@azure/core-xml - npm Package Compare versions

Comparing version 1.2.3-alpha.20220701.1 to 1.3.0-alpha.20220801.2

dist-esm/src/xml.browser.js

@@ -8,6 +8,18 @@ // Copyright (c) Microsoft Corporation.
 }
+// Policy to make our code Trusted Types compliant at running time.
+//   https://github.com/w3c/webappsec-trusted-types
+// We are calling DOMParser.parseFromString() to parse XML payload from Azure services.
+// The parsed DOM object is not exposed to outside. Scripts are disabled when parsing
+// according to the spec.  There are no HTML/XSS security concerns on the usage of
+// parseFromString() here.
+let ttPolicy;
+if (typeof self.trustedTypes !== "undefined") {
+    ttPolicy = self.trustedTypes.createPolicy("@azure/core-xml#xml.browser", {
+        createHTML: (s) => s,
+    });
+}
 const doc = document.implementation.createDocument(null, null, null);
 const parser = new DOMParser();
 export function parseXML(str, opts = {}) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c, _d, _e, _f;
     try {
@@ -21,3 +33,3 @@ const updatedOptions = {
         };
-        const dom = parser.parseFromString(str, "application/xml");
+        const dom = parser.parseFromString(((_f = ttPolicy === null || ttPolicy === void 0 ? void 0 : ttPolicy.createHTML(str)) !== null && _f !== void 0 ? _f : str), "application/xml");
         throwIfError(dom);
@@ -39,8 +51,9 @@ let obj;
 function getErrorNamespace() {
-    var _a;
+    var _a, _b;
     if (errorNS === undefined) {
         try {
+            const invalidXML = ((_a = ttPolicy === null || ttPolicy === void 0 ? void 0 : ttPolicy.createHTML("INVALID")) !== null && _a !== void 0 ? _a : "INVALID");
             errorNS =
-                (_a = parser.parseFromString("INVALID", "text/xml").getElementsByTagName("parsererror")[0]
-                    .namespaceURI) !== null && _a !== void 0 ? _a : "";
+                (_b = parser.parseFromString(invalidXML, "text/xml").getElementsByTagName("parsererror")[0]
+                    .namespaceURI) !== null && _b !== void 0 ? _b : "";
         }
@@ -47,0 +60,0 @@ catch (ignored) {

package.json

 {
   "name": "@azure/core-xml",
-  "version": "1.2.3-alpha.20220701.1",
+  "version": "1.3.0-alpha.20220801.2",
   "description": "Core library for interacting with XML payloads",
@@ -82,2 +82,3 @@ "sdk-type": "client",
     "@types/sinon": "^9.0.4",
+    "@types/trusted-types": "^2.0.0",
     "@azure/eslint-plugin-azure-sdk": ">=3.0.0-alpha <3.0.0-alphb",
@@ -84,0 +85,0 @@ "chai": "^4.2.0",

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

52214

increased by4.32%

Lines of code

463

increased by2.89%

Worsened metrics

Dev dependency count

31

increased by3.33%

No dependency changes