@vaadin/bundles 25.2.1 → 25.3.0-alpha2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -10,7 +10,7 @@ __webpack_require__.r(__webpack_exports__);
10
10
  /* harmony export */ __webpack_require__.d(__webpack_exports__, {
11
11
  /* harmony export */ "default": () => (/* binding */ purify)
12
12
  /* harmony export */ });
13
- /*! @license DOMPurify 3.4.11 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.11/LICENSE */
13
+ /*! @license DOMPurify 3.4.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.10/LICENSE */
14
14
 
15
15
  function _arrayLikeToArray(r, a) {
16
16
  (null == a || a > r.length) && (a = r.length);
@@ -347,6 +347,7 @@ const COMMENT_MARKUP_PROBE = seal(/<[/\w]/g);
347
347
  const FALLBACK_TAG_CLOSE = seal(/<\/no(script|embed|frames)/i);
348
348
  const SELF_CLOSING_TAG = seal(/\/>/i);
349
349
 
350
+ /* eslint-disable @typescript-eslint/indent */
350
351
  // https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
351
352
  const NODE_TYPE = {
352
353
  element: 1,
@@ -436,7 +437,7 @@ const _resolveSetOption = function _resolveSetOption(cfg, key, fallback, options
436
437
  function createDOMPurify() {
437
438
  let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
438
439
  const DOMPurify = root => createDOMPurify(root);
439
- DOMPurify.version = '3.4.11';
440
+ DOMPurify.version = '3.4.10';
440
441
  DOMPurify.removed = [];
441
442
  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
442
443
  // Not running in a browser, provide a factory function
@@ -625,13 +626,6 @@ function createDOMPurify() {
625
626
  let WHOLE_DOCUMENT = false;
626
627
  /* Track whether config is already set on this instance of DOMPurify. */
627
628
  let SET_CONFIG = false;
628
- /* Pristine allowlist bindings captured at setConfig() time. On the
629
- * persistent-config path sanitize() restores the sets from these before
630
- * the per-walk hook clone-guard, so a hook's in-call widening cannot
631
- * carry across calls. Null until setConfig() is called; reset by
632
- * clearConfig(). */
633
- let SET_CONFIG_ALLOWED_TAGS = null;
634
- let SET_CONFIG_ALLOWED_ATTR = null;
635
629
  /* Decide if all elements (e.g. style, script) must be children of
636
630
  * document.body. By default, browsers might move them to document.head */
637
631
  let FORCE_BODY = false;
@@ -941,6 +935,21 @@ function createDOMPurify() {
941
935
  emptyHTML = _createTrustedHTML('');
942
936
  }
943
937
  }
938
+ /*
939
+ * Mirror the clone-before-mutate pattern already applied above for
940
+ * cfg.ADD_TAGS / cfg.ADD_ATTR: if any uponSanitize* hook is
941
+ * registered AND the set still points at the default constant,
942
+ * clone it. The hook then mutates the clone (in-call widening
943
+ * still works exactly as documented) and the next default-cfg
944
+ * call rebinds to the untouched original via the reassignment at
945
+ * the top of this function.
946
+ */
947
+ if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
948
+ ALLOWED_TAGS = clone(ALLOWED_TAGS);
949
+ }
950
+ if (hooks.uponSanitizeAttribute.length > 0 && ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
951
+ ALLOWED_ATTR = clone(ALLOWED_ATTR);
952
+ }
944
953
  // Prevent further manipulation of configuration.
945
954
  // Not available in IE8, Safari 5, etc.
946
955
  if (freeze) {
@@ -1997,31 +2006,9 @@ function createDOMPurify() {
1997
2006
  return dirty;
1998
2007
  }
1999
2008
  /* Assign config vars */
2000
- if (SET_CONFIG) {
2001
- /* Persistent setConfig() path: _parseConfig is skipped, so the sets are
2002
- * not re-derived per call. Restore them from the pristine bindings
2003
- * captured at setConfig() time so a previous call's hook clone (mutated
2004
- * below) does not carry over. */
2005
- ALLOWED_TAGS = SET_CONFIG_ALLOWED_TAGS;
2006
- ALLOWED_ATTR = SET_CONFIG_ALLOWED_ATTR;
2007
- } else {
2009
+ if (!SET_CONFIG) {
2008
2010
  _parseConfig(cfg);
2009
2011
  }
2010
- /* Clone the hook-mutable allowlists before the walk whenever an
2011
- * uponSanitize* hook is registered. The hook event exposes ALLOWED_TAGS
2012
- * and ALLOWED_ATTR by reference (as allowedTags / allowedAttributes), so
2013
- * a hook that widens them would otherwise mutate the shared set
2014
- * permanently: across later calls and across every element. Cloning per
2015
- * walk keeps documented in-call widening working while scoping it to the
2016
- * call. A single guard for both config paths - the per-call path rebinds
2017
- * the sets in _parseConfig each call, the persistent path restores them
2018
- * from the captured bindings just above - so the two cannot diverge. */
2019
- if (hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) {
2020
- ALLOWED_TAGS = clone(ALLOWED_TAGS);
2021
- }
2022
- if (hooks.uponSanitizeAttribute.length > 0) {
2023
- ALLOWED_ATTR = clone(ALLOWED_ATTR);
2024
- }
2025
2012
  /* Clean up removed elements */
2026
2013
  DOMPurify.removed = [];
2027
2014
  /* Resolve IN_PLACE for this call without mutating persistent config.
@@ -2197,14 +2184,10 @@ function createDOMPurify() {
2197
2184
  let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
2198
2185
  _parseConfig(cfg);
2199
2186
  SET_CONFIG = true;
2200
- SET_CONFIG_ALLOWED_TAGS = ALLOWED_TAGS;
2201
- SET_CONFIG_ALLOWED_ATTR = ALLOWED_ATTR;
2202
2187
  };
2203
2188
  DOMPurify.clearConfig = function () {
2204
2189
  CONFIG = null;
2205
2190
  SET_CONFIG = false;
2206
- SET_CONFIG_ALLOWED_TAGS = null;
2207
- SET_CONFIG_ALLOWED_ATTR = null;
2208
2191
  // Drop any caller-supplied Trusted Types policy so it cannot poison later
2209
2192
  // `RETURN_TRUSTED_TYPE` output. The internal default policy (cached, and
2210
2193
  // never recreated — Trusted Types throws on duplicate names) is restored by
@@ -2225,19 +2208,9 @@ function createDOMPurify() {
2225
2208
  if (typeof hookFunction !== 'function') {
2226
2209
  return;
2227
2210
  }
2228
- /* Reject unknown entry points. Without this, a non-hook key (e.g.
2229
- * '__proto__') indexes off the prototype chain rather than a real
2230
- * hook array, and arrayPush then writes to Object.prototype. Guard
2231
- * with an own-property check against the known hook names. */
2232
- if (!objectHasOwnProperty(hooks, entryPoint)) {
2233
- return;
2234
- }
2235
2211
  arrayPush(hooks[entryPoint], hookFunction);
2236
2212
  };
2237
2213
  DOMPurify.removeHook = function (entryPoint, hookFunction) {
2238
- if (!objectHasOwnProperty(hooks, entryPoint)) {
2239
- return undefined;
2240
- }
2241
2214
  if (hookFunction !== undefined) {
2242
2215
  const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
2243
2216
  return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
@@ -2245,9 +2218,6 @@ function createDOMPurify() {
2245
2218
  return arrayPop(hooks[entryPoint]);
2246
2219
  };
2247
2220
  DOMPurify.removeHooks = function (entryPoint) {
2248
- if (!objectHasOwnProperty(hooks, entryPoint)) {
2249
- return;
2250
- }
2251
2221
  hooks[entryPoint] = [];
2252
2222
  };
2253
2223
  DOMPurify.removeAllHooks = function () {