npm - @openui5/sap.ui.support - Versions diffs - 1.147.0 → 1.147.1 - Mend

@openui5/sap.ui.support 1.147.0 → 1.147.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openui5/sap.ui.support",
-  "version": "1.147.0",
+  "version": "1.147.1",
   "description": "OpenUI5 UI Library sap.ui.support",
   "author": "SAP SE (https://www.sap.com)",
   "license": "Apache-2.0",
@@ -14,10 +14,10 @@
     "url": "https://github.com/UI5/openui5.git"
   },
   "dependencies": {
-    "@openui5/sap.m": "1.147.0",
-    "@openui5/sap.ui.codeeditor": "1.147.0",
-    "@openui5/sap.ui.core": "1.147.0",
-    "@openui5/sap.ui.fl": "1.147.0",
-    "@openui5/sap.ui.layout": "1.147.0"
+    "@openui5/sap.m": "1.147.1",
+    "@openui5/sap.ui.codeeditor": "1.147.1",
+    "@openui5/sap.ui.core": "1.147.1",
+    "@openui5/sap.ui.fl": "1.147.1",
+    "@openui5/sap.ui.layout": "1.147.1"
   }
 }

package/src/sap/ui/support/.library CHANGED Viewed

@@ -6,7 +6,7 @@
 	<copyright>OpenUI5
  * (c) Copyright 2026 SAP SE or an SAP affiliate company.
  * Licensed under the Apache License, Version 2.0 - see LICENSE.txt.</copyright>
-	<version>1.147.0</version>
+	<version>1.147.1</version>
 	<documentation>UI5 library: sap.ui.support</documentation>

package/src/sap/ui/support/RuleAnalyzer.js CHANGED Viewed

@@ -32,7 +32,7 @@ sap.ui.define([
 		 * @namespace
 		 * @alias sap.ui.support.RuleAnalyzer
 		 * @author SAP SE
-		 * @version 1.147.0
+		 * @version 1.147.1
 		 * @public
 		 */
 		var RuleAnalyzer = {

package/src/sap/ui/support/jQuery.sap.support.js CHANGED Viewed

@@ -38,7 +38,7 @@ sap.ui.define(["sap/ui/thirdparty/jquery",
 		 * @namespace
 		 * @deprecated Since version 1.60.0. Please use sap/ui/support/RuleAnalyzer instead.
 		 * @author SAP SE
-		 * @version 1.147.0
+		 * @version 1.147.1
 		 * @public
 		 */
 		jQuery.sap.support = {

package/src/sap/ui/support/library.js CHANGED Viewed

@@ -23,7 +23,7 @@ sap.ui.define(["sap/ui/core/Lib", "sap/ui/base/DataType", "sap/ui/core/library"]
 	 * @namespace
 	 * @alias sap.ui.support
 	 * @author SAP SE
-	 * @version 1.147.0
+	 * @version 1.147.1
 	 * @since 1.50
 	 * @public
 	 */
@@ -38,7 +38,7 @@ sap.ui.define(["sap/ui/core/Lib", "sap/ui/base/DataType", "sap/ui/core/library"]
 		controls: [],
 		elements: [],
 		noLibraryCSS: true,
-		version: "1.147.0",
+		version: "1.147.1",
 		extensions: {
 			//Configuration used for rule loading of Support Assistant
 			"sap.ui.support": {

package/src/sap/ui/support/supportRules/RuleSet.js CHANGED Viewed

@@ -34,7 +34,7 @@ function (Log, Version, library, storage) {
 	 * @private
 	 * @alias sap.ui.support.RuleSet
 	 * @author SAP SE
-	 * @version 1.147.0
+	 * @version 1.147.1
 	 * @param {object} oSettings Name of the initiated
 	 */
 	var RuleSet = function (oSettings) {

package/src/sap/ui/support/supportRules/Storage.js CHANGED Viewed

@@ -53,7 +53,7 @@ sap.ui.define([
 	 *
 	 * @name sap.ui.support.Storage
 	 * @author SAP SE.
-	 * @version 1.147.0
+	 * @version 1.147.1
 	 * @private
 	 */
 	return /** @lends sap.ui.support.Storage */ {

package/src/sap/ui/support/supportRules/WindowCommunicationBus.js CHANGED Viewed

@@ -24,7 +24,7 @@ sap.ui.define([
 	 * @class
 	 * @alias sap.ui.support.WindowCommunicationBus
 	 * @author SAP SE
-	 * @version 1.147.0
+	 * @version 1.147.1
 	 * @private
 	 */
 	var WindowCommunicationBus = BaseObject.extend("sap.ui.support.supportRules.WindowCommunicationBus", {
@@ -127,37 +127,78 @@ sap.ui.define([
 	};
 	/**
-	 * validate messages published from external window to application window (i.e. from tool frame to opener window)
-	 * no validation needed the other way (i.e. from opener window to tool frame)
+	 * Compare the origins of two URLs. Returns false if either value is not a valid URL.
+	 * @private
+	 * @param {string} sOriginA First URL string
+	 * @param {string} sOriginB Second URL string
+	 * @returns {boolean} true if both URLs have the same origin
+	 */
+	WindowCommunicationBus._compareOrigins = function (sOriginA, sOriginB) {
+		try {
+			return new URL(sOriginA).origin === new URL(sOriginB).origin;
+		} catch (e) {
+			return false;
+		}
+	};
+	/**
+	 * Validate messages received from external windows.
+	 * Both directions are validated:
+	 * - Tool frame: validates origin of messages from opener window
+	 * - Application window: validates origin, frame identifier, and URL path of messages from tool frame
 	 * @private
 	 * @param {EventListener} eMessage Event fired by the channels attached to the WindowCommunicationBus
 	 * @returns {boolean} true if the message is valid
 	 */
 	WindowCommunicationBus.prototype._validate = function (eMessage) {
+		// 1. Validate origin
+		// tool frame: validate against the configured opener origin
 		if (isEmptyObject(this._frame)) {
-			// there are no channels associated with this bus, or
-			// when loaded in a tool frame, the CommumnicationBus class will always have an empty 'frame' object.
-			// in this case, a message is sent from the opener to the tool frame and no validation is necessary
+			const sExpectedOrigin = this._oConfig.getOrigin();
+			if (sExpectedOrigin) {
+				return WindowCommunicationBus._compareOrigins(eMessage.origin, sExpectedOrigin);
+			}
 			return true;
 		}
-		// when a message is sent from a tool frame to the application (opener) window,
-		// the message should have the correct details, validating that it comes from a known tool frame
+		// application window: validate against the known tool frame origin
+		if (!WindowCommunicationBus._compareOrigins(eMessage.origin, this._frame.origin)) {
+			return false;
+		}
-		// check if the frame ID (number represented as string) is the same
-		var bMatchIdentifier = eMessage.data._frameIdentifier === this._frame.identifier;
+		// 2. Validate frame identifier
+		if (eMessage.data._frameIdentifier !== this._frame.identifier) {
+			return false;
+		}
-		// check if the URL matches: 1. check if the domain name matches - should be case insensitive
-		var oOriginRegExp = new RegExp("^" + this._frame.origin + "$", "i");
-		var bMatchOrigin = oOriginRegExp.exec(eMessage.origin);
+		// 3. Validate URL path
+		// Compare parsed pathnames to avoid substring-matching attacks.
+		// The frame URL may be absolute or relative — strip query string and relative segments
+		// to extract the path portion, then verify the message origin's pathname ends with it.
+		try {
+			const oOriginUrl = new URL(eMessage.data._origin);
+			const iFrameUrlQuery = this._frame.url.indexOf("?");
+			const sFrameUrlWithoutQuery = this._frame.url.substring(0, iFrameUrlQuery).replace(/\.\.\//g, "").replace(/\.\//g, "");
+			// extract just the pathname: parse as URL if absolute, otherwise use the cleaned string as-is
+			let sFramePath;
+			try {
+				sFramePath = new URL(sFrameUrlWithoutQuery).pathname;
+			} catch (e) {
+				// relative URL — use cleaned string directly as a path suffix
+				sFramePath = sFrameUrlWithoutQuery;
+			}
-		// check if the URL matches: 2. check if the path to the iframe matches.
-		// if the frame URL is relative to the parent window's URL, remove relative path segments
-		var iFrameUrlQuery = this._frame.url.indexOf("?");
-		var sFrameUrl = this._frame.url.substr(0, iFrameUrlQuery).replace(/\.\.\//g, "").replace(/\.\//g, "") + this._frame.url.substr(iFrameUrlQuery);
-		var bMatchUrl = eMessage.data._origin.indexOf(sFrameUrl) > -1;
+			if (!oOriginUrl.pathname.endsWith(sFramePath)) {
+				return false;
+			}
+		} catch (e) {
+			return false;
+		}
-		return bMatchIdentifier && bMatchOrigin && bMatchUrl;
+		return true;
 	};
 	WindowCommunicationBus.prototype._getFrameIdentifier = function () {

package/src/sap/ui/support/supportRules/ui/controllers/PresetsController.js CHANGED Viewed

@@ -93,7 +93,7 @@ sap.ui.define([
 	 *
 	 * @extends sap.ui.support.supportRules.ui.controllers.BaseController
 	 * @author SAP SE
-	 * @version 1.147.0
+	 * @version 1.147.1
 	 * @private
 	 * @alias sap.ui.support.supportRules.ui.controllers.PresetsController
 	 */

package/src/sap/ui/support/supportRules/util/EvalUtils.js CHANGED Viewed

@@ -1,4 +1,4 @@
-/* eslint-disable no-eval */
+/* eslint-disable no-new-func */
 /*!
  * OpenUI5
@@ -9,11 +9,12 @@
 sap.ui.define([], function () {
 	"use strict";
-	var bIsEvalAllowed;
+	let bIsEvalAllowed;
-	// Checks if eval can be used in the current platform (based on CSP restrictions)
+	// Checks if the Function constructor can be used in the current platform (based on CSP restrictions)
 	try {
-		eval("");
+		// eslint-disable-next-line no-new
+		new Function("");
 		bIsEvalAllowed = true;
 	} catch (e) {
 		bIsEvalAllowed = false;
@@ -34,11 +35,7 @@ sap.ui.define([], function () {
 		 * @throws Error why eval failed, for example invalid syntax
 		 */
 		evalFunction: function (sFunction) {
-			var fn;
-			eval("fn = " + sFunction);
-			return fn;
+			return new Function("return (" + sFunction + ")")();
 		}
 	};
-});
+});