lwc 2.43.0 → 2.44.0

package/dist/engine-server/esm/es2017/engine-server.js

@@ -1,4 +1,7 @@
+import * as parse5 from 'parse5';
+
 /* proxy-compat-disable */
+
 /**
  * Copyright (C) 2018 salesforce.com, inc.
  */
@@ -43,7 +46,7 @@ var assert = /*#__PURE__*/Object.freeze({
  */
 const { assign, create, defineProperties, defineProperty, freeze, getOwnPropertyDescriptor: getOwnPropertyDescriptor$1, getOwnPropertyNames: getOwnPropertyNames$1, getPrototypeOf: getPrototypeOf$1, hasOwnProperty: hasOwnProperty$1, isFrozen, keys, seal, setPrototypeOf, } = Object;
 const { isArray: isArray$1 } = Array;
-const { concat: ArrayConcat$1, copyWithin: ArrayCopyWithin, fill: ArrayFill, filter: ArrayFilter, find: ArrayFind, indexOf: ArrayIndexOf, join: ArrayJoin, map: ArrayMap, pop: ArrayPop, push: ArrayPush$1, reduce: ArrayReduce, reverse: ArrayReverse, shift: ArrayShift, slice: ArraySlice, some: ArraySome, sort: ArraySort, splice: ArraySplice, unshift: ArrayUnshift, forEach, } = Array.prototype;
+const { concat: ArrayConcat$1, copyWithin: ArrayCopyWithin, fill: ArrayFill, filter: ArrayFilter, find: ArrayFind, findIndex: ArrayFindIndex, indexOf: ArrayIndexOf, join: ArrayJoin, map: ArrayMap, pop: ArrayPop, push: ArrayPush$1, reduce: ArrayReduce, reverse: ArrayReverse, shift: ArrayShift, slice: ArraySlice, some: ArraySome, sort: ArraySort, splice: ArraySplice, unshift: ArrayUnshift, forEach, } = Array.prototype;
 const { fromCharCode: StringFromCharCode } = String;
 const { charCodeAt: StringCharCodeAt, replace: StringReplace, split: StringSplit, slice: StringSlice, toLowerCase: StringToLowerCase, } = String.prototype;
 function isUndefined$1(obj) {
@@ -442,9 +445,9 @@ function htmlEscape(str, attrMode = false) {
  * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
  */
 // Increment whenever the LWC template compiler changes
-const LWC_VERSION = "2.43.0";
+const LWC_VERSION = "2.44.0";
 const LWC_VERSION_COMMENT_REGEX = /\/\*LWC compiler v([\d.]+)\*\/\s*}/;
-/** version: 2.43.0 */
+/** version: 2.44.0 */
 
 /**
  * Copyright (C) 2018 salesforce.com, inc.
@@ -522,7 +525,7 @@ function setFeatureFlagForTest(name, value) {
         setFeatureFlag(name, value);
     }
 }
-/** version: 2.43.0 */
+/** version: 2.44.0 */
 
 /*
  * Copyright (c) 2020, salesforce.com, inc.
@@ -618,7 +621,7 @@ function applyAriaReflection(prototype = Element.prototype) {
         }
     }
 }
-/** version: 2.43.0 */
+/** version: 2.44.0 */
 
 /* proxy-compat-disable */
 /**
@@ -854,101 +857,6 @@ const defaultDefHTMLPropertyNames = [
     'tabIndex',
     'title',
 ];
-function offsetPropertyErrorMessage(name) {
-    return `Using the \`${name}\` property is an anti-pattern because it rounds the value to an integer. Instead, use the \`getBoundingClientRect\` method to obtain fractional values for the size of an element and its position relative to the viewport.`;
-}
-// Global HTML Attributes & Properties
-// https://developer.mozilla.org/en-US/docs/Web/HTML/Global_attributes
-// https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement
-//
-// If you update this list, check for test files that recapitulate the same list. Searching the codebase
-// for e.g. "dropzone" should suffice.
-const globalHTMLProperties = {
-    accessKey: {
-        attribute: 'accesskey',
-    },
-    accessKeyLabel: {
-        readOnly: true,
-    },
-    className: {
-        attribute: 'class',
-        error: 'Using the `className` property is an anti-pattern because of slow runtime behavior and potential conflicts with classes provided by the owner element. Use the `classList` API instead.',
-    },
-    contentEditable: {
-        attribute: 'contenteditable',
-    },
-    dataset: {
-        readOnly: true,
-        error: "Using the `dataset` property is an anti-pattern because it can't be statically analyzed. Expose each property individually using the `@api` decorator instead.",
-    },
-    dir: {
-        attribute: 'dir',
-    },
-    draggable: {
-        attribute: 'draggable',
-    },
-    dropzone: {
-        attribute: 'dropzone',
-        readOnly: true,
-    },
-    hidden: {
-        attribute: 'hidden',
-    },
-    id: {
-        attribute: 'id',
-    },
-    inputMode: {
-        attribute: 'inputmode',
-    },
-    lang: {
-        attribute: 'lang',
-    },
-    slot: {
-        attribute: 'slot',
-        error: 'Using the `slot` property is an anti-pattern.',
-    },
-    spellcheck: {
-        attribute: 'spellcheck',
-    },
-    style: {
-        attribute: 'style',
-    },
-    tabIndex: {
-        attribute: 'tabindex',
-    },
-    title: {
-        attribute: 'title',
-    },
-    translate: {
-        attribute: 'translate',
-    },
-    // additional "global attributes" that are not present in the link above.
-    isContentEditable: {
-        readOnly: true,
-    },
-    offsetHeight: {
-        readOnly: true,
-        error: offsetPropertyErrorMessage('offsetHeight'),
-    },
-    offsetLeft: {
-        readOnly: true,
-        error: offsetPropertyErrorMessage('offsetLeft'),
-    },
-    offsetParent: {
-        readOnly: true,
-    },
-    offsetTop: {
-        readOnly: true,
-        error: offsetPropertyErrorMessage('offsetTop'),
-    },
-    offsetWidth: {
-        readOnly: true,
-        error: offsetPropertyErrorMessage('offsetWidth'),
-    },
-    role: {
-        attribute: 'role',
-    },
-};
 let controlledElement = null;
 let controlledAttributeName;
 function isAttributeLocked(elm, attrName) {
@@ -1133,8 +1041,7 @@ function getShadowRootRestrictionsDescriptors(sr) {
         }),
         addEventListener: generateDataDescriptor({
             value(type, listener, options) {
-                // TODO [#420]: this is triggered when the component author attempts to add a listener
-                // programmatically into its Component's shadow root
+                // TODO [#1824]: Potentially relax this restriction
                 if (!isUndefined$1(options)) {
                     logError('The `addEventListener` method on ShadowRoot does not support any options.', getAssociatedVMIfPresent(this));
                 }
@@ -1180,8 +1087,7 @@ function getCustomElementRestrictionsDescriptors(elm) {
         }),
         addEventListener: generateDataDescriptor({
             value(type, listener, options) {
-                // TODO [#420]: this is triggered when the component author attempts to add a listener
-                // programmatically into a lighting element node
+                // TODO [#1824]: Potentially relax this restriction
                 if (!isUndefined$1(options)) {
                     logError('The `addEventListener` method in `LightningElement` does not support any options.', getAssociatedVMIfPresent(this));
                 }
@@ -1209,7 +1115,7 @@ function getComponentRestrictionsDescriptors() {
 function getLightningElementPrototypeRestrictionsDescriptors(proto) {
     assertNotProd(); // this method should never leak to prod
     const originalDispatchEvent = proto.dispatchEvent;
-    const descriptors = {
+    return {
         dispatchEvent: generateDataDescriptor({
             value(event) {
                 const vm = getAssociatedVM(this);
@@ -1227,32 +1133,6 @@ function getLightningElementPrototypeRestrictionsDescriptors(proto) {
             },
         }),
     };
-    forEach.call(getOwnPropertyNames$1(globalHTMLProperties), (propName) => {
-        if (propName in proto) {
-            return; // no need to redefine something that we are already exposing
-        }
-        descriptors[propName] = generateAccessorDescriptor({
-            get() {
-                const { error, attribute } = globalHTMLProperties[propName];
-                const msg = [];
-                msg.push(`Accessing the global HTML property "${propName}" is disabled.`);
-                if (error) {
-                    msg.push(error);
-                }
-                else if (attribute) {
-                    msg.push(`Instead access it via \`this.getAttribute("${attribute}")\`.`);
-                }
-                logError(msg.join('\n'), getAssociatedVM(this));
-            },
-            set() {
-                const { readOnly } = globalHTMLProperties[propName];
-                if (readOnly) {
-                    logError(`The global HTML property \`${propName}\` is read-only.`, getAssociatedVM(this));
-                }
-            },
-        });
-    });
-    return descriptors;
 }
 // This routine will prevent access to certain properties on a shadow root instance to guarantee
 // that all components will work fine in IE11 and other browsers without shadow dom support.
@@ -2577,12 +2457,7 @@ function createPublicPropertyDescriptor(key) {
 }
 function createPublicAccessorDescriptor(key, descriptor) {
     const { get, set, enumerable, configurable } = descriptor;
-    if (!isFunction$1(get)) {
-        if (process.env.NODE_ENV !== 'production') {
-            assert.invariant(isFunction$1(get), `Invalid compiler output for public accessor ${toString$1(key)} decorated with @api`);
-        }
-        throw new Error();
-    }
+    assert.invariant(isFunction$1(get), `Invalid public accessor ${toString$1(key)} decorated with @api. The property is missing a getter.`);
     return {
         get() {
             if (process.env.NODE_ENV !== 'production') {
@@ -2702,64 +2577,64 @@ function getClassDescriptorType(descriptor) {
     }
 }
 function validateObservedField(Ctor, fieldName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (!isUndefined$1(descriptor)) {
         const type = getClassDescriptorType(descriptor);
         const message = `Invalid observed ${fieldName} field. Found a duplicate ${type} with the same name.`;
-        // [W-9927596] Ideally we always throw an error when detecting duplicate observed field.
-        // This branch is only here for backward compatibility reasons.
-        if (type === "accessor" /* DescriptorType.Accessor */) {
-            logError(message);
-        }
-        else {
-            assert.fail(message);
-        }
+        // TODO [#3408]: this should throw, not log
+        logError(message);
     }
 }
 function validateFieldDecoratedWithTrack(Ctor, fieldName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (!isUndefined$1(descriptor)) {
         const type = getClassDescriptorType(descriptor);
-        assert.fail(`Invalid @track ${fieldName} field. Found a duplicate ${type} with the same name.`);
+        // TODO [#3408]: this should throw, not log
+        logError(`Invalid @track ${fieldName} field. Found a duplicate ${type} with the same name.`);
     }
 }
 function validateFieldDecoratedWithWire(Ctor, fieldName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (!isUndefined$1(descriptor)) {
         const type = getClassDescriptorType(descriptor);
-        assert.fail(`Invalid @wire ${fieldName} field. Found a duplicate ${type} with the same name.`);
+        // TODO [#3408]: this should throw, not log
+        logError(`Invalid @wire ${fieldName} field. Found a duplicate ${type} with the same name.`);
     }
 }
 function validateMethodDecoratedWithWire(Ctor, methodName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (isUndefined$1(descriptor) || !isFunction$1(descriptor.value) || isFalse(descriptor.writable)) {
-        assert.fail(`Invalid @wire ${methodName} method.`);
+        // TODO [#3441]: This line of code does not seem possible to reach.
+        logError(`Invalid @wire ${methodName} field. The field should have a valid writable descriptor.`);
     }
 }
 function validateFieldDecoratedWithApi(Ctor, fieldName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (!isUndefined$1(descriptor)) {
         const type = getClassDescriptorType(descriptor);
         const message = `Invalid @api ${fieldName} field. Found a duplicate ${type} with the same name.`;
-        // [W-9927596] Ideally we always throw an error when detecting duplicate public properties.
-        // This branch is only here for backward compatibility reasons.
-        if (type === "accessor" /* DescriptorType.Accessor */) {
-            logError(message);
-        }
-        else {
-            assert.fail(message);
-        }
+        // TODO [#3408]: this should throw, not log
+        logError(message);
     }
 }
 function validateAccessorDecoratedWithApi(Ctor, fieldName, descriptor) {
-    if (isUndefined$1(descriptor)) {
-        assert.fail(`Invalid @api get ${fieldName} accessor.`);
-    }
-    else if (isFunction$1(descriptor.set)) {
-        assert.isTrue(isFunction$1(descriptor.get), `Missing getter for property ${fieldName} decorated with @api in ${Ctor}. You cannot have a setter without the corresponding getter.`);
+    assertNotProd(); // this method should never leak to prod
+    if (isFunction$1(descriptor.set)) {
+        if (!isFunction$1(descriptor.get)) {
+            // TODO [#3441]: This line of code does not seem possible to reach.
+            logError(`Missing getter for property ${fieldName} decorated with @api in ${Ctor}. You cannot have a setter without the corresponding getter.`);
+        }
     }
     else if (!isFunction$1(descriptor.get)) {
-        assert.fail(`Missing @api get ${fieldName} accessor.`);
+        // TODO [#3441]: This line of code does not seem possible to reach.
+        logError(`Missing @api get ${fieldName} accessor.`);
     }
 }
 function validateMethodDecoratedWithApi(Ctor, methodName, descriptor) {
+    assertNotProd(); // this method should never leak to prod
     if (isUndefined$1(descriptor) || !isFunction$1(descriptor.value) || isFalse(descriptor.writable)) {
-        assert.fail(`Invalid @api ${methodName} method.`);
+        // TODO [#3441]: This line of code does not seem possible to reach.
+        logError(`Invalid @api ${methodName} method.`);
     }
 }
 /**
@@ -2782,13 +2657,14 @@ function registerDecorators(Ctor, meta) {
             apiFieldsConfig[fieldName] = propConfig.config;
             descriptor = getOwnPropertyDescriptor$1(proto, fieldName);
             if (propConfig.config > 0) {
+                if (isUndefined$1(descriptor)) {
+                    // TODO [#3441]: This line of code does not seem possible to reach.
+                    throw new Error();
+                }
                 // accessor declaration
                 if (process.env.NODE_ENV !== 'production') {
                     validateAccessorDecoratedWithApi(Ctor, fieldName, descriptor);
                 }
-                if (isUndefined$1(descriptor)) {
-                    throw new Error();
-                }
                 descriptor = createPublicAccessorDescriptor(fieldName, descriptor);
             }
             else {
@@ -2828,7 +2704,10 @@ function registerDecorators(Ctor, meta) {
             descriptor = getOwnPropertyDescriptor$1(proto, fieldOrMethodName);
             if (method === 1) {
                 if (process.env.NODE_ENV !== 'production') {
-                    assert.isTrue(adapter, `@wire on method "${fieldOrMethodName}": adapter id must be truthy.`);
+                    if (!adapter) {
+                        // TODO [#3408]: this should throw, not log
+                        logError(`@wire on method "${fieldOrMethodName}": adapter id must be truthy.`);
+                    }
                     validateMethodDecoratedWithWire(Ctor, fieldOrMethodName, descriptor);
                 }
                 if (isUndefined$1(descriptor)) {
@@ -2839,7 +2718,10 @@ function registerDecorators(Ctor, meta) {
             }
             else {
                 if (process.env.NODE_ENV !== 'production') {
-                    assert.isTrue(adapter, `@wire on field "${fieldOrMethodName}": adapter id must be truthy.`);
+                    if (!adapter) {
+                        // TODO [#3408]: this should throw, not log
+                        logError(`@wire on field "${fieldOrMethodName}": adapter id must be truthy.`);
+                    }
                     validateFieldDecoratedWithWire(Ctor, fieldOrMethodName, descriptor);
                 }
                 descriptor = internalWireFieldDecorator(fieldOrMethodName);
@@ -6360,12 +6242,12 @@ function readonly(obj) {
     if (process.env.NODE_ENV !== 'production') {
         // TODO [#1292]: Remove the readonly decorator
         if (arguments.length !== 1) {
-            assert.fail('@readonly cannot be used as a decorator just yet, use it as a function with one argument to produce a readonly version of the provided value.');
+            logError('@readonly cannot be used as a decorator just yet, use it as a function with one argument to produce a readonly version of the provided value.');
         }
     }
     return getReadOnlyProxy(obj);
 }
-/* version: 2.43.0 */
+/* version: 2.44.0 */
 
 /*
  * Copyright (c) 2020, salesforce.com, inc.
@@ -6775,6 +6657,38 @@ const renderer = {
     registerContextConsumer,
 };
 
+/*
+ * Copyright (c) 2023, salesforce.com, inc.
+ * All rights reserved.
+ * SPDX-License-Identifier: MIT
+ * For full license text, see the LICENSE file in the repo root or https://opensource.org/licenses/MIT
+ */
+function isSingleStyleNodeContainingSingleTextNode(node) {
+    if (node.childNodes.length !== 1) {
+        return false;
+    }
+    const style = node.childNodes[0];
+    if (style.nodeName !== 'style' || style.childNodes.length !== 1) {
+        return false;
+    }
+    const textNode = style.childNodes[0];
+    return textNode.nodeName === '#text';
+}
+// The text content inside `<style>` is a special case. It is _only_ rendered by the LWC engine itself; <style> tags
+// are disallowed inside of templates. Also, we want to avoid over-escaping, since CSS containing strings like
+// `&amp;` and `&quot;` is not valid CSS (even when inside a `<style>` element).
+//
+// However, to avoid XSS attacks, we still need to check for things like `</style><script>alert("pwned")</script>`,
+// since a user could use that inside of a *.css file to break out of a <style> element.
+// See: https://github.com/salesforce/lwc/issues/3439
+function validateStyleTextContents(contents) {
+    // If parse5 parses this as more than one `<style>` tag, then it is unsafe to be rendered as-is
+    const fragment = parse5.parseFragment(`<style>${contents}</style>`);
+    if (!isSingleStyleNodeContainingSingleTextNode(fragment)) {
+        throw new Error('CSS contains unsafe characters and cannot be serialized inside a style element');
+    }
+}
+
 /*
  * Copyright (c) 2020, salesforce.com, inc.
  * All rights reserved.
@@ -6786,12 +6700,12 @@ function serializeAttributes(attributes) {
         .map((attr) => attr.value.length ? `${attr.name}="${htmlEscape(attr.value, true)}"` : attr.name)
         .join(' ');
 }
-function serializeChildNodes(children) {
+function serializeChildNodes(children, tagName) {
     return children
         .map((child) => {
         switch (child[HostTypeKey]) {
             case HostNodeType.Text:
-                return child[HostValueKey] === '' ? '\u200D' : htmlEscape(child[HostValueKey]);
+                return serializeTextContent(child[HostValueKey], tagName);
             case HostNodeType.Comment:
                 return `<!--${htmlEscape(child[HostValueKey])}-->`;
             case HostNodeType.Raw:
@@ -6828,12 +6742,26 @@ function serializeElement(element) {
     if (element[HostShadowRootKey]) {
         output += serializeShadowRoot(element[HostShadowRootKey]);
     }
-    output += serializeChildNodes(element[HostChildrenKey]);
+    output += serializeChildNodes(element[HostChildrenKey], tagName);
     if (!isVoidElement(tagName, namespace) || hasChildren) {
         output += `</${tagName}>`;
     }
     return output;
 }
+function serializeTextContent(contents, tagName) {
+    if (contents === '') {
+        return '\u200D'; // Special serialization for empty text nodes
+    }
+    if (tagName === 'style') {
+        // Special validation for <style> tags since their content must be served unescaped, and we need to validate
+        // that the contents are safe to serialize unescaped.
+        // TODO [#3454]: move this validation to compilation
+        validateStyleTextContents(contents);
+        // If we haven't thrown an error during validation, then the content is safe to serialize unescaped
+        return contents;
+    }
+    return htmlEscape(contents);
+}
 
 /*
  * Copyright (c) 2018, salesforce.com, inc.
@@ -6900,7 +6828,7 @@ seal(LightningElement.prototype);
 function createElement() {
     throw new Error('createElement is not supported in @lwc/engine-server, only @lwc/engine-dom.');
 }
-/* version: 2.43.0 */
+/* version: 2.44.0 */
 
 export { LightningElement, api$1 as api, createContextProvider, createElement, freezeTemplate, getComponentDef, isComponentConstructor, parseFragment, parseFragment as parseSVGFragment, readonly, register, registerComponent, registerDecorators, registerStylesheet, registerTemplate, renderComponent, renderer, sanitizeAttribute, setFeatureFlag, setFeatureFlagForTest, setHooks, track, unwrap, wire };
 //# sourceMappingURL=engine-server.js.map