@lwrjs/client-modules 0.22.16 → 0.22.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1510,7 +1510,7 @@ const {
|
|
|
1510
1510
|
const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
|
|
1511
1511
|
const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
|
|
1512
1512
|
const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
|
|
1513
|
-
/*! version: 0.27.
|
|
1513
|
+
/*! version: 0.27.7 */
|
|
1514
1514
|
|
|
1515
1515
|
/*!
|
|
1516
1516
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -1954,6 +1954,69 @@ const DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS = /<!doctype\s+\S+\s*\[/;
|
|
|
1954
1954
|
// Matches: <!DOCTYPE root SYSTEM "..."> or <!DOCTYPE root PUBLIC "..." "...">
|
|
1955
1955
|
// External DTDs can define entities that get expanded with malicious content.
|
|
1956
1956
|
const DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS = /<!doctype\s+\S+\s+(?:system|public)\s/;
|
|
1957
|
+
const DOCTYPE_OPENER$LWS = '<!doctype';
|
|
1958
|
+
const PI_OPENER$LWS = '<?';
|
|
1959
|
+
const PI_CLOSER$LWS = '?>';
|
|
1960
|
+
const COMMENT_OPENER$LWS = '<!--';
|
|
1961
|
+
const COMMENT_CLOSER$LWS = '-->';
|
|
1962
|
+
// Locate a DOCTYPE that sits in the document prolog — the only position where a
|
|
1963
|
+
// DTD is actually parsed and where entity definitions can take effect. A DTD is
|
|
1964
|
+
// only meaningful before the root element's start tag; anything after the root
|
|
1965
|
+
// element opens (text, CDATA sections, comments, processing instructions) is
|
|
1966
|
+
// inert character data and can never act as a DTD, no matter what it spells.
|
|
1967
|
+
//
|
|
1968
|
+
// Returns the prolog slice beginning at the DOCTYPE so the existing
|
|
1969
|
+
// dangerous-form regexes can classify it, or null when the prolog contains no
|
|
1970
|
+
// DOCTYPE. Walks the prolog token by token, skipping the XML declaration and
|
|
1971
|
+
// processing instructions (`<?...?>`) and comments (`<!-- ... -->`), and stops
|
|
1972
|
+
// at the first other `<` — that is the root element's start tag. Skipping
|
|
1973
|
+
// comments here is what defeats the `<!-- <![CDATA[ -->` decoy: a real prolog
|
|
1974
|
+
// DOCTYPE after a comment is still found, and a DOCTYPE buried inside a comment
|
|
1975
|
+
// is correctly ignored.
|
|
1976
|
+
function findPrologDoctype$LWS(normalizedInput$LWS) {
|
|
1977
|
+
const {
|
|
1978
|
+
length: length$LWS
|
|
1979
|
+
} = normalizedInput$LWS;
|
|
1980
|
+
let index$LWS = 0;
|
|
1981
|
+
while (index$LWS < length$LWS) {
|
|
1982
|
+
const char$LWS = ReflectApply$LWS$1(StringProtoCharAt$LWS, normalizedInput$LWS, [index$LWS]);
|
|
1983
|
+
// Skip insignificant whitespace between prolog tokens.
|
|
1984
|
+
if (char$LWS === ' ' || char$LWS === '\t' || char$LWS === '\n' || char$LWS === '\r') {
|
|
1985
|
+
index$LWS += 1;
|
|
1986
|
+
continue;
|
|
1987
|
+
}
|
|
1988
|
+
// Anything that is not a markup-opening `<` at this point is either the
|
|
1989
|
+
// start of the root element's content model or malformed; in both cases
|
|
1990
|
+
// there is no prolog DOCTYPE to find.
|
|
1991
|
+
if (char$LWS !== '<') {
|
|
1992
|
+
return null;
|
|
1993
|
+
}
|
|
1994
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [DOCTYPE_OPENER$LWS, index$LWS])) {
|
|
1995
|
+
return ReflectApply$LWS$1(StringProtoSlice$LWS$1, normalizedInput$LWS, [index$LWS]);
|
|
1996
|
+
}
|
|
1997
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [COMMENT_OPENER$LWS, index$LWS])) {
|
|
1998
|
+
const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [COMMENT_CLOSER$LWS, index$LWS + COMMENT_OPENER$LWS.length]);
|
|
1999
|
+
// Unterminated comment: no well-formed prolog DOCTYPE can follow.
|
|
2000
|
+
if (closerOffset$LWS === -1) {
|
|
2001
|
+
return null;
|
|
2002
|
+
}
|
|
2003
|
+
index$LWS = closerOffset$LWS + COMMENT_CLOSER$LWS.length;
|
|
2004
|
+
continue;
|
|
2005
|
+
}
|
|
2006
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [PI_OPENER$LWS, index$LWS])) {
|
|
2007
|
+
const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [PI_CLOSER$LWS, index$LWS + PI_OPENER$LWS.length]);
|
|
2008
|
+
if (closerOffset$LWS === -1) {
|
|
2009
|
+
return null;
|
|
2010
|
+
}
|
|
2011
|
+
index$LWS = closerOffset$LWS + PI_CLOSER$LWS.length;
|
|
2012
|
+
continue;
|
|
2013
|
+
}
|
|
2014
|
+
// First `<` that is not a PI, comment, or DOCTYPE is the root element
|
|
2015
|
+
// start tag. The prolog has ended without a DOCTYPE.
|
|
2016
|
+
return null;
|
|
2017
|
+
}
|
|
2018
|
+
return null;
|
|
2019
|
+
}
|
|
1957
2020
|
/* eslint-disable no-underscore-dangle */
|
|
1958
2021
|
class Validator$LWS {
|
|
1959
2022
|
constructor(document$LWS, {
|
|
@@ -1970,12 +2033,28 @@ class Validator$LWS {
|
|
|
1970
2033
|
// Detect XML External Entity (XXE) injection attacks via DOCTYPE declarations.
|
|
1971
2034
|
// Attackers can embed malicious script content inside ENTITY definitions that
|
|
1972
2035
|
// get expanded when the XML/SVG is rendered, bypassing DOMPurify sanitization.
|
|
2036
|
+
//
|
|
2037
|
+
// A DTD only takes effect when it appears in the document prolog (before the
|
|
2038
|
+
// root element). The original guard scanned the entire input for a dangerous
|
|
2039
|
+
// DOCTYPE substring, which also rejected benign documents that merely quote a
|
|
2040
|
+
// DOCTYPE as inert text — inside a CDATA section, an XML comment, or element
|
|
2041
|
+
// text. The prolog-aware path keeps the dangerous-form classification
|
|
2042
|
+
// (internal subset, SYSTEM/PUBLIC external reference) exactly as-is, but only
|
|
2043
|
+
// applies it to a DOCTYPE that actually sits in the prolog. When the gate is
|
|
2044
|
+
// off, the original whole-input scan is preserved.
|
|
1973
2045
|
// eslint-disable-next-line class-methods-use-this
|
|
1974
2046
|
this.isXMLEntityAttack = input$LWS => {
|
|
1975
2047
|
const normalizedInput$LWS = normalizeInput$LWS(input$LWS, ' ');
|
|
1976
2048
|
// Block DOCTYPE with:
|
|
1977
2049
|
// - Internal DTD subset (e.g., <!DOCTYPE svg [<!ENTITY foo "...">]>)
|
|
1978
2050
|
// - SYSTEM or PUBLIC external entity references
|
|
2051
|
+
if (isGaterEnabledFeature$LWS('xmlEntityAttackPrologScan')) {
|
|
2052
|
+
const prologDoctype$LWS = findPrologDoctype$LWS(normalizedInput$LWS);
|
|
2053
|
+
if (prologDoctype$LWS === null) {
|
|
2054
|
+
return false;
|
|
2055
|
+
}
|
|
2056
|
+
return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [prologDoctype$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [prologDoctype$LWS]);
|
|
2057
|
+
}
|
|
1979
2058
|
return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [normalizedInput$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [normalizedInput$LWS]);
|
|
1980
2059
|
};
|
|
1981
2060
|
// Detect namespaced script elements that execute in XML contexts.
|
|
@@ -2377,7 +2456,7 @@ const {
|
|
|
2377
2456
|
const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
|
|
2378
2457
|
const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
|
|
2379
2458
|
ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
|
|
2380
|
-
/*! version: 0.27.
|
|
2459
|
+
/*! version: 0.27.7 */
|
|
2381
2460
|
|
|
2382
2461
|
/*!
|
|
2383
2462
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -2429,13 +2508,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
|
|
|
2429
2508
|
const locationHref$LWS = rootWindow$LWS$1.location.href;
|
|
2430
2509
|
return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
|
|
2431
2510
|
}
|
|
2432
|
-
// Validates that a URL doesn't target disallowed endpoints
|
|
2511
|
+
// Validates that a URL doesn't target disallowed endpoints.
|
|
2433
2512
|
// @TODO: W-7302311 Make paths and domains configurable.
|
|
2434
2513
|
function isAllowedEndpointURL$LWS(parsedURL$LWS) {
|
|
2435
2514
|
const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
|
|
2436
2515
|
// This MUST be done inside the function because the gate may not be enabled when the
|
|
2437
2516
|
// module code is loaded and evaluated (as would be the case for test environments)
|
|
2438
2517
|
if (isGaterEnabledFeature$LWS('changesSince.262')) {
|
|
2518
|
+
// Cross-origin URLs bypass the denylist — they cannot carry the user's session
|
|
2519
|
+
// credentials to this instance's platform-internal endpoints (W-23009170).
|
|
2520
|
+
if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
|
|
2521
|
+
return true;
|
|
2522
|
+
}
|
|
2439
2523
|
DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
|
|
2440
2524
|
}
|
|
2441
2525
|
for (let i$LWS = 0, {
|
|
@@ -2488,7 +2572,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
|
|
|
2488
2572
|
function sanitizeURLString$LWS(urlString$LWS) {
|
|
2489
2573
|
return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
|
|
2490
2574
|
}
|
|
2491
|
-
/*! version: 0.27.
|
|
2575
|
+
/*! version: 0.27.7 */
|
|
2492
2576
|
|
|
2493
2577
|
/*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
|
|
2494
2578
|
|
|
@@ -3900,7 +3984,7 @@ try {
|
|
|
3900
3984
|
// swallow
|
|
3901
3985
|
}
|
|
3902
3986
|
const trusted = createPolicy('trusted', policyOptions);
|
|
3903
|
-
/*! version: 0.27.
|
|
3987
|
+
/*! version: 0.27.7 */
|
|
3904
3988
|
|
|
3905
3989
|
/*!
|
|
3906
3990
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -4176,7 +4260,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
|
|
|
4176
4260
|
}
|
|
4177
4261
|
return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
|
|
4178
4262
|
}
|
|
4179
|
-
/*! version: 0.27.
|
|
4263
|
+
/*! version: 0.27.7 */
|
|
4180
4264
|
|
|
4181
4265
|
/*!
|
|
4182
4266
|
* Copyright (C) 2023 salesforce.com, inc.
|
|
@@ -4385,7 +4469,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
|
|
|
4385
4469
|
ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
|
|
4386
4470
|
};
|
|
4387
4471
|
}
|
|
4388
|
-
/*! version: 0.27.
|
|
4472
|
+
/*! version: 0.27.7 */
|
|
4389
4473
|
|
|
4390
4474
|
/*!
|
|
4391
4475
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -6084,7 +6168,7 @@ function initDistortionDocumentCreateTreeWalker$LWS({
|
|
|
6084
6168
|
const {
|
|
6085
6169
|
0: root$LWS
|
|
6086
6170
|
} = args$LWS;
|
|
6087
|
-
if (isGaterEnabledFeature$LWS('
|
|
6171
|
+
if (isGaterEnabledFeature$LWS('restrictCreateTreeWalker') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
|
|
6088
6172
|
throw new LockerSecurityError$LWS(`Cannot create TreeWalker rooted at shared element ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, root$LWS, [])}.`);
|
|
6089
6173
|
}
|
|
6090
6174
|
return ReflectApply$LWS$1(originalCreateTreeWalker$LWS, this, args$LWS);
|
|
@@ -11859,7 +11943,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
|
|
|
11859
11943
|
const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
|
|
11860
11944
|
const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
|
|
11861
11945
|
const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
|
|
11862
|
-
/*! version: 0.27.
|
|
11946
|
+
/*! version: 0.27.7 */
|
|
11863
11947
|
|
|
11864
11948
|
/*!
|
|
11865
11949
|
* Copyright (C) 2021 salesforce.com, inc.
|
|
@@ -11868,7 +11952,7 @@ let pdpSchema$LWS;
|
|
|
11868
11952
|
function getPdpSchema$LWS() {
|
|
11869
11953
|
return pdpSchema$LWS;
|
|
11870
11954
|
}
|
|
11871
|
-
/*! version: 0.27.
|
|
11955
|
+
/*! version: 0.27.7 */
|
|
11872
11956
|
|
|
11873
11957
|
/*!
|
|
11874
11958
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -17215,7 +17299,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
|
|
|
17215
17299
|
// tools from mistaking the regexp or the replacement string for an
|
|
17216
17300
|
// actual source mapping URL.
|
|
17217
17301
|
/\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
|
|
17218
|
-
sourceText$LWS = `\n//# LWS Version = "0.27.
|
|
17302
|
+
sourceText$LWS = `\n//# LWS Version = "0.27.7"\n${sourceText$LWS}`;
|
|
17219
17303
|
return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
|
|
17220
17304
|
// Append "'use strict'" to the extracted function body so it is
|
|
17221
17305
|
// evaluated in strict mode.
|
|
@@ -18011,7 +18095,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
|
|
|
18011
18095
|
depRegistry$LWS.set(dep$LWS, secureDep$LWS);
|
|
18012
18096
|
return secureDep$LWS;
|
|
18013
18097
|
}
|
|
18014
|
-
/*! version: 0.27.
|
|
18098
|
+
/*! version: 0.27.7 */
|
|
18015
18099
|
|
|
18016
18100
|
const loaderDefine = (globalThis ).LWR.define;
|
|
18017
18101
|
|
|
@@ -1510,7 +1510,7 @@ const {
|
|
|
1510
1510
|
const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
|
|
1511
1511
|
const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
|
|
1512
1512
|
const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
|
|
1513
|
-
/*! version: 0.27.
|
|
1513
|
+
/*! version: 0.27.7 */
|
|
1514
1514
|
|
|
1515
1515
|
/*!
|
|
1516
1516
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -1954,6 +1954,69 @@ const DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS = /<!doctype\s+\S+\s*\[/;
|
|
|
1954
1954
|
// Matches: <!DOCTYPE root SYSTEM "..."> or <!DOCTYPE root PUBLIC "..." "...">
|
|
1955
1955
|
// External DTDs can define entities that get expanded with malicious content.
|
|
1956
1956
|
const DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS = /<!doctype\s+\S+\s+(?:system|public)\s/;
|
|
1957
|
+
const DOCTYPE_OPENER$LWS = '<!doctype';
|
|
1958
|
+
const PI_OPENER$LWS = '<?';
|
|
1959
|
+
const PI_CLOSER$LWS = '?>';
|
|
1960
|
+
const COMMENT_OPENER$LWS = '<!--';
|
|
1961
|
+
const COMMENT_CLOSER$LWS = '-->';
|
|
1962
|
+
// Locate a DOCTYPE that sits in the document prolog — the only position where a
|
|
1963
|
+
// DTD is actually parsed and where entity definitions can take effect. A DTD is
|
|
1964
|
+
// only meaningful before the root element's start tag; anything after the root
|
|
1965
|
+
// element opens (text, CDATA sections, comments, processing instructions) is
|
|
1966
|
+
// inert character data and can never act as a DTD, no matter what it spells.
|
|
1967
|
+
//
|
|
1968
|
+
// Returns the prolog slice beginning at the DOCTYPE so the existing
|
|
1969
|
+
// dangerous-form regexes can classify it, or null when the prolog contains no
|
|
1970
|
+
// DOCTYPE. Walks the prolog token by token, skipping the XML declaration and
|
|
1971
|
+
// processing instructions (`<?...?>`) and comments (`<!-- ... -->`), and stops
|
|
1972
|
+
// at the first other `<` — that is the root element's start tag. Skipping
|
|
1973
|
+
// comments here is what defeats the `<!-- <![CDATA[ -->` decoy: a real prolog
|
|
1974
|
+
// DOCTYPE after a comment is still found, and a DOCTYPE buried inside a comment
|
|
1975
|
+
// is correctly ignored.
|
|
1976
|
+
function findPrologDoctype$LWS(normalizedInput$LWS) {
|
|
1977
|
+
const {
|
|
1978
|
+
length: length$LWS
|
|
1979
|
+
} = normalizedInput$LWS;
|
|
1980
|
+
let index$LWS = 0;
|
|
1981
|
+
while (index$LWS < length$LWS) {
|
|
1982
|
+
const char$LWS = ReflectApply$LWS$1(StringProtoCharAt$LWS, normalizedInput$LWS, [index$LWS]);
|
|
1983
|
+
// Skip insignificant whitespace between prolog tokens.
|
|
1984
|
+
if (char$LWS === ' ' || char$LWS === '\t' || char$LWS === '\n' || char$LWS === '\r') {
|
|
1985
|
+
index$LWS += 1;
|
|
1986
|
+
continue;
|
|
1987
|
+
}
|
|
1988
|
+
// Anything that is not a markup-opening `<` at this point is either the
|
|
1989
|
+
// start of the root element's content model or malformed; in both cases
|
|
1990
|
+
// there is no prolog DOCTYPE to find.
|
|
1991
|
+
if (char$LWS !== '<') {
|
|
1992
|
+
return null;
|
|
1993
|
+
}
|
|
1994
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [DOCTYPE_OPENER$LWS, index$LWS])) {
|
|
1995
|
+
return ReflectApply$LWS$1(StringProtoSlice$LWS$1, normalizedInput$LWS, [index$LWS]);
|
|
1996
|
+
}
|
|
1997
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [COMMENT_OPENER$LWS, index$LWS])) {
|
|
1998
|
+
const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [COMMENT_CLOSER$LWS, index$LWS + COMMENT_OPENER$LWS.length]);
|
|
1999
|
+
// Unterminated comment: no well-formed prolog DOCTYPE can follow.
|
|
2000
|
+
if (closerOffset$LWS === -1) {
|
|
2001
|
+
return null;
|
|
2002
|
+
}
|
|
2003
|
+
index$LWS = closerOffset$LWS + COMMENT_CLOSER$LWS.length;
|
|
2004
|
+
continue;
|
|
2005
|
+
}
|
|
2006
|
+
if (ReflectApply$LWS$1(StringProtoStartsWith$LWS, normalizedInput$LWS, [PI_OPENER$LWS, index$LWS])) {
|
|
2007
|
+
const closerOffset$LWS = ReflectApply$LWS$1(StringProtoIndexOf$LWS, normalizedInput$LWS, [PI_CLOSER$LWS, index$LWS + PI_OPENER$LWS.length]);
|
|
2008
|
+
if (closerOffset$LWS === -1) {
|
|
2009
|
+
return null;
|
|
2010
|
+
}
|
|
2011
|
+
index$LWS = closerOffset$LWS + PI_CLOSER$LWS.length;
|
|
2012
|
+
continue;
|
|
2013
|
+
}
|
|
2014
|
+
// First `<` that is not a PI, comment, or DOCTYPE is the root element
|
|
2015
|
+
// start tag. The prolog has ended without a DOCTYPE.
|
|
2016
|
+
return null;
|
|
2017
|
+
}
|
|
2018
|
+
return null;
|
|
2019
|
+
}
|
|
1957
2020
|
/* eslint-disable no-underscore-dangle */
|
|
1958
2021
|
class Validator$LWS {
|
|
1959
2022
|
constructor(document$LWS, {
|
|
@@ -1970,12 +2033,28 @@ class Validator$LWS {
|
|
|
1970
2033
|
// Detect XML External Entity (XXE) injection attacks via DOCTYPE declarations.
|
|
1971
2034
|
// Attackers can embed malicious script content inside ENTITY definitions that
|
|
1972
2035
|
// get expanded when the XML/SVG is rendered, bypassing DOMPurify sanitization.
|
|
2036
|
+
//
|
|
2037
|
+
// A DTD only takes effect when it appears in the document prolog (before the
|
|
2038
|
+
// root element). The original guard scanned the entire input for a dangerous
|
|
2039
|
+
// DOCTYPE substring, which also rejected benign documents that merely quote a
|
|
2040
|
+
// DOCTYPE as inert text — inside a CDATA section, an XML comment, or element
|
|
2041
|
+
// text. The prolog-aware path keeps the dangerous-form classification
|
|
2042
|
+
// (internal subset, SYSTEM/PUBLIC external reference) exactly as-is, but only
|
|
2043
|
+
// applies it to a DOCTYPE that actually sits in the prolog. When the gate is
|
|
2044
|
+
// off, the original whole-input scan is preserved.
|
|
1973
2045
|
// eslint-disable-next-line class-methods-use-this
|
|
1974
2046
|
this.isXMLEntityAttack = input$LWS => {
|
|
1975
2047
|
const normalizedInput$LWS = normalizeInput$LWS(input$LWS, ' ');
|
|
1976
2048
|
// Block DOCTYPE with:
|
|
1977
2049
|
// - Internal DTD subset (e.g., <!DOCTYPE svg [<!ENTITY foo "...">]>)
|
|
1978
2050
|
// - SYSTEM or PUBLIC external entity references
|
|
2051
|
+
if (isGaterEnabledFeature$LWS('xmlEntityAttackPrologScan')) {
|
|
2052
|
+
const prologDoctype$LWS = findPrologDoctype$LWS(normalizedInput$LWS);
|
|
2053
|
+
if (prologDoctype$LWS === null) {
|
|
2054
|
+
return false;
|
|
2055
|
+
}
|
|
2056
|
+
return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [prologDoctype$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [prologDoctype$LWS]);
|
|
2057
|
+
}
|
|
1979
2058
|
return ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_WITH_INTERNAL_SUBSET_REGEX$LWS, [normalizedInput$LWS]) || ReflectApply$LWS$1(RegExpProtoTest$LWS$1, DOCTYPE_EXTERNAL_ENTITY_REGEX$LWS, [normalizedInput$LWS]);
|
|
1980
2059
|
};
|
|
1981
2060
|
// Detect namespaced script elements that execute in XML contexts.
|
|
@@ -2377,7 +2456,7 @@ const {
|
|
|
2377
2456
|
const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
|
|
2378
2457
|
const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
|
|
2379
2458
|
ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
|
|
2380
|
-
/*! version: 0.27.
|
|
2459
|
+
/*! version: 0.27.7 */
|
|
2381
2460
|
|
|
2382
2461
|
/*!
|
|
2383
2462
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -2429,13 +2508,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
|
|
|
2429
2508
|
const locationHref$LWS = rootWindow$LWS$1.location.href;
|
|
2430
2509
|
return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
|
|
2431
2510
|
}
|
|
2432
|
-
// Validates that a URL doesn't target disallowed endpoints
|
|
2511
|
+
// Validates that a URL doesn't target disallowed endpoints.
|
|
2433
2512
|
// @TODO: W-7302311 Make paths and domains configurable.
|
|
2434
2513
|
function isAllowedEndpointURL$LWS(parsedURL$LWS) {
|
|
2435
2514
|
const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
|
|
2436
2515
|
// This MUST be done inside the function because the gate may not be enabled when the
|
|
2437
2516
|
// module code is loaded and evaluated (as would be the case for test environments)
|
|
2438
2517
|
if (isGaterEnabledFeature$LWS('changesSince.262')) {
|
|
2518
|
+
// Cross-origin URLs bypass the denylist — they cannot carry the user's session
|
|
2519
|
+
// credentials to this instance's platform-internal endpoints (W-23009170).
|
|
2520
|
+
if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
|
|
2521
|
+
return true;
|
|
2522
|
+
}
|
|
2439
2523
|
DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
|
|
2440
2524
|
}
|
|
2441
2525
|
for (let i$LWS = 0, {
|
|
@@ -2488,7 +2572,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
|
|
|
2488
2572
|
function sanitizeURLString$LWS(urlString$LWS) {
|
|
2489
2573
|
return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [newlinesAndTabsRegExp$LWS, '']);
|
|
2490
2574
|
}
|
|
2491
|
-
/*! version: 0.27.
|
|
2575
|
+
/*! version: 0.27.7 */
|
|
2492
2576
|
|
|
2493
2577
|
/*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
|
|
2494
2578
|
|
|
@@ -3900,7 +3984,7 @@ try {
|
|
|
3900
3984
|
// swallow
|
|
3901
3985
|
}
|
|
3902
3986
|
const trusted = createPolicy('trusted', policyOptions);
|
|
3903
|
-
/*! version: 0.27.
|
|
3987
|
+
/*! version: 0.27.7 */
|
|
3904
3988
|
|
|
3905
3989
|
/*!
|
|
3906
3990
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -4176,7 +4260,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
|
|
|
4176
4260
|
}
|
|
4177
4261
|
return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
|
|
4178
4262
|
}
|
|
4179
|
-
/*! version: 0.27.
|
|
4263
|
+
/*! version: 0.27.7 */
|
|
4180
4264
|
|
|
4181
4265
|
/*!
|
|
4182
4266
|
* Copyright (C) 2023 salesforce.com, inc.
|
|
@@ -4385,7 +4469,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
|
|
|
4385
4469
|
ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
|
|
4386
4470
|
};
|
|
4387
4471
|
}
|
|
4388
|
-
/*! version: 0.27.
|
|
4472
|
+
/*! version: 0.27.7 */
|
|
4389
4473
|
|
|
4390
4474
|
/*!
|
|
4391
4475
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -6084,7 +6168,7 @@ function initDistortionDocumentCreateTreeWalker$LWS({
|
|
|
6084
6168
|
const {
|
|
6085
6169
|
0: root$LWS
|
|
6086
6170
|
} = args$LWS;
|
|
6087
|
-
if (isGaterEnabledFeature$LWS('
|
|
6171
|
+
if (isGaterEnabledFeature$LWS('restrictCreateTreeWalker') && root$LWS && isSharedElement$B$LWS(root$LWS)) {
|
|
6088
6172
|
throw new LockerSecurityError$LWS(`Cannot create TreeWalker rooted at shared element ${ReflectApply$LWS$1(NodeProtoNodeNameGetter$LWS, root$LWS, [])}.`);
|
|
6089
6173
|
}
|
|
6090
6174
|
return ReflectApply$LWS$1(originalCreateTreeWalker$LWS, this, args$LWS);
|
|
@@ -11859,7 +11943,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
|
|
|
11859
11943
|
const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
|
|
11860
11944
|
const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
|
|
11861
11945
|
const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
|
|
11862
|
-
/*! version: 0.27.
|
|
11946
|
+
/*! version: 0.27.7 */
|
|
11863
11947
|
|
|
11864
11948
|
/*!
|
|
11865
11949
|
* Copyright (C) 2021 salesforce.com, inc.
|
|
@@ -11868,7 +11952,7 @@ let pdpSchema$LWS;
|
|
|
11868
11952
|
function getPdpSchema$LWS() {
|
|
11869
11953
|
return pdpSchema$LWS;
|
|
11870
11954
|
}
|
|
11871
|
-
/*! version: 0.27.
|
|
11955
|
+
/*! version: 0.27.7 */
|
|
11872
11956
|
|
|
11873
11957
|
/*!
|
|
11874
11958
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -17217,7 +17301,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
|
|
|
17217
17301
|
// tools from mistaking the regexp or the replacement string for an
|
|
17218
17302
|
// actual source mapping URL.
|
|
17219
17303
|
/\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
|
|
17220
|
-
sourceText$LWS = `\n//# LWS Version = "0.27.
|
|
17304
|
+
sourceText$LWS = `\n//# LWS Version = "0.27.7"\n${sourceText$LWS}`;
|
|
17221
17305
|
return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
|
|
17222
17306
|
// Append "'use strict'" to the extracted function body so it is
|
|
17223
17307
|
// evaluated in strict mode.
|
|
@@ -18043,7 +18127,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
|
|
|
18043
18127
|
depRegistry$LWS.set(dep$LWS, secureDep$LWS);
|
|
18044
18128
|
return secureDep$LWS;
|
|
18045
18129
|
}
|
|
18046
|
-
/*! version: 0.27.
|
|
18130
|
+
/*! version: 0.27.7 */
|
|
18047
18131
|
|
|
18048
18132
|
export { $LWS, CORE_SANDBOX_KEY$LWS as CORE_SANDBOX_KEY, createRootWindowSandboxRecord$LWS as createRootWindowSandboxRecord, evaluateFunction$LWS as evaluateFunction, evaluateInCoreSandbox$LWS as evaluateInCoreSandbox, evaluateInSandbox$LWS as evaluateInSandbox, trusted, wrapDependency$LWS as wrapDependency };
|
|
18049
18133
|
//# sourceMappingURL=lockerSandbox.js.map
|
package/package.json
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
"publishConfig": {
|
|
5
5
|
"access": "public"
|
|
6
6
|
},
|
|
7
|
-
"version": "0.22.
|
|
7
|
+
"version": "0.22.17",
|
|
8
8
|
"homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
|
|
9
9
|
"repository": {
|
|
10
10
|
"type": "git",
|
|
@@ -33,11 +33,11 @@
|
|
|
33
33
|
"build:minify": "node scripts/minify-bundles.mjs"
|
|
34
34
|
},
|
|
35
35
|
"dependencies": {
|
|
36
|
-
"@locker/sandbox": "0.27.
|
|
37
|
-
"@lwrjs/shared-utils": "0.22.
|
|
36
|
+
"@locker/sandbox": "0.27.7",
|
|
37
|
+
"@lwrjs/shared-utils": "0.22.17"
|
|
38
38
|
},
|
|
39
39
|
"devDependencies": {
|
|
40
|
-
"@lwrjs/types": "0.22.
|
|
40
|
+
"@lwrjs/types": "0.22.17",
|
|
41
41
|
"@rollup/plugin-node-resolve": "^15.2.3",
|
|
42
42
|
"@rollup/plugin-sucrase": "^5.0.2",
|
|
43
43
|
"@rollup/plugin-terser": "^0.4.4",
|
|
@@ -70,5 +70,5 @@
|
|
|
70
70
|
"volta": {
|
|
71
71
|
"extends": "../../../package.json"
|
|
72
72
|
},
|
|
73
|
-
"gitHead": "
|
|
73
|
+
"gitHead": "cb61c362e500a24542c00ed1f751c288d258d42b"
|
|
74
74
|
}
|