LWS(methodName$LWS) {
|
|
8392
|
-
return function
|
|
8614
|
+
return function initDistortionRangeProtoMethod$LWS({
|
|
8393
8615
|
globalObject: {
|
|
8394
8616
|
Range: {
|
|
8395
8617
|
// @ts-ignore: Prevent index type error.
|
|
@@ -8419,7 +8641,7 @@ function createRangeProtoMethodDistortionFactoryInitializer$LWS(methodName$LWS)
|
|
|
8419
8641
|
}
|
|
8420
8642
|
};
|
|
8421
8643
|
const distortionEntry$LWS = [originalMethod$LWS, distortion$LWS];
|
|
8422
|
-
return function
|
|
8644
|
+
return function distortionRangeProtoMethod$LWS() {
|
|
8423
8645
|
return distortionEntry$LWS;
|
|
8424
8646
|
};
|
|
8425
8647
|
};
|
|
@@ -8613,6 +8835,33 @@ function initDistortionShadowRootInnerHTMLSetter$LWS({
|
|
|
8613
8835
|
}];
|
|
8614
8836
|
};
|
|
8615
8837
|
}
|
|
8838
|
+
function initDistortionShadowRootSetHTMLUnsafe$LWS({
|
|
8839
|
+
document: document$LWS,
|
|
8840
|
+
globalObject: {
|
|
8841
|
+
ShadowRoot: {
|
|
8842
|
+
prototype: {
|
|
8843
|
+
setHTMLUnsafe: originalSetHTMLUnsafe$LWS
|
|
8844
|
+
}
|
|
8845
|
+
}
|
|
8846
|
+
}
|
|
8847
|
+
}) {
|
|
8848
|
+
// istanbul ignore if: currently unreachable via tests
|
|
8849
|
+
if (typeof originalSetHTMLUnsafe$LWS !== 'function') {
|
|
8850
|
+
return noop$LWS$1;
|
|
8851
|
+
}
|
|
8852
|
+
return function distortionShadowRootSetHTMLUnsafe$LWS({
|
|
8853
|
+
key: key$LWS
|
|
8854
|
+
}) {
|
|
8855
|
+
return [originalSetHTMLUnsafe$LWS, function setHTMLUnsafe$LWS(value$LWS) {
|
|
8856
|
+
// This must be called to signal to the virtual
|
|
8857
|
+
// CustomElementRegistry that the next thing created
|
|
8858
|
+
// MAY CONTAIN a custom element, which must be marked for
|
|
8859
|
+
// association to this sandbox.
|
|
8860
|
+
setCustomElementsRegistry$LWS(document$LWS, key$LWS);
|
|
8861
|
+
ReflectApply$LWS$1(originalSetHTMLUnsafe$LWS, this, [lwsInternalPolicy$LWS.createHTML(value$LWS, key$LWS, ContentType$LWS.HTML)]);
|
|
8862
|
+
}];
|
|
8863
|
+
};
|
|
8864
|
+
}
|
|
8616
8865
|
function SharedWorker$LWS(scriptURL$LWS) {
|
|
8617
8866
|
throw new LockerSecurityError$LWS(`Cannot create SharedWorker with ${toSafeTemplateStringValue$LWS(scriptURL$LWS)}.`);
|
|
8618
8867
|
}
|
|
@@ -8824,7 +9073,7 @@ class PatchedStorage$LWS {
|
|
|
8824
9073
|
storage: storage$LWS
|
|
8825
9074
|
} = getStorageMetaOrThrowInvalidInvocation$LWS(this);
|
|
8826
9075
|
if (args$LWS.length) {
|
|
8827
|
-
args$LWS[0] = prependStorageNamespaceMarker$LWS(
|
|
9076
|
+
args$LWS[0] = prependStorageNamespaceMarker$LWS(toSafeStringValue$LWS(args$LWS[0]), namespace$LWS);
|
|
8828
9077
|
}
|
|
8829
9078
|
return ReflectApply$LWS$1(StorageProtoGetItem$LWS, storage$LWS, args$LWS);
|
|
8830
9079
|
}
|
|
@@ -8834,8 +9083,8 @@ class PatchedStorage$LWS {
|
|
|
8834
9083
|
storage: storage$LWS
|
|
8835
9084
|
} = getStorageMetaOrThrowInvalidInvocation$LWS(this);
|
|
8836
9085
|
if (args$LWS.length > 1) {
|
|
8837
|
-
args$LWS[0] = prependStorageNamespaceMarker$LWS(
|
|
8838
|
-
args$LWS[1] =
|
|
9086
|
+
args$LWS[0] = prependStorageNamespaceMarker$LWS(toSafeStringValue$LWS(args$LWS[0]), namespace$LWS);
|
|
9087
|
+
args$LWS[1] = toSafeStringValue$LWS(args$LWS[1]);
|
|
8839
9088
|
}
|
|
8840
9089
|
ReflectApply$LWS$1(StorageProtoSetItem$LWS, storage$LWS, args$LWS);
|
|
8841
9090
|
}
|
|
@@ -8845,7 +9094,7 @@ class PatchedStorage$LWS {
|
|
|
8845
9094
|
storage: storage$LWS
|
|
8846
9095
|
} = getStorageMetaOrThrowInvalidInvocation$LWS(this);
|
|
8847
9096
|
if (args$LWS.length) {
|
|
8848
|
-
args$LWS[0] = prependStorageNamespaceMarker$LWS(
|
|
9097
|
+
args$LWS[0] = prependStorageNamespaceMarker$LWS(toSafeStringValue$LWS(args$LWS[0]), namespace$LWS);
|
|
8849
9098
|
}
|
|
8850
9099
|
ReflectApply$LWS$1(StorageProtoRemoveItem$LWS, storage$LWS, args$LWS);
|
|
8851
9100
|
}
|
|
@@ -8895,7 +9144,7 @@ function createDistortionStorageFactoryInitializer$LWS(storageName$LWS) {
|
|
|
8895
9144
|
try {
|
|
8896
9145
|
originalStorageObject$LWS = globalObject$LWS[storageName$LWS];
|
|
8897
9146
|
// eslint-disable-next-line no-empty
|
|
8898
|
-
} catch (
|
|
9147
|
+
} catch (_unused3$LWS) {}
|
|
8899
9148
|
// istanbul ignore if: currently unreachable via tests
|
|
8900
9149
|
if (!isObject$LWS$1(originalStorageObject$LWS)) {
|
|
8901
9150
|
return noop$LWS$1;
|
|
@@ -9115,6 +9364,16 @@ function initDistortionSVGElementDatasetGetter$LWS({
|
|
|
9115
9364
|
return distortionEntry$LWS;
|
|
9116
9365
|
};
|
|
9117
9366
|
}
|
|
9367
|
+
function initDistortionSVGElementOnsecuritypolicyviolation$LWS({
|
|
9368
|
+
globalObject: {
|
|
9369
|
+
SVGElement: {
|
|
9370
|
+
prototype: SVGElementProto$LWS
|
|
9371
|
+
},
|
|
9372
|
+
SVGElement: SVGElement$LWS
|
|
9373
|
+
}
|
|
9374
|
+
}) {
|
|
9375
|
+
return createEventDistortionFactory$LWS(SVGElementProto$LWS, SVGElement$LWS, 'securitypolicyviolation');
|
|
9376
|
+
}
|
|
9118
9377
|
function initDistortionSVGElementStyleGetter$LWS({
|
|
9119
9378
|
globalObject: {
|
|
9120
9379
|
SVGElement: SVGElement$LWS
|
|
@@ -9274,7 +9533,7 @@ function initDistortionTrustedTypePolicyFactoryCreatePolicy$LWS({
|
|
|
9274
9533
|
try {
|
|
9275
9534
|
// istanbul ignore next: needs default platform behavior test
|
|
9276
9535
|
return ReflectApply$LWS$1(originalCreatePolicy$LWS, this, args$LWS);
|
|
9277
|
-
} catch (
|
|
9536
|
+
} catch (_unused4$LWS) {
|
|
9278
9537
|
// istanbul ignore next: this is tested, but currently cannot be tested in the coverage environment
|
|
9279
9538
|
consoleWarn$LWS(`${createTrustedTypesExceptionMessage$LWS(name$LWS)} Substituting with Lightning Web Security policy.`);
|
|
9280
9539
|
}
|
|
@@ -9345,16 +9604,12 @@ function initDistortionURLCreateObjectURL$LWS({
|
|
|
9345
9604
|
ReflectApply$LWS$1(XhrProtoOpen$LWS, xhr$LWS, ['GET', outURL$LWS, false]);
|
|
9346
9605
|
try {
|
|
9347
9606
|
ReflectApply$LWS$1(XhrProtoSend$LWS, xhr$LWS, []);
|
|
9348
|
-
} catch (
|
|
9607
|
+
} catch (_unused5$LWS) {
|
|
9349
9608
|
throw new LockerSecurityError$LWS(`Unable to verify ${toSafeTemplateStringValue$LWS(blobObject$LWS)} is secure.`);
|
|
9350
9609
|
}
|
|
9351
9610
|
const responseText$LWS = ReflectApply$LWS$1(XhrProtoResponseTextGetter$LWS, xhr$LWS, []);
|
|
9352
|
-
// W-15987833
|
|
9353
|
-
if (isInherentlyUnsecure$LWS(responseText$LWS)) {
|
|
9354
|
-
throw new LockerSecurityError$LWS(createInsecureBlobErrorMessage$LWS(blobObject$LWS));
|
|
9355
|
-
}
|
|
9356
9611
|
const sanitized$LWS = sanitizer$LWS.sanitize(responseText$LWS);
|
|
9357
|
-
if (!isEqualDomString$LWS(trusted.createHTML(responseText$LWS), trusted.createHTML(sanitized$LWS))) {
|
|
9612
|
+
if (!isEqualDomString$LWS(trusted.createHTML(responseText$LWS), trusted.createHTML(sanitized$LWS)) || isInherentlyUnsecure$LWS(responseText$LWS)) {
|
|
9358
9613
|
URLRevokeObjectURL$LWS(outURL$LWS);
|
|
9359
9614
|
throw new LockerSecurityError$LWS(createInsecureBlobErrorMessage$LWS(blobObject$LWS));
|
|
9360
9615
|
}
|
|
@@ -9385,7 +9640,7 @@ function initDistortionWindowFetch$LWS({
|
|
|
9385
9640
|
// similar to link element's href.
|
|
9386
9641
|
parsedURL$LWS = parseURL$LWS(ReflectApply$LWS$1(RequestProtoURLGetter$LWS, url$LWS, []));
|
|
9387
9642
|
} else {
|
|
9388
|
-
parsedURL$LWS = parseURL$LWS(
|
|
9643
|
+
parsedURL$LWS = parseURL$LWS(toSafeStringValue$LWS(url$LWS));
|
|
9389
9644
|
url$LWS = parsedURL$LWS.normalizedURL;
|
|
9390
9645
|
args$LWS[0] = url$LWS;
|
|
9391
9646
|
}
|
|
@@ -9752,7 +10007,7 @@ function initDistortionWindowSetInterval$LWS({
|
|
|
9752
10007
|
} = args$LWS;
|
|
9753
10008
|
if (callback$LWS !== null && callback$LWS !== undefined && typeof callback$LWS !== 'function') {
|
|
9754
10009
|
// Snapshot callback source to prevent shapeshifting.
|
|
9755
|
-
const sourceText$LWS =
|
|
10010
|
+
const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
|
|
9756
10011
|
// Defer transforming source text asynchronously.
|
|
9757
10012
|
let transformedSourceText$LWS;
|
|
9758
10013
|
// Replace callback parameter.
|
|
@@ -9787,7 +10042,7 @@ function initDistortionWindowSetTimeout$LWS({
|
|
|
9787
10042
|
} = args$LWS;
|
|
9788
10043
|
if (callback$LWS !== null && callback$LWS !== undefined && typeof callback$LWS !== 'function') {
|
|
9789
10044
|
// Snapshot callback source to prevent shapeshifting.
|
|
9790
|
-
const sourceText$LWS =
|
|
10045
|
+
const sourceText$LWS = toSafeStringValue$LWS(callback$LWS);
|
|
9791
10046
|
// Replace callback parameter.
|
|
9792
10047
|
args$LWS[0] = () => {
|
|
9793
10048
|
// Defer transforming source text asynchronously.
|
|
@@ -9886,7 +10141,7 @@ function initDistortionXMLHttpRequestOpen$LWS({
|
|
|
9886
10141
|
// Let the native method handle missing parameters error or null/undefined URL case.
|
|
9887
10142
|
const url$LWS = args$LWS.length > 1 ? args$LWS[1] : undefined;
|
|
9888
10143
|
if (url$LWS !== null && url$LWS !== undefined) {
|
|
9889
|
-
const parsedURL$LWS = parseURL$LWS(
|
|
10144
|
+
const parsedURL$LWS = parseURL$LWS(toSafeStringValue$LWS(url$LWS));
|
|
9890
10145
|
if (!isValidURL$LWS(parsedURL$LWS)) {
|
|
9891
10146
|
throw new LockerSecurityError$LWS(`Cannot request disallowed endpoint: ${parsedURL$LWS.normalizedURL}`);
|
|
9892
10147
|
}
|
|
@@ -9980,7 +10235,7 @@ initDistortionHistoryPushState$LWS, initDistortionHistoryReplaceState$LWS,
|
|
|
9980
10235
|
// HTMLElement
|
|
9981
10236
|
initDistortionHTMLElementDatasetGetter$LWS, initDistortionHTMLElementInnerTextSetter$LWS, initDistortionHTMLElementOuterTextSetter$LWS, initDistortionHTMLElementStyleGetter$LWS,
|
|
9982
10237
|
// HTMLIFrameElement
|
|
9983
|
-
initDistortionIFrameElementContentDocumentGetter$LWS, initDistortionIFrameElementContentWindowGetter$LWS, initDistortionHTMLIFrameElementSrcSetter$LWS,
|
|
10238
|
+
initDistortionIFrameElementContentDocumentGetter$LWS, initDistortionIFrameElementContentWindowGetter$LWS, initDistortionHTMLIFrameElementSandboxGetter$LWS, initDistortionHTMLIFrameElementSandboxSetter$LWS, initDistortionHTMLIFrameElementSrcSetter$LWS,
|
|
9984
10239
|
// HTMLLinkElement
|
|
9985
10240
|
initDistortionHTMLLinkElementRelSetter$LWS, initDistortionHTMLLinkElementRelListSetter$LWS,
|
|
9986
10241
|
// HTMLObjectElement
|
|
@@ -10028,6 +10283,8 @@ initDistortionWorkerCtor$LWS, initDistortionWorkerProto$LWS,
|
|
|
10028
10283
|
// XHR
|
|
10029
10284
|
initDistortionXMLHttpRequestOpen$LWS];
|
|
10030
10285
|
const internalKeyedDistortionFactoryInitializers$LWS = [
|
|
10286
|
+
// AbstractRange
|
|
10287
|
+
initDistortionAbstractRangeEndContainerGetter$LWS, initDistortionAbstractRangeStartContainerGetter$LWS,
|
|
10031
10288
|
// Attr
|
|
10032
10289
|
initDistortionAttrValueSetter$LWS,
|
|
10033
10290
|
// Aura
|
|
@@ -10043,7 +10300,7 @@ initDistortionDocumentCookieGetter$LWS, initDistortionDocumentCookieSetter$LWS,
|
|
|
10043
10300
|
// DOMParser
|
|
10044
10301
|
initDistortionDOMParserParseFromString$LWS,
|
|
10045
10302
|
// Element
|
|
10046
|
-
initDistortionElementAttachShadow$LWS, initDistortionElementInnerHTMLSetter$LWS, initDistortionElementInsertAdjacentHTML$LWS, initDistortionElementOuterHTMLSetter$LWS, initDistortionElementSetAttribute$LWS, initDistortionElementSetAttributeNode$LWS, initDistortionElementSetAttributeNodeNS$LWS, initDistortionElementSetAttributeNS$LWS, initDistortionElementSetHTML$LWS, initDistortionElementShadowRootGetter$LWS, initDistortionElementToggleAttribute$LWS,
|
|
10303
|
+
initDistortionElementAttachShadow$LWS, initDistortionElementInnerHTMLSetter$LWS, initDistortionElementInsertAdjacentHTML$LWS, initDistortionElementOuterHTMLSetter$LWS, initDistortionElementSetAttribute$LWS, initDistortionElementSetAttributeNode$LWS, initDistortionElementSetAttributeNodeNS$LWS, initDistortionElementSetAttributeNS$LWS, initDistortionElementSetHTML$LWS, initDistortionElementSetHTMLUnsafe$LWS, initDistortionElementShadowRootGetter$LWS, initDistortionElementToggleAttribute$LWS,
|
|
10047
10304
|
// Eval
|
|
10048
10305
|
initDistortionEval$LWS,
|
|
10049
10306
|
// Event
|
|
@@ -10053,11 +10310,13 @@ initDistortionEventTargetAddEventListener$LWS,
|
|
|
10053
10310
|
// HTMLBodyElement
|
|
10054
10311
|
initDistortionHTMLBodyElementOnrejectionhandled$LWS, initDistortionHTMLBodyElementOnstorage$LWS, initDistortionHTMLBodyElementOnunhandledrejection$LWS,
|
|
10055
10312
|
// HTMLElement
|
|
10056
|
-
initDistortionHTMLElementCtor$LWS,
|
|
10313
|
+
initDistortionHTMLElementCtor$LWS, initDistortionHTMLElementOnsecuritypolicyviolation$LWS,
|
|
10057
10314
|
// HTMLFrameSetElement
|
|
10058
10315
|
initDistortionHTMLFrameSetElementOnrejectionhandled$LWS, initDistortionHTMLFrameSetElementOnstorage$LWS, initDistortionHTMLFrameSetElementOnunhandledrejection$LWS,
|
|
10059
10316
|
// HTMLScriptElement,
|
|
10060
10317
|
initDistortionHTMLScriptElementSrcSetter$LWS, initDistortionHTMLScriptElementTextSetter$LWS,
|
|
10318
|
+
// MathMLElement
|
|
10319
|
+
initDistortionMathMLElementOnsecuritypolicyviolation$LWS,
|
|
10061
10320
|
// NamedNodeMap
|
|
10062
10321
|
initDistortionNamedNodeMapSetNamedItem$LWS, initDistortionNamedNodeMapSetNamedItemNS$LWS,
|
|
10063
10322
|
// Node
|
|
@@ -10065,7 +10324,7 @@ initDistortionNodeValueSetter$LWS, initDistortionNodeTextContentGetter$LWS, init
|
|
|
10065
10324
|
// Range
|
|
10066
10325
|
initDistortionRangeCreateContextualFragment$LWS,
|
|
10067
10326
|
// ShadowRoot
|
|
10068
|
-
initDistortionShadowRootInnerHTMLSetter$LWS,
|
|
10327
|
+
initDistortionShadowRootInnerHTMLSetter$LWS, initDistortionShadowRootSetHTMLUnsafe$LWS,
|
|
10069
10328
|
// Storage
|
|
10070
10329
|
initDistortionLocalStorage$LWS, initDistortionSessionStorage$LWS,
|
|
10071
10330
|
// SVGAnimationElement
|
|
@@ -10073,7 +10332,7 @@ initDistortionSVGAnimateElementAttributeNameAttribute$LWS,
|
|
|
10073
10332
|
// SVGScriptElement
|
|
10074
10333
|
initDistortionSVGScriptElementHrefGetter$LWS, initDistortionSVGScriptElementHrefSetter$LWS,
|
|
10075
10334
|
// SVGSetElement
|
|
10076
|
-
initDistortionSVGSetElementAttributeNameAttribute$LWS,
|
|
10335
|
+
initDistortionSVGSetElementAttributeNameAttribute$LWS, initDistortionSVGElementOnsecuritypolicyviolation$LWS,
|
|
10077
10336
|
// URL
|
|
10078
10337
|
initDistortionURLCreateObjectURL$LWS,
|
|
10079
10338
|
// Window
|
|
@@ -10090,8 +10349,8 @@ initDistortionElementAfter$LWS, initDistortionElementAppend$LWS, initDistortionE
|
|
|
10090
10349
|
initDistortionNodeInsertBefore$LWS]);
|
|
10091
10350
|
const externalKeyedDistortionFactoryInitializers$LWS = internalKeyedDistortionFactoryInitializers$LWS;
|
|
10092
10351
|
const distortionFactoryInitializerToggleSwitches$LWS = toSafeMap$LWS$1(new MapCtor$LWS$1([[initDistortionCacheStorageDelete$LWS, 'caches'], [initDistortionCacheStorageHas$LWS, 'caches'], [initDistortionCacheStorageKeys$LWS, 'caches'], [initDistortionCacheStorageMatch$LWS, 'caches'], [initDistortionCacheStorageOpen$LWS, 'caches'], [initDistortionCookieStoreDelete$LWS, 'cookieStore'], [initDistortionCookieStoreGet$LWS, 'cookieStore'], [initDistortionCookieStoreGetAll$LWS, 'cookieStore'], [initDistortionCookieStoreOnChange$LWS, 'cookieStore'], [initDistortionCookieStoreSet$LWS, 'cookieStore'], [initDistortionCSSStyleRuleStyleGetter$LWS, 'style'], [initDistortionCustomElementRegistryDefine$LWS, 'customElements'], [initDistortionCustomElementRegistryGet$LWS, 'customElements'], [initDistortionCustomElementRegistryUpgrade$LWS, 'customElements'], [initDistortionCustomElementRegistryWhenDefined$LWS, 'customElements'], [initDistortionDocumentCookieGetter$LWS, 'documentCookie'], [initDistortionDocumentCookieSetter$LWS, 'documentCookie'], [initDistortionDocumentDomainSetter$LWS, 'documentDomain'], [initDistortionDocumentExecCommand$LWS, 'documentExecCommand'], [initDistortionDOMParserParseFromString$LWS, 'domParserParseFromString'], [initDistortionElementAfter$LWS, 'element'], [initDistortionElementAppend$LWS, 'element'], [initDistortionElementAttributesGetter$LWS, 'attributes'], [initDistortionElementBefore$LWS, 'element'], [initDistortionElementGetInnerHTML$LWS, 'innerHTML'], [initDistortionElementInnerHTMLSetter$LWS, 'innerHTML'], [initDistortionElementInsertAdjacentElement$LWS, 'element'], [initDistortionElementInsertAdjacentHTML$LWS, 'element'], [initDistortionElementOuterHTMLSetter$LWS, 'element'], [initDistortionElementPrepend$LWS, 'element'], [initDistortionElementRemove$LWS, 'element'], [initDistortionElementReplaceChildren$LWS, 'element'], [initDistortionElementReplaceWith$LWS, 'element'], [initDistortionElementSetAttribute$LWS, 'attributes'], [initDistortionElementSetAttributeNode$LWS, 'attributes'], [initDistortionElementSetAttributeNodeNS$LWS, 'attributes'], [initDistortionElementSetAttributeNS$LWS, 'attributes'], [initDistortionElementSetHTML$LWS, 'element'], [initDistortionElementToggleAttribute$LWS, 'attributes'], [initDistortionHistoryPushState$LWS, 'history'], [initDistortionHistoryReplaceState$LWS, 'history'], [initDistortionHTMLElementDatasetGetter$LWS, 'dataset'], [initDistortionHTMLElementStyleGetter$LWS, 'style'], [initDistortionHTMLScriptElementSrcGetter$LWS, 'script'], [initDistortionHTMLScriptElementSrcSetter$LWS, 'script'], [initDistortionHTMLScriptElementTextSetter$LWS, 'script'], [initDistortionIDBObjectStoreAdd$LWS, 'indexedDB'], [initDistortionIDBObjectStorePut$LWS, 'indexedDB'], [initDistortionLocalStorage$LWS, 'storage'], [initDistortionMessagePortPostMessage$LWS, 'postMessage'], [initDistortionNamedNodeMapSetNamedItem$LWS, 'attributes'], [initDistortionNamedNodeMapSetNamedItemNS$LWS, 'attributes'], [initDistortionNavigatorSendBeacon$LWS, 'navigatorSendBeacon'], [initDistortionNodeInsertBefore$LWS, 'node'], [initDistortionNodeRemoveChild$LWS, 'node'], [initDistortionNodeReplaceChild$LWS, 'node'], [initDistortionNodeTextContentGetter$LWS, 'node'], [initDistortionNodeTextContentSetter$LWS, 'node'], [initDistortionNodeValueSetter$LWS, 'node'], [initDistortionNotificationCtor$LWS, 'notification'], [initDistortionPerformanceMark$LWS, 'performance'], [initDistortionPerformanceMarkCtor$LWS, 'performance'], [initDistortionPerformanceMeasure$LWS, 'performance'], [initDistortionRangeCreateContextualFragment$LWS, 'range'], [initDistortionRangeDeleteContents$LWS, 'range'], [initDistortionRangeExtractContents$LWS, 'range'], [initDistortionRangeInsertNode$LWS, 'range'], [initDistortionRangeSelectNode$LWS, 'range'], [initDistortionRangeSelectNodeContents$LWS, 'range'], [initDistortionRangeSetEnd$LWS, 'range'], [initDistortionRangeSetEndAfter$LWS, 'range'], [initDistortionRangeSetEndBefore$LWS, 'range'], [initDistortionRangeSetStart$LWS, 'range'], [initDistortionRangeSetStartAfter$LWS, 'range'], [initDistortionRangeSetStartBefore$LWS, 'range'], [initDistortionRangeSurroundContents$LWS, 'range'], [initDistortionSelectionCollapse$LWS, 'selection'], [initDistortionSelectionExtend$LWS, 'selection'], [initDistortionSelectionSelectAllChildren$LWS, 'selection'], [initDistortionSelectionSetBaseAndExtent$LWS, 'selection'], [initDistortionSelectionSetPosition$LWS, 'selection'], [initDistortionSessionStorage$LWS, 'storage'], [initDistortionShadowRootInnerHTMLSetter$LWS, 'innerHTML'], [initDistortionStorage$LWS, 'storage'], [initDistortionStorageClear$LWS, 'storage'], [initDistortionStorageGetItem$LWS, 'storage'], [initDistortionStorageKey$LWS, 'storage'], [initDistortionStorageLength$LWS, 'storage'], [initDistortionStorageRemoveItem$LWS, 'storage'], [initDistortionStorageSetItem$LWS, 'storage'], [initDistortionSVGElementDatasetGetter$LWS, 'dataset'], [initDistortionSVGElementStyleGetter$LWS, 'style'], [initDistortionSVGScriptElementHrefGetter$LWS, 'script'], [initDistortionSVGScriptElementHrefSetter$LWS, 'script'], [initDistortionWindowFetch$LWS, 'windowFetch'], [initDistortionWindowFramesGetter$LWS, 'windowFrames'], [initDistortionWindowGetComputedStyle$LWS, 'style'], [initDistortionWindowLengthGetter$LWS, 'windowFrames'], [initDistortionWindowPostMessage$LWS, 'postMessage'], [initDistortionWindowSetInterval$LWS, 'setInterval'], [initDistortionWindowSetTimeout$LWS, 'setTimeout'], [initDistortionXMLHttpRequestResponseGetter$LWS, 'xhr'], [initDistortionXMLHttpRequestResponseXMLGetter$LWS, 'xhr']]));
|
|
10093
|
-
const DocumentBlockedProperties$LWS = ['createProcessingInstruction', 'exitFullscreen', 'fullscreen', 'fullscreenElement', 'fullscreenEnabled', 'mozCancelFullScreen', 'mozFullScreen', 'mozFullScreenElement', 'mozFullScreenEnabled', 'onfullscreenchange', 'onfullscreenerror', 'onmozfullscreenchange', 'onmozfullscreenerror', 'onrejectionhandled', 'onunhandledrejection', 'parseHTMLUnsafe', 'releaseCapture', 'releaseEvents', 'webkitFullScreenKeyboardInputAllowed', 'write', 'writeln'];
|
|
10094
|
-
const ElementBlockedProperties$LWS = ['mozRequestFullScreen', 'onfullscreenchange', 'onfullscreenerror', 'requestFullscreen', '
|
|
10352
|
+
const DocumentBlockedProperties$LWS = ['createProcessingInstruction', 'exitFullscreen', 'fullscreen', 'fullscreenElement', 'fullscreenEnabled', 'mozCancelFullScreen', 'mozFullScreen', 'mozFullScreenElement', 'mozFullScreenEnabled', 'onfullscreenchange', 'onfullscreenerror', 'onmozfullscreenchange', 'onmozfullscreenerror', 'onrejectionhandled', 'onunhandledrejection', 'parseHTMLUnsafe', 'releaseCapture', 'releaseEvents', 'requestStorageAccess', 'webkitFullScreenKeyboardInputAllowed', 'write', 'writeln'];
|
|
10353
|
+
const ElementBlockedProperties$LWS = ['mozRequestFullScreen', 'onfullscreenchange', 'onfullscreenerror', 'requestFullscreen', 'webkitRequestFullScreen', 'webkitRequestFullscreen'];
|
|
10095
10354
|
const EventBlockedProperties$LWS = ['originalTarget', 'explicitOriginalTarget'];
|
|
10096
10355
|
const HTMLElementBlockedAttributes$LWS = ['nonce'];
|
|
10097
10356
|
const HTMLElementBlockedProperties$LWS = ['nonce', 'onrejectionhandled', 'onunhandledrejection'];
|
|
@@ -10108,7 +10367,7 @@ const SVGElementBlockedProperties$LWS = ['nonce'];
|
|
|
10108
10367
|
const UIEventBlockedProperties$LWS = ['rangeParent'];
|
|
10109
10368
|
const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
|
|
10110
10369
|
const XSLTProcessorBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
|
|
10111
|
-
/*! version: 0.
|
|
10370
|
+
/*! version: 0.23.6 */
|
|
10112
10371
|
|
|
10113
10372
|
/*!
|
|
10114
10373
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -14768,7 +15027,7 @@ class VirtualEnvironment$LWS {
|
|
|
14768
15027
|
* problematic, and requires a lot more work to guarantee that objects from both sides
|
|
14769
15028
|
* can be considered equivalents (without identity discontinuity).
|
|
14770
15029
|
*/
|
|
14771
|
-
function getESGlobalKeys$LWS(
|
|
15030
|
+
function getESGlobalKeys$LWS(maxPerfMode$LWS) {
|
|
14772
15031
|
const ESGlobalKeys$LWS = [
|
|
14773
15032
|
// *** 19.1 Value Properties of the Global Object
|
|
14774
15033
|
'globalThis', 'Infinity', 'NaN', 'undefined',
|
|
@@ -14784,8 +15043,7 @@ function getESGlobalKeys$LWS(remapTypedArrays$LWS = true) {
|
|
|
14784
15043
|
// 'EvalError', // Reflective
|
|
14785
15044
|
'FinalizationRegistry',
|
|
14786
15045
|
// 'Function', // dangerous & Reflective
|
|
14787
|
-
|
|
14788
|
-
'Number',
|
|
15046
|
+
'Map', 'Number',
|
|
14789
15047
|
// 'Object', // Reflective
|
|
14790
15048
|
// Allow blue `Promise` constructor to overwrite the Red one so that promises
|
|
14791
15049
|
// created by the `Promise` constructor or APIs like `fetch` will work.
|
|
@@ -14793,15 +15051,11 @@ function getESGlobalKeys$LWS(remapTypedArrays$LWS = true) {
|
|
|
14793
15051
|
// 'Proxy', // Reflective
|
|
14794
15052
|
// 'RangeError', // Reflective
|
|
14795
15053
|
// 'ReferenceError', // Reflective
|
|
14796
|
-
'RegExp',
|
|
14797
|
-
// 'Set', // Remapped
|
|
14798
|
-
'String', 'Symbol',
|
|
15054
|
+
'RegExp', 'Set', 'String', 'Symbol',
|
|
14799
15055
|
// 'SyntaxError', // Reflective
|
|
14800
15056
|
// 'TypeError', // Reflective
|
|
14801
15057
|
// 'URIError', // Reflective
|
|
14802
|
-
|
|
14803
|
-
// 'WeakSet', // Remapped
|
|
14804
|
-
'WeakRef',
|
|
15058
|
+
'WeakMap', 'WeakSet', 'WeakRef',
|
|
14805
15059
|
// *** 18.4 Other Properties of the Global Object
|
|
14806
15060
|
// 'Atomics', // Remapped
|
|
14807
15061
|
'JSON', 'Math', 'Reflect',
|
|
@@ -14810,16 +15064,22 @@ function getESGlobalKeys$LWS(remapTypedArrays$LWS = true) {
|
|
|
14810
15064
|
// *** ECMA-402
|
|
14811
15065
|
// 'Intl', // Remapped
|
|
14812
15066
|
];
|
|
14813
|
-
|
|
14814
|
-
|
|
15067
|
+
// This set is for maxPerfMode, all of these must be from the same global object
|
|
15068
|
+
const maxPerfModeKeys$LWS = {
|
|
15069
|
+
intrinsics: ['ArrayBuffer', 'Atomics', 'BigInt64Array', 'BigUint64Array', 'DataView', 'Float32Array', 'Float64Array', 'Int16Array', 'Int32Array', 'Int8Array', 'SharedArrayBuffer', 'Uint16Array', 'Uint32Array', 'Uint8Array', 'Uint8ClampedArray'],
|
|
15070
|
+
// Ideally these should come from browser-realm, that's a code reorg improvement for later
|
|
15071
|
+
browser: ['Blob', 'crypto', 'Crypto', 'File', 'FileReader', 'SubtleCrypto', 'URL']
|
|
15072
|
+
};
|
|
15073
|
+
if (maxPerfMode$LWS) {
|
|
15074
|
+
ESGlobalKeys$LWS.push(...maxPerfModeKeys$LWS.intrinsics, ...maxPerfModeKeys$LWS.browser);
|
|
14815
15075
|
}
|
|
14816
15076
|
return ESGlobalKeys$LWS;
|
|
14817
15077
|
}
|
|
14818
15078
|
// These are foundational things that should never be wrapped but are equivalent
|
|
14819
15079
|
// @TODO: Revisit this list.
|
|
14820
15080
|
const ReflectiveIntrinsicObjectNames$LWS = ['AggregateError', 'Array', 'Error', 'EvalError', 'Function', 'Object', 'Proxy', 'RangeError', 'ReferenceError', 'SyntaxError', 'TypeError', 'URIError', 'eval', 'globalThis'];
|
|
14821
|
-
function getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(
|
|
14822
|
-
const ESGlobalKeys$LWS = getESGlobalKeys$LWS(
|
|
15081
|
+
function getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(maxPerfMode$LWS) {
|
|
15082
|
+
const ESGlobalKeys$LWS = getESGlobalKeys$LWS(maxPerfMode$LWS);
|
|
14823
15083
|
return toSafeArray$LWS([...ESGlobalKeys$LWS, ...ReflectiveIntrinsicObjectNames$LWS]);
|
|
14824
15084
|
}
|
|
14825
15085
|
function getGlobalObjectOwnKeys$LWS(source$LWS) {
|
|
@@ -14832,9 +15092,9 @@ function getGlobalObjectOwnKeys$LWS(source$LWS) {
|
|
|
14832
15092
|
}
|
|
14833
15093
|
return ownKeys$LWS;
|
|
14834
15094
|
}
|
|
14835
|
-
function assignFilteredGlobalDescriptorsFromPropertyDescriptorMap$LWS(descs$LWS, source$LWS,
|
|
15095
|
+
function assignFilteredGlobalDescriptorsFromPropertyDescriptorMap$LWS(descs$LWS, source$LWS, maxPerfMode$LWS) {
|
|
14836
15096
|
const ownKeys$LWS = getGlobalObjectOwnKeys$LWS(source$LWS);
|
|
14837
|
-
const ESGlobalsAndReflectiveIntrinsicObjectNames$LWS = getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(
|
|
15097
|
+
const ESGlobalsAndReflectiveIntrinsicObjectNames$LWS = getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(maxPerfMode$LWS);
|
|
14838
15098
|
for (let i$LWS = 0, {
|
|
14839
15099
|
length: length$LWS
|
|
14840
15100
|
} = ownKeys$LWS; i$LWS < length$LWS; i$LWS += 1) {
|
|
@@ -14857,11 +15117,11 @@ function assignFilteredGlobalDescriptorsFromPropertyDescriptorMap$LWS(descs$LWS,
|
|
|
14857
15117
|
}
|
|
14858
15118
|
return descs$LWS;
|
|
14859
15119
|
}
|
|
14860
|
-
function getFilteredGlobalOwnKeys$LWS(source$LWS,
|
|
15120
|
+
function getFilteredGlobalOwnKeys$LWS(source$LWS, maxPerfMode$LWS) {
|
|
14861
15121
|
const result$LWS = [];
|
|
14862
15122
|
let resultOffset$LWS = 0;
|
|
14863
15123
|
const ownKeys$LWS = getGlobalObjectOwnKeys$LWS(source$LWS);
|
|
14864
|
-
const ESGlobalsAndReflectiveIntrinsicObjectNames$LWS = getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(
|
|
15124
|
+
const ESGlobalsAndReflectiveIntrinsicObjectNames$LWS = getESGlobalsAndReflectiveIntrinsicObjectNames$LWS(maxPerfMode$LWS);
|
|
14865
15125
|
for (let i$LWS = 0, {
|
|
14866
15126
|
length: length$LWS
|
|
14867
15127
|
} = ownKeys$LWS; i$LWS < length$LWS; i$LWS += 1) {
|
|
@@ -14935,18 +15195,8 @@ function getCachedGlobalObjectReferences$LWS(globalObject$LWS) {
|
|
|
14935
15195
|
blueDocumentToRecordMap$LWS.set(document$LWS, record$LWS);
|
|
14936
15196
|
return record$LWS;
|
|
14937
15197
|
}
|
|
14938
|
-
function filterWindowKeys$LWS(keys$LWS
|
|
15198
|
+
function filterWindowKeys$LWS(keys$LWS) {
|
|
14939
15199
|
const excludedKeys$LWS = new SetCtor$LWS(['document', 'location', 'top', 'window']);
|
|
14940
|
-
// Crypto and typed arrays must be from the same global object
|
|
14941
|
-
if (remapTypedArrays$LWS === false) {
|
|
14942
|
-
excludedKeys$LWS.add('crypto');
|
|
14943
|
-
excludedKeys$LWS.add('Crypto');
|
|
14944
|
-
excludedKeys$LWS.add('SubtleCrypto');
|
|
14945
|
-
excludedKeys$LWS.add('Blob');
|
|
14946
|
-
excludedKeys$LWS.add('File');
|
|
14947
|
-
excludedKeys$LWS.add('FileReader');
|
|
14948
|
-
excludedKeys$LWS.add('URL');
|
|
14949
|
-
}
|
|
14950
15200
|
const result$LWS = [];
|
|
14951
15201
|
let resultOffset$LWS = 0;
|
|
14952
15202
|
for (let i$LWS = 0, {
|
|
@@ -14987,7 +15237,7 @@ function filterWindowKeys$LWS(keys$LWS, remapTypedArrays$LWS) {
|
|
|
14987
15237
|
* that will be installed (via the membrane) as global descriptors in
|
|
14988
15238
|
* the red realm.
|
|
14989
15239
|
*/
|
|
14990
|
-
function removeWindowDescriptors$LWS(unsafeDescs$LWS
|
|
15240
|
+
function removeWindowDescriptors$LWS(unsafeDescs$LWS) {
|
|
14991
15241
|
// Remove unforgeable descriptors that cannot be installed.
|
|
14992
15242
|
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'document');
|
|
14993
15243
|
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'location');
|
|
@@ -14995,16 +15245,6 @@ function removeWindowDescriptors$LWS(unsafeDescs$LWS, remapTypedArrays$LWS) {
|
|
|
14995
15245
|
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'window');
|
|
14996
15246
|
// Remove other browser specific unforgeables.
|
|
14997
15247
|
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'chrome');
|
|
14998
|
-
// Crypto and typed arrays must be from the same global object
|
|
14999
|
-
if (remapTypedArrays$LWS === false) {
|
|
15000
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'crypto');
|
|
15001
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'Crypto');
|
|
15002
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'SubtleCrypto');
|
|
15003
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'Blob');
|
|
15004
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'File');
|
|
15005
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'FileReader');
|
|
15006
|
-
ReflectDeleteProperty$LWS(unsafeDescs$LWS, 'URL');
|
|
15007
|
-
}
|
|
15008
15248
|
return unsafeDescs$LWS;
|
|
15009
15249
|
}
|
|
15010
15250
|
/**
|
|
@@ -15045,7 +15285,7 @@ function createIframeVirtualEnvironment$LWS(globalObject$LWS, providedOptions$LW
|
|
|
15045
15285
|
instrumentation: instrumentation$LWS,
|
|
15046
15286
|
keepAlive: keepAlive$LWS = true,
|
|
15047
15287
|
liveTargetCallback: liveTargetCallback$LWS,
|
|
15048
|
-
|
|
15288
|
+
maxPerfMode: maxPerfMode$LWS = false,
|
|
15049
15289
|
signSourceCallback: signSourceCallback$LWS
|
|
15050
15290
|
// eslint-disable-next-line prefer-object-spread
|
|
15051
15291
|
} = ObjectAssign$LWS({
|
|
@@ -15054,7 +15294,7 @@ function createIframeVirtualEnvironment$LWS(globalObject$LWS, providedOptions$LW
|
|
|
15054
15294
|
const iframe$LWS = createDetachableIframe$LWS(blueRefs$LWS.document);
|
|
15055
15295
|
const redWindow$LWS = ReflectApply$LWS(HTMLIFrameElementProtoContentWindowGetter$LWS, iframe$LWS, []);
|
|
15056
15296
|
const shouldUseDefaultGlobalOwnKeys$LWS = typeof globalObjectShape$LWS !== 'object' || globalObjectShape$LWS === null;
|
|
15057
|
-
const defaultGlobalOwnKeys$LWS = filterWindowKeys$LWS(getFilteredGlobalOwnKeys$LWS(redWindow$LWS,
|
|
15297
|
+
const defaultGlobalOwnKeys$LWS = filterWindowKeys$LWS(getFilteredGlobalOwnKeys$LWS(redWindow$LWS, maxPerfMode$LWS));
|
|
15058
15298
|
let blueConnector$LWS = blueCreateHooksCallbackCache$LWS.get(blueRefs$LWS.document);
|
|
15059
15299
|
if (blueConnector$LWS === undefined) {
|
|
15060
15300
|
blueConnector$LWS = createBlueConnector$LWS(globalObject$LWS);
|
|
@@ -15095,7 +15335,7 @@ function createIframeVirtualEnvironment$LWS(globalObject$LWS, providedOptions$LW
|
|
|
15095
15335
|
// window.__proto__.__proto__.__proto__ (aka EventTarget.prototype)
|
|
15096
15336
|
env$LWS.link('__proto__', '__proto__', '__proto__');
|
|
15097
15337
|
env$LWS.remapProto(blueRefs$LWS.document, blueRefs$LWS.DocumentProto);
|
|
15098
|
-
env$LWS.lazyRemapProperties(blueRefs$LWS.window, shouldUseDefaultGlobalOwnKeys$LWS ? defaultGlobalOwnKeys$LWS : filterWindowKeys$LWS(getFilteredGlobalOwnKeys$LWS(globalObjectShape$LWS
|
|
15338
|
+
env$LWS.lazyRemapProperties(blueRefs$LWS.window, shouldUseDefaultGlobalOwnKeys$LWS ? defaultGlobalOwnKeys$LWS : filterWindowKeys$LWS(getFilteredGlobalOwnKeys$LWS(globalObjectShape$LWS, maxPerfMode$LWS)),
|
|
15099
15339
|
// Chromium based browsers have a bug that nulls the result of `window`
|
|
15100
15340
|
// getters in detached iframes when the property descriptor of `window.window`
|
|
15101
15341
|
// is retrieved.
|
|
@@ -15103,8 +15343,8 @@ function createIframeVirtualEnvironment$LWS(globalObject$LWS, providedOptions$LW
|
|
|
15103
15343
|
keepAlive$LWS ? undefined : unforgeablePoisonedWindowKeys$LWS);
|
|
15104
15344
|
if (endowments$LWS) {
|
|
15105
15345
|
const filteredEndowments$LWS = {};
|
|
15106
|
-
assignFilteredGlobalDescriptorsFromPropertyDescriptorMap$LWS(filteredEndowments$LWS, endowments$LWS,
|
|
15107
|
-
removeWindowDescriptors$LWS(filteredEndowments$LWS
|
|
15346
|
+
assignFilteredGlobalDescriptorsFromPropertyDescriptorMap$LWS(filteredEndowments$LWS, endowments$LWS, maxPerfMode$LWS);
|
|
15347
|
+
removeWindowDescriptors$LWS(filteredEndowments$LWS);
|
|
15108
15348
|
env$LWS.remapProperties(blueRefs$LWS.window, filteredEndowments$LWS);
|
|
15109
15349
|
}
|
|
15110
15350
|
// We intentionally skip remapping Window.prototype because there is nothing
|
|
@@ -15391,7 +15631,7 @@ function createEvalHelpersFactoryArgs$LWS(record$LWS) {
|
|
|
15391
15631
|
// DOM per url per sandbox.
|
|
15392
15632
|
// istanbul ignore next: currently unreachable via tests, platformResourceLoader testing is exclusively done in AMD format mode
|
|
15393
15633
|
function loadScript$LWS(_thisArg$LWS, url$LWS) {
|
|
15394
|
-
const urlResolved$LWS = resolveURL$LWS(
|
|
15634
|
+
const urlResolved$LWS = resolveURL$LWS(toSafeStringValue$LWS(url$LWS));
|
|
15395
15635
|
const scripts$LWS = ReflectApply$LWS$1(ElementProtoQuerySelectorAll$LWS, head$LWS, ['script']);
|
|
15396
15636
|
for (let i$LWS = 0, {
|
|
15397
15637
|
length: length$LWS
|
|
@@ -15431,7 +15671,7 @@ function createEvalHelpersFactoryArgs$LWS(record$LWS) {
|
|
|
15431
15671
|
// per url for all the sandboxes.
|
|
15432
15672
|
// istanbul ignore next: currently unreachable via tests, platformResourceLoader testing is exclusively done in AMD format mode
|
|
15433
15673
|
function loadStyle$LWS(_thisArg$LWS, url$LWS) {
|
|
15434
|
-
const urlResolved$LWS = resolveURL$LWS(
|
|
15674
|
+
const urlResolved$LWS = resolveURL$LWS(toSafeStringValue$LWS(url$LWS));
|
|
15435
15675
|
let link$LWS = ReflectApply$LWS$1(ElementProtoQuerySelector$LWS, head$LWS, [`link[href=${enquote$LWS(urlResolved$LWS)}]`]);
|
|
15436
15676
|
if (link$LWS) {
|
|
15437
15677
|
var _resourceStatusCache$2$LWS;
|
|
@@ -15454,7 +15694,7 @@ function createEvalHelpersFactoryArgs$LWS(record$LWS) {
|
|
|
15454
15694
|
}];
|
|
15455
15695
|
}
|
|
15456
15696
|
function toSourceText$LWS(value$LWS, sourceType$LWS) {
|
|
15457
|
-
let sourceText$LWS = typeof value$LWS === 'function' ? extractFunctionBodySource$LWS(value$LWS) :
|
|
15697
|
+
let sourceText$LWS = typeof value$LWS === 'function' ? extractFunctionBodySource$LWS(value$LWS) : toSafeStringValue$LWS(value$LWS);
|
|
15458
15698
|
// We workaround bundlers, like Rollup, aggressively stripping inline source
|
|
15459
15699
|
// maps by compiling them with the name "sandboxMappingURL". At runtime the
|
|
15460
15700
|
// name is changed so the inline source map is registered.
|
|
@@ -15463,7 +15703,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
|
|
|
15463
15703
|
// tools from mistaking the regexp or the replacement string for an
|
|
15464
15704
|
// actual source mapping URL.
|
|
15465
15705
|
/\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
|
|
15466
|
-
sourceText$LWS = `\n//# LWS Version = "0.
|
|
15706
|
+
sourceText$LWS = `\n//# LWS Version = "0.23.6"\n${sourceText$LWS}`;
|
|
15467
15707
|
return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
|
|
15468
15708
|
// Append "'use strict'" to the extracted function body so it is
|
|
15469
15709
|
// evaluated in strict mode.
|
|
@@ -15556,13 +15796,9 @@ function createVirtualEnvironment$LWS(record$LWS) {
|
|
|
15556
15796
|
},
|
|
15557
15797
|
type: type$LWS
|
|
15558
15798
|
} = record$LWS;
|
|
15559
|
-
|
|
15560
|
-
|
|
15561
|
-
|
|
15562
|
-
remapTypedArrays$LWS = false;
|
|
15563
|
-
} else if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, key$LWS, ['devopsimpkg'])) {
|
|
15564
|
-
remapTypedArrays$LWS = false;
|
|
15565
|
-
}
|
|
15799
|
+
const maxPerfMode$LWS = isGaterEnabledFeature$LWS(ENABLE_MAX_PERF_MODE_GATE$LWS) ||
|
|
15800
|
+
// 'devopsimpkg*' or exact 'omnistudio' will override INTO maxPerfMode
|
|
15801
|
+
isAllowedToOverrideGaterEnabledFeature$LWS(key$LWS, ENABLE_MAX_PERF_MODE_GATE$LWS);
|
|
15566
15802
|
return createIframeVirtualEnvironment$LWS(globalObject$LWS, {
|
|
15567
15803
|
defaultPolicy: {
|
|
15568
15804
|
createScript:
|
|
@@ -15652,10 +15888,10 @@ function createVirtualEnvironment$LWS(record$LWS) {
|
|
|
15652
15888
|
// accessible from inside the sandbox.
|
|
15653
15889
|
ObjectAssign$LWS$1({}, DEFAULT_ENDOWMENTS_DESCRIPTOR_MAP$LWS, ObjectGetOwnPropertyDescriptors$LWS(endowments$LWS)) : DEFAULT_ENDOWMENTS_DESCRIPTOR_MAP$LWS,
|
|
15654
15890
|
instrumentation: instrumentation$LWS,
|
|
15655
|
-
|
|
15891
|
+
maxPerfMode: maxPerfMode$LWS,
|
|
15656
15892
|
keepAlive:
|
|
15657
15893
|
// istanbul ignore next: cannot test isLockerFeatureEnabled
|
|
15658
|
-
|
|
15894
|
+
maxPerfMode$LWS && isLockerFeatureEnabled$LWS('isLockerNextForOmnistudioEnabled') || IFRAME_KEEP_ALIVE_FLAG$LWS,
|
|
15659
15895
|
liveTargetCallback: isTargetLive$LWS,
|
|
15660
15896
|
signSourceCallback: sourceText$LWS => trusted.createScript(sourceText$LWS)
|
|
15661
15897
|
});
|
|
@@ -15681,6 +15917,7 @@ function createRootWindowSandboxRecord$LWS({
|
|
|
15681
15917
|
if (record$LWS) {
|
|
15682
15918
|
return record$LWS;
|
|
15683
15919
|
}
|
|
15920
|
+
// istanbul ignore next: instrumentation is not tested
|
|
15684
15921
|
const LOCKER_INSTRUMENTATION_FLAG$LWS =
|
|
15685
15922
|
// In the future we can preface the LOCKER_INSTRUMENTATION_FLAG
|
|
15686
15923
|
// definition with a LOCKER_UNMINIFIED_FLAG check to have instrumentation
|
|
@@ -15987,24 +16224,30 @@ function internalEvaluateInSandbox$LWS(evaluateOptions$LWS) {
|
|
|
15987
16224
|
}
|
|
15988
16225
|
let result$LWS;
|
|
15989
16226
|
const sourceText$LWS = toSourceText$LWS(source$LWS, sourceType$LWS);
|
|
16227
|
+
// istanbul ignore next: instrumentation is not tested
|
|
15990
16228
|
const activity$LWS = LOCKER_INSTRUMENTATION_FLAG$LWS ? instrumentation$LWS == null ? void 0 : instrumentation$LWS.startActivity('lws.evaluate') : undefined;
|
|
15991
16229
|
try {
|
|
15992
16230
|
// Protecting against errors during evaluation can guarantee the state
|
|
15993
16231
|
// of the EvalContext to avoid leaking context values
|
|
15994
16232
|
result$LWS = virtualEnvironmentEvaluator$LWS(sourceText$LWS);
|
|
16233
|
+
// istanbul ignore next: instrumentation is not tested
|
|
15995
16234
|
instrumentation$LWS == null || instrumentation$LWS.incrementCounter == null || instrumentation$LWS.incrementCounter('lws.evaluate', 1, false);
|
|
15996
16235
|
} catch (error) {
|
|
16236
|
+
// istanbul ignore next: instrumentation is not tested
|
|
15997
16237
|
instrumentation$LWS == null || instrumentation$LWS.incrementCounter == null || instrumentation$LWS.incrementCounter('lws.evaluate', 1, true);
|
|
16238
|
+
// istanbul ignore next: instrumentation is not tested
|
|
15998
16239
|
activity$LWS == null || activity$LWS.error({
|
|
15999
16240
|
sandboxKey: key$LWS,
|
|
16000
16241
|
error
|
|
16001
16242
|
});
|
|
16243
|
+
// istanbul ignore next: instrumentation is not tested
|
|
16002
16244
|
activity$LWS == null || activity$LWS.stop();
|
|
16003
16245
|
throw error;
|
|
16004
16246
|
} finally {
|
|
16005
16247
|
clearEvalContext$LWS();
|
|
16006
16248
|
clearEvalHelpers$LWS();
|
|
16007
16249
|
}
|
|
16250
|
+
// istanbul ignore next: instrumentation is not tested
|
|
16008
16251
|
activity$LWS == null || activity$LWS.stop();
|
|
16009
16252
|
return result$LWS;
|
|
16010
16253
|
}
|
|
@@ -16147,7 +16390,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
|
|
|
16147
16390
|
depRegistry$LWS.set(dep$LWS, secureDep$LWS);
|
|
16148
16391
|
return secureDep$LWS;
|
|
16149
16392
|
}
|
|
16150
|
-
/*! version: 0.
|
|
16393
|
+
/*! version: 0.23.6 */
|
|
16151
16394
|
|
|
16152
16395
|
const loaderDefine = globalThis.LWR.define;
|
|
16153
16396
|
|