@lwrjs/client-modules 0.23.6 → 0.23.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -1511,7 +1511,7 @@ const {
|
|
|
1511
1511
|
const PromiseResolve$LWS = PromiseCtor$LWS.resolve.bind(PromiseCtor$LWS);
|
|
1512
1512
|
const PromiseReject$LWS = PromiseCtor$LWS.reject.bind(PromiseCtor$LWS);
|
|
1513
1513
|
const trustedResources$LWS = toSafeSet$LWS(new SetCtor$LWS$1());
|
|
1514
|
-
/*! version: 0.28.
|
|
1514
|
+
/*! version: 0.28.3 */
|
|
1515
1515
|
|
|
1516
1516
|
/*!
|
|
1517
1517
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -2261,6 +2261,7 @@ const {
|
|
|
2261
2261
|
} = ReflectGetOwnPropertyDescriptor$LWS(HTMLAnchorElementProto$LWS, 'href');
|
|
2262
2262
|
const HTMLAnchorElementProtoPathnameGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'pathname');
|
|
2263
2263
|
const HTMLAnchorElementProtoProtocolGetter$LWS = ObjectLookupOwnGetter$LWS$1(HTMLAnchorElementProto$LWS, 'protocol');
|
|
2264
|
+
const HTMLAnchorElementProtoProtocolSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLAnchorElementProto$LWS, 'protocol');
|
|
2264
2265
|
const {
|
|
2265
2266
|
prototype: HTMLButtonElementProto$LWS
|
|
2266
2267
|
} = HTMLButtonElement;
|
|
@@ -2514,7 +2515,7 @@ const {
|
|
|
2514
2515
|
const XhrProtoResponseTextGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'responseText');
|
|
2515
2516
|
const XhrProtoStatusGetter$LWS = ObjectLookupOwnGetter$LWS$1(XhrProto$LWS, 'status');
|
|
2516
2517
|
ObjectLookupOwnSetter$LWS(XhrProto$LWS, 'withCredentials');
|
|
2517
|
-
/*! version: 0.28.
|
|
2518
|
+
/*! version: 0.28.3 */
|
|
2518
2519
|
|
|
2519
2520
|
/*!
|
|
2520
2521
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -2542,7 +2543,21 @@ const DISALLOWED_ENDPOINTS_LIST$LWS = ['/aura', '/webruntime'];
|
|
|
2542
2543
|
const DISALLOWED_BROWSING_CONTEXT_ENDPOINTS_LIST$LWS = ['/chatter'];
|
|
2543
2544
|
const TRUSTED_DOMAINS_REG_EXP$LWS = /\.(force|salesforce|visualforce|documentforce|my\.site|salesforce-sites)\.com$/;
|
|
2544
2545
|
const URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['about:', 'http:', 'https:']);
|
|
2545
|
-
|
|
2546
|
+
// Characters that browsers strip or ignore when resolving a URL, but that defeat
|
|
2547
|
+
// LWS's string-based scheme/endpoint checks if left in place. A leading invisible
|
|
2548
|
+
// character (e.g. U+200B before "javascript:") makes the URL parser treat the input
|
|
2549
|
+
// as authority-relative, leaving the scheme empty so the allowlist check is fooled;
|
|
2550
|
+
// an embedded one (e.g. "/se\u200btup") slips past endpoint denylist matching.
|
|
2551
|
+
// Stripping them before parsing closes both for every URL-bearing distortion at once.
|
|
2552
|
+
//
|
|
2553
|
+
// \p{Cc} - control characters (covers \t \n \r and the NULL byte)
|
|
2554
|
+
// \p{Cf} - format characters (zero-width space/joiners, soft hyphen, BOM, bidi marks
|
|
2555
|
+
// U+200E/U+200F/U+202A-U+202E, word joiner, etc.)
|
|
2556
|
+
// \u034f - combining grapheme joiner (category Mn, not Cc/Cf, but perceptually
|
|
2557
|
+
// invisible and ignored by the URL parser, so listed explicitly)
|
|
2558
|
+
// \u2028 - line separator (category Zl, not covered by Cc)
|
|
2559
|
+
// \u2029 - paragraph separator (category Zp, not covered by Cc)
|
|
2560
|
+
const strippableURLCharsRegExp$LWS = /[\0-\x1F\x7F-\x9F\xAD\u034F\u0600-\u0605\u061C\u06DD\u070F\u0890\u0891\u08E2\u180E\u200B-\u200F\u2028-\u202E\u2060-\u2064\u2066-\u206F\uFEFF\uFFF9-\uFFFB\u{110BD}\u{110CD}\u{13430}-\u{1343F}\u{1BCA0}-\u{1BCA3}\u{1D173}-\u{1D17A}\u{E0001}\u{E0020}-\u{E007F}]/gu;
|
|
2546
2561
|
const normalizerAnchor$LWS = ReflectApply$LWS$1(DocumentProtoCreateElement$LWS$1, rootDocument$LWS, ['a']);
|
|
2547
2562
|
function isSameOriginURL$LWS(resourceValue$LWS) {
|
|
2548
2563
|
let validParsedURL$LWS;
|
|
@@ -2566,13 +2581,18 @@ function isAttemptingToExploitURL$LWS(resourceValue$LWS) {
|
|
|
2566
2581
|
const locationHref$LWS = rootWindow$LWS$1.location.href;
|
|
2567
2582
|
return loweredResourceValue$LWS === '/' || loweredResourceValue$LWS[0] === '#' || loweredResourceValue$LWS[0] === '?' || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}#`]) || ReflectApply$LWS$1(StringProtoStartsWith$LWS, loweredResourceValue$LWS, [`${locationHref$LWS}?`]);
|
|
2568
2583
|
}
|
|
2569
|
-
// Validates that a URL doesn't target disallowed endpoints
|
|
2584
|
+
// Validates that a URL doesn't target disallowed endpoints.
|
|
2570
2585
|
// @TODO: W-7302311 Make paths and domains configurable.
|
|
2571
2586
|
function isAllowedEndpointURL$LWS(parsedURL$LWS) {
|
|
2572
2587
|
const loweredPathname$LWS = ReflectApply$LWS$1(StringProtoToLowerCase$LWS, parsedURL$LWS.pathname, []);
|
|
2573
2588
|
// This MUST be done inside the function because the gate may not be enabled when the
|
|
2574
2589
|
// module code is loaded and evaluated (as would be the case for test environments)
|
|
2575
2590
|
if (isGaterEnabledFeature$LWS('changesSince.262')) {
|
|
2591
|
+
// Cross-origin URLs bypass the denylist — they cannot carry the user's session
|
|
2592
|
+
// credentials to this instance's platform-internal endpoints (W-23009170).
|
|
2593
|
+
if (!isSameOriginURL$LWS(parsedURL$LWS.normalizedURL)) {
|
|
2594
|
+
return true;
|
|
2595
|
+
}
|
|
2576
2596
|
DISALLOWED_ENDPOINTS_LIST$LWS.push('/_nc_external', '/force', '/setup');
|
|
2577
2597
|
}
|
|
2578
2598
|
for (let i$LWS = 0, {
|
|
@@ -2623,7 +2643,7 @@ function sanitizeURLForElement$LWS(url$LWS) {
|
|
|
2623
2643
|
return resolveURL$LWS(sanitizeURLString$LWS(url$LWS));
|
|
2624
2644
|
}
|
|
2625
2645
|
function sanitizeURLString$LWS(urlString$LWS) {
|
|
2626
|
-
return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [
|
|
2646
|
+
return urlString$LWS === '' ? urlString$LWS : ReflectApply$LWS$1(StringProtoReplace$LWS, urlString$LWS, [strippableURLCharsRegExp$LWS, '']);
|
|
2627
2647
|
}
|
|
2628
2648
|
// Per the HTML spec, srcset candidates are comma-delimited. A candidate is a
|
|
2629
2649
|
// URL optionally followed by whitespace and a width/density descriptor like
|
|
@@ -2663,7 +2683,7 @@ function sanitizeSrcsetAndValidateEndpoints$LWS(rawSrcset$LWS) {
|
|
|
2663
2683
|
}
|
|
2664
2684
|
return sanitized$LWS;
|
|
2665
2685
|
}
|
|
2666
|
-
/*! version: 0.28.
|
|
2686
|
+
/*! version: 0.28.3 */
|
|
2667
2687
|
|
|
2668
2688
|
/*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
|
|
2669
2689
|
|
|
@@ -4075,7 +4095,7 @@ try {
|
|
|
4075
4095
|
// swallow
|
|
4076
4096
|
}
|
|
4077
4097
|
const trusted = createPolicy('trusted', policyOptions);
|
|
4078
|
-
/*! version: 0.28.
|
|
4098
|
+
/*! version: 0.28.3 */
|
|
4079
4099
|
|
|
4080
4100
|
/*!
|
|
4081
4101
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -4384,7 +4404,7 @@ function blobSanitizer$LWS(sandboxKey$LWS) {
|
|
|
4384
4404
|
}
|
|
4385
4405
|
return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML');
|
|
4386
4406
|
}
|
|
4387
|
-
/*! version: 0.28.
|
|
4407
|
+
/*! version: 0.28.3 */
|
|
4388
4408
|
|
|
4389
4409
|
/*!
|
|
4390
4410
|
* Copyright (C) 2023 salesforce.com, inc.
|
|
@@ -4593,7 +4613,7 @@ function createScriptSrcURLSetter$LWS(targetElement$LWS) {
|
|
|
4593
4613
|
ReflectApply$LWS$1(ElementProtoSetAttributeNS$LWS, targetElement$LWS, [attributeNamespaceURI$LWS, attributeName$LWS, src$LWS]);
|
|
4594
4614
|
};
|
|
4595
4615
|
}
|
|
4596
|
-
/*! version: 0.28.
|
|
4616
|
+
/*! version: 0.28.3 */
|
|
4597
4617
|
|
|
4598
4618
|
/*!
|
|
4599
4619
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -8237,6 +8257,151 @@ function initDistortionEventTargetDispatchEvent$LWS({
|
|
|
8237
8257
|
return [originalDispatchEvent$LWS, dispatchEvent$LWS];
|
|
8238
8258
|
};
|
|
8239
8259
|
}
|
|
8260
|
+
|
|
8261
|
+
// W-22602807: shared helper for distorting an iframe contentWindow realm's
|
|
8262
|
+
// function-invocation primitives (Function.prototype.call/apply/bind,
|
|
8263
|
+
// Reflect.apply/construct).
|
|
8264
|
+
//
|
|
8265
|
+
// The cross-realm leak: sandbox code obtains a same-origin iframe's invocation
|
|
8266
|
+
// primitive and uses it to invoke a constructor/evaluator. The callee can
|
|
8267
|
+
// arrive as a RAW callable whose realm's `document` is undistorted, so
|
|
8268
|
+
// `document.cookie` in a compiled body resolves to the native getter and leaks
|
|
8269
|
+
// the top-level cookie.
|
|
8270
|
+
//
|
|
8271
|
+
// Containment tracks the OUTERMOST primitive actually invoked through the
|
|
8272
|
+
// membrane (composition depth is irrelevant: in `apply.call(F, ...)` only the
|
|
8273
|
+
// outer `.call` is invoked). So every invocation primitive reachable on the
|
|
8274
|
+
// iframe realm must be distorted. Each re-resolves the callee (the function
|
|
8275
|
+
// being invoked) to its distorted counterpart in the ROOT record's map when
|
|
8276
|
+
// one exists, then delegates to the native primitive — so a raw native
|
|
8277
|
+
// Function/eval reached cross-realm becomes the sandbox-distorted version,
|
|
8278
|
+
// while ordinary usage is an untouched passthrough.
|
|
8279
|
+
// Returns the host iframe element if `globalObject
|
|
8280
|
+
// ` is a same-origin iframe
|
|
8281
|
+
// contentWindow realm (the only realm we distort), else undefined. Gated on
|
|
8282
|
+
// changesSince.264: when the gate is off, no entry is installed and the
|
|
8283
|
+
// primitive keeps its native behavior. One check here covers all five
|
|
8284
|
+
// invocation-primitive distortions.
|
|
8285
|
+
function getDistortableFrameElement$LWS(globalObject$LWS) {
|
|
8286
|
+
if (!isGaterEnabledFeature$LWS('changesSince.264')) {
|
|
8287
|
+
return undefined;
|
|
8288
|
+
}
|
|
8289
|
+
let frameElement$LWS;
|
|
8290
|
+
try {
|
|
8291
|
+
frameElement$LWS = ReflectApply$LWS$1(WindowFrameElementGetter$LWS, globalObject$LWS, []);
|
|
8292
|
+
} catch (_unused2$LWS) {
|
|
8293
|
+
// Cross-origin / non-window realm: not our target.
|
|
8294
|
+
return undefined;
|
|
8295
|
+
}
|
|
8296
|
+
return frameElement$LWS || undefined;
|
|
8297
|
+
}
|
|
8298
|
+
// Re-resolve `callee` to its distorted counterpart from the root distortion
|
|
8299
|
+
// map, if one exists; otherwise return it unchanged.
|
|
8300
|
+
//
|
|
8301
|
+
// This reads the assembled `root.distortions` map at invocation time — the same
|
|
8302
|
+
// map the near-membrane's distortionCallback consults. That is deliberate: a
|
|
8303
|
+
// foreign invocation primitive can deliver a callee (e.g. the sandbox `Function`
|
|
8304
|
+
// ctor) that has crossed the membrane as a RAW reference, bypassing the
|
|
8305
|
+
// distortion the membrane would normally apply on a direct call. Looking the
|
|
8306
|
+
// callee up in the map re-attaches that distortion. We rely on the map's
|
|
8307
|
+
// invariant that a callable key maps to a callable replacement; the
|
|
8308
|
+
// `distorted !== callee` check skips identity mappings (e.g. `document`,
|
|
8309
|
+
// `location`, the global object, which map to themselves), and the invocation
|
|
8310
|
+
// primitives require a callable target regardless, so a non-callable could
|
|
8311
|
+
// never be reached here without throwing at the call site.
|
|
8312
|
+
function substituteDistortedCallee$LWS(root$LWS, callee$LWS) {
|
|
8313
|
+
const distorted$LWS = root$LWS.distortions.get(callee$LWS);
|
|
8314
|
+
if (distorted$LWS !== undefined && distorted$LWS !== callee$LWS) {
|
|
8315
|
+
return distorted$LWS;
|
|
8316
|
+
}
|
|
8317
|
+
return callee$LWS;
|
|
8318
|
+
}
|
|
8319
|
+
|
|
8320
|
+
// W-22602807: distort an iframe contentWindow realm's Function.prototype.apply.
|
|
8321
|
+
// See cross-realm-invocation.ts for the threat model.
|
|
8322
|
+
function initDistortionFunctionApply$LWS({
|
|
8323
|
+
globalObject: {
|
|
8324
|
+
Function: {
|
|
8325
|
+
prototype: {
|
|
8326
|
+
apply: originalApply$LWS
|
|
8327
|
+
}
|
|
8328
|
+
}
|
|
8329
|
+
}
|
|
8330
|
+
}) {
|
|
8331
|
+
return function distortionFunctionApply$LWS({
|
|
8332
|
+
globalObject: globalObject$LWS,
|
|
8333
|
+
root: root$LWS
|
|
8334
|
+
}) {
|
|
8335
|
+
if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
|
|
8336
|
+
return undefined;
|
|
8337
|
+
}
|
|
8338
|
+
return [originalApply$LWS,
|
|
8339
|
+
// `this` is the callee; (thisArg, argsArray) its binding and args.
|
|
8340
|
+
// `apply` accepts a null/undefined argsArray, which ReflectApply
|
|
8341
|
+
// rejects, so normalize to [].
|
|
8342
|
+
function apply$LWS(thisArg$LWS, argsArray$LWS) {
|
|
8343
|
+
return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, this), thisArg$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
|
|
8344
|
+
}];
|
|
8345
|
+
};
|
|
8346
|
+
}
|
|
8347
|
+
|
|
8348
|
+
// W-22602807: distort an iframe contentWindow realm's Function.prototype.bind.
|
|
8349
|
+
// See cross-realm-invocation.ts for the threat model.
|
|
8350
|
+
//
|
|
8351
|
+
// bind defers invocation: it returns a bound function invoked later. We
|
|
8352
|
+
// substitute the callee for its distorted counterpart FIRST, then bind that,
|
|
8353
|
+
// so the returned bound function wraps the sandbox-distorted callee.
|
|
8354
|
+
function initDistortionFunctionBind$LWS({
|
|
8355
|
+
globalObject: {
|
|
8356
|
+
Function: {
|
|
8357
|
+
prototype: {
|
|
8358
|
+
bind: originalBind$LWS
|
|
8359
|
+
}
|
|
8360
|
+
}
|
|
8361
|
+
}
|
|
8362
|
+
}) {
|
|
8363
|
+
return function distortionFunctionBind$LWS({
|
|
8364
|
+
globalObject: globalObject$LWS,
|
|
8365
|
+
root: root$LWS
|
|
8366
|
+
}) {
|
|
8367
|
+
if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
|
|
8368
|
+
return undefined;
|
|
8369
|
+
}
|
|
8370
|
+
return [originalBind$LWS,
|
|
8371
|
+
// `this` is the callee; (thisArg, ...boundArgs) the binding and
|
|
8372
|
+
// partially-applied args. Bind the substituted callee with the
|
|
8373
|
+
// sandbox-realm bind so the result is a sandbox-realm bound function.
|
|
8374
|
+
function bind$LWS(thisArg$LWS, ...boundArgs$LWS) {
|
|
8375
|
+
return ReflectApply$LWS$1(FunctionProtoBind$LWS, substituteDistortedCallee$LWS(root$LWS, this), [thisArg$LWS, ...boundArgs$LWS]);
|
|
8376
|
+
}];
|
|
8377
|
+
};
|
|
8378
|
+
}
|
|
8379
|
+
|
|
8380
|
+
// W-22602807: distort an iframe contentWindow realm's Function.prototype.call.
|
|
8381
|
+
// See cross-realm-invocation.ts for the threat model.
|
|
8382
|
+
function initDistortionFunctionCall$LWS({
|
|
8383
|
+
globalObject: {
|
|
8384
|
+
Function: {
|
|
8385
|
+
prototype: {
|
|
8386
|
+
call: originalCall$LWS
|
|
8387
|
+
}
|
|
8388
|
+
}
|
|
8389
|
+
}
|
|
8390
|
+
}) {
|
|
8391
|
+
return function distortionFunctionCall$LWS({
|
|
8392
|
+
globalObject: globalObject$LWS,
|
|
8393
|
+
root: root$LWS
|
|
8394
|
+
}) {
|
|
8395
|
+
if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
|
|
8396
|
+
return undefined;
|
|
8397
|
+
}
|
|
8398
|
+
return [originalCall$LWS,
|
|
8399
|
+
// `this` is the callee; (thisArg, ...args) its binding and arguments.
|
|
8400
|
+
function call$LWS(thisArg$LWS, ...args$LWS) {
|
|
8401
|
+
return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, this), thisArg$LWS, args$LWS);
|
|
8402
|
+
}];
|
|
8403
|
+
};
|
|
8404
|
+
}
|
|
8240
8405
|
function initDistortionFunction$LWS({
|
|
8241
8406
|
UNCOMPILED_CONTEXT: UNCOMPILED_CONTEXT$LWS,
|
|
8242
8407
|
globalObject: {
|
|
@@ -8337,11 +8502,35 @@ function initDistortionHistoryReplaceState$LWS({
|
|
|
8337
8502
|
};
|
|
8338
8503
|
}
|
|
8339
8504
|
|
|
8340
|
-
//
|
|
8341
|
-
|
|
8342
|
-
|
|
8505
|
+
// Only schemes that can trigger arbitrary JavaScript execution when an anchor is
|
|
8506
|
+
// navigated are blocked. Everything else (mailto:, tel:, sms:, http:, https:,
|
|
8507
|
+
// blob:, about:, relative urls) is permitted: those navigate or hand off to an
|
|
8508
|
+
// external app and cannot execute script.
|
|
8509
|
+
// eslint-disable-next-line no-script-url
|
|
8510
|
+
const ANCHOR_BLOCKED_URL_SCHEMES_LIST$LWS = toSafeArray$LWS$1(['data:', 'javascript:', 'vbscript:']);
|
|
8511
|
+
const ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS = 'HTMLAnchorElement href does not support data:, javascript: or vbscript: schemes.';
|
|
8512
|
+
// The scheme is read back through the browser's own URL parser via the
|
|
8513
|
+
// normalizer anchor, so case/whitespace/zero-width evasion variants resolve to
|
|
8514
|
+
// the same normalized protocol the browser would execute. A payload that does
|
|
8515
|
+
// not normalize to a blocked scheme is also not executed as one by the browser.
|
|
8516
|
+
function normalizedSchemeIsBlocked$LWS() {
|
|
8517
|
+
return ANCHOR_BLOCKED_URL_SCHEMES_LIST$LWS.includes(ReflectApply$LWS$1(HTMLAnchorElementProtoProtocolGetter$LWS, normalizerAnchor$LWS, []));
|
|
8518
|
+
}
|
|
8519
|
+
// Guards the `href` setter / `href` attribute: the whole URL is assigned to the
|
|
8520
|
+
// normalizer, then its resolved protocol is checked.
|
|
8521
|
+
function isBlockedAnchorHref$LWS(url$LWS) {
|
|
8343
8522
|
ReflectApply$LWS$1(HTMLAnchorElementProtoHrefSetter$LWS, normalizerAnchor$LWS, [url$LWS]);
|
|
8344
|
-
return
|
|
8523
|
+
return normalizedSchemeIsBlocked$LWS();
|
|
8524
|
+
}
|
|
8525
|
+
// Guards the `protocol` setter: `a.protocol = value` resolves against the
|
|
8526
|
+
// anchor's current href, so the same current href is replayed onto the
|
|
8527
|
+
// normalizer before applying the new scheme. This mirrors exactly what the
|
|
8528
|
+
// native setter would produce, on a throwaway anchor.
|
|
8529
|
+
function isBlockedAnchorProtocolChange$LWS(anchor$LWS, value$LWS) {
|
|
8530
|
+
const currentHref$LWS = ReflectApply$LWS$1(HTMLAnchorElementProtoHrefGetter$LWS, anchor$LWS, []);
|
|
8531
|
+
ReflectApply$LWS$1(HTMLAnchorElementProtoHrefSetter$LWS, normalizerAnchor$LWS, [currentHref$LWS]);
|
|
8532
|
+
ReflectApply$LWS$1(HTMLAnchorElementProtoProtocolSetter$LWS, normalizerAnchor$LWS, [value$LWS]);
|
|
8533
|
+
return normalizedSchemeIsBlocked$LWS();
|
|
8345
8534
|
}
|
|
8346
8535
|
function initDistortionHTMLAnchorElementHrefSetter$LWS({
|
|
8347
8536
|
globalObject: {
|
|
@@ -8352,8 +8541,8 @@ function initDistortionHTMLAnchorElementHrefSetter$LWS({
|
|
|
8352
8541
|
function href$LWS(value$LWS) {
|
|
8353
8542
|
const urlString$LWS = sanitizeURLForElement$LWS(value$LWS);
|
|
8354
8543
|
if (isGaterEnabledFeature$LWS('htmlAnchorElementHrefValidation')) {
|
|
8355
|
-
if (
|
|
8356
|
-
throw new LockerSecurityError$LWS(
|
|
8544
|
+
if (isBlockedAnchorHref$LWS(urlString$LWS)) {
|
|
8545
|
+
throw new LockerSecurityError$LWS(ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS);
|
|
8357
8546
|
}
|
|
8358
8547
|
const parsedURL$LWS = parseURL$LWS(urlString$LWS);
|
|
8359
8548
|
if (!isAllowedEndpointURL$LWS(parsedURL$LWS)) {
|
|
@@ -8371,6 +8560,25 @@ function initDistortionHTMLAnchorElementHrefSetter$LWS({
|
|
|
8371
8560
|
return distortionEntry$LWS;
|
|
8372
8561
|
};
|
|
8373
8562
|
}
|
|
8563
|
+
function initDistortionHTMLAnchorElementProtocolSetter$LWS({
|
|
8564
|
+
globalObject: {
|
|
8565
|
+
HTMLAnchorElement: HTMLAnchorElement$LWS
|
|
8566
|
+
}
|
|
8567
|
+
}) {
|
|
8568
|
+
const originalProtocolSetter$LWS = ObjectLookupOwnSetter$LWS(HTMLAnchorElement$LWS.prototype, 'protocol');
|
|
8569
|
+
function protocol$LWS(value$LWS) {
|
|
8570
|
+
if (isGaterEnabledFeature$LWS('changesSince.264')) {
|
|
8571
|
+
if (isBlockedAnchorProtocolChange$LWS(this, value$LWS)) {
|
|
8572
|
+
throw new LockerSecurityError$LWS(ANCHOR_BLOCKED_SCHEME_ERROR_MESSAGE$LWS);
|
|
8573
|
+
}
|
|
8574
|
+
}
|
|
8575
|
+
ReflectApply$LWS$1(originalProtocolSetter$LWS, this, [value$LWS]);
|
|
8576
|
+
}
|
|
8577
|
+
const distortionEntry$LWS = [originalProtocolSetter$LWS, protocol$LWS];
|
|
8578
|
+
return function distortionHTMLAnchorElementProtocolSetter$LWS() {
|
|
8579
|
+
return distortionEntry$LWS;
|
|
8580
|
+
};
|
|
8581
|
+
}
|
|
8374
8582
|
function initDistortionHTMLBaseElementHrefSetter$LWS({
|
|
8375
8583
|
globalObject: {
|
|
8376
8584
|
HTMLBaseElement: HTMLBaseElement$LWS
|
|
@@ -8848,7 +9056,7 @@ function enforceSandboxAllowScriptsForSameOriginIframeRealm$LWS(iframe$LWS, srcV
|
|
|
8848
9056
|
if (!isSameOriginURL$LWS(srcValue$LWS)) {
|
|
8849
9057
|
return;
|
|
8850
9058
|
}
|
|
8851
|
-
} catch (
|
|
9059
|
+
} catch (_unused3$LWS) {
|
|
8852
9060
|
/* empty */
|
|
8853
9061
|
}
|
|
8854
9062
|
if (!ReflectApply$LWS$1(DOMTokenListProtoContains$LWS, sandboxTokenList$LWS, [ALLOW_SCRIPTS_TOKEN$LWS])) {
|
|
@@ -11640,6 +11848,63 @@ function initDistortionRangeToString$LWS({
|
|
|
11640
11848
|
return distortionEntry$LWS;
|
|
11641
11849
|
};
|
|
11642
11850
|
}
|
|
11851
|
+
|
|
11852
|
+
// W-22602807: distort an iframe contentWindow realm's Reflect.apply.
|
|
11853
|
+
// See Function/cross-realm-invocation.ts for the threat model.
|
|
11854
|
+
//
|
|
11855
|
+
// Unlike Function.prototype.apply, the callee is the FIRST ARGUMENT (not
|
|
11856
|
+
// `this`) and the invocation never routes through Function.prototype.call, so
|
|
11857
|
+
// it is an independent doorway that must be distorted separately.
|
|
11858
|
+
function initDistortionReflectApply$LWS({
|
|
11859
|
+
globalObject: {
|
|
11860
|
+
Reflect: {
|
|
11861
|
+
apply: originalReflectApply$LWS
|
|
11862
|
+
}
|
|
11863
|
+
}
|
|
11864
|
+
}) {
|
|
11865
|
+
return function distortionReflectApply$LWS({
|
|
11866
|
+
globalObject: globalObject$LWS,
|
|
11867
|
+
root: root$LWS
|
|
11868
|
+
}) {
|
|
11869
|
+
if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
|
|
11870
|
+
return undefined;
|
|
11871
|
+
}
|
|
11872
|
+
return [originalReflectApply$LWS, function apply$LWS(target$LWS, thisArg$LWS, argsArray$LWS) {
|
|
11873
|
+
return ReflectApply$LWS$1(substituteDistortedCallee$LWS(root$LWS, target$LWS), thisArg$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
|
|
11874
|
+
}];
|
|
11875
|
+
};
|
|
11876
|
+
}
|
|
11877
|
+
|
|
11878
|
+
// W-22602807: distort an iframe contentWindow realm's Reflect.construct.
|
|
11879
|
+
// See Function/cross-realm-invocation.ts for the threat model.
|
|
11880
|
+
//
|
|
11881
|
+
// Construct semantics (not call): the callee is the FIRST ARGUMENT and is
|
|
11882
|
+
// invoked as a constructor. Substitute it for its distorted counterpart, then
|
|
11883
|
+
// construct with the sandbox-realm Reflect.construct, preserving the optional
|
|
11884
|
+
// newTarget argument.
|
|
11885
|
+
function initDistortionReflectConstruct$LWS({
|
|
11886
|
+
globalObject: {
|
|
11887
|
+
Reflect: {
|
|
11888
|
+
construct: originalReflectConstruct$LWS
|
|
11889
|
+
}
|
|
11890
|
+
}
|
|
11891
|
+
}) {
|
|
11892
|
+
return function distortionReflectConstruct$LWS({
|
|
11893
|
+
globalObject: globalObject$LWS,
|
|
11894
|
+
root: root$LWS
|
|
11895
|
+
}) {
|
|
11896
|
+
if (!getDistortableFrameElement$LWS(globalObject$LWS)) {
|
|
11897
|
+
return undefined;
|
|
11898
|
+
}
|
|
11899
|
+
return [originalReflectConstruct$LWS, function construct$LWS(target$LWS, argsArray$LWS, newTarget$LWS) {
|
|
11900
|
+
const substituted$LWS = substituteDistortedCallee$LWS(root$LWS, target$LWS);
|
|
11901
|
+
if (arguments.length > 2) {
|
|
11902
|
+
return ReflectConstruct$LWS(substituted$LWS, argsArray$LWS == null ? [] : argsArray$LWS, newTarget$LWS);
|
|
11903
|
+
}
|
|
11904
|
+
return ReflectConstruct$LWS(substituted$LWS, argsArray$LWS == null ? [] : argsArray$LWS);
|
|
11905
|
+
}];
|
|
11906
|
+
};
|
|
11907
|
+
}
|
|
11643
11908
|
function initDistortionReportingObserverCtor$LWS({
|
|
11644
11909
|
globalObject: {
|
|
11645
11910
|
ReportingObserver: originalReportingObserverCtor$LWS
|
|
@@ -12287,7 +12552,7 @@ function createDistortionStorageFactoryInitializer$LWS(storageName$LWS) {
|
|
|
12287
12552
|
try {
|
|
12288
12553
|
originalStorageObject$LWS = globalObject$LWS[storageName$LWS];
|
|
12289
12554
|
// eslint-disable-next-line no-empty
|
|
12290
|
-
} catch (
|
|
12555
|
+
} catch (_unused4$LWS) {}
|
|
12291
12556
|
// istanbul ignore if: currently unreachable via tests
|
|
12292
12557
|
if (!isObject$LWS$1(originalStorageObject$LWS)) {
|
|
12293
12558
|
return noop$LWS$1;
|
|
@@ -12713,7 +12978,7 @@ function initDistortionTrustedTypePolicyFactoryCreatePolicy$LWS({
|
|
|
12713
12978
|
try {
|
|
12714
12979
|
// istanbul ignore next: needs default platform behavior test
|
|
12715
12980
|
return ReflectApply$LWS$1(originalCreatePolicy$LWS, this, args$LWS);
|
|
12716
|
-
} catch (
|
|
12981
|
+
} catch (_unused5$LWS) {
|
|
12717
12982
|
// istanbul ignore next: this is tested, but currently cannot be tested in the coverage environment
|
|
12718
12983
|
consoleWarn$LWS(`${createTrustedTypesExceptionMessage$LWS(name$LWS)} Substituting with Lightning Web Security policy.`);
|
|
12719
12984
|
}
|
|
@@ -12786,7 +13051,7 @@ function initDistortionURLCreateObjectURL$LWS({
|
|
|
12786
13051
|
ReflectApply$LWS$1(XhrProtoOpen$LWS, xhr$LWS, ['GET', outURL$LWS, false]);
|
|
12787
13052
|
try {
|
|
12788
13053
|
ReflectApply$LWS$1(XhrProtoSend$LWS, xhr$LWS, []);
|
|
12789
|
-
} catch (
|
|
13054
|
+
} catch (_unused6$LWS) {
|
|
12790
13055
|
throw new LockerSecurityError$LWS(`Unable to verify ${toSafeTemplateStringValue$LWS(blobObject$LWS)} is secure.`);
|
|
12791
13056
|
}
|
|
12792
13057
|
const responseText$LWS = ReflectApply$LWS$1(XhrProtoResponseTextGetter$LWS, xhr$LWS, []);
|
|
@@ -13573,7 +13838,7 @@ initDistortionDOMTokenListAdd$LWS, initDistortionDOMTokenListReplace$LWS, initDi
|
|
|
13573
13838
|
// Element
|
|
13574
13839
|
initDistortionElementAttributesGetter$LWS, initDistortionElementGetInnerHTML$LWS, initDistortionElementInnerHTMLGetter$LWS, initDistortionElementOuterHTMLGetter$LWS, initDistortionElementRemove$LWS, initDistortionElementRemoveAttribute$LWS, initDistortionElementRemoveAttributeNS$LWS, initDistortionElementRemoveAttributeNode$LWS, initDistortionElementReplaceChildren$LWS, initDistortionElementReplaceWith$LWS,
|
|
13575
13840
|
// Function
|
|
13576
|
-
initDistortionFunction$LWS,
|
|
13841
|
+
initDistortionFunction$LWS, initDistortionFunctionApply$LWS, initDistortionFunctionBind$LWS, initDistortionFunctionCall$LWS,
|
|
13577
13842
|
// History
|
|
13578
13843
|
initDistortionHistoryPushState$LWS, initDistortionHistoryReplaceState$LWS,
|
|
13579
13844
|
// HTMLElement
|
|
@@ -13626,6 +13891,8 @@ initDistortionPromiseAll$LWS, initDistortionPromiseAllSettled$LWS, initDistortio
|
|
|
13626
13891
|
initDistortionNotificationCtor$LWS,
|
|
13627
13892
|
// Range
|
|
13628
13893
|
initDistortionRangeCloneContents$LWS, initDistortionRangeCloneRange$LWS, initDistortionRangeDeleteContents$LWS, initDistortionRangeExtractContents$LWS, initDistortionRangeGetBoundingClientRect$LWS, initDistortionRangeInsertNode$LWS, initDistortionRangeSelectNode$LWS, initDistortionRangeSelectNodeContents$LWS, initDistortionRangeSetEnd$LWS, initDistortionRangeSetEndAfter$LWS, initDistortionRangeSetEndBefore$LWS, initDistortionRangeSetStart$LWS, initDistortionRangeSetStartAfter$LWS, initDistortionRangeSetStartBefore$LWS, initDistortionRangeSurroundContents$LWS, initDistortionRangeToString$LWS,
|
|
13894
|
+
// Reflect
|
|
13895
|
+
initDistortionReflectApply$LWS, initDistortionReflectConstruct$LWS,
|
|
13629
13896
|
// Selection
|
|
13630
13897
|
initDistortionSelectionAnchorNodeGetter$LWS, initDistortionSelectionCollapse$LWS, initDistortionSelectionExtend$LWS, initDistortionSelectionFocusNodeGetter$LWS, initDistortionSelectionSelectAllChildren$LWS, initDistortionSelectionSetBaseAndExtent$LWS, initDistortionSelectionSetPosition$LWS, initDistortionSelectionToString$LWS,
|
|
13631
13898
|
// ServiceWorkerContainer
|
|
@@ -13678,7 +13945,7 @@ initDistortionEventComposedPath$LWS, initDistortionEventPathGetter$LWS,
|
|
|
13678
13945
|
// EventTarget
|
|
13679
13946
|
initDistortionEventTargetAddEventListener$LWS, initDistortionEventTargetDispatchEvent$LWS,
|
|
13680
13947
|
// HTMLAnchorElement
|
|
13681
|
-
initDistortionHTMLAnchorElementHrefSetter$LWS,
|
|
13948
|
+
initDistortionHTMLAnchorElementHrefSetter$LWS, initDistortionHTMLAnchorElementProtocolSetter$LWS,
|
|
13682
13949
|
// HTMLBaseElement
|
|
13683
13950
|
initDistortionHTMLBaseElementHrefSetter$LWS,
|
|
13684
13951
|
// HTMLBodyElement
|
|
@@ -13751,7 +14018,7 @@ const SVGElementProtoBlockedProperties$LWS = ['nonce'];
|
|
|
13751
14018
|
const UIEventProtoBlockedProperties$LWS = ['rangeParent'];
|
|
13752
14019
|
const WindowBlockedProperties$LWS = ['find', 'requestFileSystem', 'webkitRequestFileSystem'];
|
|
13753
14020
|
const XSLTProcessorProtoBlockedProperties$LWS = ['transformToDocument', 'transformToFragment'];
|
|
13754
|
-
/*! version: 0.28.
|
|
14021
|
+
/*! version: 0.28.3 */
|
|
13755
14022
|
|
|
13756
14023
|
/*!
|
|
13757
14024
|
* Copyright (C) 2021 salesforce.com, inc.
|
|
@@ -13760,7 +14027,7 @@ let pdpSchema$LWS;
|
|
|
13760
14027
|
function getPdpSchema$LWS() {
|
|
13761
14028
|
return pdpSchema$LWS;
|
|
13762
14029
|
}
|
|
13763
|
-
/*! version: 0.28.
|
|
14030
|
+
/*! version: 0.28.3 */
|
|
13764
14031
|
|
|
13765
14032
|
/*!
|
|
13766
14033
|
* Copyright (C) 2019 salesforce.com, inc.
|
|
@@ -19154,7 +19421,7 @@ function toSourceText$LWS(value$LWS, sourceType$LWS) {
|
|
|
19154
19421
|
// tools from mistaking the regexp or the replacement string for an
|
|
19155
19422
|
// actual source mapping URL.
|
|
19156
19423
|
/\/\/# sandbox(?=MappingURL=.*?\s*$)/, '//# source']);
|
|
19157
|
-
sourceText$LWS = `\n//# LWS Version = "0.28.
|
|
19424
|
+
sourceText$LWS = `\n//# LWS Version = "0.28.3"\n${sourceText$LWS}`;
|
|
19158
19425
|
return sourceType$LWS === 1 /* SourceType.Module */ && indexOfPragma$LWS(sourceText$LWS, 'use strict') === -1 ?
|
|
19159
19426
|
// Append "'use strict'" to the extracted function body so it is
|
|
19160
19427
|
// evaluated in strict mode.
|
|
@@ -19988,7 +20255,7 @@ function wrapPlatformResourceLoader$LWS(dep$LWS, key$LWS) {
|
|
|
19988
20255
|
depRegistry$LWS.set(dep$LWS, secureDep$LWS);
|
|
19989
20256
|
return secureDep$LWS;
|
|
19990
20257
|
}
|
|
19991
|
-
/*! version: 0.28.
|
|
20258
|
+
/*! version: 0.28.3 */
|
|
19992
20259
|
|
|
19993
20260
|
export { $LWS, CORE_SANDBOX_KEY$LWS as CORE_SANDBOX_KEY, createRootWindowSandboxRecord$LWS as createRootWindowSandboxRecord, evaluateFunction$LWS as evaluateFunction, evaluateInCoreSandbox$LWS as evaluateInCoreSandbox, evaluateInSandbox$LWS as evaluateInSandbox, trusted, wrapDependency$LWS as wrapDependency };
|
|
19994
20261
|
//# sourceMappingURL=lockerSandbox.js.map
|
package/package.json
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
"publishConfig": {
|
|
5
5
|
"access": "public"
|
|
6
6
|
},
|
|
7
|
-
"version": "0.23.
|
|
7
|
+
"version": "0.23.7",
|
|
8
8
|
"homepage": "https://developer.salesforce.com/docs/platform/lwr/overview",
|
|
9
9
|
"repository": {
|
|
10
10
|
"type": "git",
|
|
@@ -33,11 +33,11 @@
|
|
|
33
33
|
"build:minify": "node scripts/minify-bundles.mjs"
|
|
34
34
|
},
|
|
35
35
|
"dependencies": {
|
|
36
|
-
"@locker/sandbox": "0.28.
|
|
37
|
-
"@lwrjs/shared-utils": "0.23.
|
|
36
|
+
"@locker/sandbox": "0.28.3",
|
|
37
|
+
"@lwrjs/shared-utils": "0.23.7"
|
|
38
38
|
},
|
|
39
39
|
"devDependencies": {
|
|
40
|
-
"@lwrjs/types": "0.23.
|
|
40
|
+
"@lwrjs/types": "0.23.7",
|
|
41
41
|
"@rollup/plugin-node-resolve": "^15.2.3",
|
|
42
42
|
"@rollup/plugin-sucrase": "^5.1.0",
|
|
43
43
|
"@rollup/plugin-terser": "^0.4.4",
|
|
@@ -70,5 +70,5 @@
|
|
|
70
70
|
"volta": {
|
|
71
71
|
"extends": "../../../package.json"
|
|
72
72
|
},
|
|
73
|
-
"gitHead": "
|
|
73
|
+
"gitHead": "0d3feeddda81c7d6c6e6165fcb97654aa925bcea"
|
|
74
74
|
}
|