@vaadin/bundles 25.2.0-rc2 → 25.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10,7 +10,7 @@ __webpack_require__.r(__webpack_exports__);
10
10
  /* harmony export */ __webpack_require__.d(__webpack_exports__, {
11
11
  /* harmony export */ "default": () => (/* binding */ purify)
12
12
  /* harmony export */ });
13
- /*! @license DOMPurify 3.4.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.10/LICENSE */
13
+ /*! @license DOMPurify 3.4.11 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.11/LICENSE */
14
14
 
15
15
  function _arrayLikeToArray(r, a) {
16
16
  (null == a || a > r.length) && (a = r.length);
@@ -347,7 +347,6 @@ const COMMENT_MARKUP_PROBE = seal(/<[/\w]/g);
347
347
  const FALLBACK_TAG_CLOSE = seal(/<\/no(script|embed|frames)/i);
348
348
  const SELF_CLOSING_TAG = seal(/\/>/i);
349
349
 
350
- /* eslint-disable @typescript-eslint/indent */
351
350
  // https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
352
351
  const NODE_TYPE = {
353
352
  element: 1,
@@ -437,7 +436,7 @@ const _resolveSetOption = function _resolveSetOption(cfg, key, fallback, options
437
436
  function createDOMPurify() {
438
437
  let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
439
438
  const DOMPurify = root => createDOMPurify(root);
440
- DOMPurify.version = '3.4.10';
439
+ DOMPurify.version = '3.4.11';
441
440
  DOMPurify.removed = [];
442
441
  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
443
442
  // Not running in a browser, provide a factory function
@@ -626,6 +625,13 @@ function createDOMPurify() {
626
625
  let WHOLE_DOCUMENT = false;
627
626
  /* Track whether config is already set on this instance of DOMPurify. */
628
627
  let SET_CONFIG = false;
628
+ /* Pristine allowlist bindings captured at setConfig() time. On the
629
+ * persistent-config path sanitize() restores the sets from these before
630
+ * the per-walk hook clone-guard, so a hook's in-call widening cannot
631
+ * carry across calls. Null until setConfig() is called; reset by
632
+ * clearConfig(). */
633
+ let SET_CONFIG_ALLOWED_TAGS = null;
634
+ let SET_CONFIG_ALLOWED_ATTR = null;
629
635
  /* Decide if all elements (e.g. style, script) must be children of
630
636
  * document.body. By default, browsers might move them to document.head */
631
637
  let FORCE_BODY = false;
@@ -935,21 +941,6 @@ function createDOMPurify() {
935
941
  emptyHTML = _createTrustedHTML('');
936
942
  }
937
943
  }
938
- /*
939
- * Mirror the clone-before-mutate pattern already applied above for
940
- * cfg.ADD_TAGS / cfg.ADD_ATTR: if any uponSanitize* hook is
941
- * registered AND the set still points at the default constant,
942
- * clone it. The hook then mutates the clone (in-call widening
943
- * still works exactly as documented) and the next default-cfg
944
- * call rebinds to the untouched original via the reassignment at
945
- * the top of this function.
946
- */
947
- if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
948
- ALLOWED_TAGS = clone(ALLOWED_TAGS);
949
- }
950
- if (hooks.uponSanitizeAttribute.length > 0 && ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
951
- ALLOWED_ATTR = clone(ALLOWED_ATTR);
952
- }
953
944
  // Prevent further manipulation of configuration.
954
945
  // Not available in IE8, Safari 5, etc.
955
946
  if (freeze) {
@@ -2006,9 +1997,31 @@ function createDOMPurify() {
2006
1997
  return dirty;
2007
1998
  }
2008
1999
  /* Assign config vars */
2009
- if (!SET_CONFIG) {
2000
+ if (SET_CONFIG) {
2001
+ /* Persistent setConfig() path: _parseConfig is skipped, so the sets are
2002
+ * not re-derived per call. Restore them from the pristine bindings
2003
+ * captured at setConfig() time so a previous call's hook clone (mutated
2004
+ * below) does not carry over. */
2005
+ ALLOWED_TAGS = SET_CONFIG_ALLOWED_TAGS;
2006
+ ALLOWED_ATTR = SET_CONFIG_ALLOWED_ATTR;
2007
+ } else {
2010
2008
  _parseConfig(cfg);
2011
2009
  }
2010
+ /* Clone the hook-mutable allowlists before the walk whenever an
2011
+ * uponSanitize* hook is registered. The hook event exposes ALLOWED_TAGS
2012
+ * and ALLOWED_ATTR by reference (as allowedTags / allowedAttributes), so
2013
+ * a hook that widens them would otherwise mutate the shared set
2014
+ * permanently: across later calls and across every element. Cloning per
2015
+ * walk keeps documented in-call widening working while scoping it to the
2016
+ * call. A single guard for both config paths - the per-call path rebinds
2017
+ * the sets in _parseConfig each call, the persistent path restores them
2018
+ * from the captured bindings just above - so the two cannot diverge. */
2019
+ if (hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) {
2020
+ ALLOWED_TAGS = clone(ALLOWED_TAGS);
2021
+ }
2022
+ if (hooks.uponSanitizeAttribute.length > 0) {
2023
+ ALLOWED_ATTR = clone(ALLOWED_ATTR);
2024
+ }
2012
2025
  /* Clean up removed elements */
2013
2026
  DOMPurify.removed = [];
2014
2027
  /* Resolve IN_PLACE for this call without mutating persistent config.
@@ -2184,10 +2197,14 @@ function createDOMPurify() {
2184
2197
  let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
2185
2198
  _parseConfig(cfg);
2186
2199
  SET_CONFIG = true;
2200
+ SET_CONFIG_ALLOWED_TAGS = ALLOWED_TAGS;
2201
+ SET_CONFIG_ALLOWED_ATTR = ALLOWED_ATTR;
2187
2202
  };
2188
2203
  DOMPurify.clearConfig = function () {
2189
2204
  CONFIG = null;
2190
2205
  SET_CONFIG = false;
2206
+ SET_CONFIG_ALLOWED_TAGS = null;
2207
+ SET_CONFIG_ALLOWED_ATTR = null;
2191
2208
  // Drop any caller-supplied Trusted Types policy so it cannot poison later
2192
2209
  // `RETURN_TRUSTED_TYPE` output. The internal default policy (cached, and
2193
2210
  // never recreated — Trusted Types throws on duplicate names) is restored by
@@ -2208,9 +2225,19 @@ function createDOMPurify() {
2208
2225
  if (typeof hookFunction !== 'function') {
2209
2226
  return;
2210
2227
  }
2228
+ /* Reject unknown entry points. Without this, a non-hook key (e.g.
2229
+ * '__proto__') indexes off the prototype chain rather than a real
2230
+ * hook array, and arrayPush then writes to Object.prototype. Guard
2231
+ * with an own-property check against the known hook names. */
2232
+ if (!objectHasOwnProperty(hooks, entryPoint)) {
2233
+ return;
2234
+ }
2211
2235
  arrayPush(hooks[entryPoint], hookFunction);
2212
2236
  };
2213
2237
  DOMPurify.removeHook = function (entryPoint, hookFunction) {
2238
+ if (!objectHasOwnProperty(hooks, entryPoint)) {
2239
+ return undefined;
2240
+ }
2214
2241
  if (hookFunction !== undefined) {
2215
2242
  const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
2216
2243
  return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
@@ -2218,6 +2245,9 @@ function createDOMPurify() {
2218
2245
  return arrayPop(hooks[entryPoint]);
2219
2246
  };
2220
2247
  DOMPurify.removeHooks = function (entryPoint) {
2248
+ if (!objectHasOwnProperty(hooks, entryPoint)) {
2249
+ return;
2250
+ }
2221
2251
  hooks[entryPoint] = [];
2222
2252
  };
2223
2253
  DOMPurify.removeAllHooks = function () {