npm - ember-source - Versions diffs - 6.7.0-alpha.2 → 6.7.0-alpha.4 - Mend

ember-source 6.7.0-alpha.2 → 6.7.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (84) hide show

package/dist/ember.prod.js CHANGED Viewed

@@ -5,7 +5,7 @@
  *            Portions Copyright 2008-2011 Apple Inc. All rights reserved.
  * @license   Licensed under MIT license
  *            See https://raw.github.com/emberjs/ember.js/master/LICENSE
- * @version   6.7.0-alpha.2
+ * @version   6.7.0-alpha.4
  */
 /* eslint-disable no-var */
 /* globals global globalThis self */
@@ -742,20 +742,6 @@ var define, require;
               }
             }
-            // TODO: Remove in Ember 6.5. This setting code for EXTEND_PROTOTYPES
-            // should stay for at least an LTS cycle so that users get the explicit
-            // deprecation exception when it breaks in >= 6.0.0.
-            let {
-              EXTEND_PROTOTYPES
-            } = EmberENV;
-            if (EXTEND_PROTOTYPES !== undefined) {
-              if (typeof EXTEND_PROTOTYPES === 'object' && EXTEND_PROTOTYPES !== null) {
-                ENV.EXTEND_PROTOTYPES.Array = EXTEND_PROTOTYPES.Array !== false;
-              } else {
-                ENV.EXTEND_PROTOTYPES.Array = EXTEND_PROTOTYPES !== false;
-              }
-            }
             // TODO this does not seem to be used by anything,
             //      can we remove it? do we need to deprecate it?
             let {
@@ -2130,7 +2116,7 @@ var define, require;
           }, Symbol.toStringTag, { value: 'Module' });
           // this file gets replaced with the real value during the build
-          const Version = '6.7.0-alpha.2';
+          const Version = '6.7.0-alpha.4';
           const emberVersion = /*#__PURE__*/Object.defineProperty({
                     __proto__: null,
@@ -2325,16 +2311,6 @@ var define, require;
                 url: `https://deprecations.emberjs.com/id/import-${dasherize(importName).toLowerCase()}-from-ember`
               });
             },
-            DEPRECATE_ARRAY_PROTOTYPE_EXTENSIONS: deprecation({
-              id: 'deprecate-array-prototype-extensions',
-              url: 'https://deprecations.emberjs.com/id/deprecate-array-prototype-extensions',
-              until: '6.0.0',
-              for: 'ember-source',
-              since: {
-                available: '5.10.0',
-                enabled: '5.10.0'
-              }
-            }),
             DEPRECATE_IMPORT_INJECT: deprecation({
               for: 'ember-source',
               id: 'importing-inject-from-ember-service',
@@ -2354,12 +2330,6 @@ var define, require;
               throw new Error(`The API deprecated by ${options.id} was removed in ember-source ${options.until}. The message was: ${message}. Please see ${options.url} for more details.`);
             }
           }
-          const {
-            EXTEND_PROTOTYPES
-          } = ENV;
-          if (EXTEND_PROTOTYPES.Array !== false) {
-            deprecateUntil('Array prototype extensions are deprecated. Follow the deprecation guide for migration instructions, and set EmberENV.EXTEND_PROTOTYPES to false in your config/environment.js', DEPRECATIONS.DEPRECATE_ARRAY_PROTOTYPE_EXTENSIONS);
-          }
           const emberinternalsDeprecationsIndex = /*#__PURE__*/Object.defineProperty({
                     __proto__: null,
@@ -24380,19 +24350,19 @@ var define, require;
           */
           /**
-            A wrapper around a string that has been marked as safe ("trusted"). **When
+            A wrapper around a string that has been marked as "trusted". **When
             rendered in HTML, Ember will not perform any escaping.**
             Note:
             1. This does not *make* the string safe; it means that some code in your
-               application has *marked* it as safe using the `htmlSafe()` function.
+               application has *marked* it as trusted using the `trustHTML()` function.
-            2. The only public API for getting a `SafeString` is calling `htmlSafe()`. It
+            2. The only public API for getting a `TrutsedHTML` is calling `trustHTML()`. It
                is *not* user-constructible.
             If a string contains user inputs or other untrusted data, you must sanitize
-            the string before using the `htmlSafe` method. Otherwise your code is
+            the string before using the `trustHTML` method. Otherwise your code is
             vulnerable to [Cross-Site Scripting][xss]. There are many open source
             sanitization libraries to choose from, both for front end and server-side
             sanitization.
@@ -24400,19 +24370,19 @@ var define, require;
             [xss]: https://owasp.org/www-community/attacks/DOM_Based_XSS
             ```javascript
-            import { htmlSafe } from '@ember/template';
+            import { trustHTML } from '@ember/template';
             let someTrustedOrSanitizedString = "<div>Hello!</div>"
-            htmlSafe(someTrustedorSanitizedString);
+            trustHTML(someTrustedorSanitizedString);
             ```
             @for @ember/template
-            @class SafeString
-            @since 4.12.0
+            @class TrustedHTML
+            @since 6.7.0
             @public
            */
-          class SafeString {
+          class TrustedHTML {
             __string;
             constructor(string) {
               this.__string = string;
@@ -24439,6 +24409,40 @@ var define, require;
             }
           }
+          /**
+            A wrapper around a string that has been marked as safe ("trusted"). **When
+            rendered in HTML, Ember will not perform any escaping.**
+            Note:
+            1. This does not *make* the string safe; it means that some code in your
+               application has *marked* it as safe using the `htmlSafe()` function.
+            2. The only public API for getting a `SafeString` is calling `htmlSafe()`. It
+               is *not* user-constructible.
+            If a string contains user inputs or other untrusted data, you must sanitize
+            the string before using the `htmlSafe` method. Otherwise your code is
+            vulnerable to [Cross-Site Scripting][xss]. There are many open source
+            sanitization libraries to choose from, both for front end and server-side
+            sanitization.
+            [xss]: https://owasp.org/www-community/attacks/DOM_Based_XSS
+            ```javascript
+            import { htmlSafe } from '@ember/template';
+            let someTrustedOrSanitizedString = "<div>Hello!</div>"
+            htmlSafe(someTrustedorSanitizedString);
+            ```
+            @for @ember/template
+            @class SafeString
+            @since 4.12.0
+            @public
+           */
+          const SafeString = TrustedHTML;
           /**
             Use this method to indicate that a string should be rendered as HTML
             when the string is used in a template. To say this another way,
@@ -24468,13 +24472,46 @@ var define, require;
             @return {SafeString} A string that will not be HTML escaped by Handlebars.
             @public
           */
-          function htmlSafe(str) {
+          const htmlSafe = trustHTML;
+          /**
+            Use this method to indicate that a string should be rendered as HTML
+            without escaping when the string is used in a template. To say this another way,
+            strings marked with `trustHTML` will not be HTML escaped.
+            A word of warning -   The `trustHTML` method does not make the string safe;
+            it only tells the framework to treat the string as if it is safe to render
+            as HTML - that we trust its contents to be safe. If a string contains user inputs or other untrusted
+            data, you must sanitize the string before using the `trustHTML` method.
+            Otherwise your code is vulnerable to
+            [Cross-Site Scripting](https://owasp.org/www-community/attacks/DOM_Based_XSS).
+            There are many open source sanitization libraries to choose from,
+            both for front end and server-side sanitization.
+            ```glimmer-js
+            import { trustHTML } from '@ember/template';
+            const someTrustedOrSanitizedString = "<div>Hello!</div>"
+            <template>
+              {{trustHTML someTrustedOrSanitizedString}}
+            </template>
+            ```
+            @method trustHTML
+            @for @ember/template
+            @param str {String} The string to treat as trusted.
+            @static
+            @return {TrustedHTML} A string that will not be HTML escaped by Handlebars.
+            @public
+           */
+          function trustHTML(str) {
             if (str === null || str === undefined) {
               str = '';
             } else if (typeof str !== 'string') {
               str = String(str);
             }
-            return new SafeString(str);
+            return new TrustedHTML(str);
           }
           /**
@@ -24496,7 +24533,28 @@ var define, require;
             @return {Boolean} `true` if the string was decorated with `htmlSafe`, `false` otherwise.
             @public
           */
-          function isHTMLSafe(str) {
+          const isHTMLSafe = isTrustedHTML;
+          /**
+            Detects if a string was decorated using `trustHTML`.
+            ```javascript
+            import { trustHTML, isTrustedHTML } from '@ember/template';
+            let plainString = 'plain string';
+            let safeString = trustHTML('<div>someValue</div>');
+            isTrustedHTML(plainString); // false
+            isTrustedHTML(safeString);  // true
+            ```
+            @method isTrustedHTML
+            @for @ember/template
+            @static
+            @return {Boolean} `true` if the string was decorated with `htmlSafe`, `false` otherwise.
+            @public
+          */
+          function isTrustedHTML(str) {
             return (
               // SAFETY: cast `as SafeString` only present to make this check "legal"; we
               // can further improve this by changing the behavior to do an `in` check
@@ -25911,9 +25969,6 @@ var define, require;
           /*
             This allows us to define computed properties that are not enumerable.
-            The primary reason this is important is that when `NativeArray` is
-            applied to `Array.prototype` we need to ensure that we do not add _any_
-            new enumerable properties.
           */
           function nonEnumerableComputed(callback) {
             let property = computed(callback);
@@ -37529,6 +37584,7 @@ var define, require;
                     RootTemplate,
                     SafeString,
                     Textarea,
+                    TrustedHTML,
                     _resetRenderers,
                     componentCapabilities,
                     getTemplate,
@@ -37538,6 +37594,7 @@ var define, require;
                     htmlSafe,
                     isHTMLSafe,
                     isSerializationFirstNode,
+                    isTrustedHTML,
                     modifierCapabilities,
                     renderSettled,
                     setComponentManager,
@@ -37547,6 +37604,7 @@ var define, require;
                     setupEngineRegistry,
                     template: templateFactory,
                     templateCacheCounters,
+                    trustHTML,
                     uniqueId: uniqueId$2
           }, Symbol.toStringTag, { value: 'Module' });
@@ -42548,7 +42606,9 @@ var define, require;
           const emberTemplateIndex = /*#__PURE__*/Object.defineProperty({
                     __proto__: null,
                     htmlSafe,
-                    isHTMLSafe
+                    isHTMLSafe,
+                    isTrustedHTML,
+                    trustHTML
           }, Symbol.toStringTag, { value: 'Module' });
           function run(fn) {