@yoobic/yobi 8.3.0-43 → 8.3.0-46

package/dist/esm/yoo-form-text-editor.entry.js

@@ -5,7 +5,7 @@ import { q as isString, n as compact, s as assign, i as isArray } from './lodash
 import { cZ as require$$2, c9 as process_1, d8 as MODAL_BASE_ZINDEX, aN as getUUID, C as debounce, ao as replaceAtTagToMentionTag, a3 as getSession, P as getAsyncExtraData, dm as getCustomApp, t as translate, dn as images, dp as videos, A as isWeb, dq as getColorSwatches, au as isCloudinaryLink, d2 as getVideoPoster, ag as isVideo, aS as isImageUrl, dr as asyncWaterfall, ds as showContextMenu, z as showModal, p as closeModal, av as getCurrentLanguage, dt as containsUrls, cg as replaceAndGetAllLinks, Z as translateMulti } from './overlays-be5a9ab3.js';
 import { B as Buffer } from './buffer-es6-3df916b6.js';
 import { q as querySelectorDeep, g as getAppContext } from './common-helpers-0071c2da.js';
-import { s as sanitizeMentionTag } from './entities-helpers-9ea378f0.js';
+import { s as sanitizeMentionTag } from './entities-helpers-67ff3fa4.js';
 import { a as setValueAndValidateInput } from './form-input-helpers-a792a9ab.js';
 import { g as getInsertElementProp, s as safeReplaceElement, i as isMentionTag, a as safeInsert, b as getTagHTML, c as safeInsertElements } from './form-text-area-helpers-fb84fe65.js';
 import { d as destroyMountPoints, g as generateRandomMountElementId, i as initShadowMountPoints } from './shadow-dom-helper-98f06c2b.js';
@@ -20368,7 +20368,7 @@ NoWorkResult.default = NoWorkResult;
 
 class Processor {
   constructor(plugins = []) {
-    this.version = '8.4.13';
+    this.version = '8.4.14';
     this.plugins = this.normalize(plugins);
   }
 
@@ -20511,25 +20511,27 @@ function postcss(...plugins) {
 }
 
 postcss.plugin = function plugin(name, initializer) {
-  // eslint-disable-next-line no-console
-  if (console && console.warn) {
+  let warningPrinted = false;
+  function creator(...args) {
     // eslint-disable-next-line no-console
-    console.warn(
-      name +
-        ': postcss.plugin was deprecated. Migration guide:\n' +
-        'https://evilmartians.com/chronicles/postcss-8-plugin-migration'
-    );
-    if (process_1.env.LANG && process_1.env.LANG.startsWith('cn')) {
-      /* c8 ignore next 7 */
+    if (console && console.warn && !warningPrinted) {
+      warningPrinted = true;
       // eslint-disable-next-line no-console
       console.warn(
         name +
-          ': 里面 postcss.plugin 被弃用. 迁移指南:\n' +
-          'https://www.w3ctech.com/topic/2226'
+          ': postcss.plugin was deprecated. Migration guide:\n' +
+          'https://evilmartians.com/chronicles/postcss-8-plugin-migration'
       );
+      if (process_1.env.LANG && process_1.env.LANG.startsWith('cn')) {
+        /* c8 ignore next 7 */
+        // eslint-disable-next-line no-console
+        console.warn(
+          name +
+            ': 里面 postcss.plugin 被弃用. 迁移指南:\n' +
+            'https://www.w3ctech.com/topic/2226'
+        );
+      }
     }
-  }
-  function creator(...args) {
     let transformer = initializer(...args);
     transformer.postcssPlugin = name;
     transformer.postcssVersion = new processor().version;
@@ -20871,7 +20873,6 @@ function sanitizeHtml(html, options, _recursing) {
             delete frame.attribs[a];
             return;
           }
-          let parsed;
           // check allowedAttributesMap for the element and attribute and modify the value
           // as necessary if there are specific values defined.
           let passedAllowedAttributesMapCheck = false;
@@ -20919,14 +20920,14 @@ function sanitizeHtml(html, options, _recursing) {
               let allowed = true;
 
               try {
-                const parsed = new URL(value);
+                const parsed = parseUrl(value);
 
                 if (options.allowedScriptHostnames || options.allowedScriptDomains) {
                   const allowedHostname = (options.allowedScriptHostnames || []).find(function (hostname) {
-                    return hostname === parsed.hostname;
+                    return hostname === parsed.url.hostname;
                   });
                   const allowedDomain = (options.allowedScriptDomains || []).find(function(domain) {
-                    return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`);
+                    return parsed.url.hostname === domain || parsed.url.hostname.endsWith(`.${domain}`);
                   });
                   allowed = allowedHostname || allowedDomain;
                 }
@@ -20943,29 +20944,9 @@ function sanitizeHtml(html, options, _recursing) {
             if (name === 'iframe' && a === 'src') {
               let allowed = true;
               try {
-                // Chrome accepts \ as a substitute for / in the // at the
-                // start of a URL, so rewrite accordingly to prevent exploit.
-                // Also drop any whitespace at that point in the URL
-                value = value.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, '$1//');
-                if (value.startsWith('relative:')) {
-                  // An attempt to exploit our workaround for base URLs being
-                  // mandatory for relative URL validation in the WHATWG
-                  // URL parser, reject it
-                  throw new Error('relative: exploit attempt');
-                }
-                // naughtyHref is in charge of whether protocol relative URLs
-                // are cool. Here we are concerned just with allowed hostnames and
-                // whether to allow relative URLs.
-                //
-                // Build a placeholder "base URL" against which any reasonable
-                // relative URL may be parsed successfully
-                let base = 'relative://relative-site';
-                for (let i = 0; (i < 100); i++) {
-                  base += `/${i}`;
-                }
-                const parsed = new URL(value, base);
-                const isRelativeUrl = parsed && parsed.hostname === 'relative-site' && parsed.protocol === 'relative:';
-                if (isRelativeUrl) {
+                const parsed = parseUrl(value);
+
+                if (parsed.isRelativeUrl) {
                   // default value of allowIframeRelativeUrls is true
                   // unless allowedIframeHostnames or allowedIframeDomains specified
                   allowed = has(options, 'allowIframeRelativeUrls')
@@ -20973,10 +20954,10 @@ function sanitizeHtml(html, options, _recursing) {
                     : (!options.allowedIframeHostnames && !options.allowedIframeDomains);
                 } else if (options.allowedIframeHostnames || options.allowedIframeDomains) {
                   const allowedHostname = (options.allowedIframeHostnames || []).find(function (hostname) {
-                    return hostname === parsed.hostname;
+                    return hostname === parsed.url.hostname;
                   });
                   const allowedDomain = (options.allowedIframeDomains || []).find(function(domain) {
-                    return parsed.hostname === domain || parsed.hostname.endsWith(`.${domain}`);
+                    return parsed.url.hostname === domain || parsed.url.hostname.endsWith(`.${domain}`);
                   });
                   allowed = allowedHostname || allowedDomain;
                 }
@@ -20991,7 +20972,7 @@ function sanitizeHtml(html, options, _recursing) {
             }
             if (a === 'srcset') {
               try {
-                parsed = parseSrcset(value);
+                let parsed = parseSrcset(value);
                 parsed.forEach(function(value) {
                   if (naughtyHref('srcset', value.url)) {
                     value.evil = true;
@@ -21217,7 +21198,17 @@ function sanitizeHtml(html, options, _recursing) {
     // Clobber any comments in URLs, which the browser might
     // interpret inside an XML data island, allowing
     // a javascript: URL to be snuck through
-    href = href.replace(/<!--.*?-->/g, '');
+    while (true) {
+      const firstIndex = href.indexOf('<!--');
+      if (firstIndex === -1) {
+        break;
+      }
+      const lastIndex = href.indexOf('-->', firstIndex + 4);
+      if (lastIndex === -1) {
+        break;
+      }
+      href = href.substring(0, firstIndex) + href.substring(lastIndex + 3);
+    }
     // Case insensitive so we don't get faked out by JAVASCRIPT #1
     // Allow more characters after the first so we don't get faked
     // out by certain schemes browsers accept
@@ -21240,6 +21231,33 @@ function sanitizeHtml(html, options, _recursing) {
     return !options.allowedSchemes || options.allowedSchemes.indexOf(scheme) === -1;
   }
 
+  function parseUrl(value) {
+    value = value.replace(/^(\w+:)?\s*[\\/]\s*[\\/]/, '$1//');
+    if (value.startsWith('relative:')) {
+      // An attempt to exploit our workaround for base URLs being
+      // mandatory for relative URL validation in the WHATWG
+      // URL parser, reject it
+      throw new Error('relative: exploit attempt');
+    }
+    // naughtyHref is in charge of whether protocol relative URLs
+    // are cool. Here we are concerned just with allowed hostnames and
+    // whether to allow relative URLs.
+    //
+    // Build a placeholder "base URL" against which any reasonable
+    // relative URL may be parsed successfully
+    let base = 'relative://relative-site';
+    for (let i = 0; (i < 100); i++) {
+      base += `/${i}`;
+    }
+
+    const parsed = new URL(value, base);
+
+    const isRelativeUrl = parsed && parsed.hostname === 'relative-site' && parsed.protocol === 'relative:';
+    return {
+      isRelativeUrl,
+      url: parsed
+    };
+  }
   /**
    * Filters user input css properties by allowlisted regex attributes.
    * Modifies the abstractSyntaxTree object.

package/dist/esm/yoo-form-todo-task-list.entry.js

@@ -107,9 +107,8 @@ const YooFormTodoTaskListComponent = class {
     return updated;
   }
   async deleteTask(index, withConfirmation = true) {
-    var _a, _b;
     const result = withConfirmation
-      ? await showAlert(translate('DELETETASK'), [translate('CANCEL'), { cssClass: 'danger', text: translate('DELETE') }], translate('CONFIRMDELETETASK', { title: ((_b = (_a = this.value.values[index]) === null || _a === void 0 ? void 0 : _a.text) === null || _b === void 0 ? void 0 : _b.value) || '' }))
+      ? await showAlert(translate('DELETETASK'), [translate('CANCEL'), { cssClass: 'danger', text: translate('DELETE') }], translate('CONFIRMDELETETASK'))
       : true;
     if (result) {
       this.updateValue({ ...this.value, values: [...this.value.values.slice(0, index), ...this.value.values.slice(index + 1)] });

package/dist/esm/yoo-grid.entry.js

@@ -7,7 +7,7 @@ import './index-4d88723b.js';
 import { g as getButton } from './button.factory-6c7aab55.js';
 import { a as assignPressActions } from './index-0ecbfd27.js';
 import { c as querySelectorAllDeep, r as hideShowSearchBar, t as getNextValueInArray, g as getAppContext } from './common-helpers-0071c2da.js';
-import { m as mapCustomViewToButton, l as isKanbanColumnField } from './filters-helpers-41224cde.js';
+import { m as mapCustomViewToButton, l as isKanbanColumnField } from './filters-helpers-ded9ed03.js';
 import { s as setValidator, a as setValueAndValidateInput } from './form-input-helpers-a792a9ab.js';
 import { g as getRenderer } from './grid-renderers-43b55d35.js';
 import { es as HorizontalSlidesAnimation, A as isWeb, aq as pipes, aF as isPresent, dS as safeScrollIntoView, P as getAsyncExtraData, et as MONGODB_ID_REGEX, bC as filterListByText, a3 as getSession, da as isAnimationsDisabled, eu as isMapField, X as isNullOrUndefined, t as translate, z as showModal, Z as translateMulti, az as toButton, cR as getAuthentication, af as showActionSheet, bi as isOffline, bz as isDateTimeField, al as dispatchCustomEvent, dP as isFirefox, ev as isForceScrollbar } from './overlays-be5a9ab3.js';