@vaadin/bundles 25.2.0-rc2 → 25.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +135 -135
- package/vaadin-bundle.json +1704 -1703
- package/vaadin.js +1227 -1170
- package/vaadin.js.map +1 -1
- package/vendors-node_modules_vaadin_markdown_node_modules_dompurify_dist_purify_es_mjs.js +49 -19
- package/vendors-node_modules_vaadin_markdown_node_modules_dompurify_dist_purify_es_mjs.js.map +1 -1
|
@@ -10,7 +10,7 @@ __webpack_require__.r(__webpack_exports__);
|
|
|
10
10
|
/* harmony export */ __webpack_require__.d(__webpack_exports__, {
|
|
11
11
|
/* harmony export */ "default": () => (/* binding */ purify)
|
|
12
12
|
/* harmony export */ });
|
|
13
|
-
/*! @license DOMPurify 3.4.
|
|
13
|
+
/*! @license DOMPurify 3.4.11 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.11/LICENSE */
|
|
14
14
|
|
|
15
15
|
function _arrayLikeToArray(r, a) {
|
|
16
16
|
(null == a || a > r.length) && (a = r.length);
|
|
@@ -347,7 +347,6 @@ const COMMENT_MARKUP_PROBE = seal(/<[/\w]/g);
|
|
|
347
347
|
const FALLBACK_TAG_CLOSE = seal(/<\/no(script|embed|frames)/i);
|
|
348
348
|
const SELF_CLOSING_TAG = seal(/\/>/i);
|
|
349
349
|
|
|
350
|
-
/* eslint-disable @typescript-eslint/indent */
|
|
351
350
|
// https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
|
|
352
351
|
const NODE_TYPE = {
|
|
353
352
|
element: 1,
|
|
@@ -437,7 +436,7 @@ const _resolveSetOption = function _resolveSetOption(cfg, key, fallback, options
|
|
|
437
436
|
function createDOMPurify() {
|
|
438
437
|
let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
|
|
439
438
|
const DOMPurify = root => createDOMPurify(root);
|
|
440
|
-
DOMPurify.version = '3.4.
|
|
439
|
+
DOMPurify.version = '3.4.11';
|
|
441
440
|
DOMPurify.removed = [];
|
|
442
441
|
if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
|
|
443
442
|
// Not running in a browser, provide a factory function
|
|
@@ -626,6 +625,13 @@ function createDOMPurify() {
|
|
|
626
625
|
let WHOLE_DOCUMENT = false;
|
|
627
626
|
/* Track whether config is already set on this instance of DOMPurify. */
|
|
628
627
|
let SET_CONFIG = false;
|
|
628
|
+
/* Pristine allowlist bindings captured at setConfig() time. On the
|
|
629
|
+
* persistent-config path sanitize() restores the sets from these before
|
|
630
|
+
* the per-walk hook clone-guard, so a hook's in-call widening cannot
|
|
631
|
+
* carry across calls. Null until setConfig() is called; reset by
|
|
632
|
+
* clearConfig(). */
|
|
633
|
+
let SET_CONFIG_ALLOWED_TAGS = null;
|
|
634
|
+
let SET_CONFIG_ALLOWED_ATTR = null;
|
|
629
635
|
/* Decide if all elements (e.g. style, script) must be children of
|
|
630
636
|
* document.body. By default, browsers might move them to document.head */
|
|
631
637
|
let FORCE_BODY = false;
|
|
@@ -935,21 +941,6 @@ function createDOMPurify() {
|
|
|
935
941
|
emptyHTML = _createTrustedHTML('');
|
|
936
942
|
}
|
|
937
943
|
}
|
|
938
|
-
/*
|
|
939
|
-
* Mirror the clone-before-mutate pattern already applied above for
|
|
940
|
-
* cfg.ADD_TAGS / cfg.ADD_ATTR: if any uponSanitize* hook is
|
|
941
|
-
* registered AND the set still points at the default constant,
|
|
942
|
-
* clone it. The hook then mutates the clone (in-call widening
|
|
943
|
-
* still works exactly as documented) and the next default-cfg
|
|
944
|
-
* call rebinds to the untouched original via the reassignment at
|
|
945
|
-
* the top of this function.
|
|
946
|
-
*/
|
|
947
|
-
if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
|
|
948
|
-
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
949
|
-
}
|
|
950
|
-
if (hooks.uponSanitizeAttribute.length > 0 && ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
|
|
951
|
-
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
952
|
-
}
|
|
953
944
|
// Prevent further manipulation of configuration.
|
|
954
945
|
// Not available in IE8, Safari 5, etc.
|
|
955
946
|
if (freeze) {
|
|
@@ -2006,9 +1997,31 @@ function createDOMPurify() {
|
|
|
2006
1997
|
return dirty;
|
|
2007
1998
|
}
|
|
2008
1999
|
/* Assign config vars */
|
|
2009
|
-
if (
|
|
2000
|
+
if (SET_CONFIG) {
|
|
2001
|
+
/* Persistent setConfig() path: _parseConfig is skipped, so the sets are
|
|
2002
|
+
* not re-derived per call. Restore them from the pristine bindings
|
|
2003
|
+
* captured at setConfig() time so a previous call's hook clone (mutated
|
|
2004
|
+
* below) does not carry over. */
|
|
2005
|
+
ALLOWED_TAGS = SET_CONFIG_ALLOWED_TAGS;
|
|
2006
|
+
ALLOWED_ATTR = SET_CONFIG_ALLOWED_ATTR;
|
|
2007
|
+
} else {
|
|
2010
2008
|
_parseConfig(cfg);
|
|
2011
2009
|
}
|
|
2010
|
+
/* Clone the hook-mutable allowlists before the walk whenever an
|
|
2011
|
+
* uponSanitize* hook is registered. The hook event exposes ALLOWED_TAGS
|
|
2012
|
+
* and ALLOWED_ATTR by reference (as allowedTags / allowedAttributes), so
|
|
2013
|
+
* a hook that widens them would otherwise mutate the shared set
|
|
2014
|
+
* permanently: across later calls and across every element. Cloning per
|
|
2015
|
+
* walk keeps documented in-call widening working while scoping it to the
|
|
2016
|
+
* call. A single guard for both config paths - the per-call path rebinds
|
|
2017
|
+
* the sets in _parseConfig each call, the persistent path restores them
|
|
2018
|
+
* from the captured bindings just above - so the two cannot diverge. */
|
|
2019
|
+
if (hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) {
|
|
2020
|
+
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
2021
|
+
}
|
|
2022
|
+
if (hooks.uponSanitizeAttribute.length > 0) {
|
|
2023
|
+
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
2024
|
+
}
|
|
2012
2025
|
/* Clean up removed elements */
|
|
2013
2026
|
DOMPurify.removed = [];
|
|
2014
2027
|
/* Resolve IN_PLACE for this call without mutating persistent config.
|
|
@@ -2184,10 +2197,14 @@ function createDOMPurify() {
|
|
|
2184
2197
|
let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
2185
2198
|
_parseConfig(cfg);
|
|
2186
2199
|
SET_CONFIG = true;
|
|
2200
|
+
SET_CONFIG_ALLOWED_TAGS = ALLOWED_TAGS;
|
|
2201
|
+
SET_CONFIG_ALLOWED_ATTR = ALLOWED_ATTR;
|
|
2187
2202
|
};
|
|
2188
2203
|
DOMPurify.clearConfig = function () {
|
|
2189
2204
|
CONFIG = null;
|
|
2190
2205
|
SET_CONFIG = false;
|
|
2206
|
+
SET_CONFIG_ALLOWED_TAGS = null;
|
|
2207
|
+
SET_CONFIG_ALLOWED_ATTR = null;
|
|
2191
2208
|
// Drop any caller-supplied Trusted Types policy so it cannot poison later
|
|
2192
2209
|
// `RETURN_TRUSTED_TYPE` output. The internal default policy (cached, and
|
|
2193
2210
|
// never recreated — Trusted Types throws on duplicate names) is restored by
|
|
@@ -2208,9 +2225,19 @@ function createDOMPurify() {
|
|
|
2208
2225
|
if (typeof hookFunction !== 'function') {
|
|
2209
2226
|
return;
|
|
2210
2227
|
}
|
|
2228
|
+
/* Reject unknown entry points. Without this, a non-hook key (e.g.
|
|
2229
|
+
* '__proto__') indexes off the prototype chain rather than a real
|
|
2230
|
+
* hook array, and arrayPush then writes to Object.prototype. Guard
|
|
2231
|
+
* with an own-property check against the known hook names. */
|
|
2232
|
+
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2233
|
+
return;
|
|
2234
|
+
}
|
|
2211
2235
|
arrayPush(hooks[entryPoint], hookFunction);
|
|
2212
2236
|
};
|
|
2213
2237
|
DOMPurify.removeHook = function (entryPoint, hookFunction) {
|
|
2238
|
+
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2239
|
+
return undefined;
|
|
2240
|
+
}
|
|
2214
2241
|
if (hookFunction !== undefined) {
|
|
2215
2242
|
const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
|
|
2216
2243
|
return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
|
|
@@ -2218,6 +2245,9 @@ function createDOMPurify() {
|
|
|
2218
2245
|
return arrayPop(hooks[entryPoint]);
|
|
2219
2246
|
};
|
|
2220
2247
|
DOMPurify.removeHooks = function (entryPoint) {
|
|
2248
|
+
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2249
|
+
return;
|
|
2250
|
+
}
|
|
2221
2251
|
hooks[entryPoint] = [];
|
|
2222
2252
|
};
|
|
2223
2253
|
DOMPurify.removeAllHooks = function () {
|