@vaadin/bundles 25.2.1 → 25.3.0-alpha2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +135 -135
- package/vaadin-bundle.json +1621 -1620
- package/vaadin.js +1299 -1210
- package/vaadin.js.map +1 -1
- package/vendors-node_modules_vaadin_markdown_node_modules_dompurify_dist_purify_es_mjs.js +19 -49
- package/vendors-node_modules_vaadin_markdown_node_modules_dompurify_dist_purify_es_mjs.js.map +1 -1
|
@@ -10,7 +10,7 @@ __webpack_require__.r(__webpack_exports__);
|
|
|
10
10
|
/* harmony export */ __webpack_require__.d(__webpack_exports__, {
|
|
11
11
|
/* harmony export */ "default": () => (/* binding */ purify)
|
|
12
12
|
/* harmony export */ });
|
|
13
|
-
/*! @license DOMPurify 3.4.
|
|
13
|
+
/*! @license DOMPurify 3.4.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.10/LICENSE */
|
|
14
14
|
|
|
15
15
|
function _arrayLikeToArray(r, a) {
|
|
16
16
|
(null == a || a > r.length) && (a = r.length);
|
|
@@ -347,6 +347,7 @@ const COMMENT_MARKUP_PROBE = seal(/<[/\w]/g);
|
|
|
347
347
|
const FALLBACK_TAG_CLOSE = seal(/<\/no(script|embed|frames)/i);
|
|
348
348
|
const SELF_CLOSING_TAG = seal(/\/>/i);
|
|
349
349
|
|
|
350
|
+
/* eslint-disable @typescript-eslint/indent */
|
|
350
351
|
// https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
|
|
351
352
|
const NODE_TYPE = {
|
|
352
353
|
element: 1,
|
|
@@ -436,7 +437,7 @@ const _resolveSetOption = function _resolveSetOption(cfg, key, fallback, options
|
|
|
436
437
|
function createDOMPurify() {
|
|
437
438
|
let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
|
|
438
439
|
const DOMPurify = root => createDOMPurify(root);
|
|
439
|
-
DOMPurify.version = '3.4.
|
|
440
|
+
DOMPurify.version = '3.4.10';
|
|
440
441
|
DOMPurify.removed = [];
|
|
441
442
|
if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
|
|
442
443
|
// Not running in a browser, provide a factory function
|
|
@@ -625,13 +626,6 @@ function createDOMPurify() {
|
|
|
625
626
|
let WHOLE_DOCUMENT = false;
|
|
626
627
|
/* Track whether config is already set on this instance of DOMPurify. */
|
|
627
628
|
let SET_CONFIG = false;
|
|
628
|
-
/* Pristine allowlist bindings captured at setConfig() time. On the
|
|
629
|
-
* persistent-config path sanitize() restores the sets from these before
|
|
630
|
-
* the per-walk hook clone-guard, so a hook's in-call widening cannot
|
|
631
|
-
* carry across calls. Null until setConfig() is called; reset by
|
|
632
|
-
* clearConfig(). */
|
|
633
|
-
let SET_CONFIG_ALLOWED_TAGS = null;
|
|
634
|
-
let SET_CONFIG_ALLOWED_ATTR = null;
|
|
635
629
|
/* Decide if all elements (e.g. style, script) must be children of
|
|
636
630
|
* document.body. By default, browsers might move them to document.head */
|
|
637
631
|
let FORCE_BODY = false;
|
|
@@ -941,6 +935,21 @@ function createDOMPurify() {
|
|
|
941
935
|
emptyHTML = _createTrustedHTML('');
|
|
942
936
|
}
|
|
943
937
|
}
|
|
938
|
+
/*
|
|
939
|
+
* Mirror the clone-before-mutate pattern already applied above for
|
|
940
|
+
* cfg.ADD_TAGS / cfg.ADD_ATTR: if any uponSanitize* hook is
|
|
941
|
+
* registered AND the set still points at the default constant,
|
|
942
|
+
* clone it. The hook then mutates the clone (in-call widening
|
|
943
|
+
* still works exactly as documented) and the next default-cfg
|
|
944
|
+
* call rebinds to the untouched original via the reassignment at
|
|
945
|
+
* the top of this function.
|
|
946
|
+
*/
|
|
947
|
+
if ((hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) && ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
|
|
948
|
+
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
949
|
+
}
|
|
950
|
+
if (hooks.uponSanitizeAttribute.length > 0 && ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
|
|
951
|
+
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
952
|
+
}
|
|
944
953
|
// Prevent further manipulation of configuration.
|
|
945
954
|
// Not available in IE8, Safari 5, etc.
|
|
946
955
|
if (freeze) {
|
|
@@ -1997,31 +2006,9 @@ function createDOMPurify() {
|
|
|
1997
2006
|
return dirty;
|
|
1998
2007
|
}
|
|
1999
2008
|
/* Assign config vars */
|
|
2000
|
-
if (SET_CONFIG) {
|
|
2001
|
-
/* Persistent setConfig() path: _parseConfig is skipped, so the sets are
|
|
2002
|
-
* not re-derived per call. Restore them from the pristine bindings
|
|
2003
|
-
* captured at setConfig() time so a previous call's hook clone (mutated
|
|
2004
|
-
* below) does not carry over. */
|
|
2005
|
-
ALLOWED_TAGS = SET_CONFIG_ALLOWED_TAGS;
|
|
2006
|
-
ALLOWED_ATTR = SET_CONFIG_ALLOWED_ATTR;
|
|
2007
|
-
} else {
|
|
2009
|
+
if (!SET_CONFIG) {
|
|
2008
2010
|
_parseConfig(cfg);
|
|
2009
2011
|
}
|
|
2010
|
-
/* Clone the hook-mutable allowlists before the walk whenever an
|
|
2011
|
-
* uponSanitize* hook is registered. The hook event exposes ALLOWED_TAGS
|
|
2012
|
-
* and ALLOWED_ATTR by reference (as allowedTags / allowedAttributes), so
|
|
2013
|
-
* a hook that widens them would otherwise mutate the shared set
|
|
2014
|
-
* permanently: across later calls and across every element. Cloning per
|
|
2015
|
-
* walk keeps documented in-call widening working while scoping it to the
|
|
2016
|
-
* call. A single guard for both config paths - the per-call path rebinds
|
|
2017
|
-
* the sets in _parseConfig each call, the persistent path restores them
|
|
2018
|
-
* from the captured bindings just above - so the two cannot diverge. */
|
|
2019
|
-
if (hooks.uponSanitizeElement.length > 0 || hooks.uponSanitizeAttribute.length > 0) {
|
|
2020
|
-
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
2021
|
-
}
|
|
2022
|
-
if (hooks.uponSanitizeAttribute.length > 0) {
|
|
2023
|
-
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
2024
|
-
}
|
|
2025
2012
|
/* Clean up removed elements */
|
|
2026
2013
|
DOMPurify.removed = [];
|
|
2027
2014
|
/* Resolve IN_PLACE for this call without mutating persistent config.
|
|
@@ -2197,14 +2184,10 @@ function createDOMPurify() {
|
|
|
2197
2184
|
let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
2198
2185
|
_parseConfig(cfg);
|
|
2199
2186
|
SET_CONFIG = true;
|
|
2200
|
-
SET_CONFIG_ALLOWED_TAGS = ALLOWED_TAGS;
|
|
2201
|
-
SET_CONFIG_ALLOWED_ATTR = ALLOWED_ATTR;
|
|
2202
2187
|
};
|
|
2203
2188
|
DOMPurify.clearConfig = function () {
|
|
2204
2189
|
CONFIG = null;
|
|
2205
2190
|
SET_CONFIG = false;
|
|
2206
|
-
SET_CONFIG_ALLOWED_TAGS = null;
|
|
2207
|
-
SET_CONFIG_ALLOWED_ATTR = null;
|
|
2208
2191
|
// Drop any caller-supplied Trusted Types policy so it cannot poison later
|
|
2209
2192
|
// `RETURN_TRUSTED_TYPE` output. The internal default policy (cached, and
|
|
2210
2193
|
// never recreated — Trusted Types throws on duplicate names) is restored by
|
|
@@ -2225,19 +2208,9 @@ function createDOMPurify() {
|
|
|
2225
2208
|
if (typeof hookFunction !== 'function') {
|
|
2226
2209
|
return;
|
|
2227
2210
|
}
|
|
2228
|
-
/* Reject unknown entry points. Without this, a non-hook key (e.g.
|
|
2229
|
-
* '__proto__') indexes off the prototype chain rather than a real
|
|
2230
|
-
* hook array, and arrayPush then writes to Object.prototype. Guard
|
|
2231
|
-
* with an own-property check against the known hook names. */
|
|
2232
|
-
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2233
|
-
return;
|
|
2234
|
-
}
|
|
2235
2211
|
arrayPush(hooks[entryPoint], hookFunction);
|
|
2236
2212
|
};
|
|
2237
2213
|
DOMPurify.removeHook = function (entryPoint, hookFunction) {
|
|
2238
|
-
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2239
|
-
return undefined;
|
|
2240
|
-
}
|
|
2241
2214
|
if (hookFunction !== undefined) {
|
|
2242
2215
|
const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
|
|
2243
2216
|
return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
|
|
@@ -2245,9 +2218,6 @@ function createDOMPurify() {
|
|
|
2245
2218
|
return arrayPop(hooks[entryPoint]);
|
|
2246
2219
|
};
|
|
2247
2220
|
DOMPurify.removeHooks = function (entryPoint) {
|
|
2248
|
-
if (!objectHasOwnProperty(hooks, entryPoint)) {
|
|
2249
|
-
return;
|
|
2250
|
-
}
|
|
2251
2221
|
hooks[entryPoint] = [];
|
|
2252
2222
|
};
|
|
2253
2223
|
DOMPurify.removeAllHooks = function () {
|