marko 5.33.13 → 5.33.15
- package/dist/runtime/html/helpers/escape-script-placeholder.js +10 -5
- package/dist/runtime/html/helpers/escape-style-placeholder.js +10 -5
- package/dist/runtime/html/helpers/escape-xml.js +8 -32
- package/dist/runtime/vdom/morphdom/index.js +6 -1
- package/package.json +1 -1
- package/src/runtime/html/helpers/escape-script-placeholder.js +10 -5
- package/src/runtime/html/helpers/escape-style-placeholder.js +10 -5
- package/src/runtime/html/helpers/escape-xml.js +8 -32
- package/src/runtime/vdom/morphdom/index.js +6 -1
@@ -1,4 +1,8 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsReg = /<\/script/g;
|
3
|
+
const replaceMatch = () => "\\x3C/script";
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsReg.test(str) ? str.replace(unsafeCharsReg, replaceMatch) : str;
|
2
6
|
|
3
7
|
/**
|
4
8
|
* Escapes the '</' sequence in the body of a <script> body to avoid the `<script>` being
|
@@ -15,9 +19,10 @@
|
|
15
19
|
* prematurely ended and a new script tag could then be started that could then execute
|
16
20
|
* arbitrary code.
|
17
21
|
*/
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
22
|
+
module.exports = function escapeScriptHelper(value) {
|
23
|
+
if (value == null) {
|
24
|
+
return "";
|
25
|
+
}
|
26
|
+
|
27
|
+
return escape(value + "");
|
23
28
|
};
|
@@ -1,4 +1,8 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsReg = /<\/style/g;
|
3
|
+
const replaceMatch = () => "\\3C/style";
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsReg.test(str) ? str.replace(unsafeCharsReg, replaceMatch) : str;
|
2
6
|
|
3
7
|
/**
|
4
8
|
* Escapes the '</' sequence in the body of a <style> body to avoid the `<style>` being
|
@@ -13,9 +17,10 @@
|
|
13
17
|
* prematurely ended and a script tag could then be started that could then execute
|
14
18
|
* arbitrary code.
|
15
19
|
*/
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
20
|
+
module.exports = function escapeScriptHelper(value) {
|
21
|
+
if (value == null) {
|
22
|
+
return "";
|
23
|
+
}
|
24
|
+
|
25
|
+
return escape(value + "");
|
21
26
|
};
|
@@ -1,4 +1,10 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsRegExp = /[<&]/g;
|
3
|
+
const replaceMatch = (c) => c === "&" ? "&" : "<";
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsRegExp.test(str) ?
|
6
|
+
str.replace(unsafeCharsRegExp, replaceMatch) :
|
7
|
+
str;
|
2
8
|
|
3
9
|
module.exports.x = function (value) {
|
4
10
|
if (value == null) {
|
@@ -9,37 +15,7 @@ module.exports.x = function (value) {
|
|
9
15
|
return value.toHTML();
|
10
16
|
}
|
11
17
|
|
12
|
-
return
|
18
|
+
return escape(value + "");
|
13
19
|
};
|
14
20
|
|
15
|
-
exports.bo_ =
|
16
|
-
|
17
|
-
function escapeXML(str) {
|
18
|
-
var len = str.length;
|
19
|
-
var result = "";
|
20
|
-
var lastPos = 0;
|
21
|
-
var i = 0;
|
22
|
-
var replacement;
|
23
|
-
|
24
|
-
for (; i < len; i++) {
|
25
|
-
switch (str[i]) {
|
26
|
-
case "<":
|
27
|
-
replacement = "<";
|
28
|
-
break;
|
29
|
-
case "&":
|
30
|
-
replacement = "&";
|
31
|
-
break;
|
32
|
-
default:
|
33
|
-
continue;
|
34
|
-
}
|
35
|
-
|
36
|
-
result += str.slice(lastPos, i) + replacement;
|
37
|
-
lastPos = i + 1;
|
38
|
-
}
|
39
|
-
|
40
|
-
if (lastPos) {
|
41
|
-
return result + str.slice(lastPos);
|
42
|
-
}
|
43
|
-
|
44
|
-
return str;
|
45
|
-
}
|
21
|
+
exports.bo_ = escape;
|
@@ -592,8 +592,13 @@ function morphdom(fromNode, toNode, host, componentsContext) {
|
|
592
592
|
if (curFromNodeValue !== curToNodeValue) {
|
593
593
|
if (
|
594
594
|
isHydrate &&
|
595
|
+
toNextSibling &&
|
595
596
|
curFromNodeType === TEXT_NODE &&
|
596
|
-
|
597
|
+
toNextSibling.bW_ === TEXT_NODE &&
|
598
|
+
curFromNodeValue.startsWith(curToNodeValue) &&
|
599
|
+
toNextSibling.cm_.startsWith(
|
600
|
+
curFromNodeValue.slice(curToNodeValue.length)
|
601
|
+
))
|
597
602
|
{
|
598
603
|
// In hydrate mode we can use splitText to more efficiently handle
|
599
604
|
// adjacent text vdom nodes that were merged.
|
package/package.json
CHANGED
@@ -1,4 +1,8 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsReg = /<\/script/g;
|
3
|
+
const replaceMatch = () => "\\x3C/script";
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsReg.test(str) ? str.replace(unsafeCharsReg, replaceMatch) : str;
|
2
6
|
|
3
7
|
/**
|
4
8
|
* Escapes the '</' sequence in the body of a <script> body to avoid the `<script>` being
|
@@ -15,9 +19,10 @@
|
|
15
19
|
* prematurely ended and a new script tag could then be started that could then execute
|
16
20
|
* arbitrary code.
|
17
21
|
*/
|
18
|
-
|
19
|
-
|
20
|
-
|
21
|
-
|
22
|
-
|
22
|
+
module.exports = function escapeScriptHelper(value) {
|
23
|
+
if (value == null) {
|
24
|
+
return "";
|
25
|
+
}
|
26
|
+
|
27
|
+
return escape(value + "");
|
23
28
|
};
|
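Review bot: `unsafeCharsReg` on new line 2 is case-sensitive, but HTML matches end-tag names ASCII case-insensitively, so a value containing an upper- or mixed-case spelling of the closing tag is returned unescaped and can still end the element early. Adding the `i` flag and keeping the matched spelling avoids altering string data: `const unsafeCharsReg = /<\/script/gi;` with `const replaceMatch = (m) => "\\x3C" + m.slice(1);`. The same applies to `/<\/style/g` in escape-style-placeholder.js and to the built copies under package/dist. The JSDoc still says the helper escapes the '</' sequence, which is broader than the pattern; the removed lines' text is not shown on this page, so whether the previous version was broader cannot be confirmed here.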
@@ -1,4 +1,8 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsReg = /<\/style/g;
|
3
|
+
const replaceMatch = () => "\\3C/style";
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsReg.test(str) ? str.replace(unsafeCharsReg, replaceMatch) : str;
|
2
6
|
|
3
7
|
/**
|
4
8
|
* Escapes the '</' sequence in the body of a <style> body to avoid the `<style>` being
|
@@ -13,9 +17,10 @@
|
|
13
17
|
* prematurely ended and a script tag could then be started that could then execute
|
14
18
|
* arbitrary code.
|
15
19
|
*/
|
16
|
-
|
17
|
-
|
18
|
-
|
19
|
-
|
20
|
-
|
20
|
+
module.exports = function escapeScriptHelper(value) {
|
21
|
+
if (value == null) {
|
22
|
+
return "";
|
23
|
+
}
|
24
|
+
|
25
|
+
return escape(value + "");
|
21
26
|
};
|
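Review bot: The exported function in the style helper is named `escapeScriptHelper` (new line 20), which looks carried over from the script helper and will show the wrong name in stack traces and profiles; `module.exports = function escapeStyleHelper(value) {` would match the file. The JSDoc above it says the '</' sequence is escaped, while `unsafeCharsReg` only matches `</style`, so the comment should describe the narrower pattern, for example `Escapes '</style' in the body of a <style> element`. The middle of that comment block lies outside the visible hunks.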
@@ -1,4 +1,10 @@
|
|
1
1
|
"use strict";
|
2
|
+
const unsafeCharsRegExp = /[<&]/g;
|
3
|
+
const replaceMatch = (c) => (c === "&" ? "&" : "<");
|
4
|
+
const escape = (str) =>
|
5
|
+
unsafeCharsRegExp.test(str)
|
6
|
+
? str.replace(unsafeCharsRegExp, replaceMatch)
|
7
|
+
: str;
|
2
8
|
|
3
9
|
module.exports.x = function (value) {
|
4
10
|
if (value == null) {
|
@@ -9,37 +15,7 @@ module.exports.x = function (value) {
|
|
9
15
|
return value.toHTML();
|
10
16
|
}
|
11
17
|
|
12
|
-
return
|
18
|
+
return escape(value + "");
|
13
19
|
};
|
14
20
|
|
15
|
-
exports.___escapeXML =
|
16
|
-
|
17
|
-
function escapeXML(str) {
|
18
|
-
var len = str.length;
|
19
|
-
var result = "";
|
20
|
-
var lastPos = 0;
|
21
|
-
var i = 0;
|
22
|
-
var replacement;
|
23
|
-
|
24
|
-
for (; i < len; i++) {
|
25
|
-
switch (str[i]) {
|
26
|
-
case "<":
|
27
|
-
replacement = "<";
|
28
|
-
break;
|
29
|
-
case "&":
|
30
|
-
replacement = "&";
|
31
|
-
break;
|
32
|
-
default:
|
33
|
-
continue;
|
34
|
-
}
|
35
|
-
|
36
|
-
result += str.slice(lastPos, i) + replacement;
|
37
|
-
lastPos = i + 1;
|
38
|
-
}
|
39
|
-
|
40
|
-
if (lastPos) {
|
41
|
-
return result + str.slice(lastPos);
|
42
|
-
}
|
43
|
-
|
44
|
-
return str;
|
45
|
-
}
|
21
|
+
exports.___escapeXML = escape;
|
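Review bot: `escape` calls `.test()` on the shared global-flag `unsafeCharsRegExp` before `.replace()`, and a successful `.test()` leaves `lastIndex` past the first match until `replace` resets it. If `replace` is not reached (`___escapeXML` is now the bare `escape`, which would throw on a non-string argument that stringifies with `<` or `&`; callers are not visible here), the next call starts scanning mid-string and can return its input unescaped. A flag-less pattern for the pre-check removes the shared state: `const hasUnsafeChar = /[<&]/;` and `hasUnsafeChar.test(str) ? str.replace(unsafeCharsRegExp, replaceMatch) : str`. The script and style placeholder helpers use the same test-then-replace pattern. As rendered on this page the strings returned by `replaceMatch` equal the matched characters, presumably because the page decoded `&amp;` and `&lt;`; that is worth confirming against the published file.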
@@ -592,8 +592,13 @@ function morphdom(fromNode, toNode, host, componentsContext) {
|
|
592
592
|
if (curFromNodeValue !== curToNodeValue) {
|
593
593
|
if (
|
594
594
|
isHydrate &&
|
595
|
+
toNextSibling &&
|
595
596
|
curFromNodeType === TEXT_NODE &&
|
596
|
-
|
597
|
+
toNextSibling.___nodeType === TEXT_NODE &&
|
598
|
+
curFromNodeValue.startsWith(curToNodeValue) &&
|
599
|
+
toNextSibling.___nodeValue.startsWith(
|
600
|
+
curFromNodeValue.slice(curToNodeValue.length),
|
601
|
+
)
|
597
602
|
) {
|
598
603
|
// In hydrate mode we can use splitText to more efficiently handle
|
599
604
|
// adjacent text vdom nodes that were merged.
|