You're Invited: Meet the Socket team at BSidesSF and RSAC - April 27 - May 1.RSVP →
@locker/html-sanitizer
Advanced tools
@locker/html-sanitizer - npm Package Compare versions
to
0.17.25
@@ -65,146 +65,42 @@ /*! | ||
| }; | ||
| var CONFIG$LWS = /*#__PURE__*/Object.freeze({ | ||
| __proto__: null, | ||
| NODE_ALL_IN_PLACE: NODE_ALL_IN_PLACE$LWS, | ||
| NODE_SVG: NODE_SVG$LWS, | ||
| STRING_BLOB_HTML: STRING_BLOB_HTML$LWS | ||
| }); | ||
| const instancesBySandboxKeyRegistry$LWS = { | ||
| __proto__: null | ||
| }; | ||
| const SANITIZE_ATTRIBUTES_LIST$LWS = shared$LWS.toSafeArray(['href', 'xlink:href']); | ||
| const SHARED_SVG_SANITIZER_KEY$LWS = 'SHARED_SVG_SANITIZER_KEY'; | ||
| const htmlTemplate$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElement, document, ['template']); // Queue for managing pending XHR requests. | ||
| const instances$LWS = shared$LWS.toSafeWeakMap(new shared$LWS.WeakMapCtor()); | ||
| const queue$LWS = shared$LWS.toSafeSet(new shared$LWS.SetCtor()); // A regexp to find all non lowercase alphanumeric. | ||
| function sanitizer$LWS(config$LWS, hooksRegistry$LWS) { | ||
| let dompurify$LWS = instances$LWS.get(config$LWS); | ||
| const urlReplacerRegExp$LWS = /[^a-z0-9]+/gi; | ||
| if (dompurify$LWS === undefined) { | ||
| dompurify$LWS = createDOMPurify__default$LWS["default"](); | ||
| dompurify$LWS.setConfig(config$LWS); | ||
| function createSantizerHooksRegistry$LWS(sandboxKey$LWS) { | ||
| return { | ||
| __proto__: null, | ||
| // uponSanitizeAttribute is generic, so its definition can be a reused function | ||
| // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| uponSanitizeAttribute: uponSanitizeAttribute$LWS, | ||
| // uponSanitizeElement is sandbox-key-specific | ||
| uponSanitizeElement(node$LWS, data$LWS, config$LWS) { | ||
| var _config$CUSTOM_ELEMEN$LWS; | ||
| const { | ||
| tagName: tagName$LWS | ||
| } = data$LWS; | ||
| const tagNameCheck$LWS = config$LWS == null ? void 0 : (_config$CUSTOM_ELEMEN$LWS = config$LWS.CUSTOM_ELEMENT_HANDLING) == null ? void 0 : _config$CUSTOM_ELEMEN$LWS.tagNameCheck; | ||
| if (tagNameCheck$LWS && shared$LWS.ReflectApply(shared$LWS.RegExpProtoTest, tagNameCheck$LWS, [tagName$LWS]) && // This MUST be called ONLY after we've ensured the previous | ||
| // two conditions have been met, otherwise it may result in an | ||
| // unwanted "Illegal invocation" on a node we don't care about. | ||
| !shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoHasAttribute, node$LWS, [sharedDom$LWS.CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME])) { | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, node$LWS, [sharedDom$LWS.CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME, sandboxKey$LWS]); | ||
| for (const hookName$LWS in hooksRegistry$LWS) { | ||
| // istanbul ignore else | ||
| if (hooksRegistry$LWS) { | ||
| dompurify$LWS.addHook(hookName$LWS, hooksRegistry$LWS[hookName$LWS]); | ||
| } | ||
| } | ||
| }; | ||
| } | ||
| function createUrlContainer$LWS(url$LWS) { | ||
| const container$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElement, document, ['div']); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, container$LWS, ['style', 'display:none']); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, container$LWS, ['id', url$LWS]); | ||
| const body$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoBodyGetter, document, []); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoAppendChild, body$LWS, [container$LWS]); | ||
| return container$LWS; | ||
| } | ||
| function getSanitizerForConfig$LWS(sandboxKey$LWS, configName$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new shared$LWS.LockerSecurityError(shared$LWS.ERR_INVALID_SANDBOX_KEY); | ||
| instances$LWS.set(config$LWS, dompurify$LWS); | ||
| } | ||
| if (typeof configName$LWS !== 'string') { | ||
| throw new shared$LWS.LockerSecurityError('Invalid config name.'); | ||
| } | ||
| let sandboxConfiguredSanitizerInstances$LWS = instancesBySandboxKeyRegistry$LWS[sandboxKey$LWS]; | ||
| if (sandboxConfiguredSanitizerInstances$LWS === undefined) { | ||
| sandboxConfiguredSanitizerInstances$LWS = instancesBySandboxKeyRegistry$LWS[sandboxKey$LWS] = { | ||
| __proto__: null | ||
| }; | ||
| } | ||
| let configuredDOMPurifyInstance$LWS = sandboxConfiguredSanitizerInstances$LWS[configName$LWS]; | ||
| if (configuredDOMPurifyInstance$LWS === undefined) { | ||
| const config$LWS = CONFIG$LWS[configName$LWS]; | ||
| configuredDOMPurifyInstance$LWS = createDOMPurify__default$LWS["default"](); | ||
| configuredDOMPurifyInstance$LWS.setConfig(config$LWS); | ||
| const hooksRegistry$LWS = createSantizerHooksRegistry$LWS(sandboxKey$LWS); | ||
| for (const hookName$LWS in hooksRegistry$LWS) { | ||
| configuredDOMPurifyInstance$LWS.addHook(hookName$LWS, hooksRegistry$LWS[hookName$LWS]); | ||
| } | ||
| sandboxConfiguredSanitizerInstances$LWS[configName$LWS] = configuredDOMPurifyInstance$LWS; | ||
| } | ||
| return configuredDOMPurifyInstance$LWS; | ||
| return dompurify$LWS; | ||
| } | ||
| function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) { | ||
| const svgSanitizer$LWS = getSanitizerForConfig$LWS(SHARED_SVG_SANITIZER_KEY$LWS, 'NODE_SVG'); | ||
| return svgSanitizer$LWS.sanitize(dirty$LWS); | ||
| } | ||
| const SANITIZE_ATTRIBUTES_LIST$LWS = shared$LWS.toSafeArray(['href', 'xlink:href']); | ||
| const SANITIZER_HOOKS_REGISTRY$LWS = { | ||
| __proto__: null, | ||
| uponSanitizeAttribute: sanitizeHrefAttributeHook$LWS | ||
| }; | ||
| const htmlTemplate$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElement, document, ['template']); | ||
| const normalizerAnchor$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElement, document, ['a']); // Queue for managing pending xhr requests. | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| const urlAsString$LWS = shared$LWS.toString(url$LWS); | ||
| const queue$LWS = shared$LWS.toSafeSet(new shared$LWS.SetCtor()); // A regexp to find all non lowercase alphanumeric. | ||
| if (shared$LWS.ReflectApply(shared$LWS.StringProtoStartsWith, urlAsString$LWS, ['#'])) { | ||
| return url$LWS; | ||
| } | ||
| const urlReplacerRegExp$LWS = /[^a-z0-9]+/gi; | ||
| const normalizedHref$LWS = parseHref$LWS(urlAsString$LWS); // Sanitize only for supported URL_SCHEMES_LIST. | ||
| if (sharedUrl$LWS.URL_SCHEMES_LIST.includes(normalizedHref$LWS.protocol)) { | ||
| const container$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoGetElementById, document, [normalizedHref$LWS.normalizedURL]); // Have we sanitized this URL already? | ||
| if (container$LWS && normalizedHref$LWS.normalizedFragment) { | ||
| checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS); | ||
| } else if (!container$LWS) { | ||
| fetchAndSanitize$LWS(normalizedHref$LWS); | ||
| } // If this has been in the form of http://my-url/file.svg#fragment we | ||
| // return the normalized fragment otherwise we return the normalized URL. | ||
| return normalizedHref$LWS.requestedFragment ? `#${normalizedHref$LWS.normalizedFragment}` : `#${normalizedHref$LWS.normalizedURL}`; | ||
| } | ||
| return url$LWS; | ||
| } | ||
| function updater$LWS(container$LWS, normalizedHref$LWS) { | ||
| const { | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| requestedFragment: requestedFragment$LWS | ||
| } = normalizedHref$LWS; | ||
| let el$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoQuerySelector, container$LWS, [`#${normalizedFragment$LWS}`]); // istanbul ignore else | ||
| if (el$LWS === null) { | ||
| try { | ||
| el$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoQuerySelector, container$LWS, [`#${requestedFragment$LWS}`]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, el$LWS, ['id', normalizedFragment$LWS]); | ||
| } catch (_unused$LWS) {// Catch all malformed CSS3 selectors. | ||
| // getElementById not available on Node. | ||
| // Cannot use document.getElementById because multiple containers | ||
| // may have the same ids for SVG elements. | ||
| } | ||
| } | ||
| } | ||
| function checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS) { | ||
| if (queue$LWS.has(normalizedHref$LWS.normalizedURL)) { | ||
| if (queue$LWS.has(normalizedHref$LWS.normalizedUrl)) { | ||
| // Wait for request to finish, then update content. | ||
| const interval$LWS = sharedDom$LWS.WindowSetInterval(() => { | ||
| // istanbul ignore else | ||
| if (!queue$LWS.has(normalizedHref$LWS.normalizedURL)) { | ||
| if (!queue$LWS.has(normalizedHref$LWS.normalizedUrl)) { | ||
| updater$LWS(container$LWS, normalizedHref$LWS); | ||
@@ -219,7 +115,16 @@ sharedDom$LWS.WindowClearInterval(interval$LWS); | ||
| function createUrlContainer$LWS(url$LWS) { | ||
| const container$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElement, document, ['div']); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, container$LWS, ['style', 'display:none']); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, container$LWS, ['id', url$LWS]); | ||
| const body$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoBodyGetter, document, []); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoAppendChild, body$LWS, [container$LWS]); | ||
| return container$LWS; | ||
| } | ||
| function fetchAndSanitize$LWS(normalizedHref$LWS) { | ||
| // This is the first time we see this href. | ||
| const container$LWS = createUrlContainer$LWS(normalizedHref$LWS.normalizedURL); // Put the URL we're fetching in a queue. | ||
| const container$LWS = createUrlContainer$LWS(normalizedHref$LWS.normalizedUrl); // Put the URL we're fetching in a queue. | ||
| queue$LWS.add(normalizedHref$LWS.normalizedURL); // Initiate an XHR to fetch the resource. | ||
| queue$LWS.add(normalizedHref$LWS.normalizedUrl); // Initiate an XHR to fetch the resource. | ||
@@ -232,4 +137,3 @@ const xhr$LWS = new sharedDom$LWS.XhrCtor(); | ||
| // Retrieved content should be sanitized immediately. | ||
| const responseText$LWS = shared$LWS.ReflectApply(sharedDom$LWS.XhrProtoResponseTextGetter, xhr$LWS, []); // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| const responseText$LWS = shared$LWS.ReflectApply(sharedDom$LWS.XhrProtoResponseTextGetter, xhr$LWS, []); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(responseText$LWS); // Look for the container again in case other requests have finished | ||
@@ -247,6 +151,6 @@ // earlier for the same URL. | ||
| shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoAppendChild, container$LWS, [fragment$LWS]); | ||
| queue$LWS.delete(normalizedHref$LWS.normalizedURL); | ||
| queue$LWS.delete(normalizedHref$LWS.normalizedUrl); | ||
| } | ||
| }]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.XhrProtoOpen, xhr$LWS, ['GET', normalizedHref$LWS.requestedURL]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.XhrProtoOpen, xhr$LWS, ['GET', normalizedHref$LWS.requestedUrl]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.XhrProtoSend, xhr$LWS, []); | ||
@@ -256,64 +160,59 @@ } | ||
| function parseHref$LWS(url$LWS) { | ||
| shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoHrefSetter, sharedUrl$LWS.normalizerAnchor, [url$LWS]); | ||
| const href$LWS = shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoHrefGetter, sharedUrl$LWS.normalizerAnchor, []); | ||
| const protocol$LWS = shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoProtocolGetter, sharedUrl$LWS.normalizerAnchor, []); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoHrefSetter, normalizerAnchor$LWS, [url$LWS]); | ||
| const href$LWS = shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoHrefGetter, normalizerAnchor$LWS, []); | ||
| const protocol$LWS = shared$LWS.ReflectApply(sharedDom$LWS.HTMLAnchorElementProtoProtocolGetter, normalizerAnchor$LWS, []); | ||
| const { | ||
| 0: requestedURL$LWS, | ||
| 0: requestedUrl$LWS, | ||
| 1: requestedFragment$LWS | ||
| } = shared$LWS.ReflectApply(shared$LWS.StringProtoSplit, href$LWS, ['#']); | ||
| const loweredUrl$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoToLowerCase, requestedURL$LWS, []); // RegExp.prototype[Symbol.replace] resets the lastIndex of global regexp to 0. | ||
| } = shared$LWS.ReflectApply(shared$LWS.StringProtoSplit, href$LWS, ['#']); // RegExp.prototype[Symbol.replace] resets the lastIndex of global regexp to 0. | ||
| // https://tc39.es/ecma262/#sec-regexp.prototype-@@replace | ||
| const normalizedURL$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, loweredUrl$LWS, [urlReplacerRegExp$LWS, '']); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedURL$LWS}_${shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, requestedFragment$LWS, [urlReplacerRegExp$LWS, ''])}` : ''; | ||
| const loweredUrl$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoToLowerCase, requestedUrl$LWS, []); | ||
| const normalizedUrl$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, loweredUrl$LWS, [urlReplacerRegExp$LWS, '']); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedUrl$LWS}_${shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, requestedFragment$LWS, [urlReplacerRegExp$LWS, ''])}` : ''; | ||
| return { | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| normalizedURL: normalizedURL$LWS, | ||
| normalizedUrl: normalizedUrl$LWS, | ||
| protocol: protocol$LWS, | ||
| requestedFragment: requestedFragment$LWS, | ||
| requestedURL: requestedURL$LWS | ||
| requestedUrl: requestedUrl$LWS | ||
| }; | ||
| } // Sanitize a URL representing a SVG href attribute value. | ||
| } | ||
| function uponSanitizeAttribute$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| function updater$LWS(container$LWS, normalizedHref$LWS) { | ||
| const { | ||
| attrValue: attrValue$LWS, | ||
| attrName: attrName$LWS | ||
| } = data$LWS; | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| requestedFragment: requestedFragment$LWS | ||
| } = normalizedHref$LWS; | ||
| let el$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoQuerySelector, container$LWS, [`#${normalizedFragment$LWS}`]); // istanbul ignore else | ||
| if (attrValue$LWS && shared$LWS.ReflectApply(shared$LWS.StringProtoToUpperCase, shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoNodeNameGetter, node$LWS, []), []) === 'USE' && SANITIZE_ATTRIBUTES_LIST$LWS.includes(attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| if (el$LWS === null) { | ||
| try { | ||
| el$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoQuerySelector, container$LWS, [`#${requestedFragment$LWS}`]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoSetAttribute, el$LWS, ['id', normalizedFragment$LWS]); | ||
| } catch (_unused$LWS) {// Catch all malformed CSS3 selectors. | ||
| // getElementById not available on Node. | ||
| // Cannot use document.getElementById because multiple containers | ||
| // may have the same ids for SVG elements. | ||
| } | ||
| } | ||
| return data$LWS; | ||
| } | ||
| function blobSanitizer$LWS(sandboxKey$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new shared$LWS.LockerSecurityError(shared$LWS.ERR_INVALID_SANDBOX_KEY); | ||
| } | ||
| return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML'); | ||
| function blobSanitizer$LWS() { | ||
| return sanitizer$LWS(STRING_BLOB_HTML$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| } | ||
| function svgSanitizer$LWS() { | ||
| // SVG sanitization can be shared since there won't be custom elements created from existing SVG elements, | ||
| // and all SVG sanitization is subject to the same rules. | ||
| return getSanitizerForConfig$LWS(SHARED_SVG_SANITIZER_KEY$LWS, 'NODE_SVG'); | ||
| return sanitizer$LWS(NODE_SVG$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| } | ||
| function sanitize$LWS(dirty$LWS, sandboxKey$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new shared$LWS.LockerSecurityError(shared$LWS.ERR_INVALID_SANDBOX_KEY); | ||
| } | ||
| function sanitize$LWS(dirty$LWS) { | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoInnerHTMLSetter, htmlTemplate$LWS, [dirty$LWS]); | ||
| const content$LWS = shared$LWS.ReflectApply(sharedDom$LWS.HTMLTemplateElementProtoContentGetter, htmlTemplate$LWS, []); | ||
| const sanitizer$LWS = getSanitizerForConfig$LWS(sandboxKey$LWS, 'NODE_ALL_IN_PLACE'); | ||
| sanitizer$LWS.sanitize(content$LWS); | ||
| const sanitizer$1$LWS = sanitizer$LWS(NODE_ALL_IN_PLACE$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| sanitizer$1$LWS.sanitize(content$LWS); | ||
| return shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoInnerHTMLGetter, htmlTemplate$LWS, []); | ||
| } | ||
| function sanitizeDocument$LWS(doc$LWS, sandboxKey$LWS) { | ||
| function sanitizeDocument$LWS(doc$LWS) { | ||
| const docEl$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoDocumentElementGetter, doc$LWS, []); | ||
@@ -324,6 +223,46 @@ const content$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoOuterHTMLGetter, docEl$LWS, []); | ||
| const newDocEl$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoDocumentElementGetter, newDoc$LWS, []); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoInnerHTMLSetter, newDocEl$LWS, [sanitize$LWS(content$LWS, sandboxKey$LWS)]); | ||
| shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoInnerHTMLSetter, newDocEl$LWS, [sanitize$LWS(content$LWS)]); | ||
| return newDoc$LWS; | ||
| } // Sanitize a URL representing a SVG href attribute value. | ||
| function sanitizeHrefAttributeHook$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| const { | ||
| attrValue: attrValue$LWS, | ||
| attrName: attrName$LWS | ||
| } = data$LWS; | ||
| if (attrValue$LWS && shared$LWS.ReflectApply(shared$LWS.StringProtoToUpperCase, shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoNodeNameGetter, node$LWS, []), []) === 'USE' && SANITIZE_ATTRIBUTES_LIST$LWS.includes(attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| } | ||
| return data$LWS; | ||
| } | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| const urlAsString$LWS = shared$LWS.toString(url$LWS); | ||
| if (shared$LWS.ReflectApply(shared$LWS.StringProtoStartsWith, urlAsString$LWS, ['#'])) { | ||
| return url$LWS; | ||
| } | ||
| const normalizedHref$LWS = parseHref$LWS(urlAsString$LWS); // Sanitize only for supported URL_SCHEMES_LIST. | ||
| if (sharedUrl$LWS.URL_SCHEMES_LIST.includes(normalizedHref$LWS.protocol)) { | ||
| const container$LWS = shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoGetElementById, document, [normalizedHref$LWS.normalizedUrl]); // Have we sanitized this URL already? | ||
| if (container$LWS && normalizedHref$LWS.normalizedFragment) { | ||
| checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS); | ||
| } else if (!container$LWS) { | ||
| fetchAndSanitize$LWS(normalizedHref$LWS); | ||
| } // If this has been in the form of http://my-url/file.svg#fragment we | ||
| // return the normalized fragment otherwise we return the normalized URL. | ||
| return normalizedHref$LWS.requestedFragment ? `#${normalizedHref$LWS.normalizedFragment}` : `#${normalizedHref$LWS.normalizedUrl}`; | ||
| } | ||
| return url$LWS; | ||
| } | ||
| function createSvgContainer$LWS(ownerDoc$LWS) { | ||
@@ -348,4 +287,3 @@ return shared$LWS.ReflectApply(sharedDom$LWS.DocumentProtoCreateElementNS, ownerDoc$LWS, [sharedDom$LWS.NAMESPACE_SVG, 'svg']); | ||
| const outerHTML$LWS = shared$LWS.ReflectApply(sharedDom$LWS.ElementProtoOuterHTMLGetter, container$LWS, []); | ||
| const replacedOuterHTML$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, outerHTML$LWS, ['<!---->', dirty$LWS]); // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| const replacedOuterHTML$LWS = shared$LWS.ReflectApply(shared$LWS.StringProtoReplace, outerHTML$LWS, ['<!---->', dirty$LWS]); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(replacedOuterHTML$LWS); | ||
@@ -356,11 +294,16 @@ const firstChild$LWS = shared$LWS.ReflectApply(sharedDom$LWS.NodeProtoFirstChildGetter, fragment$LWS, []); | ||
| function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) { | ||
| const sanitizer$LWS = svgSanitizer$LWS(); | ||
| return sanitizer$LWS.sanitize(dirty$LWS); | ||
| } | ||
| exports.blobSanitizer = blobSanitizer$LWS; | ||
| exports.getSanitizerForConfig = getSanitizerForConfig$LWS; | ||
| exports.sanitize = sanitize$LWS; | ||
| exports.sanitizeDocument = sanitizeDocument$LWS; | ||
| exports.sanitizeHrefAttributeHook = sanitizeHrefAttributeHook$LWS; | ||
| exports.sanitizeSvgHref = sanitizeSvgHref$LWS; | ||
| exports.sanitizeSvgInnerHtml = sanitizeSvgInnerHtml$LWS; | ||
| exports.sanitizeSvgTextReturnDOM = sanitizeSvgTextReturnDOM$LWS; | ||
| exports.sanitizer = sanitizer$LWS; | ||
| exports.svgSanitizer = svgSanitizer$LWS; | ||
| exports.uponSanitizeAttribute = uponSanitizeAttribute$LWS; | ||
| /*! version: 0.18.6 */ | ||
| /*! version: 0.17.25 */ |
| /*! | ||
| * Copyright (C) 2019 salesforce.com, inc. | ||
| */ | ||
| import { ArrayConcat as ArrayConcat$LWS, shallowCloneArray as shallowCloneArray$LWS, ObjectAssign as ObjectAssign$LWS, ReflectApply as ReflectApply$LWS, ArrayProtoFilter as ArrayProtoFilter$LWS, toSafeArray as toSafeArray$LWS, toSafeSet as toSafeSet$LWS, SetCtor as SetCtor$LWS, LockerSecurityError as LockerSecurityError$LWS, ERR_INVALID_SANDBOX_KEY as ERR_INVALID_SANDBOX_KEY$LWS, toString as toString$LWS, StringProtoStartsWith as StringProtoStartsWith$LWS, StringProtoSplit as StringProtoSplit$LWS, StringProtoToLowerCase as StringProtoToLowerCase$LWS, StringProtoReplace as StringProtoReplace$LWS, StringProtoToUpperCase as StringProtoToUpperCase$LWS, RegExpProtoTest as RegExpProtoTest$LWS } from '@locker/shared'; | ||
| import { DocumentProtoCreateElement as DocumentProtoCreateElement$LWS, DocumentProtoGetElementById as DocumentProtoGetElementById$LWS, WindowSetInterval as WindowSetInterval$LWS, WindowClearInterval as WindowClearInterval$LWS, XhrCtor as XhrCtor$LWS, EventTargetProtoAddEventListener as EventTargetProtoAddEventListener$LWS, XhrProtoStatusGetter as XhrProtoStatusGetter$LWS, XhrProtoResponseTextGetter as XhrProtoResponseTextGetter$LWS, DocumentFragmentProtoGetElementById as DocumentFragmentProtoGetElementById$LWS, ElementProtoSetAttribute as ElementProtoSetAttribute$LWS, NodeProtoAppendChild as NodeProtoAppendChild$LWS, XhrProtoOpen as XhrProtoOpen$LWS, XhrProtoSend as XhrProtoSend$LWS, HTMLAnchorElementProtoHrefSetter as HTMLAnchorElementProtoHrefSetter$LWS, HTMLAnchorElementProtoHrefGetter as HTMLAnchorElementProtoHrefGetter$LWS, HTMLAnchorElementProtoProtocolGetter as HTMLAnchorElementProtoProtocolGetter$LWS, NodeProtoNodeNameGetter as NodeProtoNodeNameGetter$LWS, DocumentProtoBodyGetter as DocumentProtoBodyGetter$LWS, ElementProtoQuerySelector as ElementProtoQuerySelector$LWS, ElementProtoHasAttribute as ElementProtoHasAttribute$LWS, CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME as CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME$LWS, ElementProtoInnerHTMLSetter as ElementProtoInnerHTMLSetter$LWS, HTMLTemplateElementProtoContentGetter as HTMLTemplateElementProtoContentGetter$LWS, ElementProtoInnerHTMLGetter as ElementProtoInnerHTMLGetter$LWS, DocumentProtoDocumentElementGetter as DocumentProtoDocumentElementGetter$LWS, ElementProtoOuterHTMLGetter as ElementProtoOuterHTMLGetter$LWS, DocumentProtoImplementationGetter as DocumentProtoImplementationGetter$LWS, DOMImplementationProtoCreateDocument as DOMImplementationProtoCreateDocument$LWS, NAMESPACE_XHTML as NAMESPACE_XHTML$LWS, NodeProtoOwnerDocumentGetter as NodeProtoOwnerDocumentGetter$LWS, ElementProtoClosest as ElementProtoClosest$LWS, NodeProtoCloneNode as NodeProtoCloneNode$LWS, DocumentProtoCreateComment as DocumentProtoCreateComment$LWS, NodeProtoFirstChildGetter as NodeProtoFirstChildGetter$LWS, DocumentProtoCreateElementNS as DocumentProtoCreateElementNS$LWS, NAMESPACE_SVG as NAMESPACE_SVG$LWS } from '@locker/shared-dom'; | ||
| import { URL_SCHEMES_LIST as URL_SCHEMES_LIST$LWS, normalizerAnchor as normalizerAnchor$LWS } from '@locker/shared-url'; | ||
| import { ArrayConcat as ArrayConcat$LWS, shallowCloneArray as shallowCloneArray$LWS, ObjectAssign as ObjectAssign$LWS, ReflectApply as ReflectApply$LWS, ArrayProtoFilter as ArrayProtoFilter$LWS, toSafeWeakMap as toSafeWeakMap$LWS, WeakMapCtor as WeakMapCtor$LWS, toSafeArray as toSafeArray$LWS, toSafeSet as toSafeSet$LWS, SetCtor as SetCtor$LWS, StringProtoToUpperCase as StringProtoToUpperCase$LWS, toString as toString$LWS, StringProtoStartsWith as StringProtoStartsWith$LWS, StringProtoReplace as StringProtoReplace$LWS, StringProtoSplit as StringProtoSplit$LWS, StringProtoToLowerCase as StringProtoToLowerCase$LWS } from '@locker/shared'; | ||
| import { DocumentProtoCreateElement as DocumentProtoCreateElement$LWS, ElementProtoInnerHTMLSetter as ElementProtoInnerHTMLSetter$LWS, HTMLTemplateElementProtoContentGetter as HTMLTemplateElementProtoContentGetter$LWS, ElementProtoInnerHTMLGetter as ElementProtoInnerHTMLGetter$LWS, DocumentProtoDocumentElementGetter as DocumentProtoDocumentElementGetter$LWS, ElementProtoOuterHTMLGetter as ElementProtoOuterHTMLGetter$LWS, DocumentProtoImplementationGetter as DocumentProtoImplementationGetter$LWS, DOMImplementationProtoCreateDocument as DOMImplementationProtoCreateDocument$LWS, NAMESPACE_XHTML as NAMESPACE_XHTML$LWS, NodeProtoNodeNameGetter as NodeProtoNodeNameGetter$LWS, DocumentProtoGetElementById as DocumentProtoGetElementById$LWS, NodeProtoOwnerDocumentGetter as NodeProtoOwnerDocumentGetter$LWS, ElementProtoClosest as ElementProtoClosest$LWS, NodeProtoCloneNode as NodeProtoCloneNode$LWS, DocumentProtoCreateComment as DocumentProtoCreateComment$LWS, NodeProtoAppendChild as NodeProtoAppendChild$LWS, NodeProtoFirstChildGetter as NodeProtoFirstChildGetter$LWS, WindowSetInterval as WindowSetInterval$LWS, WindowClearInterval as WindowClearInterval$LWS, XhrCtor as XhrCtor$LWS, EventTargetProtoAddEventListener as EventTargetProtoAddEventListener$LWS, XhrProtoStatusGetter as XhrProtoStatusGetter$LWS, XhrProtoResponseTextGetter as XhrProtoResponseTextGetter$LWS, DocumentFragmentProtoGetElementById as DocumentFragmentProtoGetElementById$LWS, ElementProtoSetAttribute as ElementProtoSetAttribute$LWS, XhrProtoOpen as XhrProtoOpen$LWS, XhrProtoSend as XhrProtoSend$LWS, HTMLAnchorElementProtoHrefSetter as HTMLAnchorElementProtoHrefSetter$LWS, HTMLAnchorElementProtoHrefGetter as HTMLAnchorElementProtoHrefGetter$LWS, HTMLAnchorElementProtoProtocolGetter as HTMLAnchorElementProtoProtocolGetter$LWS, ElementProtoQuerySelector as ElementProtoQuerySelector$LWS, DocumentProtoCreateElementNS as DocumentProtoCreateElementNS$LWS, NAMESPACE_SVG as NAMESPACE_SVG$LWS, DocumentProtoBodyGetter as DocumentProtoBodyGetter$LWS } from '@locker/shared-dom'; | ||
| import { URL_SCHEMES_LIST as URL_SCHEMES_LIST$LWS } from '@locker/shared-url'; | ||
| import createDOMPurify$LWS from 'dompurify'; | ||
@@ -47,146 +47,42 @@ const ariaAttributes$LWS = ['aria-activedescendant', 'aria-atomic', 'aria-autocomplete', 'aria-busy', 'aria-checked', 'aria-controls', 'aria-describedby', 'aria-disabled', 'aria-readonly', 'aria-dropeffect', 'aria-expanded', 'aria-flowto', 'aria-grabbed', 'aria-haspopup', 'aria-hidden', 'aria-disabled', 'aria-invalid', 'aria-label', 'aria-labelledby', 'aria-level', 'aria-live', 'aria-multiline', 'aria-multiselectable', 'aria-orientation', 'aria-owns', 'aria-posinset', 'aria-pressed', 'aria-readonly', 'aria-relevant', 'aria-required', 'aria-selected', 'aria-setsize', 'aria-sort', 'aria-valuemax', 'aria-valuemin', 'aria-valuenow', 'aria-valuetext', 'role', 'target']; | ||
| }; | ||
| var CONFIG$LWS = /*#__PURE__*/Object.freeze({ | ||
| __proto__: null, | ||
| NODE_ALL_IN_PLACE: NODE_ALL_IN_PLACE$LWS, | ||
| NODE_SVG: NODE_SVG$LWS, | ||
| STRING_BLOB_HTML: STRING_BLOB_HTML$LWS | ||
| }); | ||
| const instancesBySandboxKeyRegistry$LWS = { | ||
| __proto__: null | ||
| }; | ||
| const SANITIZE_ATTRIBUTES_LIST$LWS = toSafeArray$LWS(['href', 'xlink:href']); | ||
| const SHARED_SVG_SANITIZER_KEY$LWS = 'SHARED_SVG_SANITIZER_KEY'; | ||
| const htmlTemplate$LWS = ReflectApply$LWS(DocumentProtoCreateElement$LWS, document, ['template']); // Queue for managing pending XHR requests. | ||
| const instances$LWS = toSafeWeakMap$LWS(new WeakMapCtor$LWS()); | ||
| const queue$LWS = toSafeSet$LWS(new SetCtor$LWS()); // A regexp to find all non lowercase alphanumeric. | ||
| function sanitizer$LWS(config$LWS, hooksRegistry$LWS) { | ||
| let dompurify$LWS = instances$LWS.get(config$LWS); | ||
| const urlReplacerRegExp$LWS = /[^a-z0-9]+/gi; | ||
| if (dompurify$LWS === undefined) { | ||
| dompurify$LWS = createDOMPurify$LWS(); | ||
| dompurify$LWS.setConfig(config$LWS); | ||
| function createSantizerHooksRegistry$LWS(sandboxKey$LWS) { | ||
| return { | ||
| __proto__: null, | ||
| // uponSanitizeAttribute is generic, so its definition can be a reused function | ||
| // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| uponSanitizeAttribute: uponSanitizeAttribute$LWS, | ||
| // uponSanitizeElement is sandbox-key-specific | ||
| uponSanitizeElement(node$LWS, data$LWS, config$LWS) { | ||
| var _config$CUSTOM_ELEMEN$LWS; | ||
| const { | ||
| tagName: tagName$LWS | ||
| } = data$LWS; | ||
| const tagNameCheck$LWS = config$LWS == null ? void 0 : (_config$CUSTOM_ELEMEN$LWS = config$LWS.CUSTOM_ELEMENT_HANDLING) == null ? void 0 : _config$CUSTOM_ELEMEN$LWS.tagNameCheck; | ||
| if (tagNameCheck$LWS && ReflectApply$LWS(RegExpProtoTest$LWS, tagNameCheck$LWS, [tagName$LWS]) && // This MUST be called ONLY after we've ensured the previous | ||
| // two conditions have been met, otherwise it may result in an | ||
| // unwanted "Illegal invocation" on a node we don't care about. | ||
| !ReflectApply$LWS(ElementProtoHasAttribute$LWS, node$LWS, [CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME$LWS])) { | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, node$LWS, [CUSTOM_ELEMENT_REGISTRY_ATTRIBUTE_NAME$LWS, sandboxKey$LWS]); | ||
| for (const hookName$LWS in hooksRegistry$LWS) { | ||
| // istanbul ignore else | ||
| if (hooksRegistry$LWS) { | ||
| dompurify$LWS.addHook(hookName$LWS, hooksRegistry$LWS[hookName$LWS]); | ||
| } | ||
| } | ||
| }; | ||
| } | ||
| function createUrlContainer$LWS(url$LWS) { | ||
| const container$LWS = ReflectApply$LWS(DocumentProtoCreateElement$LWS, document, ['div']); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, container$LWS, ['style', 'display:none']); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, container$LWS, ['id', url$LWS]); | ||
| const body$LWS = ReflectApply$LWS(DocumentProtoBodyGetter$LWS, document, []); | ||
| ReflectApply$LWS(NodeProtoAppendChild$LWS, body$LWS, [container$LWS]); | ||
| return container$LWS; | ||
| } | ||
| function getSanitizerForConfig$LWS(sandboxKey$LWS, configName$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new LockerSecurityError$LWS(ERR_INVALID_SANDBOX_KEY$LWS); | ||
| instances$LWS.set(config$LWS, dompurify$LWS); | ||
| } | ||
| if (typeof configName$LWS !== 'string') { | ||
| throw new LockerSecurityError$LWS('Invalid config name.'); | ||
| } | ||
| let sandboxConfiguredSanitizerInstances$LWS = instancesBySandboxKeyRegistry$LWS[sandboxKey$LWS]; | ||
| if (sandboxConfiguredSanitizerInstances$LWS === undefined) { | ||
| sandboxConfiguredSanitizerInstances$LWS = instancesBySandboxKeyRegistry$LWS[sandboxKey$LWS] = { | ||
| __proto__: null | ||
| }; | ||
| } | ||
| let configuredDOMPurifyInstance$LWS = sandboxConfiguredSanitizerInstances$LWS[configName$LWS]; | ||
| if (configuredDOMPurifyInstance$LWS === undefined) { | ||
| const config$LWS = CONFIG$LWS[configName$LWS]; | ||
| configuredDOMPurifyInstance$LWS = createDOMPurify$LWS(); | ||
| configuredDOMPurifyInstance$LWS.setConfig(config$LWS); | ||
| const hooksRegistry$LWS = createSantizerHooksRegistry$LWS(sandboxKey$LWS); | ||
| for (const hookName$LWS in hooksRegistry$LWS) { | ||
| configuredDOMPurifyInstance$LWS.addHook(hookName$LWS, hooksRegistry$LWS[hookName$LWS]); | ||
| } | ||
| sandboxConfiguredSanitizerInstances$LWS[configName$LWS] = configuredDOMPurifyInstance$LWS; | ||
| } | ||
| return configuredDOMPurifyInstance$LWS; | ||
| return dompurify$LWS; | ||
| } | ||
| function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) { | ||
| const svgSanitizer$LWS = getSanitizerForConfig$LWS(SHARED_SVG_SANITIZER_KEY$LWS, 'NODE_SVG'); | ||
| return svgSanitizer$LWS.sanitize(dirty$LWS); | ||
| } | ||
| const SANITIZE_ATTRIBUTES_LIST$LWS = toSafeArray$LWS(['href', 'xlink:href']); | ||
| const SANITIZER_HOOKS_REGISTRY$LWS = { | ||
| __proto__: null, | ||
| uponSanitizeAttribute: sanitizeHrefAttributeHook$LWS | ||
| }; | ||
| const htmlTemplate$LWS = ReflectApply$LWS(DocumentProtoCreateElement$LWS, document, ['template']); | ||
| const normalizerAnchor$LWS = ReflectApply$LWS(DocumentProtoCreateElement$LWS, document, ['a']); // Queue for managing pending xhr requests. | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| const urlAsString$LWS = toString$LWS(url$LWS); | ||
| const queue$LWS = toSafeSet$LWS(new SetCtor$LWS()); // A regexp to find all non lowercase alphanumeric. | ||
| if (ReflectApply$LWS(StringProtoStartsWith$LWS, urlAsString$LWS, ['#'])) { | ||
| return url$LWS; | ||
| } | ||
| const urlReplacerRegExp$LWS = /[^a-z0-9]+/gi; | ||
| const normalizedHref$LWS = parseHref$LWS(urlAsString$LWS); // Sanitize only for supported URL_SCHEMES_LIST. | ||
| if (URL_SCHEMES_LIST$LWS.includes(normalizedHref$LWS.protocol)) { | ||
| const container$LWS = ReflectApply$LWS(DocumentProtoGetElementById$LWS, document, [normalizedHref$LWS.normalizedURL]); // Have we sanitized this URL already? | ||
| if (container$LWS && normalizedHref$LWS.normalizedFragment) { | ||
| checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS); | ||
| } else if (!container$LWS) { | ||
| fetchAndSanitize$LWS(normalizedHref$LWS); | ||
| } // If this has been in the form of http://my-url/file.svg#fragment we | ||
| // return the normalized fragment otherwise we return the normalized URL. | ||
| return normalizedHref$LWS.requestedFragment ? `#${normalizedHref$LWS.normalizedFragment}` : `#${normalizedHref$LWS.normalizedURL}`; | ||
| } | ||
| return url$LWS; | ||
| } | ||
| function updater$LWS(container$LWS, normalizedHref$LWS) { | ||
| const { | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| requestedFragment: requestedFragment$LWS | ||
| } = normalizedHref$LWS; | ||
| let el$LWS = ReflectApply$LWS(ElementProtoQuerySelector$LWS, container$LWS, [`#${normalizedFragment$LWS}`]); // istanbul ignore else | ||
| if (el$LWS === null) { | ||
| try { | ||
| el$LWS = ReflectApply$LWS(ElementProtoQuerySelector$LWS, container$LWS, [`#${requestedFragment$LWS}`]); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, el$LWS, ['id', normalizedFragment$LWS]); | ||
| } catch (_unused$LWS) {// Catch all malformed CSS3 selectors. | ||
| // getElementById not available on Node. | ||
| // Cannot use document.getElementById because multiple containers | ||
| // may have the same ids for SVG elements. | ||
| } | ||
| } | ||
| } | ||
| function checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS) { | ||
| if (queue$LWS.has(normalizedHref$LWS.normalizedURL)) { | ||
| if (queue$LWS.has(normalizedHref$LWS.normalizedUrl)) { | ||
| // Wait for request to finish, then update content. | ||
| const interval$LWS = WindowSetInterval$LWS(() => { | ||
| // istanbul ignore else | ||
| if (!queue$LWS.has(normalizedHref$LWS.normalizedURL)) { | ||
| if (!queue$LWS.has(normalizedHref$LWS.normalizedUrl)) { | ||
| updater$LWS(container$LWS, normalizedHref$LWS); | ||
@@ -201,7 +97,16 @@ WindowClearInterval$LWS(interval$LWS); | ||
| function createUrlContainer$LWS(url$LWS) { | ||
| const container$LWS = ReflectApply$LWS(DocumentProtoCreateElement$LWS, document, ['div']); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, container$LWS, ['style', 'display:none']); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, container$LWS, ['id', url$LWS]); | ||
| const body$LWS = ReflectApply$LWS(DocumentProtoBodyGetter$LWS, document, []); | ||
| ReflectApply$LWS(NodeProtoAppendChild$LWS, body$LWS, [container$LWS]); | ||
| return container$LWS; | ||
| } | ||
| function fetchAndSanitize$LWS(normalizedHref$LWS) { | ||
| // This is the first time we see this href. | ||
| const container$LWS = createUrlContainer$LWS(normalizedHref$LWS.normalizedURL); // Put the URL we're fetching in a queue. | ||
| const container$LWS = createUrlContainer$LWS(normalizedHref$LWS.normalizedUrl); // Put the URL we're fetching in a queue. | ||
| queue$LWS.add(normalizedHref$LWS.normalizedURL); // Initiate an XHR to fetch the resource. | ||
| queue$LWS.add(normalizedHref$LWS.normalizedUrl); // Initiate an XHR to fetch the resource. | ||
@@ -214,4 +119,3 @@ const xhr$LWS = new XhrCtor$LWS(); | ||
| // Retrieved content should be sanitized immediately. | ||
| const responseText$LWS = ReflectApply$LWS(XhrProtoResponseTextGetter$LWS, xhr$LWS, []); // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| const responseText$LWS = ReflectApply$LWS(XhrProtoResponseTextGetter$LWS, xhr$LWS, []); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(responseText$LWS); // Look for the container again in case other requests have finished | ||
@@ -229,6 +133,6 @@ // earlier for the same URL. | ||
| ReflectApply$LWS(NodeProtoAppendChild$LWS, container$LWS, [fragment$LWS]); | ||
| queue$LWS.delete(normalizedHref$LWS.normalizedURL); | ||
| queue$LWS.delete(normalizedHref$LWS.normalizedUrl); | ||
| } | ||
| }]); | ||
| ReflectApply$LWS(XhrProtoOpen$LWS, xhr$LWS, ['GET', normalizedHref$LWS.requestedURL]); | ||
| ReflectApply$LWS(XhrProtoOpen$LWS, xhr$LWS, ['GET', normalizedHref$LWS.requestedUrl]); | ||
| ReflectApply$LWS(XhrProtoSend$LWS, xhr$LWS, []); | ||
@@ -242,60 +146,55 @@ } | ||
| const { | ||
| 0: requestedURL$LWS, | ||
| 0: requestedUrl$LWS, | ||
| 1: requestedFragment$LWS | ||
| } = ReflectApply$LWS(StringProtoSplit$LWS, href$LWS, ['#']); | ||
| const loweredUrl$LWS = ReflectApply$LWS(StringProtoToLowerCase$LWS, requestedURL$LWS, []); // RegExp.prototype[Symbol.replace] resets the lastIndex of global regexp to 0. | ||
| } = ReflectApply$LWS(StringProtoSplit$LWS, href$LWS, ['#']); // RegExp.prototype[Symbol.replace] resets the lastIndex of global regexp to 0. | ||
| // https://tc39.es/ecma262/#sec-regexp.prototype-@@replace | ||
| const normalizedURL$LWS = ReflectApply$LWS(StringProtoReplace$LWS, loweredUrl$LWS, [urlReplacerRegExp$LWS, '']); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedURL$LWS}_${ReflectApply$LWS(StringProtoReplace$LWS, requestedFragment$LWS, [urlReplacerRegExp$LWS, ''])}` : ''; | ||
| const loweredUrl$LWS = ReflectApply$LWS(StringProtoToLowerCase$LWS, requestedUrl$LWS, []); | ||
| const normalizedUrl$LWS = ReflectApply$LWS(StringProtoReplace$LWS, loweredUrl$LWS, [urlReplacerRegExp$LWS, '']); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedUrl$LWS}_${ReflectApply$LWS(StringProtoReplace$LWS, requestedFragment$LWS, [urlReplacerRegExp$LWS, ''])}` : ''; | ||
| return { | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| normalizedURL: normalizedURL$LWS, | ||
| normalizedUrl: normalizedUrl$LWS, | ||
| protocol: protocol$LWS, | ||
| requestedFragment: requestedFragment$LWS, | ||
| requestedURL: requestedURL$LWS | ||
| requestedUrl: requestedUrl$LWS | ||
| }; | ||
| } // Sanitize a URL representing a SVG href attribute value. | ||
| } | ||
| function uponSanitizeAttribute$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| function updater$LWS(container$LWS, normalizedHref$LWS) { | ||
| const { | ||
| attrValue: attrValue$LWS, | ||
| attrName: attrName$LWS | ||
| } = data$LWS; | ||
| normalizedFragment: normalizedFragment$LWS, | ||
| requestedFragment: requestedFragment$LWS | ||
| } = normalizedHref$LWS; | ||
| let el$LWS = ReflectApply$LWS(ElementProtoQuerySelector$LWS, container$LWS, [`#${normalizedFragment$LWS}`]); // istanbul ignore else | ||
| if (attrValue$LWS && ReflectApply$LWS(StringProtoToUpperCase$LWS, ReflectApply$LWS(NodeProtoNodeNameGetter$LWS, node$LWS, []), []) === 'USE' && SANITIZE_ATTRIBUTES_LIST$LWS.includes(attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| if (el$LWS === null) { | ||
| try { | ||
| el$LWS = ReflectApply$LWS(ElementProtoQuerySelector$LWS, container$LWS, [`#${requestedFragment$LWS}`]); | ||
| ReflectApply$LWS(ElementProtoSetAttribute$LWS, el$LWS, ['id', normalizedFragment$LWS]); | ||
| } catch (_unused$LWS) {// Catch all malformed CSS3 selectors. | ||
| // getElementById not available on Node. | ||
| // Cannot use document.getElementById because multiple containers | ||
| // may have the same ids for SVG elements. | ||
| } | ||
| } | ||
| return data$LWS; | ||
| } | ||
| function blobSanitizer$LWS(sandboxKey$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new LockerSecurityError$LWS(ERR_INVALID_SANDBOX_KEY$LWS); | ||
| } | ||
| return getSanitizerForConfig$LWS(sandboxKey$LWS, 'STRING_BLOB_HTML'); | ||
| function blobSanitizer$LWS() { | ||
| return sanitizer$LWS(STRING_BLOB_HTML$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| } | ||
| function svgSanitizer$LWS() { | ||
| // SVG sanitization can be shared since there won't be custom elements created from existing SVG elements, | ||
| // and all SVG sanitization is subject to the same rules. | ||
| return getSanitizerForConfig$LWS(SHARED_SVG_SANITIZER_KEY$LWS, 'NODE_SVG'); | ||
| return sanitizer$LWS(NODE_SVG$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| } | ||
| function sanitize$LWS(dirty$LWS, sandboxKey$LWS) { | ||
| if (typeof sandboxKey$LWS !== 'string') { | ||
| throw new LockerSecurityError$LWS(ERR_INVALID_SANDBOX_KEY$LWS); | ||
| } | ||
| function sanitize$LWS(dirty$LWS) { | ||
| ReflectApply$LWS(ElementProtoInnerHTMLSetter$LWS, htmlTemplate$LWS, [dirty$LWS]); | ||
| const content$LWS = ReflectApply$LWS(HTMLTemplateElementProtoContentGetter$LWS, htmlTemplate$LWS, []); | ||
| const sanitizer$LWS = getSanitizerForConfig$LWS(sandboxKey$LWS, 'NODE_ALL_IN_PLACE'); | ||
| sanitizer$LWS.sanitize(content$LWS); | ||
| const sanitizer$1$LWS = sanitizer$LWS(NODE_ALL_IN_PLACE$LWS, SANITIZER_HOOKS_REGISTRY$LWS); | ||
| sanitizer$1$LWS.sanitize(content$LWS); | ||
| return ReflectApply$LWS(ElementProtoInnerHTMLGetter$LWS, htmlTemplate$LWS, []); | ||
| } | ||
| function sanitizeDocument$LWS(doc$LWS, sandboxKey$LWS) { | ||
| function sanitizeDocument$LWS(doc$LWS) { | ||
| const docEl$LWS = ReflectApply$LWS(DocumentProtoDocumentElementGetter$LWS, doc$LWS, []); | ||
@@ -306,6 +205,46 @@ const content$LWS = ReflectApply$LWS(ElementProtoOuterHTMLGetter$LWS, docEl$LWS, []); | ||
| const newDocEl$LWS = ReflectApply$LWS(DocumentProtoDocumentElementGetter$LWS, newDoc$LWS, []); | ||
| ReflectApply$LWS(ElementProtoInnerHTMLSetter$LWS, newDocEl$LWS, [sanitize$LWS(content$LWS, sandboxKey$LWS)]); | ||
| ReflectApply$LWS(ElementProtoInnerHTMLSetter$LWS, newDocEl$LWS, [sanitize$LWS(content$LWS)]); | ||
| return newDoc$LWS; | ||
| } // Sanitize a URL representing a SVG href attribute value. | ||
| function sanitizeHrefAttributeHook$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| const { | ||
| attrValue: attrValue$LWS, | ||
| attrName: attrName$LWS | ||
| } = data$LWS; | ||
| if (attrValue$LWS && ReflectApply$LWS(StringProtoToUpperCase$LWS, ReflectApply$LWS(NodeProtoNodeNameGetter$LWS, node$LWS, []), []) === 'USE' && SANITIZE_ATTRIBUTES_LIST$LWS.includes(attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| } | ||
| return data$LWS; | ||
| } | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| const urlAsString$LWS = toString$LWS(url$LWS); | ||
| if (ReflectApply$LWS(StringProtoStartsWith$LWS, urlAsString$LWS, ['#'])) { | ||
| return url$LWS; | ||
| } | ||
| const normalizedHref$LWS = parseHref$LWS(urlAsString$LWS); // Sanitize only for supported URL_SCHEMES_LIST. | ||
| if (URL_SCHEMES_LIST$LWS.includes(normalizedHref$LWS.protocol)) { | ||
| const container$LWS = ReflectApply$LWS(DocumentProtoGetElementById$LWS, document, [normalizedHref$LWS.normalizedUrl]); // Have we sanitized this URL already? | ||
| if (container$LWS && normalizedHref$LWS.normalizedFragment) { | ||
| checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS); | ||
| } else if (!container$LWS) { | ||
| fetchAndSanitize$LWS(normalizedHref$LWS); | ||
| } // If this has been in the form of http://my-url/file.svg#fragment we | ||
| // return the normalized fragment otherwise we return the normalized URL. | ||
| return normalizedHref$LWS.requestedFragment ? `#${normalizedHref$LWS.normalizedFragment}` : `#${normalizedHref$LWS.normalizedUrl}`; | ||
| } | ||
| return url$LWS; | ||
| } | ||
| function createSvgContainer$LWS(ownerDoc$LWS) { | ||
@@ -330,4 +269,3 @@ return ReflectApply$LWS(DocumentProtoCreateElementNS$LWS, ownerDoc$LWS, [NAMESPACE_SVG$LWS, 'svg']); | ||
| const outerHTML$LWS = ReflectApply$LWS(ElementProtoOuterHTMLGetter$LWS, container$LWS, []); | ||
| const replacedOuterHTML$LWS = ReflectApply$LWS(StringProtoReplace$LWS, outerHTML$LWS, ['<!---->', dirty$LWS]); // eslint-disable-next-line @typescript-eslint/no-use-before-define | ||
| const replacedOuterHTML$LWS = ReflectApply$LWS(StringProtoReplace$LWS, outerHTML$LWS, ['<!---->', dirty$LWS]); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(replacedOuterHTML$LWS); | ||
@@ -338,3 +276,8 @@ const firstChild$LWS = ReflectApply$LWS(NodeProtoFirstChildGetter$LWS, fragment$LWS, []); | ||
| export { blobSanitizer$LWS as blobSanitizer, getSanitizerForConfig$LWS as getSanitizerForConfig, sanitize$LWS as sanitize, sanitizeDocument$LWS as sanitizeDocument, sanitizeSvgHref$LWS as sanitizeSvgHref, sanitizeSvgInnerHtml$LWS as sanitizeSvgInnerHtml, sanitizeSvgTextReturnDOM$LWS as sanitizeSvgTextReturnDOM, svgSanitizer$LWS as svgSanitizer, uponSanitizeAttribute$LWS as uponSanitizeAttribute }; | ||
| /*! version: 0.18.6 */ | ||
| function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) { | ||
| const sanitizer$LWS = svgSanitizer$LWS(); | ||
| return sanitizer$LWS.sanitize(dirty$LWS); | ||
| } | ||
| export { blobSanitizer$LWS as blobSanitizer, sanitize$LWS as sanitize, sanitizeDocument$LWS as sanitizeDocument, sanitizeHrefAttributeHook$LWS as sanitizeHrefAttributeHook, sanitizeSvgHref$LWS as sanitizeSvgHref, sanitizeSvgInnerHtml$LWS as sanitizeSvgInnerHtml, sanitizeSvgTextReturnDOM$LWS as sanitizeSvgTextReturnDOM, sanitizer$LWS as sanitizer, svgSanitizer$LWS as svgSanitizer }; | ||
| /*! version: 0.17.25 */ |
| { | ||
| "name": "@locker/html-sanitizer", | ||
| "version": "0.17.24", | ||
| "version": "0.17.25", | ||
| "license": "SEE LICENSE IN LICENSE.txt", | ||
@@ -20,5 +20,5 @@ "author": "Salesforce UI Security Team", | ||
| "dependencies": { | ||
| "@locker/shared": "0.17.24", | ||
| "@locker/shared-dom": "0.17.24", | ||
| "@locker/shared-url": "0.17.24", | ||
| "@locker/shared": "0.17.25", | ||
| "@locker/shared-dom": "0.17.25", | ||
| "@locker/shared-url": "0.17.25", | ||
| "@types/dompurify": "2.3.4", | ||
@@ -32,3 +32,3 @@ "dompurify": "2.4.0" | ||
| ], | ||
| "gitHead": "5e0e0de06575de99a816fd5c71d323d75e5b361e" | ||
| "gitHead": "e3421ee28dec007fc67301084643401d4bb52171" | ||
| } |
@@ -1,10 +0,3 @@ | ||
| import type { SandboxKey } from '@locker/shared/types'; | ||
| import createDOMPurify, { HookEvent } from 'dompurify'; | ||
| import type { BaseDOMPurifyConfigName, DOMPurifyConfig, DOMPurifyInterface } from './types'; | ||
| export declare const SHARED_SVG_SANITIZER_KEY = "SHARED_SVG_SANITIZER_KEY"; | ||
| export declare const htmlTemplate: HTMLTemplateElement; | ||
| export declare function getSanitizerForConfig(sandboxKey: SandboxKey, configName: BaseDOMPurifyConfigName): DOMPurifyInterface; | ||
| export declare function sanitizeSvgTextReturnDOM(dirty: string): DocumentFragment; | ||
| export declare function sanitizeSvgHref(url: string): string; | ||
| export declare function uponSanitizeAttribute(node: Node, data: HookEvent, _config: DOMPurifyConfig): createDOMPurify.HookEvent; | ||
| import type { DOMPurifyConfig, DOMPurifyInterface, HooksRegistry } from './types'; | ||
| export declare function sanitizer(config: DOMPurifyConfig, hooksRegistry?: HooksRegistry): DOMPurifyInterface; | ||
| //# sourceMappingURL=dompurify-wrapper.d.ts.map |
@@ -1,10 +0,14 @@ | ||
| import type { SandboxKey } from '@locker/shared/types'; | ||
| import { getSanitizerForConfig } from './dompurify-wrapper'; | ||
| export { getSanitizerForConfig, sanitizeSvgHref, sanitizeSvgTextReturnDOM, uponSanitizeAttribute, } from './dompurify-wrapper'; | ||
| export declare function blobSanitizer(sandboxKey: SandboxKey): ReturnType<typeof getSanitizerForConfig>; | ||
| /// <reference types="dompurify" /> | ||
| import { sanitizer as getSanitizerForConfig } from './dompurify-wrapper'; | ||
| import type { DOMPurifyConfig, HookEvent } from './types'; | ||
| export { getSanitizerForConfig as sanitizer }; | ||
| export declare function blobSanitizer(): ReturnType<typeof getSanitizerForConfig>; | ||
| export declare function svgSanitizer(): ReturnType<typeof getSanitizerForConfig>; | ||
| export declare function sanitize(dirty: string, sandboxKey: SandboxKey): string; | ||
| export declare function sanitizeDocument(doc: Document, sandboxKey: SandboxKey): Document; | ||
| export declare function sanitize(dirty: string): string; | ||
| export declare function sanitizeDocument(doc: Document): Document; | ||
| export declare function sanitizeHrefAttributeHook(node: Node, data: HookEvent, _config: DOMPurifyConfig): HookEvent; | ||
| export declare function sanitizeSvgHref(url: string): string; | ||
| export declare function sanitizeSvgInnerHtml(stringOrSvg: string | SVGElement, dirty?: string): string; | ||
| export declare function sanitizeSvgTextReturnDOM(dirty: string): DocumentFragment; | ||
| export * from './types'; | ||
| //# sourceMappingURL=index.d.ts.map |
| import type { Config, DOMPurifyI, HookEvent, HookName, SanitizeAttributeHookEvent } from 'dompurify'; | ||
| export declare type BaseDOMPurifyConfigName = 'NODE_ALL_IN_PLACE' | 'NODE_SVG' | 'STRING_BLOB_HTML'; | ||
| export interface DOMPurifyConfig extends Config { | ||
@@ -16,8 +15,8 @@ CUSTOM_ELEMENT_HANDLING?: { | ||
| export declare type NormalizedHref = { | ||
| requestedUrl: string; | ||
| normalizedUrl: string; | ||
| requestedFragment: string; | ||
| normalizedFragment: string; | ||
| normalizedURL: string; | ||
| protocol: string; | ||
| requestedFragment: string; | ||
| requestedURL: string; | ||
| }; | ||
| //# sourceMappingURL=types.d.ts.map |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Fixed alerts
Major refactor
Supply chain riskPackage has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.
Found 1 instance in 1 package
Worsened metrics
- Total package byte prevSize
45170
-47.03%- Number of package files
17
-10.53%- Lines of code
541
-52.29%