ember-source 4.11.0-alpha.6 → 4.11.0

package/dist/header/license.js

@@ -5,5 +5,5 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   4.11.0-alpha.6
+ * @version   4.11.0
  */

package/dist/packages/@ember/-internals/glimmer/index.js

@@ -2554,13 +2554,58 @@ setHelperManager(() => SIMPLE_CLASSIC_HELPER_MANAGER, Wrapper.prototype);
 /**
 @module @ember/template
 */
+/**
+  A wrapper around a string that has been marked as safe ("trusted"). **When
+  rendered in HTML, Ember will not perform any escaping.**
+
+  Note:
+
+  1. This does not *make* the string safe; it means that some code in your
+     application has *marked* it as safe using the `htmlSafe()` function.
+
+  2. The only public API for getting a `SafeString` is calling `htmlSafe()`. It
+     is *not* user-constructible.
+
+  If a string contains user inputs or other untrusted data, you must sanitize
+  the string before using the `htmlSafe` method. Otherwise your code is
+  vulnerable to [Cross-Site Scripting][xss]. There are many open source
+  sanitization libraries to choose from, both for front end and server-side
+  sanitization.
+
+  [xss]: https://owasp.org/www-community/attacks/DOM_Based_XSS
+
+  ```javascript
+  import { htmlSafe } from '@ember/template';
+
+  let someTrustedOrSanitizedString = "<div>Hello!</div>"
+
+  htmlSafe(someTrustedorSanitizedString);
+  ```
+
+  @for @ember/template
+  @class SafeString
+  @since 4.12.0
+  @public
+ */
 class SafeString {
   constructor(string) {
-    this.string = string;
+    this.__string = string;
   }
+  /**
+    Get the string back to use as a string.
+       @public
+    @method toString
+    @returns {String} The string marked as trusted
+   */
   toString() {
-    return `${this.string}`;
+    return `${this.__string}`;
   }
+  /**
+    Get the wrapped string as HTML to use without escaping.
+       @public
+    @method toHTML
+    @returns {String} the trusted string, without any escaping applied
+   */
   toHTML() {
     return this.toString();
   }
@@ -2580,9 +2625,10 @@ function escapeChar(chr) {
   return escape[chr];
 }
 function escapeExpression(string) {
+  let s;
   if (typeof string !== 'string') {
     // don't escape SafeStrings, since they're already safe
-    if (string && string.toHTML) {
+    if (isHTMLSafe$1(string)) {
       return string.toHTML();
     } else if (string === null || string === undefined) {
       return '';
@@ -2592,12 +2638,21 @@ function escapeExpression(string) {
     // Force a string conversion as this will be done by the append regardless and
     // the regex test will do this transparently behind the scenes, causing issues if
     // an object's to string has escaped characters in it.
-    string = String(string);
-  }
-  if (!possible.test(string)) {
-    return string;
-  }
-  return string.replace(badChars, escapeChar);
+    s = String(string);
+  } else {
+    s = string;
+  }
+  if (!possible.test(s)) {
+    return s;
+  }
+  // SAFETY: this is technically a lie, but it's a true lie as long as the
+  // invariant it depends on is upheld: `escapeChar` will always return a string
+  // as long as its input is one of the characters in `escape`, and it will only
+  // be called if it matches one of the characters in the `badChar` regex, which
+  // is hand-maintained to match the set escaped. (It would be nice if TS could
+  // "see" into the regex to see how this works, but that'd be quite a lot of
+  // extra fanciness.)
+  return s.replace(badChars, escapeChar);
 }
 /**
   Use this method to indicate that a string should be rendered as HTML
@@ -2623,6 +2678,7 @@ function escapeExpression(string) {
 
   @method htmlSafe
   @for @ember/template
+  @param str {String} The string to treat as trusted.
   @static
   @return {SafeString} A string that will not be HTML escaped by Handlebars.
   @public
@@ -2641,8 +2697,8 @@ function htmlSafe(str) {
   ```javascript
   import { htmlSafe, isHTMLSafe } from '@ember/template';
 
-  var plainString = 'plain string',
-      safeString = htmlSafe('<div>someValue</div>');
+  let plainString = 'plain string';
+  let safeString = htmlSafe('<div>someValue</div>');
 
   isHTMLSafe(plainString); // false
   isHTMLSafe(safeString);  // true
@@ -2655,7 +2711,7 @@ function htmlSafe(str) {
   @public
 */
 function isHTMLSafe$1(str) {
-  return str !== null && typeof str === 'object' && typeof str.toHTML === 'function';
+  return str !== null && typeof str === 'object' && 'toHTML' in str && typeof str.toHTML === 'function';
 }
 
 function instrumentationPayload(def) {

package/dist/packages/@ember/canary-features/index.js

@@ -47,10 +47,11 @@ export function isEnabled(feature) {
     return false;
   }
 }
-function featureValue(value) {
-  if (ENV.ENABLE_OPTIONAL_FEATURES && value === null) {
-    return true;
-  }
-  return value;
-}
+// Uncomment the below when features are present:
+// function featureValue(value: null | boolean) {
+//   if (ENV.ENABLE_OPTIONAL_FEATURES && value === null) {
+//     return true;
+//   }
+//   return value;
+// }
 // export const FLAG_NAME = featureValue(FEATURES.FLAG_NAME);

package/dist/packages/@ember/template/index.js

@@ -1 +1,3 @@
+// NOTE: this intentionally *only* exports the *type* `SafeString`, not its
+// value, since it should not be constructed by users.
 export { htmlSafe, isHTMLSafe } from '@ember/-internals/glimmer';

package/dist/packages/ember/version.js

@@ -1 +1 @@
-export default "4.11.0-alpha.6";
+export default "4.11.0";

package/docs/data.json

@@ -3,7 +3,7 @@
     "name": "The Ember API",
     "description": "The Ember API: a framework for building ambitious web applications",
     "url": "https://emberjs.com/",
-    "version": "4.11.0-alpha.6"
+    "version": "4.11.0"
   },
   "files": {
     "node_modules/rsvp/lib/rsvp/promise/all.js": {
@@ -498,7 +498,9 @@
       "modules": {
         "@ember/template": 1
       },
-      "classes": {},
+      "classes": {
+        "SafeString": 1
+      },
       "fors": {
         "@ember/template": 1
       },
@@ -1898,7 +1900,8 @@
       "submodules": {},
       "elements": {},
       "classes": {
-        "@ember/template": 1
+        "@ember/template": 1,
+        "SafeString": 1
       },
       "fors": {
         "@ember/template": 1
@@ -1906,7 +1909,7 @@
       "namespaces": {},
       "tag": "module",
       "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
-      "line": 1
+      "line": 7
     },
     "@glimmer/component": {
       "name": "@glimmer/component",
@@ -2803,6 +2806,23 @@
       "module": "@ember/template",
       "namespace": ""
     },
+    "SafeString": {
+      "name": "SafeString",
+      "shortname": "SafeString",
+      "classitems": [],
+      "plugins": [],
+      "extensions": [],
+      "plugin_for": [],
+      "extension_for": [],
+      "module": "@ember/template",
+      "namespace": "",
+      "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
+      "line": 7,
+      "description": "A wrapper around a string that has been marked as safe (\"trusted\"). **When\nrendered in HTML, Ember will not perform any escaping.**\n\nNote:\n\n1. This does not *make* the string safe; it means that some code in your\n   application has *marked* it as safe using the `htmlSafe()` function.\n\n2. The only public API for getting a `SafeString` is calling `htmlSafe()`. It\n   is *not* user-constructible.\n\nIf a string contains user inputs or other untrusted data, you must sanitize\nthe string before using the `htmlSafe` method. Otherwise your code is\nvulnerable to [Cross-Site Scripting][xss]. There are many open source\nsanitization libraries to choose from, both for front end and server-side\nsanitization.\n\n[xss]: https://owasp.org/www-community/attacks/DOM_Based_XSS\n\n```javascript\nimport { htmlSafe } from '@ember/template';\n\nlet someTrustedOrSanitizedString = \"<div>Hello!</div>\"\n\nhtmlSafe(someTrustedorSanitizedString);\n```",
+      "since": "4.12.0",
+      "access": "public",
+      "tagname": ""
+    },
     "Component": {
       "name": "Component",
       "shortname": "Component",
@@ -6254,10 +6274,47 @@
     },
     {
       "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
-      "line": 61,
+      "line": 47,
+      "description": "Get the string back to use as a string.",
+      "access": "public",
+      "tagname": "",
+      "itemtype": "method",
+      "name": "toString",
+      "return": {
+        "description": "The string marked as trusted",
+        "type": "String"
+      },
+      "class": "SafeString",
+      "module": "@ember/template"
+    },
+    {
+      "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
+      "line": 58,
+      "description": "Get the wrapped string as HTML to use without escaping.",
+      "access": "public",
+      "tagname": "",
+      "itemtype": "method",
+      "name": "toHTML",
+      "return": {
+        "description": "the trusted string, without any escaping applied",
+        "type": "String"
+      },
+      "class": "SafeString",
+      "module": "@ember/template"
+    },
+    {
+      "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
+      "line": 121,
       "description": "Use this method to indicate that a string should be rendered as HTML\nwhen the string is used in a template. To say this another way,\nstrings marked with `htmlSafe` will not be HTML escaped.\n\nA word of warning -   The `htmlSafe` method does not make the string safe;\nit only tells the framework to treat the string as if it is safe to render\nas HTML. If a string contains user inputs or other untrusted\ndata, you must sanitize the string before using the `htmlSafe` method.\nOtherwise your code is vulnerable to\n[Cross-Site Scripting](https://owasp.org/www-community/attacks/DOM_Based_XSS).\nThere are many open source sanitization libraries to choose from,\nboth for front end and server-side sanitization.\n\n```javascript\nimport { htmlSafe } from '@ember/template';\n\nconst someTrustedOrSanitizedString = \"<div>Hello!</div>\"\n\nhtmlSafe(someTrustedorSanitizedString)\n```",
       "itemtype": "method",
       "name": "htmlSafe",
+      "params": [
+        {
+          "name": "str",
+          "description": "The string to treat as trusted.",
+          "type": "String"
+        }
+      ],
       "static": 1,
       "return": {
         "description": "A string that will not be HTML escaped by Handlebars.",
@@ -6270,8 +6327,8 @@
     },
     {
       "file": "packages/@ember/-internals/glimmer/lib/utils/string.ts",
-      "line": 98,
-      "description": "Detects if a string was decorated using `htmlSafe`.\n\n```javascript\nimport { htmlSafe, isHTMLSafe } from '@ember/template';\n\nvar plainString = 'plain string',\n    safeString = htmlSafe('<div>someValue</div>');\n\nisHTMLSafe(plainString); // false\nisHTMLSafe(safeString);  // true\n```",
+      "line": 159,
+      "description": "Detects if a string was decorated using `htmlSafe`.\n\n```javascript\nimport { htmlSafe, isHTMLSafe } from '@ember/template';\n\nlet plainString = 'plain string';\nlet safeString = htmlSafe('<div>someValue</div>');\n\nisHTMLSafe(plainString); // false\nisHTMLSafe(safeString);  // true\n```",
       "itemtype": "method",
       "name": "isHTMLSafe",
       "static": 1,
@@ -19404,6 +19461,14 @@
       "message": "replacing incorrect tag: returns with return",
       "line": " packages/@ember/-internals/container/lib/container.ts:195"
     },
+    {
+      "message": "replacing incorrect tag: returns with return",
+      "line": " packages/@ember/-internals/glimmer/lib/utils/string.ts:47"
+    },
+    {
+      "message": "replacing incorrect tag: returns with return",
+      "line": " packages/@ember/-internals/glimmer/lib/utils/string.ts:58"
+    },
     {
       "message": "unknown tag: decorator",
       "line": " packages/@ember/-internals/metal/lib/tracked.ts:12"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ember-source",
-  "version": "4.11.0-alpha.6",
+  "version": "4.11.0",
   "description": "A JavaScript framework for creating ambitious web applications",
   "keywords": [
     "ember-addon"
@@ -182,9 +182,6 @@
       ]
     }
   },
-  "_originalVersion": "4.11.0-alpha.6",
-  "_versionPreviouslyCalculated": true,
-  "publishConfig": {
-    "tag": "alpha"
-  }
-}
+  "_originalVersion": "4.11.0",
+  "_versionPreviouslyCalculated": true
+}

package/types/preview/@ember/template/index.d.ts

@@ -1,5 +1,6 @@
 declare module '@ember/template' {
   import { SafeString } from '@ember/template/-private/handlebars';
+  export type { SafeString };
   export function htmlSafe(str: string): SafeString;
   export function isHTMLSafe(str: unknown): str is SafeString;
 }

package/types/stable/@ember/-internals/glimmer/lib/utils/string.d.ts

@@ -2,13 +2,61 @@ declare module '@ember/-internals/glimmer/lib/utils/string' {
   /**
     @module @ember/template
     */
-  export class SafeString {
-    string: string;
+  import type { SafeString as GlimmerSafeString } from '@glimmer/runtime';
+  /**
+      A wrapper around a string that has been marked as safe ("trusted"). **When
+      rendered in HTML, Ember will not perform any escaping.**
+
+      Note:
+
+      1. This does not *make* the string safe; it means that some code in your
+         application has *marked* it as safe using the `htmlSafe()` function.
+
+      2. The only public API for getting a `SafeString` is calling `htmlSafe()`. It
+         is *not* user-constructible.
+
+      If a string contains user inputs or other untrusted data, you must sanitize
+      the string before using the `htmlSafe` method. Otherwise your code is
+      vulnerable to [Cross-Site Scripting][xss]. There are many open source
+      sanitization libraries to choose from, both for front end and server-side
+      sanitization.
+
+      [xss]: https://owasp.org/www-community/attacks/DOM_Based_XSS
+
+      ```javascript
+      import { htmlSafe } from '@ember/template';
+
+      let someTrustedOrSanitizedString = "<div>Hello!</div>"
+
+      htmlSafe(someTrustedorSanitizedString);
+      ```
+
+      @for @ember/template
+      @class SafeString
+      @since 4.12.0
+      @public
+     */
+  export class SafeString implements GlimmerSafeString {
+    private __string;
     constructor(string: string);
+    /**
+          Get the string back to use as a string.
+      
+          @public
+          @method toString
+          @returns {String} The string marked as trusted
+         */
     toString(): string;
+    /**
+          Get the wrapped string as HTML to use without escaping.
+      
+          @public
+          @method toHTML
+          @returns {String} the trusted string, without any escaping applied
+         */
     toHTML(): string;
   }
-  export function escapeExpression(string: any): string;
+  export function escapeExpression(string: unknown): string;
   /**
       Use this method to indicate that a string should be rendered as HTML
       when the string is used in a template. To say this another way,
@@ -33,6 +81,7 @@ declare module '@ember/-internals/glimmer/lib/utils/string' {
 
       @method htmlSafe
       @for @ember/template
+      @param str {String} The string to treat as trusted.
       @static
       @return {SafeString} A string that will not be HTML escaped by Handlebars.
       @public
@@ -44,8 +93,8 @@ declare module '@ember/-internals/glimmer/lib/utils/string' {
       ```javascript
       import { htmlSafe, isHTMLSafe } from '@ember/template';
 
-      var plainString = 'plain string',
-          safeString = htmlSafe('<div>someValue</div>');
+      let plainString = 'plain string';
+      let safeString = htmlSafe('<div>someValue</div>');
 
       isHTMLSafe(plainString); // false
       isHTMLSafe(safeString);  // true
@@ -57,5 +106,5 @@ declare module '@ember/-internals/glimmer/lib/utils/string' {
       @return {Boolean} `true` if the string was decorated with `htmlSafe`, `false` otherwise.
       @public
     */
-  export function isHTMLSafe(str: any | null | undefined): str is SafeString;
+  export function isHTMLSafe(str: unknown): str is SafeString;
 }

package/types/stable/@ember/string/index.d.ts

@@ -159,5 +159,5 @@ declare module '@ember/string' {
     */
   export function capitalize(str: string): string;
   export function htmlSafe(str: string): SafeString;
-  export function isHTMLSafe(str: any | null | undefined): str is SafeString;
+  export function isHTMLSafe(str: unknown): str is SafeString;
 }

package/types/stable/@ember/template/index.d.ts

@@ -1,3 +1,3 @@
 declare module '@ember/template' {
-  export { htmlSafe, isHTMLSafe } from '@ember/-internals/glimmer';
+  export { htmlSafe, isHTMLSafe, type SafeString } from '@ember/-internals/glimmer';
 }