@lwrjs/client-modules 0.22.16 → 0.22.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1510,7 +1510,7 @@ const {
1510
1510
  const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
1511
1511
  const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
1512
1512
  const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
1513
- /*! version: 0.27.5 */
1513
+ /*! version: 0.27.7 */
1514
1514
 
1515
1515
  /*!
1516
1516
  * Copyright (C) 2019 salesforce.com, inc.
@@ -1954,6 +1954,69 @@ const DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS = /<!doctype\s+\S+\s*\[/;
1954
1954
  // Matches: <!DOCTYPE root SYSTEM "..."> or <!DOCTYPE root PUBLIC "..." "...">
1955
1955
  // External DTDs can define entities that get expanded with malicious content.
1956
1956
  const DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS = /<!doctype\s+\S+\s+(?:system|public)\s/;
1957
+ const DOCTYPE_OPENER$LWS = '<!doctype';
1958
+ const PI_OPENER$LWS = '<?';
1959
+ const PI_CLOSER$LWS = '?>';
1960
+ const COMMENT_OPENER$LWS = '<!--';
1961
+ const COMMENT_CLOSER$LWS = '-->';
1962
+ // Locate a DOCTYPE that sits in the document prolog — the only position where a
1963
+ // DTD is actually parsed and where entity definitions can take effect. A DTD is
1964
+ // only meaningful before the root element's start tag; anything after the root
1965
+ // element opens (text, CDATA sections, comments, processing instructions) is
1966
+ // inert character data and can never act as a DTD, no matter what it spells.
1967
+ //
1968
+ // Returns the prolog slice beginning at the DOCTYPE so the existing
1969
+ // dangerous-form regexes can classify it, or null when the prolog contains no
1970
+ // DOCTYPE. Walks the prolog token by token, skipping the XML declaration and
1971
+ // processing instructions (`<?...?>`) and comments (`<!-- ... -->`), and stops
1972
+ // at the first other `<` — that is the root element's start tag. Skipping
1973
+ // comments here is what defeats the `<!-- <![CDATA[ -->` decoy: a real prolog
1974
+ // DOCTYPE after a comment is still found, and a DOCTYPE buried inside a comment
1975
+ // is correctly ignored.
1976
+ function findPrologDoctype$LWS(normalizedInput$LWS) {
1977
+ const {
1978
+ length: length$LWS
1979
+ } = normalizedInput$LWS;
1980
+ let index$LWS = 0;
1981
+ while (index$LWS < length$LWS) {
1982
+ const char$LWS = ReflectApply$LWS$1(StringProtoCharAt$LWS, normalizedInput$LWS, [index$LWS]);
1983
+ // Skip insignificant whitespace between prolog tokens.
1984
+ if (char$LWS === ' ' || char$LWS === '\t' || char$LWS === '\n' || char$LWS === '\r') {
1985
+ index$LWS += 1;
1986
+ continue;
1987
+ }
1988
+ // Anything that is not a markup-opening `<` at this point is either the
1989
+ // start of the root element's content model or malformed; in both cases
1990
+ // there is no prolog DOCTYPE to find.
1991
+ if (char$LWS !== '<') {
1992
+ return null;
1993
+ }
1994
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [DOCTYPE_OPENER$LWS, index$LWS])) {
1995
+ return ReflectApply$LWS$1(StringProtoSlice$LWS$1, normalizedInput$LWS, [index$LWS]);
1996
+ }
1997
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [COMMENT_OPENER$LWS, index$LWS])) {
1998
+ const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [COMMENT_CLOSER$LWS, index$LWS + COMMENT_OPENER$LWS.length]);
1999
+ // Unterminated comment: no well-formed prolog DOCTYPE can follow.
2000
+ if (closerOffset$LWS === -1) {
2001
+ return null;
2002
+ }
2003
+ index$LWS = closerOffset$LWS + COMMENT_CLOSER$LWS.length;
2004
+ continue;
2005
+ }
2006
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [PI_OPENER$LWS, index$LWS])) {
2007
+ const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [PI_CLOSER$LWS, index$LWS + PI_OPENER$LWS.length]);
2008
+ if (closerOffset$LWS === -1) {
2009
+ return null;
2010
+ }
2011
+ index$LWS = closerOffset$LWS + PI_CLOSER$LWS.length;
2012
+ continue;
2013
+ }
2014
+ // First `<` that is not a PI, comment, or DOCTYPE is the root element
2015
+ // start tag. The prolog has ended without a DOCTYPE.
2016
+ return null;
2017
+ }
2018
+ return null;
2019
+ }
1957
2020
  /* eslint-disable no-underscore-dangle */
1958
2021
  class Validator$LWS {
1959
2022
  constructor(document$LWS, {
@@ -1970,12 +2033,28 @@ class Validator$LWS {
1970
2033
  // Detect XML External Entity (XXE) injection attacks via DOCTYPE declarations.
1971
2034
  // Attackers can embed malicious script content inside ENTITY definitions that
1972
2035
  // get expanded when the XML/SVG is rendered, bypassing DOMPurify sanitization.
2036
+ //
2037
+ // A DTD only takes effect when it appears in the document prolog (before the
2038
+ // root element). The original guard scanned the entire input for a dangerous
2039
+ // DOCTYPE substring, which also rejected benign documents that merely quote a
2040
+ // DOCTYPE as inert text — inside a CDATA section, an XML comment, or element
2041
+ // text. The prolog-aware path keeps the dangerous-form classification
2042
+ // (internal subset, SYSTEM/PUBLIC external reference) exactly as-is, but only
2043
+ // applies it to a DOCTYPE that actually sits in the prolog. When the gate is
2044
+ // off, the original whole-input scan is preserved.
1973
2045
  // eslint-disable-next-line class-methods-use-this
1974
2046
  this.isXMLEntityAttack = input$LWS => {
1975
2047
  const normalizedInput$LWS = normalizeInput$LWS(input$LWS, ' ');
1976
2048
  // Block DOCTYPE with:
1977
2049
  // - Internal DTD subset (e.g., <!DOCTYPE svg [<!ENTITY foo "...">]>)
1978
2050
  // - SYSTEM or PUBLIC external entity references
2051
+ if (isGaterEnabledFeature$LWS('xmlEntityAttackPrologScan')) {
2052
+ const prologDoctype$LWS = findPrologDoctype$LWS(normalizedInput$LWS);
2053
+ if (prologDoctype$LWS === null) {
2054
+ return false;
2055
+ }
2056
+ return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [prologDoctype$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [prologDoctype$LWS]);
2057
+ }
1979
2058
  return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [normalizedInput$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [normalizedInput$LWS]);
1980
2059
  };
1981
2060
  // Detect namespaced script elements that execute in XML contexts.
@@ -2377,7 +2456,7 @@ const {
2377
2456
  const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
2378
2457
  const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
2379
2458
  ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
2380
- /*! version: 0.27.5 */
2459
+ /*! version: 0.27.7 */
2381
2460
 
2382
2461
  /*!
2383
2462
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2429,13 +2508,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
2429
2508
  const locationHref$LWS = rootWindow$LWS$1.location.href;
2430
2509
  return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
2431
2510
  }
2432
- // Validates that a URL doesn't target disallowed endpoints
2511
+ // Validates that a URL doesn't target disallowed endpoints.
2433
2512
  // @TODO: W-7302311 Make paths and domains configurable.
2434
2513
  function isAllowedEndpointURL$LWS(parsedURL$LWS) {
2435
2514
  const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
2436
2515
  // This MUST be done inside the function because the gate may not be enabled when the
2437
2516
  // module code is loaded and evaluated (as would be the case for test environments)
2438
2517
  if (isGaterEnabledFeature$LWS('changesSince.262')) {
2518
+ // Cross-origin URLs bypass the denylist — they cannot carry the user's session
2519
+ // credentials to this instance's platform-internal endpoints (W-23009170).
2520
+ if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
2521
+ return true;
2522
+ }
2439
2523
  DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
2440
2524
  }
2441
2525
  for (let i$LWS = 0, {
@@ -2488,7 +2572,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
2488
2572
  function sanitizeURLString$LWS(urlString$LWS) {
2489
2573
  return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
2490
2574
  }
2491
- /*! version: 0.27.5 */
2575
+ /*! version: 0.27.7 */
2492
2576
 
2493
2577
  /*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
2494
2578
 
@@ -3900,7 +3984,7 @@ try {
3900
3984
  // swallow
3901
3985
  }
3902
3986
  const trusted = createPolicy('trusted', policyOptions);
3903
- /*! version: 0.27.5 */
3987
+ /*! version: 0.27.7 */
3904
3988
 
3905
3989
  /*!
3906
3990
  * Copyright (C) 2019 salesforce.com, inc.
@@ -4176,7 +4260,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
4176
4260
  }
4177
4261
  return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
4178
4262
  }
4179
- /*! version: 0.27.5 */
4263
+ /*! version: 0.27.7 */
4180
4264
 
4181
4265
  /*!
4182
4266
  * Copyright (C) 2023 salesforce.com, inc.
@@ -4385,7 +4469,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
4385
4469
  ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
4386
4470
  };
4387
4471
  }
4388
- /*! version: 0.27.5 */
4472
+ /*! version: 0.27.7 */
4389
4473
 
4390
4474
  /*!
4391
4475
  * Copyright (C) 2019 salesforce.com, inc.
@@ -6084,7 +6168,7 @@ function initDistortionDocumentCreateTreeWalker$LWS({
6084
6168
  const {
6085
6169
  0: root$LWS
6086
6170
  } = args$LWS;
6087
- if (isGaterEnabledFeature$LWS('changesSince.262') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
6171
+ if (isGaterEnabledFeature$LWS('restrictCreateTreeWalker') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
6088
6172
  throw new LockerSecurityError$LWS(`Cannot create TreeWalker rooted at shared element ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, root$LWS, [])}.`);
6089
6173
  }
6090
6174
  return ReflectApply$LWS$1(originalCreateTreeWalker$LWS, this, args$LWS);
@@ -11859,7 +11943,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
11859
11943
  const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
11860
11944
  const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
11861
11945
  const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
11862
- /*! version: 0.27.5 */
11946
+ /*! version: 0.27.7 */
11863
11947
 
11864
11948
  /*!
11865
11949
  * Copyright (C) 2021 salesforce.com, inc.
@@ -11868,7 +11952,7 @@ let pdpSchema$LWS;
11868
11952
  function getPdpSchema$LWS() {
11869
11953
  return pdpSchema$LWS;
11870
11954
  }
11871
- /*! version: 0.27.5 */
11955
+ /*! version: 0.27.7 */
11872
11956
 
11873
11957
  /*!
11874
11958
  * Copyright (C) 2019 salesforce.com, inc.
@@ -17215,7 +17299,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
17215
17299
  // tools from mistaking the regexp or the replacement string for an
17216
17300
  // actual source mapping URL.
17217
17301
  /\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
17218
- sourceText$LWS = `\n//# LWS Version = "0.27.5"\n${sourceText$LWS}`;
17302
+ sourceText$LWS = `\n//# LWS Version = "0.27.7"\n${sourceText$LWS}`;
17219
17303
  return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
17220
17304
  // Append "'use strict'" to the extracted function body so it is
17221
17305
  // evaluated in strict mode.
@@ -18011,7 +18095,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
18011
18095
  depRegistry$LWS.set(dep$LWS, secureDep$LWS);
18012
18096
  return secureDep$LWS;
18013
18097
  }
18014
- /*! version: 0.27.5 */
18098
+ /*! version: 0.27.7 */
18015
18099
 
18016
18100
  const loaderDefine = (globalThis ).LWR.define;
18017
18101
 
@@ -1510,7 +1510,7 @@ const {
1510
1510
  const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
1511
1511
  const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
1512
1512
  const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
1513
- /*! version: 0.27.5 */
1513
+ /*! version: 0.27.7 */
1514
1514
 
1515
1515
  /*!
1516
1516
  * Copyright (C) 2019 salesforce.com, inc.
@@ -1954,6 +1954,69 @@ const DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS = /<!doctype\s+\S+\s*\[/;
1954
1954
  // Matches: <!DOCTYPE root SYSTEM "..."> or <!DOCTYPE root PUBLIC "..." "...">
1955
1955
  // External DTDs can define entities that get expanded with malicious content.
1956
1956
  const DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS = /<!doctype\s+\S+\s+(?:system|public)\s/;
1957
+ const DOCTYPE_OPENER$LWS = '<!doctype';
1958
+ const PI_OPENER$LWS = '<?';
1959
+ const PI_CLOSER$LWS = '?>';
1960
+ const COMMENT_OPENER$LWS = '<!--';
1961
+ const COMMENT_CLOSER$LWS = '-->';
1962
+ // Locate a DOCTYPE that sits in the document prolog — the only position where a
1963
+ // DTD is actually parsed and where entity definitions can take effect. A DTD is
1964
+ // only meaningful before the root element's start tag; anything after the root
1965
+ // element opens (text, CDATA sections, comments, processing instructions) is
1966
+ // inert character data and can never act as a DTD, no matter what it spells.
1967
+ //
1968
+ // Returns the prolog slice beginning at the DOCTYPE so the existing
1969
+ // dangerous-form regexes can classify it, or null when the prolog contains no
1970
+ // DOCTYPE. Walks the prolog token by token, skipping the XML declaration and
1971
+ // processing instructions (`<?...?>`) and comments (`<!-- ... -->`), and stops
1972
+ // at the first other `<` — that is the root element's start tag. Skipping
1973
+ // comments here is what defeats the `<!-- <![CDATA[ -->` decoy: a real prolog
1974
+ // DOCTYPE after a comment is still found, and a DOCTYPE buried inside a comment
1975
+ // is correctly ignored.
1976
+ function findPrologDoctype$LWS(normalizedInput$LWS) {
1977
+ const {
1978
+ length: length$LWS
1979
+ } = normalizedInput$LWS;
1980
+ let index$LWS = 0;
1981
+ while (index$LWS < length$LWS) {
1982
+ const char$LWS = ReflectApply$LWS$1(StringProtoCharAt$LWS, normalizedInput$LWS, [index$LWS]);
1983
+ // Skip insignificant whitespace between prolog tokens.
1984
+ if (char$LWS === ' ' || char$LWS === '\t' || char$LWS === '\n' || char$LWS === '\r') {
1985
+ index$LWS += 1;
1986
+ continue;
1987
+ }
1988
+ // Anything that is not a markup-opening `<` at this point is either the
1989
+ // start of the root element's content model or malformed; in both cases
1990
+ // there is no prolog DOCTYPE to find.
1991
+ if (char$LWS !== '<') {
1992
+ return null;
1993
+ }
1994
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [DOCTYPE_OPENER$LWS, index$LWS])) {
1995
+ return ReflectApply$LWS$1(StringProtoSlice$LWS$1, normalizedInput$LWS, [index$LWS]);
1996
+ }
1997
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [COMMENT_OPENER$LWS, index$LWS])) {
1998
+ const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [COMMENT_CLOSER$LWS, index$LWS + COMMENT_OPENER$LWS.length]);
1999
+ // Unterminated comment: no well-formed prolog DOCTYPE can follow.
2000
+ if (closerOffset$LWS === -1) {
2001
+ return null;
2002
+ }
2003
+ index$LWS = closerOffset$LWS + COMMENT_CLOSER$LWS.length;
2004
+ continue;
2005
+ }
2006
+ if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [PI_OPENER$LWS, index$LWS])) {
2007
+ const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [PI_CLOSER$LWS, index$LWS + PI_OPENER$LWS.length]);
2008
+ if (closerOffset$LWS === -1) {
2009
+ return null;
2010
+ }
2011
+ index$LWS = closerOffset$LWS + PI_CLOSER$LWS.length;
2012
+ continue;
2013
+ }
2014
+ // First `<` that is not a PI, comment, or DOCTYPE is the root element
2015
+ // start tag. The prolog has ended without a DOCTYPE.
2016
+ return null;
2017
+ }
2018
+ return null;
2019
+ }
1957
2020
  /* eslint-disable no-underscore-dangle */
1958
2021
  class Validator$LWS {
1959
2022
  constructor(document$LWS, {
@@ -1970,12 +2033,28 @@ class Validator$LWS {
1970
2033
  // Detect XML External Entity (XXE) injection attacks via DOCTYPE declarations.
1971
2034
  // Attackers can embed malicious script content inside ENTITY definitions that
1972
2035
  // get expanded when the XML/SVG is rendered, bypassing DOMPurify sanitization.
2036
+ //
2037
+ // A DTD only takes effect when it appears in the document prolog (before the
2038
+ // root element). The original guard scanned the entire input for a dangerous
2039
+ // DOCTYPE substring, which also rejected benign documents that merely quote a
2040
+ // DOCTYPE as inert text — inside a CDATA section, an XML comment, or element
2041
+ // text. The prolog-aware path keeps the dangerous-form classification
2042
+ // (internal subset, SYSTEM/PUBLIC external reference) exactly as-is, but only
2043
+ // applies it to a DOCTYPE that actually sits in the prolog. When the gate is
2044
+ // off, the original whole-input scan is preserved.
1973
2045
  // eslint-disable-next-line class-methods-use-this
1974
2046
  this.isXMLEntityAttack = input$LWS => {
1975
2047
  const normalizedInput$LWS = normalizeInput$LWS(input$LWS, ' ');
1976
2048
  // Block DOCTYPE with:
1977
2049
  // - Internal DTD subset (e.g., <!DOCTYPE svg [<!ENTITY foo "...">]>)
1978
2050
  // - SYSTEM or PUBLIC external entity references
2051
+ if (isGaterEnabledFeature$LWS('xmlEntityAttackPrologScan')) {
2052
+ const prologDoctype$LWS = findPrologDoctype$LWS(normalizedInput$LWS);
2053
+ if (prologDoctype$LWS === null) {
2054
+ return false;
2055
+ }
2056
+ return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [prologDoctype$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [prologDoctype$LWS]);
2057
+ }
1979
2058
  return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [normalizedInput$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [normalizedInput$LWS]);
1980
2059
  };
1981
2060
  // Detect namespaced script elements that execute in XML contexts.
@@ -2377,7 +2456,7 @@ const {
2377
2456
  const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
2378
2457
  const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
2379
2458
  ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
2380
- /*! version: 0.27.5 */
2459
+ /*! version: 0.27.7 */
2381
2460
 
2382
2461
  /*!
2383
2462
  * Copyright (C) 2019 salesforce.com, inc.
@@ -2429,13 +2508,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
2429
2508
  const locationHref$LWS = rootWindow$LWS$1.location.href;
2430
2509
  return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
2431
2510
  }
2432
- // Validates that a URL doesn't target disallowed endpoints
2511
+ // Validates that a URL doesn't target disallowed endpoints.
2433
2512
  // @TODO: W-7302311 Make paths and domains configurable.
2434
2513
  function isAllowedEndpointURL$LWS(parsedURL$LWS) {
2435
2514
  const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
2436
2515
  // This MUST be done inside the function because the gate may not be enabled when the
2437
2516
  // module code is loaded and evaluated (as would be the case for test environments)
2438
2517
  if (isGaterEnabledFeature$LWS('changesSince.262')) {
2518
+ // Cross-origin URLs bypass the denylist — they cannot carry the user's session
2519
+ // credentials to this instance's platform-internal endpoints (W-23009170).
2520
+ if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
2521
+ return true;
2522
+ }
2439
2523
  DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
2440
2524
  }
2441
2525
  for (let i$LWS = 0, {
@@ -2488,7 +2572,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
2488
2572
  function sanitizeURLString$LWS(urlString$LWS) {
2489
2573
  return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
2490
2574
  }
2491
- /*! version: 0.27.5 */
2575
+ /*! version: 0.27.7 */
2492
2576
 
2493
2577
  /*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
2494
2578
 
@@ -3900,7 +3984,7 @@ try {
3900
3984
  // swallow
3901
3985
  }
3902
3986
  const trusted = createPolicy('trusted', policyOptions);
3903
- /*! version: 0.27.5 */
3987
+ /*! version: 0.27.7 */
3904
3988
 
3905
3989
  /*!
3906
3990
  * Copyright (C) 2019 salesforce.com, inc.
@@ -4176,7 +4260,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
4176
4260
  }
4177
4261
  return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
4178
4262
  }
4179
- /*! version: 0.27.5 */
4263
+ /*! version: 0.27.7 */
4180
4264
 
4181
4265
  /*!
4182
4266
  * Copyright (C) 2023 salesforce.com, inc.
@@ -4385,7 +4469,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
4385
4469
  ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
4386
4470
  };
4387
4471
  }
4388
- /*! version: 0.27.5 */
4472
+ /*! version: 0.27.7 */
4389
4473
 
4390
4474
  /*!
4391
4475
  * Copyright (C) 2019 salesforce.com, inc.
@@ -6084,7 +6168,7 @@ function initDistortionDocumentCreateTreeWalker$LWS({
6084
6168
  const {
6085
6169
  0: root$LWS
6086
6170
  } = args$LWS;
6087
- if (isGaterEnabledFeature$LWS('changesSince.262') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
6171
+ if (isGaterEnabledFeature$LWS('restrictCreateTreeWalker') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
6088
6172
  throw new LockerSecurityError$LWS(`Cannot create TreeWalker rooted at shared element ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, root$LWS, [])}.`);
6089
6173
  }
6090
6174
  return ReflectApply$LWS$1(originalCreateTreeWalker$LWS, this, args$LWS);
@@ -11859,7 +11943,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
11859
11943
  const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
11860
11944
  const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
11861
11945
  const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
11862
- /*! version: 0.27.5 */
11946
+ /*! version: 0.27.7 */
11863
11947
 
11864
11948
  /*!
11865
11949
  * Copyright (C) 2021 salesforce.com, inc.
@@ -11868,7 +11952,7 @@ let pdpSchema$LWS;
11868
11952
  function getPdpSchema$LWS() {
11869
11953
  return pdpSchema$LWS;
11870
11954
  }
11871
- /*! version: 0.27.5 */
11955
+ /*! version: 0.27.7 */
11872
11956
 
11873
11957
  /*!
11874
11958
  * Copyright (C) 2019 salesforce.com, inc.
@@ -17217,7 +17301,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
17217
17301
  // tools from mistaking the regexp or the replacement string for an
17218
17302
  // actual source mapping URL.
17219
17303
  /\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
17220
- sourceText$LWS = `\n//# LWS Version = "0.27.5"\n${sourceText$LWS}`;
17304
+ sourceText$LWS = `\n//# LWS Version = "0.27.7"\n${sourceText$LWS}`;
17221
17305
  return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
17222
17306
  // Append "'use strict'" to the extracted function body so it is
17223
17307
  // evaluated in strict mode.
@@ -18043,7 +18127,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
18043
18127
  depRegistry$LWS.set(dep$LWS, secureDep$LWS);
18044
18128
  return secureDep$LWS;
18045
18129
  }
18046
- /*! version: 0.27.5 */
18130
+ /*! version: 0.27.7 */
18047
18131
 
18048
18132
  export { $LWS, CORE_SANDBOX_KEY$LWS as CORE_SANDBOX_KEY, createRootWindowSandboxRecord$LWS as createRootWindowSandboxRecord, evaluateFunction$LWS as evaluateFunction, evaluateInCoreSandbox$LWS as evaluateInCoreSandbox, evaluateInSandbox$LWS as evaluateInSandbox, trusted, wrapDependency$LWS as wrapDependency };
18049
18133
  //# sourceMappingURL=lockerSandbox.js.map
package/package.json CHANGED
@@ -4,7 +4,7 @@
4
4
  "publishConfig": {
5
5
  "access": "public"
6
6
  },
7
- "version": "0.22.16",
7
+ "version": "0.22.17",
8
8
  "homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
9
9
  "repository": {
10
10
  "type": "git",
@@ -33,11 +33,11 @@
33
33
  "build:minify": "node scripts/minify-bundles.mjs"
34
34
  },
35
35
  "dependencies": {
36
- "@locker/sandbox": "0.27.5",
37
- "@lwrjs/shared-utils": "0.22.16"
36
+ "@locker/sandbox": "0.27.7",
37
+ "@lwrjs/shared-utils": "0.22.17"
38
38
  },
39
39
  "devDependencies": {
40
- "@lwrjs/types": "0.22.16",
40
+ "@lwrjs/types": "0.22.17",
41
41
  "@rollup/plugin-node-resolve": "^15.2.3",
42
42
  "@rollup/plugin-sucrase": "^5.0.2",
43
43
  "@rollup/plugin-terser": "^0.4.4",
@@ -70,5 +70,5 @@
70
70
  "volta": {
71
71
  "extends": "../../../package.json"
72
72
  },
73
- "gitHead": "347e219234c5b3ee39c8388e0258e8be656ea12f"
73
+ "gitHead": "cb61c362e500a24542c00ed1f751c288d258d42b"
74
74
  }