npm - @p4ulcristian/iris-layout - Versions diffs - 0.2.0 → 0.2.2 - Mend

@p4ulcristian/iris-layout 0.2.0 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (201) hide show

package/dist/cljs-runtime/goog.html.safestyle.js ADDED Viewed

@@ -0,0 +1,175 @@
+import "./cljs_env.js";
+import "./goog.string.const.js";
+import "./goog.html.safeurl.js";
+import "./goog.string.typedstring.js";
+import "./goog.asserts.asserts.js";
+import "./goog.string.internal.js";
+goog.loadModule(function(exports) {
+  function sanitizePropertyValue(value) {
+    if (value instanceof SafeUrl) {
+      const url = SafeUrl.unwrap(value);
+      return 'url("' + url.replace(/</g, "%3c").replace(/[\\"]/g, "\\$\x26") + '")';
+    }
+    const result = value instanceof Const ? Const.unwrap(value) : sanitizePropertyValueString(String(value));
+    if (/[{;}]/.test(result)) {
+      throw new AssertionError("Value does not allow [{;}], got: %s.", [result]);
+    }
+    return result;
+  }
+  function sanitizePropertyValueString(value) {
+    const valueWithoutFunctions = value.replace(FUNCTIONS_RE, "$1").replace(FUNCTIONS_RE, "$1").replace(URL_RE, "url");
+    if (!VALUE_RE.test(valueWithoutFunctions)) {
+      fail(`String value allows only ${VALUE_ALLOWED_CHARS}` + " and simple functions, got: " + value);
+      return SafeStyle.INNOCUOUS_STRING;
+    } else if (COMMENT_RE.test(value)) {
+      fail(`String value disallows comments, got: ${value}`);
+      return SafeStyle.INNOCUOUS_STRING;
+    } else if (!hasBalancedQuotes(value)) {
+      fail(`String value requires balanced quotes, got: ${value}`);
+      return SafeStyle.INNOCUOUS_STRING;
+    } else if (!hasBalancedSquareBrackets(value)) {
+      fail("String value requires balanced square brackets and one" + " identifier per pair of brackets, got: " + value);
+      return SafeStyle.INNOCUOUS_STRING;
+    }
+    return sanitizeUrl(value);
+  }
+  function hasBalancedQuotes(value) {
+    let outsideSingle = true;
+    let outsideDouble = true;
+    for (let i = 0; i < value.length; i++) {
+      const c = value.charAt(i);
+      if (c == "'" && outsideDouble) {
+        outsideSingle = !outsideSingle;
+      } else if (c == '"' && outsideSingle) {
+        outsideDouble = !outsideDouble;
+      }
+    }
+    return outsideSingle && outsideDouble;
+  }
+  function hasBalancedSquareBrackets(value) {
+    let outside = true;
+    const tokenRe = /^[-_a-zA-Z0-9]$/;
+    for (let i = 0; i < value.length; i++) {
+      const c = value.charAt(i);
+      if (c == "]") {
+        if (outside) {
+          return false;
+        }
+        outside = true;
+      } else if (c == "[") {
+        if (!outside) {
+          return false;
+        }
+        outside = false;
+      } else if (!outside && !tokenRe.test(c)) {
+        return false;
+      }
+    }
+    return outside;
+  }
+  function sanitizeUrl(value) {
+    return value.replace(URL_RE, (match, before, url, after) => {
+      let quote = "";
+      url = url.replace(/^(['"])(.*)\1$/, (match, start, inside) => {
+        quote = start;
+        return inside;
+      });
+      const sanitized = SafeUrl.sanitize(url).getTypedStringValue();
+      return before + quote + sanitized + quote + after;
+    });
+  }
+  "use strict";
+  goog.module("goog.html.SafeStyle");
+  goog.module.declareLegacyNamespace();
+  const Const = goog.require("goog.string.Const");
+  const SafeUrl = goog.require("goog.html.SafeUrl");
+  const TypedString = goog.require("goog.string.TypedString");
+  const {AssertionError, assert, fail} = goog.require("goog.asserts");
+  const {contains, endsWith} = goog.require("goog.string.internal");
+  const CONSTRUCTOR_TOKEN_PRIVATE = {};
+  class SafeStyle {
+    constructor(value, token) {
+      this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = token === CONSTRUCTOR_TOKEN_PRIVATE ? value : "";
+      this.implementsGoogStringTypedString = true;
+    }
+    static fromConstant(style) {
+      const styleString = Const.unwrap(style);
+      if (styleString.length === 0) {
+        return SafeStyle.EMPTY;
+      }
+      assert(endsWith(styleString, ";"), `Last character of style string is not ';': ${styleString}`);
+      assert(contains(styleString, ":"), "Style string must contain at least one ':', to " + 'specify a "name: value" pair: ' + styleString);
+      return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(styleString);
+    }
+    getTypedStringValue() {
+      return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;
+    }
+    toString() {
+      return this.privateDoNotAccessOrElseSafeStyleWrappedValue_.toString();
+    }
+    static unwrap(safeStyle) {
+      if (safeStyle instanceof SafeStyle && safeStyle.constructor === SafeStyle) {
+        return safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_;
+      } else {
+        fail(`expected object of type SafeStyle, got '${safeStyle}` + "' of type " + goog.typeOf(safeStyle));
+        return "type_error:SafeStyle";
+      }
+    }
+    static createSafeStyleSecurityPrivateDoNotAccessOrElse(style) {
+      return new SafeStyle(style, CONSTRUCTOR_TOKEN_PRIVATE);
+    }
+    static create(map) {
+      let style = "";
+      for (let name in map) {
+        if (Object.prototype.hasOwnProperty.call(map, name)) {
+          if (!/^[-_a-zA-Z0-9]+$/.test(name)) {
+            throw new Error(`Name allows only [-_a-zA-Z0-9], got: ${name}`);
+          }
+          let value = map[name];
+          if (value == null) {
+            continue;
+          }
+          if (Array.isArray(value)) {
+            value = value.map(sanitizePropertyValue).join(" ");
+          } else {
+            value = sanitizePropertyValue(value);
+          }
+          style = style + `${name}:${value};`;
+        }
+      }
+      if (!style) {
+        return SafeStyle.EMPTY;
+      }
+      return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);
+    }
+    static concat(var_args) {
+      let style = "";
+      const addArgument = argument => {
+        if (Array.isArray(argument)) {
+          argument.forEach(addArgument);
+        } else {
+          style = style + SafeStyle.unwrap(argument);
+        }
+      };
+      Array.prototype.forEach.call(arguments, addArgument);
+      if (!style) {
+        return SafeStyle.EMPTY;
+      }
+      return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);
+    }
+  }
+  SafeStyle.EMPTY = SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse("");
+  SafeStyle.INNOCUOUS_STRING = "zClosurez";
+  SafeStyle.PropertyValue;
+  SafeStyle.PropertyMap;
+  const VALUE_ALLOWED_CHARS = "[-+,.\"'%_!#/ a-zA-Z0-9\\[\\]]";
+  const VALUE_RE = new RegExp(`^${VALUE_ALLOWED_CHARS}+\$`);
+  const URL_RE = new RegExp("\\b(url\\([ \t\n]*)(" + "'[ -\x26(-\\[\\]-~]*'" + '|"[ !#-\\[\\]-~]*"' + "|[!#-\x26*-\\[\\]-~]*" + ")([ \t\n]*\\))", "g");
+  const ALLOWED_FUNCTIONS = ["calc", "cubic-bezier", "fit-content", "hsl", "hsla", "linear-gradient", "matrix", "minmax", "radial-gradient", "repeat", "rgb", "rgba", "(rotate|scale|translate)(X|Y|Z|3d)?", "steps", "var"];
+  const FUNCTIONS_RE = new RegExp("\\b(" + ALLOWED_FUNCTIONS.join("|") + ")" + "\\([-+*/0-9a-zA-Z.%#\\[\\], ]+\\)", "g");
+  const COMMENT_RE = /\/\*/;
+  exports = SafeStyle;
+  return exports;
+});
+//# sourceMappingURL=goog.html.safestyle.js.map

package/dist/cljs-runtime/goog.html.safestyle.js.map ADDED Viewed

@@ -0,0 +1,9 @@
+{
+"version":3,
+"file":"goog.html.safestyle.js",
+"lineCount":168,
+"mappings":"AAAA,IAAA,CAAA,UAAA,CAAA,QAAA,CAAA,OAAA,CAAA;AA8WAA,UAASA,sBAAqB,CAACC,KAAD,CAAQ;AACpC,QAAIA,KAAJ,YAAqBC,OAArB,CAA8B;AAC5B,YAAMC,MAAMD,OAAQE,CAAAA,MAAR,CAAeH,KAAf,CAAZ;AACA,aAAO,OAAP,GAAiBE,GAAIE,CAAAA,OAAJ,CAAY,IAAZ,EAAkB,KAAlB,CAAyBA,CAAAA,OAAzB,CAAiC,QAAjC,EAA2C,SAA3C,CAAjB,GAAsE,IAAtE;AAF4B;AAI9B,UAAMC,SAASL,KAAA,YAAiBM,KAAjB,GACXA,KAAMH,CAAAA,MAAN,CAAaH,KAAb,CADW,GAEXO,2BAAA,CAA4BC,MAAA,CAAOR,KAAP,CAA5B,CAFJ;AAKA,QAAI,OAAQS,CAAAA,IAAR,CAAaJ,MAAb,CAAJ;AACE,YAAM,IAAIK,cAAJ,CAAmB,sCAAnB,EAA2D,CAACL,MAAD,CAA3D,CAAN;AADF;AAGA,WAAOA,MAAP;AAboC;AAsBtCE,UAASA,4BAA2B,CAACP,KAAD,CAAQ;AAG1C,UAAMW,wBAAwBX,KAAMI,CAAAA,OAAN,CAAcQ,YAAd,EAA4B,IAA5B,CACKR,CAAAA,OADL,CACaQ,YADb,EAC2B,IAD3B,CAEKR,CAAAA,OAFL,CAEaS,MAFb,EAEqB,KAFrB,CAA9B;AAGA,QAAI,CAACC,QAASL,CAAAA,IAAT,CAAcE,qBAAd,CAAL,CAA2C;AACzCI,UAAA,CACK,4BAA2BC,mBAA3B,EADL,GAEI,8BAFJ,GAEqChB,KAFrC,CAAA;AAGA,aAAOiB,SAAUC,CAAAA,gBAAjB;AAJyC,KAA3C,KAKO,KAAIC,UAAWV,CAAAA,IAAX,CAAgBT,KAAhB,CAAJ,CAA4B;AACjCe,UAAA,CAAM,yCAAwCf,KAAxC,EAAN,CAAA;AACA,aAAOiB,SAAUC,CAAAA,gBAAjB;AAFiC,KAA5B,KAGA,KAAI,CAACE,iBAAA,CAAkBpB,KAAlB,CAAL,CAA+B;AACpCe,UAAA,CAAM,+CAA8Cf,KAA9C,EAAN,CAAA;AACA,aAAOiB,SAAUC,CAAAA,gBAAjB;AAFoC,KAA/B,KAGA,KAAI,CAACG,yBAAA,CAA0BrB,KAA1B,CAAL,CAAuC;AAC5Ce,UAAA,CACI,wDADJ,GAEI,yCAFJ,GAEgDf,KAFhD,CAAA;AAGA,aAAOiB,SAAUC,CAAAA,gBAAjB;AAJ4C;AAM9C,WAAOI,WAAA,CAAYtB,KAAZ,CAAP;AAvB0C;AAoC5CoB,UAASA,kBAAiB,CAACpB,KAAD,CAAQ;AAChC,QAAIuB,gBAAgB,IAApB;AACA,QAAIC,gBAAgB,IAApB;AACA,SAAK,IAAIC,IAAI,CAAb,EAAgBA,CAAhB,GAAoBzB,KAAM0B,CAAAA,MAA1B,EAAkCD,CAAA,EAAlC,CAAuC;AACrC,YAAME,IAAI3B,KAAM4B,CAAAA,MAAN,CAAaH,CAAb,CAAV;AACA,UAAIE,CAAJ,IAAS,GAAT,IAAiBH,aAAjB;AACED,qBAAA,GAAgB,CAACA,aAAjB;AADF,YAEO,KAAII,CAAJ,IAAS,GAAT,IAAgBJ,aAAhB;AACLC,qBAAA,GAAgB,CAACA,aAAjB;AADK;AAJ8B;AAQvC,WAAOD,aAAP,IAAwBC,aAAxB;AAXgC;AA0BlCH,UAASA,0BAAyB,CAACrB,KAAD,CAAQ;AACxC,QAAI6B,UAAU,IAAd;AACA,UAAMC,UAAU,iBAAhB;AACA,SAAK,IAAIL,IAAI,CAAb,EAAgBA,CAAhB,GAAoBzB,KAAM0B,CAAAA,MAA1B,EAAkCD,CAAA,EAAlC,CAAuC;AACrC,YAAME,IAAI3B,KAAM4B,CAAAA,MAAN,CAAaH,CAAb,CAAV;AACA,UAAIE,CAAJ,IAAS,GAAT,CAAc;AACZ,YAAIE,OAAJ;AAAa,iBAAO,KAAP;AAAb;AACAA,eAAA,GAAU,IAAV;AAFY,OAAd,KAGO,KAAIF,CAAJ,IAAS,GAAT,CAAc;AACnB,YAAI,CAACE,OAAL;AAAc,iBAAO,KAAP;AAAd;AACAA,eAAA,GAAU,KAAV;AAFmB,OAAd,KAGA,KAAI,CAACA,OAAL,IAAgB,CAACC,OAAQrB,CAAAA,IAAR,CAAakB,CAAb,CAAjB;AACL,eAAO,KAAP;AADK;AAR8B;AAYvC,WAAOE,OAAP;AAfwC;AA4G1CP,UAASA,YAAW,CAACtB,KAAD,CAAQ;AAC1B,WAAOA,KAAMI,CAAAA,OAAN,CAAcS,MAAd,EAAsB,CAACkB,KAAD,EAAQC,MAAR,EAAgB9B,GAAhB,EAAqB+B,KAArB,CAAA,IAA+B;AAC1D,UAAIC,QAAQ,EAAZ;AACAhC,SAAA,GAAMA,GAAIE,CAAAA,OAAJ,CAAY,gBAAZ,EAA8B,CAAC2B,KAAD,EAAQI,KAAR,EAAeC,MAAf,CAAA,IAA0B;AAC5DF,aAAA,GAAQC,KAAR;AACA,eAAOC,MAAP;AAF4D,OAAxD,CAAN;AAIA,YAAMC,YAAYpC,OAAQqC,CAAAA,QAAR,CAAiBpC,GAAjB,CAAsBqC,CAAAA,mBAAtB,EAAlB;AACA,aAAOP,MAAP,GAAgBE,KAAhB,GAAwBG,SAAxB,GAAoCH,KAApC,GAA4CD,KAA5C;AAP0D,KAArD,CAAP;AAD0B;AA9iB5B,cAAA;AAYAO,MAAKC,CAAAA,MAAL,CAAY,qBAAZ,CAAA;AACAD,MAAKC,CAAAA,MAAOC,CAAAA,sBAAZ,EAAA;AAEA,QAAMpC,QAAQkC,IAAKG,CAAAA,OAAL,CAAa,mBAAb,CAAd;AACA,QAAM1C,UAAUuC,IAAKG,CAAAA,OAAL,CAAa,mBAAb,CAAhB;AACA,QAAMC,cAAcJ,IAAKG,CAAAA,OAAL,CAAa,yBAAb,CAApB;AACA,QAAM,CAACjC,cAAD,EAAiBmC,MAAjB,EAAyB9B,IAAzB,CAAA,GAAiCyB,IAAKG,CAAAA,OAAL,CAAa,cAAb,CAAvC;AACA,QAAM,CAACG,QAAD,EAAWC,QAAX,CAAA,GAAuBP,IAAKG,CAAAA,OAAL,CAAa,sBAAb,CAA7B;AAQA,QAAMK,4BAA4B,EAAlC;AAuFA,OAAM/B,UAAN;AAKEgC,eAAW,CAACjD,KAAD,EAAQkD,KAAR,CAAe;AAOxB,UAAKC,CAAAA,8CAAL,GACKD,KAAD,KAAWF,yBAAX,GAAwChD,KAAxC,GAAgD,EADpD;AAOA,UAAKoD,CAAAA,+BAAL,GAAuC,IAAvC;AAdwB;AAqCnBC,uBAAY,CAACC,KAAD,CAAQ;AACzB,YAAMC,cAAcjD,KAAMH,CAAAA,MAAN,CAAamD,KAAb,CAApB;AACA,UAAIC,WAAY7B,CAAAA,MAAhB,KAA2B,CAA3B;AACE,eAAOT,SAAUuC,CAAAA,KAAjB;AADF;AAGAX,YAAA,CACIE,QAAA,CAASQ,WAAT,EAAsB,GAAtB,CADJ,EAEK,8CAA6CA,WAA7C,EAFL,CAAA;AAGAV,YAAA,CACIC,QAAA,CAASS,WAAT,EAAsB,GAAtB,CADJ,EAEI,iDAFJ,GAGQ,gCAHR,GAG2CA,WAH3C,CAAA;AAIA,aAAOtC,SAAUwC,CAAAA,+CAAV,CACHF,WADG,CAAP;AAZyB;AAuC3BhB,uBAAmB,EAAG;AACpB,aAAO,IAAKY,CAAAA,8CAAZ;AADoB;AAetBO,YAAQ,EAAG;AACT,aAAO,IAAKP,CAAAA,8CAA+CO,CAAAA,QAApD,EAAP;AADS;AAeJvD,iBAAM,CAACwD,SAAD,CAAY;AAQvB,UAAIA,SAAJ,YAAyB1C,SAAzB,IAAsC0C,SAAUV,CAAAA,WAAhD,KAAgEhC,SAAhE;AACE,eAAO0C,SAAUR,CAAAA,8CAAjB;AADF,YAEO;AACLpC,YAAA,CACK,2CAA0C4C,SAA1C,EADL,GAEI,YAFJ,GAEoBnB,IAAKoB,CAAAA,MAAL,CAAYD,SAAZ,CAFpB,CAAA;AAGA,eAAO,sBAAP;AAJK;AAVgB;AA0BlBF,0DAA+C,CAACH,KAAD,CAAQ;AAC5D,aAAO,IAAIrC,SAAJ,CAAcqC,KAAd,EAAqBN,yBAArB,CAAP;AAD4D;AAqBvDa,iBAAM,CAACC,GAAD,CAAM;AACjB,UAAIR,QAAQ,EAAZ;AACA,WAAK,IAAIS,IAAT,GAAiBD,IAAjB;AAEE,YAAIE,MAAOC,CAAAA,SAAUC,CAAAA,cAAeC,CAAAA,IAAhC,CAAqCL,GAArC,EAA0CC,IAA1C,CAAJ,CAAqD;AACnD,cAAI,CAAC,kBAAmBtD,CAAAA,IAAnB,CAAwBsD,IAAxB,CAAL;AACE,kBAAM,IAAIK,KAAJ,CAAW,wCAAuCL,IAAvC,EAAX,CAAN;AADF;AAGA,cAAI/D,QAAQ8D,GAAA,CAAIC,IAAJ,CAAZ;AACA,cAAI/D,KAAJ,IAAa,IAAb;AACE;AADF;AAGA,cAAIqE,KAAMC,CAAAA,OAAN,CAActE,KAAd,CAAJ;AACEA,iBAAA,GAAQA,KAAM8D,CAAAA,GAAN,CAAU/D,qBAAV,CAAiCwE,CAAAA,IAAjC,CAAsC,GAAtC,CAAR;AADF;AAGEvE,iBAAA,GAAQD,qBAAA,CAAsBC,KAAtB,CAAR;AAHF;AAKAsD,eAAA,GAAAA,KAAA,GAAU,GAAES,IAAF,IAAU/D,KAAV,GAAV;AAbmD;AAFvD;AAkBA,UAAI,CAACsD,KAAL;AACE,eAAOrC,SAAUuC,CAAAA,KAAjB;AADF;AAGA,aAAOvC,SAAUwC,CAAAA,+CAAV,CAA0DH,KAA1D,CAAP;AAvBiB;AAgCZkB,iBAAM,CAACC,QAAD,CAAW;AACtB,UAAInB,QAAQ,EAAZ;AAKA,YAAMoB,cAAcC,QAAAD,IAAY;AAC9B,YAAIL,KAAMC,CAAAA,OAAN,CAAcK,QAAd,CAAJ;AACEA,kBAASC,CAAAA,OAAT,CAAiBF,WAAjB,CAAA;AADF;AAGEpB,eAAA,GAAAA,KAAA,GAASrC,SAAUd,CAAAA,MAAV,CAAiBwE,QAAjB,CAAT;AAHF;AAD8B,OAAhC;AAQAN,WAAMJ,CAAAA,SAAUW,CAAAA,OAAQT,CAAAA,IAAxB,CAA6BU,SAA7B,EAAwCH,WAAxC,CAAA;AACA,UAAI,CAACpB,KAAL;AACE,eAAOrC,SAAUuC,CAAAA,KAAjB;AADF;AAGA,aAAOvC,SAAUwC,CAAAA,+CAAV,CAA0DH,KAA1D,CAAP;AAlBsB;AA9L1B;AAwNArC,WAAUuC,CAAAA,KAAV,GAAkBvC,SAAUwC,CAAAA,+CAAV,CAA0D,EAA1D,CAAlB;AAQAxC,WAAUC,CAAAA,gBAAV,GAA6B,WAA7B;AAOAD,WAAU6D,CAAAA,aAAV;AAYA7D,WAAU8D,CAAAA,WAAV;AAoHA,QAAM/D,sBAAsB,gCAA5B;AAgBA,QAAMF,WAAW,IAAIkE,MAAJ,CAAY,IAAGhE,mBAAH,KAAZ,CAAjB;AAUA,QAAMH,SAAS,IAAImE,MAAJ,CACX,sBADW,GAEP,uBAFO,GAGP,oBAHO,GAIP,uBAJO,GAKP,gBALO,EAMX,GANW,CAAf;AAYA,QAAMC,oBAAoB,CACxB,MADwB,EAExB,cAFwB,EAGxB,aAHwB,EAIxB,KAJwB,EAKxB,MALwB,EAMxB,iBANwB,EAOxB,QAPwB,EAQxB,QARwB,EASxB,iBATwB,EAUxB,QAVwB,EAWxB,KAXwB,EAYxB,MAZwB,EAaxB,qCAbwB,EAcxB,OAdwB,EAexB,KAfwB,CAA1B;AAuBA,QAAMrE,eAAe,IAAIoE,MAAJ,CACjB,MADiB,GACRC,iBAAkBV,CAAAA,IAAlB,CAAuB,GAAvB,CADQ,GACsB,GADtB,GAEb,mCAFa,EAGjB,GAHiB,CAArB;AAUA,QAAMpD,aAAa,MAAnB;AA2BA+D,SAAA,GAAUjE,SAAV;AA3jBA,SAAA,OAAA;AAAA,CAAA,CAAA;;",
+"sources":["goog/html/safestyle.js"],
+"sourcesContent":["/**\n * @license\n * Copyright The Closure Library Authors.\n * SPDX-License-Identifier: Apache-2.0\n */\n\n/**\n * @fileoverview The SafeStyle type and its builders.\n *\n * TODO(xtof): Link to document stating type contract.\n */\n\ngoog.module('goog.html.SafeStyle');\ngoog.module.declareLegacyNamespace();\n\nconst Const = goog.require('goog.string.Const');\nconst SafeUrl = goog.require('goog.html.SafeUrl');\nconst TypedString = goog.require('goog.string.TypedString');\nconst {AssertionError, assert, fail} = goog.require('goog.asserts');\nconst {contains, endsWith} = goog.require('goog.string.internal');\n\n/**\n * Token used to ensure that object is created only from this file. No code\n * outside of this file can access this token.\n * @type {!Object}\n * @const\n */\nconst CONSTRUCTOR_TOKEN_PRIVATE = {};\n\n/**\n * A string-like object which represents a sequence of CSS declarations\n * (`propertyName1: propertyvalue1; propertyName2: propertyValue2; ...`)\n * and that carries the security type contract that its value, as a string,\n * will not cause untrusted script execution (XSS) when evaluated as CSS in a\n * browser.\n *\n * Instances of this type must be created via the factory methods\n * (`SafeStyle.create` or `SafeStyle.fromConstant`)\n * and not by invoking its constructor. The constructor intentionally takes an\n * extra parameter that cannot be constructed outside of this file and the type\n * is immutable; hence only a default instance corresponding to the empty string\n * can be obtained via constructor invocation.\n *\n * SafeStyle's string representation can safely be:\n * <ul>\n *   <li>Interpolated as the content of a *quoted* HTML style attribute.\n *       However, the SafeStyle string *must be HTML-attribute-escaped* before\n *       interpolation.\n *   <li>Interpolated as the content of a {}-wrapped block within a stylesheet.\n *       '<' characters in the SafeStyle string *must be CSS-escaped* before\n *       interpolation. The SafeStyle string is also guaranteed not to be able\n *       to introduce new properties or elide existing ones.\n *   <li>Interpolated as the content of a {}-wrapped block within an HTML\n *       &lt;style&gt; element. '<' characters in the SafeStyle string\n *       *must be CSS-escaped* before interpolation.\n *   <li>Assigned to the style property of a DOM node. The SafeStyle string\n *       should not be escaped before being assigned to the property.\n * </ul>\n *\n * A SafeStyle may never contain literal angle brackets. Otherwise, it could\n * be unsafe to place a SafeStyle into a &lt;style&gt; tag (where it can't\n * be HTML escaped). For example, if the SafeStyle containing\n * `font: 'foo &lt;style/&gt;&lt;script&gt;evil&lt;/script&gt;'` were\n * interpolated within a &lt;style&gt; tag, this would then break out of the\n * style context into HTML.\n *\n * A SafeStyle may contain literal single or double quotes, and as such the\n * entire style string must be escaped when used in a style attribute (if\n * this were not the case, the string could contain a matching quote that\n * would escape from the style attribute).\n *\n * Values of this type must be composable, i.e. for any two values\n * `style1` and `style2` of this type,\n * `SafeStyle.unwrap(style1) +\n * SafeStyle.unwrap(style2)` must itself be a value that satisfies\n * the SafeStyle type constraint. This requirement implies that for any value\n * `style` of this type, `SafeStyle.unwrap(style)` must\n * not end in a \"property value\" or \"property name\" context. For example,\n * a value of `background:url(\"` or `font-` would not satisfy the\n * SafeStyle contract. This is because concatenating such strings with a\n * second value that itself does not contain unsafe CSS can result in an\n * overall string that does. For example, if `javascript:evil())\"` is\n * appended to `background:url(\"}, the resulting string may result in\n * the execution of a malicious script.\n *\n * TODO(mlourenco): Consider whether we should implement UTF-8 interchange\n * validity checks and blacklisting of newlines (including Unicode ones) and\n * other whitespace characters (\\t, \\f). Document here if so and also update\n * SafeStyle.fromConstant().\n *\n * The following example values comply with this type's contract:\n * <ul>\n *   <li><pre>width: 1em;</pre>\n *   <li><pre>height:1em;</pre>\n *   <li><pre>width: 1em;height: 1em;</pre>\n *   <li><pre>background:url('http://url');</pre>\n * </ul>\n * In addition, the empty string is safe for use in a CSS attribute.\n *\n * The following example values do NOT comply with this type's contract:\n * <ul>\n *   <li><pre>background: red</pre> (missing a trailing semi-colon)\n *   <li><pre>background:</pre> (missing a value and a trailing semi-colon)\n *   <li><pre>1em</pre> (missing an attribute name, which provides context for\n *       the value)\n * </ul>\n *\n * @see SafeStyle#create\n * @see SafeStyle#fromConstant\n * @see http://www.w3.org/TR/css3-syntax/\n * @final\n * @struct\n * @implements {TypedString}\n */\nclass SafeStyle {\n  /**\n   * @param {string} value\n   * @param {!Object} token package-internal implementation detail.\n   */\n  constructor(value, token) {\n    /**\n     * The contained value of this SafeStyle.  The field has a purposely\n     * ugly name to make (non-compiled) code that attempts to directly access\n     * this field stand out.\n     * @private {string}\n     */\n    this.privateDoNotAccessOrElseSafeStyleWrappedValue_ =\n        (token === CONSTRUCTOR_TOKEN_PRIVATE) ? value : '';\n\n    /**\n     * @override\n     * @const {boolean}\n     */\n    this.implementsGoogStringTypedString = true;\n  }\n\n\n  /**\n   * Creates a SafeStyle object from a compile-time constant string.\n   *\n   * `style` should be in the format\n   * `name: value; [name: value; ...]` and must not have any < or >\n   * characters in it. This is so that SafeStyle's contract is preserved,\n   * allowing the SafeStyle to correctly be interpreted as a sequence of CSS\n   * declarations and without affecting the syntactic structure of any\n   * surrounding CSS and HTML.\n   *\n   * This method performs basic sanity checks on the format of `style`\n   * but does not constrain the format of `name` and `value`, except\n   * for disallowing tag characters.\n   *\n   * @param {!Const} style A compile-time-constant string from which\n   *     to create a SafeStyle.\n   * @return {!SafeStyle} A SafeStyle object initialized to\n   *     `style`.\n   */\n  static fromConstant(style) {\n    const styleString = Const.unwrap(style);\n    if (styleString.length === 0) {\n      return SafeStyle.EMPTY;\n    }\n    assert(\n        endsWith(styleString, ';'),\n        `Last character of style string is not ';': ${styleString}`);\n    assert(\n        contains(styleString, ':'),\n        'Style string must contain at least one \\':\\', to ' +\n            'specify a \"name: value\" pair: ' + styleString);\n    return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\n        styleString);\n  };\n\n\n  /**\n   * Returns this SafeStyle's value as a string.\n   *\n   * IMPORTANT: In code where it is security relevant that an object's type is\n   * indeed `SafeStyle`, use `SafeStyle.unwrap` instead of\n   * this method. If in doubt, assume that it's security relevant. In\n   * particular, note that goog.html functions which return a goog.html type do\n   * not guarantee the returned instance is of the right type. For example:\n   *\n   * <pre>\n   * var fakeSafeHtml = new String('fake');\n   * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;\n   * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);\n   * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by\n   * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml\n   * // instanceof goog.html.SafeHtml.\n   * </pre>\n   *\n   * @return {string}\n   * @see SafeStyle#unwrap\n   * @override\n   */\n  getTypedStringValue() {\n    return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n  }\n\n\n  /**\n   * Returns a string-representation of this value.\n   *\n   * To obtain the actual string value wrapped in a SafeStyle, use\n   * `SafeStyle.unwrap`.\n   *\n   * @return {string}\n   * @see SafeStyle#unwrap\n   * @override\n   */\n  toString() {\n    return this.privateDoNotAccessOrElseSafeStyleWrappedValue_.toString();\n  }\n\n\n  /**\n   * Performs a runtime check that the provided object is indeed a\n   * SafeStyle object, and returns its value.\n   *\n   * @param {!SafeStyle} safeStyle The object to extract from.\n   * @return {string} The safeStyle object's contained string, unless\n   *     the run-time type check fails. In that case, `unwrap` returns an\n   *     innocuous string, or, if assertions are enabled, throws\n   *     `AssertionError`.\n   */\n  static unwrap(safeStyle) {\n    // Perform additional Run-time type-checking to ensure that\n    // safeStyle is indeed an instance of the expected type.  This\n    // provides some additional protection against security bugs due to\n    // application code that disables type checks.\n    // Specifically, the following checks are performed:\n    // 1. The object is an instance of the expected type.\n    // 2. The object is not an instance of a subclass.\n    if (safeStyle instanceof SafeStyle && safeStyle.constructor === SafeStyle) {\n      return safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n    } else {\n      fail(\n          `expected object of type SafeStyle, got '${safeStyle}` +\n          '\\' of type ' + goog.typeOf(safeStyle));\n      return 'type_error:SafeStyle';\n    }\n  }\n\n\n  /**\n   * Package-internal utility method to create SafeStyle instances.\n   *\n   * @param {string} style The string to initialize the SafeStyle object with.\n   * @return {!SafeStyle} The initialized SafeStyle object.\n   * @package\n   */\n  static createSafeStyleSecurityPrivateDoNotAccessOrElse(style) {\n    return new SafeStyle(style, CONSTRUCTOR_TOKEN_PRIVATE);\n  }\n\n  /**\n   * Creates a new SafeStyle object from the properties specified in the map.\n   * @param {!SafeStyle.PropertyMap} map Mapping of property names to\n   *     their values, for example {'margin': '1px'}. Names must consist of\n   *     [-_a-zA-Z0-9]. Values might be strings consisting of\n   *     [-,.'\"%_!# a-zA-Z0-9[\\]], where \", ', and [] must be properly balanced.\n   *     We also allow simple functions like rgb() and url() which sanitizes its\n   *     contents. Other values must be wrapped in Const. URLs might\n   *     be passed as SafeUrl which will be wrapped into url(\"\"). We\n   *     also support array whose elements are joined with ' '. Null value\n   * causes skipping the property.\n   * @return {!SafeStyle}\n   * @throws {!Error} If invalid name is provided.\n   * @throws {!AssertionError} If invalid value is provided. With\n   *     disabled assertions, invalid value is replaced by\n   *     SafeStyle.INNOCUOUS_STRING.\n   */\n  static create(map) {\n    let style = '';\n    for (let name in map) {\n      // https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/hasOwnProperty#Using_hasOwnProperty_as_a_property_name\n      if (Object.prototype.hasOwnProperty.call(map, name)) {\n        if (!/^[-_a-zA-Z0-9]+$/.test(name)) {\n          throw new Error(`Name allows only [-_a-zA-Z0-9], got: ${name}`);\n        }\n        let value = map[name];\n        if (value == null) {\n          continue;\n        }\n        if (Array.isArray(value)) {\n          value = value.map(sanitizePropertyValue).join(' ');\n        } else {\n          value = sanitizePropertyValue(value);\n        }\n        style += `${name}:${value};`;\n      }\n    }\n    if (!style) {\n      return SafeStyle.EMPTY;\n    }\n    return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);\n  };\n\n  /**\n   * Creates a new SafeStyle object by concatenating the values.\n   * @param {...(!SafeStyle|!Array<!SafeStyle>)} var_args\n   *     SafeStyles to concatenate.\n   * @return {!SafeStyle}\n   */\n  static concat(var_args) {\n    let style = '';\n\n    /**\n     * @param {!SafeStyle|!Array<!SafeStyle>} argument\n     */\n    const addArgument = argument => {\n      if (Array.isArray(argument)) {\n        argument.forEach(addArgument);\n      } else {\n        style += SafeStyle.unwrap(argument);\n      }\n    };\n\n    Array.prototype.forEach.call(arguments, addArgument);\n    if (!style) {\n      return SafeStyle.EMPTY;\n    }\n    return SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);\n  };\n}\n\n/**\n * A SafeStyle instance corresponding to the empty string.\n * @const {!SafeStyle}\n */\nSafeStyle.EMPTY = SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse('');\n\n\n/**\n * The innocuous string generated by SafeStyle.create when passed\n * an unsafe value.\n * @const {string}\n */\nSafeStyle.INNOCUOUS_STRING = 'zClosurez';\n\n\n/**\n * A single property value.\n * @typedef {string|!Const|!SafeUrl}\n */\nSafeStyle.PropertyValue;\n\n\n/**\n * Mapping of property names to their values.\n * We don't support numbers even though some values might be numbers (e.g.\n * line-height or 0 for any length). The reason is that most numeric values need\n * units (e.g. '1px') and allowing numbers could cause users forgetting about\n * them.\n * @typedef {!Object<string, ?SafeStyle.PropertyValue|\n *     ?Array<!SafeStyle.PropertyValue>>}\n */\nSafeStyle.PropertyMap;\n\n\n\n/**\n * Checks and converts value to string.\n * @param {!SafeStyle.PropertyValue} value\n * @return {string}\n */\nfunction sanitizePropertyValue(value) {\n  if (value instanceof SafeUrl) {\n    const url = SafeUrl.unwrap(value);\n    return 'url(\"' + url.replace(/</g, '%3c').replace(/[\\\\\"]/g, '\\\\$&') + '\")';\n  }\n  const result = value instanceof Const ?\n      Const.unwrap(value) :\n      sanitizePropertyValueString(String(value));\n  // These characters can be used to change context and we don't want that even\n  // with const values.\n  if (/[{;}]/.test(result)) {\n    throw new AssertionError('Value does not allow [{;}], got: %s.', [result]);\n  }\n  return result;\n}\n\n\n/**\n * Checks string value.\n * @param {string} value\n * @return {string}\n */\nfunction sanitizePropertyValueString(value) {\n  // Some CSS property values permit nested functions. We allow one level of\n  // nesting, and all nested functions must also be in the FUNCTIONS_RE_ list.\n  const valueWithoutFunctions = value.replace(FUNCTIONS_RE, '$1')\n                                    .replace(FUNCTIONS_RE, '$1')\n                                    .replace(URL_RE, 'url');\n  if (!VALUE_RE.test(valueWithoutFunctions)) {\n    fail(\n        `String value allows only ${VALUE_ALLOWED_CHARS}` +\n        ' and simple functions, got: ' + value);\n    return SafeStyle.INNOCUOUS_STRING;\n  } else if (COMMENT_RE.test(value)) {\n    fail(`String value disallows comments, got: ${value}`);\n    return SafeStyle.INNOCUOUS_STRING;\n  } else if (!hasBalancedQuotes(value)) {\n    fail(`String value requires balanced quotes, got: ${value}`);\n    return SafeStyle.INNOCUOUS_STRING;\n  } else if (!hasBalancedSquareBrackets(value)) {\n    fail(\n        'String value requires balanced square brackets and one' +\n        ' identifier per pair of brackets, got: ' + value);\n    return SafeStyle.INNOCUOUS_STRING;\n  }\n  return sanitizeUrl(value);\n}\n\n\n/**\n * Checks that quotes (\" and ') are properly balanced inside a string. Assumes\n * that neither escape (\\) nor any other character that could result in\n * breaking out of a string parsing context are allowed;\n * see http://www.w3.org/TR/css3-syntax/#string-token-diagram.\n * @param {string} value Untrusted CSS property value.\n * @return {boolean} True if property value is safe with respect to quote\n *     balancedness.\n */\nfunction hasBalancedQuotes(value) {\n  let outsideSingle = true;\n  let outsideDouble = true;\n  for (let i = 0; i < value.length; i++) {\n    const c = value.charAt(i);\n    if (c == '\\'' && outsideDouble) {\n      outsideSingle = !outsideSingle;\n    } else if (c == '\"' && outsideSingle) {\n      outsideDouble = !outsideDouble;\n    }\n  }\n  return outsideSingle && outsideDouble;\n}\n\n\n/**\n * Checks that square brackets ([ and ]) are properly balanced inside a string,\n * and that the content in the square brackets is one ident-token;\n * see https://www.w3.org/TR/css-syntax-3/#ident-token-diagram.\n * For practicality, and in line with other restrictions posed on SafeStyle\n * strings, we restrict the character set allowable in the ident-token to\n * [-_a-zA-Z0-9].\n * @param {string} value Untrusted CSS property value.\n * @return {boolean} True if property value is safe with respect to square\n *     bracket balancedness.\n */\nfunction hasBalancedSquareBrackets(value) {\n  let outside = true;\n  const tokenRe = /^[-_a-zA-Z0-9]$/;\n  for (let i = 0; i < value.length; i++) {\n    const c = value.charAt(i);\n    if (c == ']') {\n      if (outside) return false;  // Unbalanced ].\n      outside = true;\n    } else if (c == '[') {\n      if (!outside) return false;  // No nesting.\n      outside = false;\n    } else if (!outside && !tokenRe.test(c)) {\n      return false;\n    }\n  }\n  return outside;\n}\n\n\n/**\n * Characters allowed in VALUE_RE.\n * @type {string}\n */\nconst VALUE_ALLOWED_CHARS = '[-+,.\"\\'%_!#/ a-zA-Z0-9\\\\[\\\\]]';\n\n\n/**\n * Regular expression for safe values.\n * Quotes (\" and ') are allowed, but a check must be done elsewhere to ensure\n * they're balanced.\n * Square brackets ([ and ]) are allowed, but a check must be done elsewhere\n * to ensure they're balanced. The content inside a pair of square brackets must\n * be one alphanumeric identifier.\n * ',' allows multiple values to be assigned to the same property\n * (e.g. background-attachment or font-family) and hence could allow\n * multiple values to get injected, but that should pose no risk of XSS.\n * The expression checks only for XSS safety, not for CSS validity.\n * @const {!RegExp}\n */\nconst VALUE_RE = new RegExp(`^${VALUE_ALLOWED_CHARS}+\\$`);\n\n\n/**\n * Regular expression for url(). We support URLs allowed by\n * https://www.w3.org/TR/css-syntax-3/#url-token-diagram without using escape\n * sequences. Use percent-encoding if you need to use special characters like\n * backslash.\n * @const {!RegExp}\n */\nconst URL_RE = new RegExp(\n    '\\\\b(url\\\\([ \\t\\n]*)(' +\n        '\\'[ -&(-\\\\[\\\\]-~]*\\'' +  // Printable characters except ' and \\.\n        '|\"[ !#-\\\\[\\\\]-~]*\"' +    // Printable characters except \" and \\.\n        '|[!#-&*-\\\\[\\\\]-~]*' +    // Printable characters except [ \"'()\\\\].\n        ')([ \\t\\n]*\\\\))',\n    'g');\n\n/**\n * Names of functions allowed in FUNCTIONS_RE.\n * @const {!Array<string>}\n */\nconst ALLOWED_FUNCTIONS = [\n  'calc',\n  'cubic-bezier',\n  'fit-content',\n  'hsl',\n  'hsla',\n  'linear-gradient',\n  'matrix',\n  'minmax',\n  'radial-gradient',\n  'repeat',\n  'rgb',\n  'rgba',\n  '(rotate|scale|translate)(X|Y|Z|3d)?',\n  'steps',\n  'var',\n];\n\n\n/**\n * Regular expression for simple functions.\n * @const {!RegExp}\n */\nconst FUNCTIONS_RE = new RegExp(\n    '\\\\b(' + ALLOWED_FUNCTIONS.join('|') + ')' +\n        '\\\\([-+*/0-9a-zA-Z.%#\\\\[\\\\], ]+\\\\)',\n    'g');\n\n\n/**\n * Regular expression for comments. These are disallowed in CSS property values.\n * @const {!RegExp}\n */\nconst COMMENT_RE = /\\/\\*/;\n\n\n/**\n * Sanitize URLs inside url().\n * NOTE: We could also consider using CSS.escape once that's available in the\n * browsers. However, loosely matching URL e.g. with url\\(.*\\) and then escaping\n * the contents would result in a slightly different language than CSS leading\n * to confusion of users. E.g. url(\")\") is valid in CSS but it would be invalid\n * as seen by our parser. On the other hand, url(\\) is invalid in CSS but our\n * parser would be fine with it.\n * @param {string} value Untrusted CSS property value.\n * @return {string}\n */\nfunction sanitizeUrl(value) {\n  return value.replace(URL_RE, (match, before, url, after) => {\n    let quote = '';\n    url = url.replace(/^(['\"])(.*)\\1$/, (match, start, inside) => {\n      quote = start;\n      return inside;\n    });\n    const sanitized = SafeUrl.sanitize(url).getTypedStringValue();\n    return before + quote + sanitized + quote + after;\n  });\n}\n\n\nexports = SafeStyle;\n"],
+"names":["sanitizePropertyValue","value","SafeUrl","url","unwrap","replace","result","Const","sanitizePropertyValueString","String","test","AssertionError","valueWithoutFunctions","FUNCTIONS_RE","URL_RE","VALUE_RE","fail","VALUE_ALLOWED_CHARS","SafeStyle","INNOCUOUS_STRING","COMMENT_RE","hasBalancedQuotes","hasBalancedSquareBrackets","sanitizeUrl","outsideSingle","outsideDouble","i","length","c","charAt","outside","tokenRe","match","before","after","quote","start","inside","sanitized","sanitize","getTypedStringValue","goog","module","declareLegacyNamespace","require","TypedString","assert","contains","endsWith","CONSTRUCTOR_TOKEN_PRIVATE","constructor","token","privateDoNotAccessOrElseSafeStyleWrappedValue_","implementsGoogStringTypedString","fromConstant","style","styleString","EMPTY","createSafeStyleSecurityPrivateDoNotAccessOrElse","toString","safeStyle","typeOf","create","map","name","Object","prototype","hasOwnProperty","call","Error","Array","isArray","join","concat","var_args","addArgument","argument","forEach","arguments","PropertyValue","PropertyMap","RegExp","ALLOWED_FUNCTIONS","exports"]
+}

package/dist/cljs-runtime/goog.html.safestylesheet.js ADDED Viewed

@@ -0,0 +1,99 @@
+import "./cljs_env.js";
+import "./goog.string.const.js";
+import "./goog.html.safestyle.js";
+import "./goog.string.typedstring.js";
+import "./goog.object.object.js";
+import "./goog.asserts.asserts.js";
+import "./goog.string.internal.js";
+goog.loadModule(function(exports) {
+  "use strict";
+  goog.module("goog.html.SafeStyleSheet");
+  goog.module.declareLegacyNamespace();
+  const Const = goog.require("goog.string.Const");
+  const SafeStyle = goog.require("goog.html.SafeStyle");
+  const TypedString = goog.require("goog.string.TypedString");
+  const googObject = goog.require("goog.object");
+  const {assert, fail} = goog.require("goog.asserts");
+  const {contains} = goog.require("goog.string.internal");
+  const CONSTRUCTOR_TOKEN_PRIVATE = {};
+  class SafeStyleSheet {
+    constructor(value, token) {
+      this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_ = token === CONSTRUCTOR_TOKEN_PRIVATE ? value : "";
+      this.implementsGoogStringTypedString = true;
+    }
+    toString() {
+      return this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_.toString();
+    }
+    static createRule(selector, style) {
+      if (contains(selector, "\x3c")) {
+        throw new Error(`Selector does not allow '<', got: ${selector}`);
+      }
+      const selectorToCheck = selector.replace(/('|")((?!\1)[^\r\n\f\\]|\\[\s\S])*\1/g, "");
+      if (!/^[-_a-zA-Z0-9#.:* ,>+~[\]()=^$|]+$/.test(selectorToCheck)) {
+        throw new Error("Selector allows only [-_a-zA-Z0-9#.:* ,\x3e+~[\\]()\x3d^$|] and " + "strings, got: " + selector);
+      }
+      if (!SafeStyleSheet.hasBalancedBrackets_(selectorToCheck)) {
+        throw new Error("() and [] in selector must be balanced, got: " + selector);
+      }
+      if (!(style instanceof SafeStyle)) {
+        style = SafeStyle.create(style);
+      }
+      const styleSheet = `${selector}{` + SafeStyle.unwrap(style).replace(/</g, "\\3C ") + "}";
+      return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(styleSheet);
+    }
+    static hasBalancedBrackets_(s) {
+      const brackets = {"(":")", "[":"]"};
+      const expectedBrackets = [];
+      for (let i = 0; i < s.length; i++) {
+        const ch = s[i];
+        if (brackets[ch]) {
+          expectedBrackets.push(brackets[ch]);
+        } else if (googObject.contains(brackets, ch)) {
+          if (expectedBrackets.pop() != ch) {
+            return false;
+          }
+        }
+      }
+      return expectedBrackets.length == 0;
+    }
+    static concat(var_args) {
+      let result = "";
+      const addArgument = argument => {
+        if (Array.isArray(argument)) {
+          argument.forEach(addArgument);
+        } else {
+          result = result + SafeStyleSheet.unwrap(argument);
+        }
+      };
+      Array.prototype.forEach.call(arguments, addArgument);
+      return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(result);
+    }
+    static fromConstant(styleSheet) {
+      const styleSheetString = Const.unwrap(styleSheet);
+      if (styleSheetString.length === 0) {
+        return SafeStyleSheet.EMPTY;
+      }
+      assert(!contains(styleSheetString, "\x3c"), `Forbidden '<' character in style sheet string: ${styleSheetString}`);
+      return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(styleSheetString);
+    }
+    getTypedStringValue() {
+      return this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_;
+    }
+    static unwrap(safeStyleSheet) {
+      if (safeStyleSheet instanceof SafeStyleSheet && safeStyleSheet.constructor === SafeStyleSheet) {
+        return safeStyleSheet.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_;
+      } else {
+        fail("expected object of type SafeStyleSheet, got '" + safeStyleSheet + "' of type " + goog.typeOf(safeStyleSheet));
+        return "type_error:SafeStyleSheet";
+      }
+    }
+    static createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(styleSheet) {
+      return new SafeStyleSheet(styleSheet, CONSTRUCTOR_TOKEN_PRIVATE);
+    }
+  }
+  SafeStyleSheet.EMPTY = SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse("");
+  exports = SafeStyleSheet;
+  return exports;
+});
+//# sourceMappingURL=goog.html.safestylesheet.js.map

package/dist/cljs-runtime/goog.html.safestylesheet.js.map ADDED Viewed

@@ -0,0 +1,9 @@
+{
+"version":3,
+"file":"goog.html.safestylesheet.js",
+"lineCount":91,
+"mappings":"AAAA,IAAA,CAAA,UAAA,CAAA,QAAA,CAAA,OAAA,CAAA;AAAA,cAAA;AAYAA,MAAKC,CAAAA,MAAL,CAAY,0BAAZ,CAAA;AACAD,MAAKC,CAAAA,MAAOC,CAAAA,sBAAZ,EAAA;AAEA,QAAMC,QAAQH,IAAKI,CAAAA,OAAL,CAAa,mBAAb,CAAd;AACA,QAAMC,YAAYL,IAAKI,CAAAA,OAAL,CAAa,qBAAb,CAAlB;AACA,QAAME,cAAcN,IAAKI,CAAAA,OAAL,CAAa,yBAAb,CAApB;AACA,QAAMG,aAAaP,IAAKI,CAAAA,OAAL,CAAa,aAAb,CAAnB;AACA,QAAM,CAACI,MAAD,EAASC,IAAT,CAAA,GAAiBT,IAAKI,CAAAA,OAAL,CAAa,cAAb,CAAvB;AACA,QAAM,CAACM,QAAD,CAAA,GAAaV,IAAKI,CAAAA,OAAL,CAAa,sBAAb,CAAnB;AAOA,QAAMO,4BAA4B,EAAlC;AA0CA,OAAMC,eAAN;AAKEC,eAAW,CAACC,KAAD,EAAQC,KAAR,CAAe;AAOxB,UAAKC,CAAAA,mDAAL,GACKD,KAAD,KAAWJ,yBAAX,GAAwCG,KAAxC,GAAgD,EADpD;AAOA,UAAKG,CAAAA,+BAAL,GAAuC,IAAvC;AAdwB;AA2B1BC,YAAQ,EAAG;AACT,aAAO,IAAKF,CAAAA,mDAAoDE,CAAAA,QAAzD,EAAP;AADS;AAeJC,qBAAU,CAACC,QAAD,EAAWC,KAAX,CAAkB;AACjC,UAAIX,QAAA,CAASU,QAAT,EAAmB,MAAnB,CAAJ;AACE,cAAM,IAAIE,KAAJ,CAAW,qCAAoCF,QAApC,EAAX,CAAN;AADF;AAKA,YAAMG,kBACFH,QAASI,CAAAA,OAAT,CAAiB,uCAAjB,EAA0D,EAA1D,CADJ;AAIA,UAAI,CAAC,oCAAqCC,CAAAA,IAArC,CAA0CF,eAA1C,CAAL;AACE,cAAM,IAAID,KAAJ,CACF,kEADE,GAEF,gBAFE,GAEiBF,QAFjB,CAAN;AADF;AAOA,UAAI,CAACR,cAAec,CAAAA,oBAAf,CAAoCH,eAApC,CAAL;AACE,cAAM,IAAID,KAAJ,CACF,+CADE,GACgDF,QADhD,CAAN;AADF;AAKA,UAAI,EAAEC,KAAF,YAAmBhB,SAAnB,CAAJ;AACEgB,aAAA,GAAQhB,SAAUsB,CAAAA,MAAV,CAAiBN,KAAjB,CAAR;AADF;AAGA,YAAMO,aACD,GAAER,QAAF,GADCQ,GACevB,SAAUwB,CAAAA,MAAV,CAAiBR,KAAjB,CAAwBG,CAAAA,OAAxB,CAAgC,IAAhC,EAAsC,OAAtC,CADfI,GACgE,GADtE;AAEA,aAAOhB,cAAekB,CAAAA,oDAAf,CACHF,UADG,CAAP;AA3BiC;AAqC5BF,+BAAoB,CAACK,CAAD,CAAI;AAC7B,YAAMC,WAAW,CAAC,IAAK,GAAN,EAAW,IAAK,GAAhB,CAAjB;AACA,YAAMC,mBAAmB,EAAzB;AACA,WAAK,IAAIC,IAAI,CAAb,EAAgBA,CAAhB,GAAoBH,CAAEI,CAAAA,MAAtB,EAA8BD,CAAA,EAA9B,CAAmC;AACjC,cAAME,KAAKL,CAAA,CAAEG,CAAF,CAAX;AACA,YAAIF,QAAA,CAASI,EAAT,CAAJ;AACEH,0BAAiBI,CAAAA,IAAjB,CAAsBL,QAAA,CAASI,EAAT,CAAtB,CAAA;AADF,cAEO,KAAI7B,UAAWG,CAAAA,QAAX,CAAoBsB,QAApB,EAA8BI,EAA9B,CAAJ;AACL,cAAIH,gBAAiBK,CAAAA,GAAjB,EAAJ,IAA8BF,EAA9B;AACE,mBAAO,KAAP;AADF;AADK;AAJ0B;AAUnC,aAAOH,gBAAiBE,CAAAA,MAAxB,IAAkC,CAAlC;AAb6B;AAsBxBI,iBAAM,CAACC,QAAD,CAAW;AACtB,UAAIC,SAAS,EAAb;AAMA,YAAMC,cAAcC,QAAAD,IAAY;AAC9B,YAAIE,KAAMC,CAAAA,OAAN,CAAcF,QAAd,CAAJ;AACEA,kBAASG,CAAAA,OAAT,CAAiBJ,WAAjB,CAAA;AADF;AAGED,gBAAA,GAAAA,MAAA,GAAU7B,cAAeiB,CAAAA,MAAf,CAAsBc,QAAtB,CAAV;AAHF;AAD8B,OAAhC;AAQAC,WAAMG,CAAAA,SAAUD,CAAAA,OAAQE,CAAAA,IAAxB,CAA6BC,SAA7B,EAAwCP,WAAxC,CAAA;AACA,aAAO9B,cAAekB,CAAAA,oDAAf,CACHW,MADG,CAAP;AAhBsB;AA+BjBS,uBAAY,CAACtB,UAAD,CAAa;AAC9B,YAAMuB,mBAAmBhD,KAAM0B,CAAAA,MAAN,CAAaD,UAAb,CAAzB;AACA,UAAIuB,gBAAiBhB,CAAAA,MAArB,KAAgC,CAAhC;AACE,eAAOvB,cAAewC,CAAAA,KAAtB;AADF;AAKA5C,YAAA,CACI,CAACE,QAAA,CAASyC,gBAAT,EAA2B,MAA3B,CADL,EAEK,kDAAiDA,gBAAjD,EAFL,CAAA;AAGA,aAAOvC,cAAekB,CAAAA,oDAAf,CACHqB,gBADG,CAAP;AAV8B;AAmChCE,uBAAmB,EAAG;AACpB,aAAO,IAAKrC,CAAAA,mDAAZ;AADoB;AAcfa,iBAAM,CAACyB,cAAD,CAAiB;AAQ5B,UAAIA,cAAJ,YAA8B1C,cAA9B,IACI0C,cAAezC,CAAAA,WADnB,KACmCD,cADnC;AAEE,eAAO0C,cAAetC,CAAAA,mDAAtB;AAFF,YAGO;AACLP,YAAA,CACI,+CADJ,GACuD6C,cADvD,GAEI,YAFJ,GAEoBtD,IAAKuD,CAAAA,MAAL,CAAYD,cAAZ,CAFpB,CAAA;AAGA,eAAO,2BAAP;AAJK;AAXqB;AA2BvBxB,+DAAoD,CAACF,UAAD,CAAa;AACtE,aAAO,IAAIhB,cAAJ,CAAmBgB,UAAnB,EAA+BjB,yBAA/B,CAAP;AADsE;AArN1E;AA8NAC,gBAAewC,CAAAA,KAAf,GACIxC,cAAekB,CAAAA,oDAAf,CAAoE,EAApE,CADJ;AAIA0B,SAAA,GAAU5C,cAAV;AAvSA,SAAA,OAAA;AAAA,CAAA,CAAA;;",
+"sources":["goog/html/safestylesheet.js"],
+"sourcesContent":["/**\n * @license\n * Copyright The Closure Library Authors.\n * SPDX-License-Identifier: Apache-2.0\n */\n\n/**\n * @fileoverview The SafeStyleSheet type and its builders.\n *\n * TODO(xtof): Link to document stating type contract.\n */\n\ngoog.module('goog.html.SafeStyleSheet');\ngoog.module.declareLegacyNamespace();\n\nconst Const = goog.require('goog.string.Const');\nconst SafeStyle = goog.require('goog.html.SafeStyle');\nconst TypedString = goog.require('goog.string.TypedString');\nconst googObject = goog.require('goog.object');\nconst {assert, fail} = goog.require('goog.asserts');\nconst {contains} = goog.require('goog.string.internal');\n\n/**\n * Token used to ensure that object is created only from this file. No code\n * outside of this file can access this token.\n * @const {!Object}\n */\nconst CONSTRUCTOR_TOKEN_PRIVATE = {};\n\n/**\n * A string-like object which represents a CSS style sheet and that carries the\n * security type contract that its value, as a string, will not cause untrusted\n * script execution (XSS) when evaluated as CSS in a browser.\n *\n * Instances of this type must be created via the factory method\n * `SafeStyleSheet.fromConstant` and not by invoking its constructor. The\n * constructor intentionally takes an extra parameter that cannot be constructed\n * outside of this file and the type is immutable; hence only a default instance\n * corresponding to the empty string can be obtained via constructor invocation.\n *\n * A SafeStyleSheet's string representation can safely be interpolated as the\n * content of a style element within HTML. The SafeStyleSheet string should\n * not be escaped before interpolation.\n *\n * Values of this type must be composable, i.e. for any two values\n * `styleSheet1` and `styleSheet2` of this type,\n * `SafeStyleSheet.unwrap(styleSheet1) + SafeStyleSheet.unwrap(styleSheet2)`\n * must itself be a value that satisfies the SafeStyleSheet type constraint.\n * This requirement implies that for any value `styleSheet` of this type,\n * `SafeStyleSheet.unwrap(styleSheet1)` must end in\n * \"beginning of rule\" context.\n *\n * A SafeStyleSheet can be constructed via security-reviewed unchecked\n * conversions. In this case producers of SafeStyleSheet must ensure themselves\n * that the SafeStyleSheet does not contain unsafe script. Note in particular\n * that `&lt;` is dangerous, even when inside CSS strings, and so should\n * always be forbidden or CSS-escaped in user controlled input. For example, if\n * `&lt;/style&gt;&lt;script&gt;evil&lt;/script&gt;\"` were interpolated\n * inside a CSS string, it would break out of the context of the original\n * style element and `evil` would execute. Also note that within an HTML\n * style (raw text) element, HTML character references, such as\n * `&amp;lt;`, are not allowed. See\n * http://www.w3.org/TR/html5/scripting-1.html#restrictions-for-contents-of-script-elements\n * (similar considerations apply to the style element).\n *\n * @see SafeStyleSheet#fromConstant\n * @final\n * @implements {TypedString}\n */\nclass SafeStyleSheet {\n  /**\n   * @param {string} value\n   * @param {!Object} token package-internal implementation detail.\n   */\n  constructor(value, token) {\n    /**\n     * The contained value of this SafeStyleSheet.  The field has a purposely\n     * ugly name to make (non-compiled) code that attempts to directly access\n     * this field stand out.\n     * @private {string}\n     */\n    this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_ =\n        (token === CONSTRUCTOR_TOKEN_PRIVATE) ? value : '';\n\n    /**\n     * @override\n     * @const\n     */\n    this.implementsGoogStringTypedString = true;\n  }\n\n  /**\n   * Returns a string-representation of this value.\n   *\n   * To obtain the actual string value wrapped in a SafeStyleSheet, use\n   * `SafeStyleSheet.unwrap`.\n   *\n   * @return {string}\n   * @see SafeStyleSheet#unwrap\n   * @override\n   */\n  toString() {\n    return this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_.toString();\n  }\n\n  /**\n   * Creates a style sheet consisting of one selector and one style definition.\n   * Use {@link SafeStyleSheet.concat} to create longer style sheets.\n   * This function doesn't support @import, @media and similar constructs.\n   * @param {string} selector CSS selector, e.g. '#id' or 'tag .class, #id'. We\n   *     support CSS3 selectors: https://w3.org/TR/css3-selectors/#selectors.\n   * @param {!SafeStyle.PropertyMap|!SafeStyle} style Style\n   *     definition associated with the selector.\n   * @return {!SafeStyleSheet}\n   * @throws {!Error} If invalid selector is provided.\n   */\n  static createRule(selector, style) {\n    if (contains(selector, '<')) {\n      throw new Error(`Selector does not allow '<', got: ${selector}`);\n    }\n\n    // Remove strings.\n    const selectorToCheck =\n        selector.replace(/('|\")((?!\\1)[^\\r\\n\\f\\\\]|\\\\[\\s\\S])*\\1/g, '');\n\n    // Check characters allowed in CSS3 selectors.\n    if (!/^[-_a-zA-Z0-9#.:* ,>+~[\\]()=^$|]+$/.test(selectorToCheck)) {\n      throw new Error(\n          'Selector allows only [-_a-zA-Z0-9#.:* ,>+~[\\\\]()=^$|] and ' +\n          'strings, got: ' + selector);\n    }\n\n    // Check balanced () and [].\n    if (!SafeStyleSheet.hasBalancedBrackets_(selectorToCheck)) {\n      throw new Error(\n          '() and [] in selector must be balanced, got: ' + selector);\n    }\n\n    if (!(style instanceof SafeStyle)) {\n      style = SafeStyle.create(style);\n    }\n    const styleSheet =\n        `${selector}{` + SafeStyle.unwrap(style).replace(/</g, '\\\\3C ') + '}';\n    return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(\n        styleSheet);\n  }\n\n  /**\n   * Checks if a string has balanced () and [] brackets.\n   * @param {string} s String to check.\n   * @return {boolean}\n   * @private\n   */\n  static hasBalancedBrackets_(s) {\n    const brackets = {'(': ')', '[': ']'};\n    const expectedBrackets = [];\n    for (let i = 0; i < s.length; i++) {\n      const ch = s[i];\n      if (brackets[ch]) {\n        expectedBrackets.push(brackets[ch]);\n      } else if (googObject.contains(brackets, ch)) {\n        if (expectedBrackets.pop() != ch) {\n          return false;\n        }\n      }\n    }\n    return expectedBrackets.length == 0;\n  }\n\n  /**\n   * Creates a new SafeStyleSheet object by concatenating values.\n   * @param {...(!SafeStyleSheet|!Array<!SafeStyleSheet>)}\n   *     var_args Values to concatenate.\n   * @return {!SafeStyleSheet}\n   */\n  static concat(var_args) {\n    let result = '';\n\n    /**\n     * @param {!SafeStyleSheet|!Array<!SafeStyleSheet>}\n     *     argument\n     */\n    const addArgument = argument => {\n      if (Array.isArray(argument)) {\n        argument.forEach(addArgument);\n      } else {\n        result += SafeStyleSheet.unwrap(argument);\n      }\n    };\n\n    Array.prototype.forEach.call(arguments, addArgument);\n    return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(\n        result);\n  }\n\n  /**\n   * Creates a SafeStyleSheet object from a compile-time constant string.\n   *\n   * `styleSheet` must not have any &lt; characters in it, so that\n   * the syntactic structure of the surrounding HTML is not affected.\n   *\n   * @param {!Const} styleSheet A compile-time-constant string from\n   *     which to create a SafeStyleSheet.\n   * @return {!SafeStyleSheet} A SafeStyleSheet object initialized to\n   *     `styleSheet`.\n   */\n  static fromConstant(styleSheet) {\n    const styleSheetString = Const.unwrap(styleSheet);\n    if (styleSheetString.length === 0) {\n      return SafeStyleSheet.EMPTY;\n    }\n    // > is a valid character in CSS selectors and there's no strict need to\n    // block it if we already block <.\n    assert(\n        !contains(styleSheetString, '<'),\n        `Forbidden '<' character in style sheet string: ${styleSheetString}`);\n    return SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(\n        styleSheetString);\n  }\n\n  /**\n   * Returns this SafeStyleSheet's value as a string.\n   *\n   * IMPORTANT: In code where it is security relevant that an object's type is\n   * indeed `SafeStyleSheet`, use `SafeStyleSheet.unwrap`\n   * instead of this method. If in doubt, assume that it's security relevant. In\n   * particular, note that goog.html functions which return a goog.html type do\n   * not guarantee the returned instance is of the right type. For example:\n   *\n   * <pre>\n   * var fakeSafeHtml = new String('fake');\n   * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;\n   * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);\n   * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by\n   * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml\n   * // instanceof goog.html.SafeHtml.\n   * </pre>\n   *\n   * @see SafeStyleSheet#unwrap\n   * @override\n   */\n  getTypedStringValue() {\n    return this.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_;\n  }\n\n  /**\n   * Performs a runtime check that the provided object is indeed a\n   * SafeStyleSheet object, and returns its value.\n   *\n   * @param {!SafeStyleSheet} safeStyleSheet The object to extract from.\n   * @return {string} The safeStyleSheet object's contained string, unless\n   *     the run-time type check fails. In that case, `unwrap` returns an\n   *     innocuous string, or, if assertions are enabled, throws\n   *     `asserts.AssertionError`.\n   */\n  static unwrap(safeStyleSheet) {\n    // Perform additional Run-time type-checking to ensure that\n    // safeStyleSheet is indeed an instance of the expected type.  This\n    // provides some additional protection against security bugs due to\n    // application code that disables type checks.\n    // Specifically, the following checks are performed:\n    // 1. The object is an instance of the expected type.\n    // 2. The object is not an instance of a subclass.\n    if (safeStyleSheet instanceof SafeStyleSheet &&\n        safeStyleSheet.constructor === SafeStyleSheet) {\n      return safeStyleSheet.privateDoNotAccessOrElseSafeStyleSheetWrappedValue_;\n    } else {\n      fail(\n          'expected object of type SafeStyleSheet, got \\'' + safeStyleSheet +\n          '\\' of type ' + goog.typeOf(safeStyleSheet));\n      return 'type_error:SafeStyleSheet';\n    }\n  }\n\n  /**\n   * Package-internal utility method to create SafeStyleSheet instances.\n   *\n   * @param {string} styleSheet The string to initialize the SafeStyleSheet\n   *     object with.\n   * @return {!SafeStyleSheet} The initialized SafeStyleSheet object.\n   * @package\n   */\n  static createSafeStyleSheetSecurityPrivateDoNotAccessOrElse(styleSheet) {\n    return new SafeStyleSheet(styleSheet, CONSTRUCTOR_TOKEN_PRIVATE);\n  }\n}\n\n/**\n * A SafeStyleSheet instance corresponding to the empty string.\n * @const {!SafeStyleSheet}\n */\nSafeStyleSheet.EMPTY =\n    SafeStyleSheet.createSafeStyleSheetSecurityPrivateDoNotAccessOrElse('');\n\n\nexports = SafeStyleSheet;\n"],
+"names":["goog","module","declareLegacyNamespace","Const","require","SafeStyle","TypedString","googObject","assert","fail","contains","CONSTRUCTOR_TOKEN_PRIVATE","SafeStyleSheet","constructor","value","token","privateDoNotAccessOrElseSafeStyleSheetWrappedValue_","implementsGoogStringTypedString","toString","createRule","selector","style","Error","selectorToCheck","replace","test","hasBalancedBrackets_","create","styleSheet","unwrap","createSafeStyleSheetSecurityPrivateDoNotAccessOrElse","s","brackets","expectedBrackets","i","length","ch","push","pop","concat","var_args","result","addArgument","argument","Array","isArray","forEach","prototype","call","arguments","fromConstant","styleSheetString","EMPTY","getTypedStringValue","safeStyleSheet","typeOf","exports"]
+}

package/dist/cljs-runtime/goog.html.safeurl.js ADDED Viewed

@@ -0,0 +1,231 @@
+import "./cljs_env.js";
+import "./goog.asserts.asserts.js";
+import "./goog.fs.url.js";
+import "./goog.html.trustedresourceurl.js";
+import "./goog.string.const.js";
+import "./goog.string.typedstring.js";
+import "./goog.string.internal.js";
+goog.provide("goog.html.SafeUrl");
+goog.require("goog.asserts");
+goog.require("goog.fs.url");
+goog.require("goog.html.TrustedResourceUrl");
+goog.require("goog.string.Const");
+goog.require("goog.string.TypedString");
+goog.require("goog.string.internal");
+goog.html.SafeUrl = class {
+  constructor(value, token) {
+    this.privateDoNotAccessOrElseSafeUrlWrappedValue_ = token === goog.html.SafeUrl.CONSTRUCTOR_TOKEN_PRIVATE_ ? value : "";
+  }
+  toString() {
+    return this.privateDoNotAccessOrElseSafeUrlWrappedValue_.toString();
+  }
+};
+goog.html.SafeUrl.INNOCUOUS_STRING = "about:invalid#zClosurez";
+goog.html.SafeUrl.prototype.implementsGoogStringTypedString = true;
+goog.html.SafeUrl.prototype.getTypedStringValue = function() {
+  return this.privateDoNotAccessOrElseSafeUrlWrappedValue_.toString();
+};
+goog.html.SafeUrl.unwrap = function(safeUrl) {
+  if (safeUrl instanceof goog.html.SafeUrl && safeUrl.constructor === goog.html.SafeUrl) {
+    return safeUrl.privateDoNotAccessOrElseSafeUrlWrappedValue_;
+  } else {
+    goog.asserts.fail("expected object of type SafeUrl, got '" + safeUrl + "' of type " + goog.typeOf(safeUrl));
+    return "type_error:SafeUrl";
+  }
+};
+goog.html.SafeUrl.fromConstant = function(url) {
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(goog.string.Const.unwrap(url));
+};
+goog.html.SAFE_MIME_TYPE_PATTERN_ = new RegExp("^(?:audio/(?:3gpp2|3gpp|aac|L16|midi|mp3|mp4|mpeg|oga|ogg|opus|x-m4a|x-matroska|x-wav|wav|webm)|" + "font/\\w+|" + "image/(?:bmp|gif|jpeg|jpg|png|tiff|webp|x-icon|heic|heif)|" + "video/(?:mpeg|mp4|ogg|webm|quicktime|x-matroska))" + '(?:;\\w+\x3d(?:\\w+|"[\\w;,\x3d ]+"))*$', "i");
+goog.html.SafeUrl.isSafeMimeType = function(mimeType) {
+  return goog.html.SAFE_MIME_TYPE_PATTERN_.test(mimeType);
+};
+goog.html.SafeUrl.fromBlob = function(blob) {
+  var url = goog.html.SafeUrl.isSafeMimeType(blob.type) ? goog.fs.url.createObjectUrl(blob) : goog.html.SafeUrl.INNOCUOUS_STRING;
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.SafeUrl.revokeObjectUrl = function(safeUrl) {
+  var url = safeUrl.getTypedStringValue();
+  if (url !== goog.html.SafeUrl.INNOCUOUS_STRING) {
+    goog.fs.url.revokeObjectUrl(url);
+  }
+};
+goog.html.SafeUrl.fromMediaSource = function(mediaSource) {
+  goog.asserts.assert("MediaSource" in goog.global, "No support for MediaSource");
+  const url = mediaSource instanceof MediaSource ? goog.fs.url.createObjectUrl(mediaSource) : goog.html.SafeUrl.INNOCUOUS_STRING;
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.DATA_URL_PATTERN_ = /^data:(.*);base64,[a-z0-9+\/]+=*$/i;
+goog.html.SafeUrl.tryFromDataUrl = function(dataUrl) {
+  dataUrl = String(dataUrl);
+  var filteredDataUrl = dataUrl.replace(/(%0A|%0D)/g, "");
+  var match = filteredDataUrl.match(goog.html.DATA_URL_PATTERN_);
+  if (match) {
+    return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(filteredDataUrl);
+  }
+  return null;
+};
+goog.html.SafeUrl.fromDataUrl = function(dataUrl) {
+  return goog.html.SafeUrl.tryFromDataUrl(dataUrl) || goog.html.SafeUrl.INNOCUOUS_URL;
+};
+goog.html.SafeUrl.fromTelUrl = function(telUrl) {
+  if (!goog.string.internal.caseInsensitiveStartsWith(telUrl, "tel:")) {
+    telUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(telUrl);
+};
+goog.html.SIP_URL_PATTERN_ = new RegExp("^sip[s]?:[+a-z0-9_.!$%\x26'*\\/\x3d^`{|}~-]+@([a-z0-9-]+\\.)+[a-z0-9]{2,63}$", "i");
+goog.html.SafeUrl.fromSipUrl = function(sipUrl) {
+  if (!goog.html.SIP_URL_PATTERN_.test(decodeURIComponent(sipUrl))) {
+    sipUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(sipUrl);
+};
+goog.html.SafeUrl.fromFacebookMessengerUrl = function(facebookMessengerUrl) {
+  if (!goog.string.internal.caseInsensitiveStartsWith(facebookMessengerUrl, "fb-messenger://share")) {
+    facebookMessengerUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(facebookMessengerUrl);
+};
+goog.html.SafeUrl.fromWhatsAppUrl = function(whatsAppUrl) {
+  if (!goog.string.internal.caseInsensitiveStartsWith(whatsAppUrl, "whatsapp://send")) {
+    whatsAppUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(whatsAppUrl);
+};
+goog.html.SafeUrl.fromSmsUrl = function(smsUrl) {
+  if (!goog.string.internal.caseInsensitiveStartsWith(smsUrl, "sms:") || !goog.html.SafeUrl.isSmsUrlBodyValid_(smsUrl)) {
+    smsUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(smsUrl);
+};
+goog.html.SafeUrl.isSmsUrlBodyValid_ = function(smsUrl) {
+  var hash = smsUrl.indexOf("#");
+  if (hash > 0) {
+    smsUrl = smsUrl.substring(0, hash);
+  }
+  var bodyParams = smsUrl.match(/[?&]body=/gi);
+  if (!bodyParams) {
+    return true;
+  }
+  if (bodyParams.length > 1) {
+    return false;
+  }
+  var bodyValue = smsUrl.match(/[?&]body=([^&]*)/)[1];
+  if (!bodyValue) {
+    return true;
+  }
+  try {
+    decodeURIComponent(bodyValue);
+  } catch (error) {
+    return false;
+  }
+  return /^(?:[a-z0-9\-_.~]|%[0-9a-f]{2})+$/i.test(bodyValue);
+};
+goog.html.SafeUrl.fromSshUrl = function(sshUrl) {
+  if (!goog.string.internal.caseInsensitiveStartsWith(sshUrl, "ssh://")) {
+    sshUrl = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(sshUrl);
+};
+goog.html.SafeUrl.sanitizeChromeExtensionUrl = function(url, extensionId) {
+  return goog.html.SafeUrl.sanitizeExtensionUrl_(/^chrome-extension:\/\/([^\/]+)\//, url, extensionId);
+};
+goog.html.SafeUrl.sanitizeFirefoxExtensionUrl = function(url, extensionId) {
+  return goog.html.SafeUrl.sanitizeExtensionUrl_(/^moz-extension:\/\/([^\/]+)\//, url, extensionId);
+};
+goog.html.SafeUrl.sanitizeEdgeExtensionUrl = function(url, extensionId) {
+  return goog.html.SafeUrl.sanitizeExtensionUrl_(/^ms-browser-extension:\/\/([^\/]+)\//, url, extensionId);
+};
+goog.html.SafeUrl.sanitizeExtensionUrl_ = function(scheme, url, extensionId) {
+  var matches = scheme.exec(url);
+  if (!matches) {
+    url = goog.html.SafeUrl.INNOCUOUS_STRING;
+  } else {
+    var extractedExtensionId = matches[1];
+    var acceptedExtensionIds;
+    if (extensionId instanceof goog.string.Const) {
+      acceptedExtensionIds = [goog.string.Const.unwrap(extensionId)];
+    } else {
+      acceptedExtensionIds = extensionId.map(function unwrap(x) {
+        return goog.string.Const.unwrap(x);
+      });
+    }
+    if (acceptedExtensionIds.indexOf(extractedExtensionId) == -1) {
+      url = goog.html.SafeUrl.INNOCUOUS_STRING;
+    }
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.SafeUrl.fromTrustedResourceUrl = function(trustedResourceUrl) {
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(goog.html.TrustedResourceUrl.unwrap(trustedResourceUrl));
+};
+goog.html.SAFE_URL_PATTERN_ = /^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i;
+goog.html.SafeUrl.SAFE_URL_PATTERN = goog.html.SAFE_URL_PATTERN_;
+goog.html.SafeUrl.trySanitize = function(url) {
+  if (url instanceof goog.html.SafeUrl) {
+    return url;
+  }
+  if (typeof url == "object" && url.implementsGoogStringTypedString) {
+    url = url.getTypedStringValue();
+  } else {
+    url = String(url);
+  }
+  if (!goog.html.SAFE_URL_PATTERN_.test(url)) {
+    return goog.html.SafeUrl.tryFromDataUrl(url);
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.SafeUrl.sanitize = function(url) {
+  return goog.html.SafeUrl.trySanitize(url) || goog.html.SafeUrl.INNOCUOUS_URL;
+};
+goog.html.SafeUrl.sanitizeAssertUnchanged = function(url, opt_allowDataUrl) {
+  if (url instanceof goog.html.SafeUrl) {
+    return url;
+  } else if (typeof url == "object" && url.implementsGoogStringTypedString) {
+    url = url.getTypedStringValue();
+  } else {
+    url = String(url);
+  }
+  if (opt_allowDataUrl && /^data:/i.test(url)) {
+    var safeUrl = goog.html.SafeUrl.fromDataUrl(url);
+    if (safeUrl.getTypedStringValue() == url) {
+      return safeUrl;
+    }
+  }
+  if (!goog.asserts.assert(goog.html.SAFE_URL_PATTERN_.test(url), "%s does not match the safe URL pattern", url)) {
+    url = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.SafeUrl.extractScheme = function(url) {
+  let parsedUrl;
+  try {
+    parsedUrl = new URL(url);
+  } catch (e) {
+    return "https:";
+  }
+  return parsedUrl.protocol;
+};
+goog.html.SafeUrl.sanitizeJavascriptUrlAssertUnchanged = function(url) {
+  if (url instanceof goog.html.SafeUrl) {
+    return url;
+  } else if (typeof url == "object" && url.implementsGoogStringTypedString) {
+    url = url.getTypedStringValue();
+  } else {
+    url = String(url);
+  }
+  const parsedScheme = goog.html.SafeUrl.extractScheme(url);
+  if (!goog.asserts.assert(parsedScheme !== "javascript:", "%s is a javascript: URL", url)) {
+    url = goog.html.SafeUrl.INNOCUOUS_STRING;
+  }
+  return goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(url);
+};
+goog.html.SafeUrl.CONSTRUCTOR_TOKEN_PRIVATE_ = {};
+goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse = function(url) {
+  return new goog.html.SafeUrl(url, goog.html.SafeUrl.CONSTRUCTOR_TOKEN_PRIVATE_);
+};
+goog.html.SafeUrl.INNOCUOUS_URL = goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse(goog.html.SafeUrl.INNOCUOUS_STRING);
+goog.html.SafeUrl.ABOUT_BLANK = goog.html.SafeUrl.createSafeUrlSecurityPrivateDoNotAccessOrElse("about:blank");
+//# sourceMappingURL=goog.html.safeurl.js.map