safevalues - npm Package Compare versions

Comparing version 0.1.2 to 0.1.3

builders/script_builders.d.ts

 /// <reference types="trusted-types" />
+declare type Primitive = number | string | boolean | null;
+declare type Serializable = Primitive | readonly Serializable[] | {
+    readonly [key: string]: Serializable;
+};
 /**
@@ -13,4 +17,31 @@ * Creates a TrustedScript object from a template literal (without any embedded
 export declare function script(templateObj: TemplateStringsArray): TrustedScript;
-/** Creates a `TrustedScript` value by concatenating multiple `TrustedScript`s. */
+/**
+ * Creates a `TrustedScript` value by concatenating multiple `TrustedScript`s.
+ */
 export declare function concatScripts(...scripts: TrustedScript[]): TrustedScript;
+/**
+ * Creates a `TrustedScript` object from a template literal (without any
+ * embedded expressions) along with additional arguments that the script should
+ * have access to. These arguments will be JSON-encoded and passed to the script
+ * as a function call.
+ * @example
+ * ```ts
+ * scriptWithArgs`function (name, props) {
+ *  console.log(name + ' is ' + props.age);
+ * }`('Bob', { 'age': 42 })
+ * ```
+ * would return a `TrustedScript` that represents the following code:
+ * ```js
+ * (function (name, props) {
+ *  console.log(name + ' is ' + props.age);
+ * })("Bob",{"age":42})
+ * ```
+ * @note Be careful when passing objects as arguments, as unquoted property
+ * names may be changed during compilation.
+ * @param templateObj This contains the literal part of the template literal.
+ * @param emptyArgs Expressions that evaluate to the empty string to enable
+ *     inline comments.
+ */
+export declare function scriptWithArgs(templateObj: TemplateStringsArray, ...emptyArgs: ReadonlyArray<''>): (...argValues: Serializable[]) => TrustedScript;
+export {};
 //# sourceMappingURL=script_builders.d.ts.map

builders/script_builders.js

@@ -19,5 +19,5 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.concatScripts = exports.script = void 0;
+exports.scriptWithArgs = exports.concatScripts = exports.script = void 0;
+const safe_string_literal_1 = require("../implementation/safe_string_literal");
 const script_impl_1 = require("../implementation/script_impl");
-const safe_string_literal_1 = require("../implementation/safe_string_literal");
 /**
@@ -40,3 +40,5 @@ * Creates a TrustedScript object from a template literal (without any embedded
 exports.script = script;
-/** Creates a `TrustedScript` value by concatenating multiple `TrustedScript`s. */
+/**
+ * Creates a `TrustedScript` value by concatenating multiple `TrustedScript`s.
+ */
 function concatScripts(...scripts) {
@@ -46,2 +48,48 @@ return script_impl_1.createScript(scripts.map(script_impl_1.unwrapScriptAsString).join(''));
 exports.concatScripts = concatScripts;
+/**
+ * Converts a serializable value into JSON that is safe to interpolate into a
+ * script context. In particular it escapes < characters so that a value of
+ * "</script>" doesn't break out of the context.
+ * @param value: The value to serialize.
+ */
+function serializeAsScriptValue(value) {
+    return JSON.stringify(value).replace(/</g, '\\x3c');
+}
+/**
+ * Creates a `TrustedScript` object from a template literal (without any
+ * embedded expressions) along with additional arguments that the script should
+ * have access to. These arguments will be JSON-encoded and passed to the script
+ * as a function call.
+ * @example
+ * ```ts
+ * scriptWithArgs`function (name, props) {
+ *  console.log(name + ' is ' + props.age);
+ * }`('Bob', { 'age': 42 })
+ * ```
+ * would return a `TrustedScript` that represents the following code:
+ * ```js
+ * (function (name, props) {
+ *  console.log(name + ' is ' + props.age);
+ * })("Bob",{"age":42})
+ * ```
+ * @note Be careful when passing objects as arguments, as unquoted property
+ * names may be changed during compilation.
+ * @param templateObj This contains the literal part of the template literal.
+ * @param emptyArgs Expressions that evaluate to the empty string to enable
+ *     inline comments.
+ */
+function scriptWithArgs(templateObj, ...emptyArgs) {
+    if (emptyArgs.some(a => a !== '')) {
+        throw new Error('scriptWithArgs only allows empty string expressions ' +
+            'to enable inline comments.');
+    }
+    safe_string_literal_1.assertIsTemplateObject(templateObj, true, 'scriptWithArgs is a template literal tag function ' +
+        'that only accepts template literals. ' +
+        'For example, scriptWithArgs`foo`;');
+    return (...argValues) => {
+        const values = argValues.map(serializeAsScriptValue);
+        return script_impl_1.createScript(`(${templateObj.join('')})(${values.join(',')})`);
+    };
+}
+exports.scriptWithArgs = scriptWithArgs;
 //# sourceMappingURL=script_builders.js.map

builders/script_url_builders.d.ts

@@ -25,3 +25,3 @@ /// <reference types="trusted-types" />
  *
- * `<origin>` must contain only alphanumeric or any of the following: `-.:[]`.
+ * `<origin>` must contain only alphanumeric or any of the following: `-.:`.
  * Remember that, as per the documentation for TrustedScriptURL, the origin
@@ -28,0 +28,0 @@ * must be trustworthy. An origin of "example.com" could be set with this

builders/script_url_builders.js

@@ -20,4 +20,4 @@ "use strict";
 exports.blobUrlFromScript = exports.appendParams = exports.scriptUrl = void 0;
+const safe_string_literal_1 = require("../implementation/safe_string_literal");
 const script_impl_1 = require("../implementation/script_impl");
-const safe_string_literal_1 = require("../implementation/safe_string_literal");
 const script_url_impl_1 = require("../implementation/script_url_impl");
@@ -28,5 +28,9 @@ /**
  * A string for an origin must contain only alphanumeric or any of the
- * following: `-.:[]`. Remember that, as per the documentation for
+ * following: `-.:`. Remember that, as per the documentation for
  * TrustedScriptURL, the origin must be trustworthy.
  *
+ * IPv6 origins (e.g. `https://[2001:db8::8a2e:370:7334]/`) are considered
+ * invalid. IPv4 origins (e.g. `https://192.0.2.235/`) should not be used, but
+ * currently pass validation (b/184051990).
+ *
  * @param base The base url that contains an origin.
@@ -109,3 +113,3 @@ */
  *
- * `<origin>` must contain only alphanumeric or any of the following: `-.:[]`.
+ * `<origin>` must contain only alphanumeric or any of the following: `-.:`.
  * Remember that, as per the documentation for TrustedScriptURL, the origin
@@ -129,6 +133,4 @@ * must be trustworthy. An origin of "example.com" could be set with this
     // Check if templateObj is actually from a template literal.
-    safe_string_literal_1.assertIsTemplateObject(templateObj, true, 'scriptUrl is a template literal tag function ' +
-        'that only accepts template literals with or without expressions. ' +
-        'For example, scriptUrl`foo`; or ' +
-        'scriptUrl`foo${bar}`');
+    safe_string_literal_1.assertIsTemplateObject(templateObj, true, 'scriptUrl is a template literal tag function and ' +
+        'can only be called as such (e.g. scriptUrl`/somepath.js`)');
     if (rest.length === 0) {
@@ -135,0 +137,0 @@ return script_url_impl_1.createScriptUrl(templateObj[0]);

implementation/html_impl.d.ts

@@ -28,5 +28,5 @@ /// <reference types="trusted-types" />
  */
-export declare function uwrapHtmlForSink(value: TrustedHTML): TrustedHTML & string;
+export declare function unwrapHtmlForSink(value: TrustedHTML): TrustedHTML & string;
 /**
- * Same as `uwrapHtmlForSink`, but returns an actual string.
+ * Same as `unwrapHtmlForSink`, but returns an actual string.
  *
@@ -33,0 +33,0 @@ * Also ensures to return the right string value for `TrustedHTML` objects if

implementation/html_impl.js

@@ -18,5 +18,5 @@ "use strict";
  */
-var _a;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unwrapHtmlAsString = exports.uwrapHtmlForSink = exports.EMPTY_HTML = exports.createHtml = void 0;
+exports.unwrapHtmlAsString = exports.unwrapHtmlForSink = exports.EMPTY_HTML = exports.createHtml = void 0;
+const pure_1 = require("./pure");
 const secrets_1 = require("./secrets");
@@ -46,3 +46,5 @@ const trusted_types_1 = require("./trusted_types");
     var _a;
-    return createHtmlInternal(html, (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createHTML(html));
+    /** @noinline */
+    const noinlineHtml = html;
+    return createHtmlInternal(noinlineHtml, (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createHTML(noinlineHtml));
 }
@@ -54,3 +56,3 @@ exports.createHtml = createHtml;
  */
-exports.EMPTY_HTML = createHtmlInternal('', (_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.emptyHTML);
+exports.EMPTY_HTML = pure_1.pure(() => { var _a; return createHtmlInternal('', (_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.emptyHTML); });
 /**
@@ -70,3 +72,3 @@ * Returns the value of the passed `TrustedHTML` object while ensuring it
  */
-function uwrapHtmlForSink(value) {
+function unwrapHtmlForSink(value) {
     var _a;
@@ -84,5 +86,5 @@ if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isHTML(value)) {
 }
-exports.uwrapHtmlForSink = uwrapHtmlForSink;
+exports.unwrapHtmlForSink = unwrapHtmlForSink;
 /**
- * Same as `uwrapHtmlForSink`, but returns an actual string.
+ * Same as `unwrapHtmlForSink`, but returns an actual string.
  *
@@ -94,3 +96,3 @@ * Also ensures to return the right string value for `TrustedHTML` objects if
     var _a;
-    const unwrapped = uwrapHtmlForSink(value);
+    const unwrapped = unwrapHtmlForSink(value);
     if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isHTML(unwrapped)) {
@@ -97,0 +99,0 @@ // TODO: Remove once the spec freezes instances of `TrustedHTML`.

implementation/script_impl.d.ts

@@ -28,5 +28,5 @@ /// <reference types="trusted-types" />
  */
-export declare function uwrapScriptForSink(value: TrustedScript): TrustedScript & string;
+export declare function unwrapScriptForSink(value: TrustedScript): TrustedScript & string;
 /**
- * Same as `uwrapScriptForSink`, but returns an actual string
+ * Same as `unwrapScriptForSink`, but returns an actual string
  *
@@ -33,0 +33,0 @@ * Also ensures to return the right string value for `TrustedScript` objects if

implementation/script_impl.js

@@ -18,5 +18,5 @@ "use strict";
  */
-var _a;
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unwrapScriptAsString = exports.uwrapScriptForSink = exports.EMPTY_SCRIPT = exports.createScript = void 0;
+exports.unwrapScriptAsString = exports.unwrapScriptForSink = exports.EMPTY_SCRIPT = exports.createScript = void 0;
+const pure_1 = require("./pure");
 const secrets_1 = require("./secrets");
@@ -46,3 +46,5 @@ const trusted_types_1 = require("./trusted_types");
     var _a;
-    return createScriptInternal(script, (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createScript(script));
+    /** @noinline */
+    const noinlineScript = script;
+    return createScriptInternal(noinlineScript, (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createScript(noinlineScript));
 }
@@ -54,3 +56,3 @@ exports.createScript = createScript;
  */
-exports.EMPTY_SCRIPT = createScriptInternal('', (_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.emptyScript);
+exports.EMPTY_SCRIPT = pure_1.pure(() => { var _a; return createScriptInternal('', (_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.emptyScript); });
 /**
@@ -70,3 +72,3 @@ * Returns the value of the passed `TrustedScript` object while ensuring it
  */
-function uwrapScriptForSink(value) {
+function unwrapScriptForSink(value) {
     var _a;
@@ -84,5 +86,5 @@ if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isScript(value)) {
 }
-exports.uwrapScriptForSink = uwrapScriptForSink;
+exports.unwrapScriptForSink = unwrapScriptForSink;
 /**
- * Same as `uwrapScriptForSink`, but returns an actual string
+ * Same as `unwrapScriptForSink`, but returns an actual string
  *
@@ -94,3 +96,3 @@ * Also ensures to return the right string value for `TrustedScript` objects if
     var _a;
-    const unwrapped = uwrapScriptForSink(value);
+    const unwrapped = unwrapScriptForSink(value);
     if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isScript(unwrapped)) {
@@ -97,0 +99,0 @@ // TODO: Remove once the spec freezes instances of `TrustedScript`.

implementation/script_url_impl.d.ts

@@ -24,5 +24,5 @@ /// <reference types="trusted-types" />
  */
-export declare function uwrapScriptUrlForSink(value: TrustedScriptURL): TrustedScriptURL & string;
+export declare function unwrapScriptUrlForSink(value: TrustedScriptURL): TrustedScriptURL & string;
 /**
- * Same as `uwrapScriptUrlForSink`, but returns an actual string
+ * Same as `unwrapScriptUrlForSink`, but returns an actual string
  *
@@ -29,0 +29,0 @@ * Also ensures to return the right string value for `TrustedScriptURL` objects

implementation/script_url_impl.js

@@ -19,3 +19,3 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.unwrapScriptUrlAsString = exports.uwrapScriptUrlForSink = exports.createScriptUrl = void 0;
+exports.unwrapScriptUrlAsString = exports.unwrapScriptUrlForSink = exports.createScriptUrl = void 0;
 const secrets_1 = require("./secrets");
@@ -42,4 +42,6 @@ const trusted_types_1 = require("./trusted_types");
     var _a;
-    const trustedScriptURL = (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createScriptURL(url);
-    return (trustedScriptURL !== null && trustedScriptURL !== void 0 ? trustedScriptURL : new ScriptUrlImpl(url, secrets_1.secretToken));
+    /** @noinline */
+    const noinlineUrl = url;
+    const trustedScriptURL = (_a = trusted_types_1.getTrustedTypesPolicy()) === null || _a === void 0 ? void 0 : _a.createScriptURL(noinlineUrl);
+    return (trustedScriptURL !== null && trustedScriptURL !== void 0 ? trustedScriptURL : new ScriptUrlImpl(noinlineUrl, secrets_1.secretToken));
 }
@@ -62,3 +64,3 @@ exports.createScriptUrl = createScriptUrl;
  */
-function uwrapScriptUrlForSink(value) {
+function unwrapScriptUrlForSink(value) {
     var _a;
@@ -76,5 +78,5 @@ if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isScriptURL(value)) {
 }
-exports.uwrapScriptUrlForSink = uwrapScriptUrlForSink;
+exports.unwrapScriptUrlForSink = unwrapScriptUrlForSink;
 /**
- * Same as `uwrapScriptUrlForSink`, but returns an actual string
+ * Same as `unwrapScriptUrlForSink`, but returns an actual string
  *
@@ -86,3 +88,3 @@ * Also ensures to return the right string value for `TrustedScriptURL` objects
     var _a;
-    const unwrapped = uwrapScriptUrlForSink(value);
+    const unwrapped = unwrapScriptUrlForSink(value);
     if ((_a = trusted_types_1.getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.isScriptURL(unwrapped)) {
@@ -89,0 +91,0 @@ // TODO: Remove once the spec freezes instances of `TrustedScriptURL`.

implementation/trusted_types.js

@@ -56,7 +56,8 @@ "use strict";
     if (trustedTypesPolicy === undefined) {
-        trustedTypesPolicy = (_b = (_a = getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.createPolicy(trustedTypesPolicyName, {
-            createHTML: (s) => s,
-            createScript: (s) => s,
-            createScriptURL: (s) => s
-        })) !== null && _b !== void 0 ? _b : null;
+        trustedTypesPolicy =
+            (_b = (_a = getTrustedTypes()) === null || _a === void 0 ? void 0 : _a.createPolicy(trustedTypesPolicyName, {
+                createHTML: (s) => s,
+                createScript: (s) => s,
+                createScriptURL: (s) => s
+            })) !== null && _b !== void 0 ? _b : null;
     }
@@ -63,0 +64,0 @@ return trustedTypesPolicy;

index.d.ts

@@ -10,5 +10,5 @@ /**
 /** Reexport the public type (but not the Impl). */
-export { EMPTY_HTML, uwrapHtmlForSink } from './implementation/html_impl';
-export { EMPTY_SCRIPT, uwrapScriptForSink } from './implementation/script_impl';
-export { uwrapScriptUrlForSink } from './implementation/script_url_impl';
+export { EMPTY_HTML, unwrapHtmlForSink } from './implementation/html_impl';
+export { EMPTY_SCRIPT, unwrapScriptForSink } from './implementation/script_impl';
+export { unwrapScriptUrlForSink } from './implementation/script_url_impl';
 //# sourceMappingURL=index.d.ts.map

index.js

@@ -19,3 +19,3 @@ "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.uwrapScriptUrlForSink = exports.uwrapScriptForSink = exports.EMPTY_SCRIPT = exports.uwrapHtmlForSink = exports.EMPTY_HTML = exports.scriptUrl = exports.script = exports.htmlEscape = void 0;
+exports.unwrapScriptUrlForSink = exports.unwrapScriptForSink = exports.EMPTY_SCRIPT = exports.unwrapHtmlForSink = exports.EMPTY_HTML = exports.scriptUrl = exports.script = exports.htmlEscape = void 0;
 /**
@@ -35,8 +35,8 @@ * @fileoverview Export for main builders of the library.
 Object.defineProperty(exports, "EMPTY_HTML", { enumerable: true, get: function () { return html_impl_1.EMPTY_HTML; } });
-Object.defineProperty(exports, "uwrapHtmlForSink", { enumerable: true, get: function () { return html_impl_1.uwrapHtmlForSink; } });
+Object.defineProperty(exports, "unwrapHtmlForSink", { enumerable: true, get: function () { return html_impl_1.unwrapHtmlForSink; } });
 var script_impl_1 = require("./implementation/script_impl");
 Object.defineProperty(exports, "EMPTY_SCRIPT", { enumerable: true, get: function () { return script_impl_1.EMPTY_SCRIPT; } });
-Object.defineProperty(exports, "uwrapScriptForSink", { enumerable: true, get: function () { return script_impl_1.uwrapScriptForSink; } });
+Object.defineProperty(exports, "unwrapScriptForSink", { enumerable: true, get: function () { return script_impl_1.unwrapScriptForSink; } });
 var script_url_impl_1 = require("./implementation/script_url_impl");
-Object.defineProperty(exports, "uwrapScriptUrlForSink", { enumerable: true, get: function () { return script_url_impl_1.uwrapScriptUrlForSink; } });
+Object.defineProperty(exports, "unwrapScriptUrlForSink", { enumerable: true, get: function () { return script_url_impl_1.unwrapScriptUrlForSink; } });
 //# sourceMappingURL=index.js.map

package.json

 {
   "name": "safevalues",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "Safe builders for Trusted Types values",
@@ -5,0 +5,0 @@ "repository": "https://github.com/google/safevalues",

unsafe/legacy.js

@@ -39,4 +39,4 @@ "use strict";
  * security review that the value produced by a piece of code will always
- * satisfy the TrustedHTML contract (e.g., the output of a secure HTML sanitizer).
- * In uses of legacyconversions, this guarantee is not given -- the
+ * satisfy the TrustedHTML contract (e.g., the output of a secure HTML
+ * sanitizer). In uses of legacyconversions, this guarantee is not given -- the
  * value in question originates in unreviewed legacy code and there is no
@@ -52,7 +52,7 @@ * guarantee that it satisfies the TrustedHTML contract.
  * an element with it. In this case a setHtmlContent function could be
- * added, consuming TrustedHTML instead of string. setContent could then internally
- *  use legacyconversions to create a TrustedHTML
- * from string and pass the TrustedHTML to a safe values consumer down the line. In
- * this scenario remember to document the use of legacyconversions in the
- * modified setContent and consider deprecating it as well.
+ * added, consuming TrustedHTML instead of string. setContent could then
+ * internally use legacyconversions to create a TrustedHTML from string and pass
+ * the TrustedHTML to a safe values consumer down the line. In this scenario
+ * remember to document the use of legacyconversions in the modified setContent
+ * and consider deprecating it as well.
  *
@@ -59,0 +59,0 @@ * 2. Automated refactoring of application code which handles HTML as string

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Unidentified License

License

(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Unidentified License

License

(Experimental) Something that seems like a license was found, but its contents could not be matched with a known license.

Found 2 instances in 1 package

Improved metrics

Number of low license alerts

7

decreased by-12.5%

Worsened metrics

Total package byte prevSize

139732

decreased by-29.36%

Number of package files

55

decreased by-26.67%

Lines of code

1337

decreased by-32.85%

No dependency changes