Comparing version 0.12.6 to 0.12.7-csp
{ | ||
"name": "vue", | ||
"version": "0.12.6", | ||
"version": "0.12.7-csp", | ||
"author": "Evan You <yyx990803@gmail.com>", | ||
@@ -5,0 +5,0 @@ "license": "MIT", |
@@ -0,1 +1,7 @@ | ||
# CSP compliant build | ||
This is the CSP-compliant build of Vue.js that does not use `new Function()` for expression evaluation. Note there's an additional limitation compared to the normal build: you cannot use any globals in expressions (e.g. `Date`, `parseInt` etc.). | ||
--- | ||
<p align="center"><a href="http://vuejs.org" target="_blank"><img width="100"src="http://vuejs.org/images/logo.png"></a></p> | ||
@@ -2,0 +8,0 @@ |
@@ -26,14 +26,11 @@ var _ = require('../util') | ||
if (!ChildVue) { | ||
var optionName = BaseCtor.options.name | ||
var className = optionName | ||
? _.classify(optionName) | ||
: 'VueComponent' | ||
ChildVue = new Function( | ||
'return function ' + className + ' (options) {' + | ||
'this.constructor = ' + className + ';' + | ||
'this._init(options) }' | ||
)() | ||
ChildVue = function VueComponent (options) { | ||
this.constructor = ChildVue | ||
this._init(options) | ||
} | ||
ChildVue.options = BaseCtor.options | ||
ChildVue.linker = BaseCtor.linker | ||
ChildVue.prototype = this | ||
// important: transcluded inline repeaters should | ||
// inherit from outer scope rather than host | ||
ChildVue.prototype = opts._context || this | ||
ctors[BaseCtor.cid] = ChildVue | ||
@@ -40,0 +37,0 @@ } |
@@ -39,7 +39,5 @@ var _ = require('../util') | ||
var Super = this | ||
var Sub = createClass( | ||
extendOptions.name || | ||
Super.options.name || | ||
'VueComponent' | ||
) | ||
var Sub = function VueComponent (options) { | ||
_.Vue.call(this, options) | ||
} | ||
Sub.prototype = Object.create(Super.prototype) | ||
@@ -64,18 +62,2 @@ Sub.prototype.constructor = Sub | ||
/** | ||
* A function that returns a sub-class constructor with the | ||
* given name. This gives us much nicer output when | ||
* logging instances in the console. | ||
* | ||
* @param {String} name | ||
* @return {Function} | ||
*/ | ||
function createClass (name) { | ||
return new Function( | ||
'return function ' + _.classify(name) + | ||
' (options) { this._init(options) }' | ||
)() | ||
} | ||
/** | ||
* Plugin system | ||
@@ -82,0 +64,0 @@ * |
@@ -95,2 +95,4 @@ var _ = require('../util') | ||
return function propsLinkFn (vm, el) { | ||
// store resolved props info | ||
vm._props = {} | ||
var i = props.length | ||
@@ -101,2 +103,3 @@ var prop, path, options, value | ||
path = prop.path | ||
vm._props[path] = prop | ||
options = prop.options | ||
@@ -116,5 +119,3 @@ if (prop.raw === null) { | ||
value = vm._context.$get(prop.parentPath) | ||
if (_.assertProp(prop, value)) { | ||
vm[path] = vm._data[path] = value | ||
} | ||
_.initProp(vm, prop, value) | ||
} else { | ||
@@ -136,5 +137,3 @@ // dynamic binding | ||
: _.toBoolean(_.toNumber(prop.raw)) | ||
if (_.assertProp(prop, value)) { | ||
vm[path] = vm._data[path] = value | ||
} | ||
_.initProp(vm, prop, value) | ||
} | ||
@@ -141,0 +140,0 @@ } |
@@ -51,8 +51,6 @@ // NOTE: the prop internal directive is compiled and linked | ||
var value = this.parentWatcher.value | ||
if (_.assertProp(prop, value)) { | ||
if (childKey === '$data') { | ||
child._data = value | ||
} else { | ||
child[childKey] = child._data[childKey] = value | ||
} | ||
if (childKey === '$data') { | ||
child._data = value | ||
} else { | ||
_.initProp(child, prop, value) | ||
} | ||
@@ -59,0 +57,0 @@ |
@@ -173,5 +173,14 @@ var _ = require('../util') | ||
// remove reference from data ob | ||
this._data.__ob__.removeVm(this) | ||
this._data = | ||
this._watchers = | ||
// frozen object may not have observer. | ||
if (this._data.__ob__) { | ||
this._data.__ob__.removeVm(this) | ||
} | ||
// Clean up references to private properties and other | ||
// instances. preserve reference to _data so that proxy | ||
// accessors still work. The only potential side effect | ||
// here is that mutating the instance after it's destroyed | ||
// may affect the state of other components that are still | ||
// observing the same object, but that seems to be a | ||
// reasonable responsibility for the user rather than | ||
// always throwing an error on them. | ||
this.$el = | ||
@@ -181,2 +190,3 @@ this.$parent = | ||
this.$children = | ||
this._watchers = | ||
this._directives = null | ||
@@ -183,0 +193,0 @@ // call the last hook... |
@@ -56,6 +56,3 @@ var _ = require('../util') | ||
for (var prop in propsData) { | ||
if ( | ||
!optionsData.hasOwnProperty(prop) || | ||
propsData[prop] !== undefined | ||
) { | ||
if (this._props[prop].raw !== null) { | ||
optionsData.$set(prop, propsData[prop]) | ||
@@ -77,3 +74,3 @@ } | ||
// observe data | ||
Observer.create(data).addVm(this) | ||
Observer.create(data, this) | ||
} | ||
@@ -126,3 +123,3 @@ | ||
oldData.__ob__.removeVm(this) | ||
Observer.create(newData).addVm(this) | ||
Observer.create(newData, this) | ||
this._digest() | ||
@@ -172,3 +169,3 @@ } | ||
while (i--) { | ||
this._watchers[i].update() | ||
this._watchers[i].update(true) // shallow updates | ||
} | ||
@@ -175,0 +172,0 @@ var children = this.$children |
@@ -8,12 +8,3 @@ var _ = require('../util') | ||
var uid = 0 | ||
/** | ||
* Type enums | ||
*/ | ||
var ARRAY = 0 | ||
var OBJECT = 1 | ||
/** | ||
* Observer class that are attached to each observed | ||
@@ -25,8 +16,6 @@ * object. Once attached, the observer converts target | ||
* @param {Array|Object} value | ||
* @param {Number} type | ||
* @constructor | ||
*/ | ||
function Observer (value, type) { | ||
this.id = ++uid | ||
function Observer (value) { | ||
this.value = value | ||
@@ -36,3 +25,3 @@ this.active = true | ||
_.define(value, '__ob__', this) | ||
if (type === ARRAY) { | ||
if (_.isArray(value)) { | ||
var augment = config.proto && _.hasProto | ||
@@ -43,3 +32,3 @@ ? protoAugment | ||
this.observeArray(value) | ||
} else if (type === OBJECT) { | ||
} else { | ||
this.walk(value) | ||
@@ -57,2 +46,3 @@ } | ||
* @param {*} value | ||
* @param {Vue} [vm] | ||
* @return {Observer|undefined} | ||
@@ -62,3 +52,4 @@ * @static | ||
Observer.create = function (value) { | ||
Observer.create = function (value, vm) { | ||
var ob | ||
if ( | ||
@@ -69,11 +60,14 @@ value && | ||
) { | ||
return value.__ob__ | ||
} else if (_.isArray(value)) { | ||
return new Observer(value, ARRAY) | ||
ob = value.__ob__ | ||
} else if ( | ||
_.isPlainObject(value) && | ||
!value._isVue // avoid Vue instance | ||
_.isObject(value) && | ||
!Object.isFrozen(value) && | ||
!value._isVue | ||
) { | ||
return new Observer(value, OBJECT) | ||
ob = new Observer(value) | ||
} | ||
if (ob && vm) { | ||
ob.addVm(vm) | ||
} | ||
return ob | ||
} | ||
@@ -80,0 +74,0 @@ |
var _ = require('../util') | ||
var Path = require('./path') | ||
var Cache = require('../cache') | ||
var notevil = require('../../vendor/notevil') | ||
var expressionCache = new Cache(1000) | ||
@@ -176,3 +177,9 @@ | ||
try { | ||
return new Function('scope', 'return ' + body + ';') | ||
var fn = notevil.Function( | ||
'scope', 'Math', | ||
'return ' + body + ';' | ||
) | ||
return function (scope) { | ||
return fn.call(this, scope, Math) | ||
} | ||
} catch (e) { | ||
@@ -202,3 +209,11 @@ _.warn( | ||
try { | ||
return new Function('scope', 'value', body + '=value;') | ||
var fn = notevil.Function( | ||
'scope', 'value', 'Math', | ||
body + ' = value;' | ||
) | ||
return function (scope, value) { | ||
try { | ||
fn.call(this, scope, value, Math) | ||
} catch (e) {} | ||
} | ||
} catch (e) { | ||
@@ -205,0 +220,0 @@ _.warn('Invalid setter function body: ' + body) |
var _ = require('../util') | ||
var Cache = require('../cache') | ||
var pathCache = new Cache(1000) | ||
var identRE = exports.identRE = /^[$_a-zA-Z]+[\w$]*$/ | ||
exports.identRE = /^[$_a-zA-Z]+[\w$]*$/ | ||
@@ -212,21 +212,2 @@ /** | ||
/** | ||
* Format a accessor segment based on its type. | ||
* | ||
* @param {String} key | ||
* @return {Boolean} | ||
*/ | ||
function formatAccessor (key) { | ||
if (identRE.test(key)) { // identifier | ||
return '.' + key | ||
} else if (+key === key >>> 0) { // bracket index | ||
return '[' + key + ']' | ||
} else if (key.charAt(0) === '*') { | ||
return '[o' + formatAccessor(key.slice(1)) + ']' | ||
} else { // bracket string | ||
return '["' + key.replace(/"/g, '\\"') + '"]' | ||
} | ||
} | ||
/** | ||
* Compiles a getter function with a fixed path. | ||
@@ -240,4 +221,18 @@ * The fixed path getter supresses errors. | ||
exports.compileGetter = function (path) { | ||
var body = 'return o' + path.map(formatAccessor).join('') | ||
return new Function('o', body) | ||
return function get (obj) { | ||
var original = obj | ||
var segment | ||
for (var i = 0, l = path.length; i < l; i++) { | ||
segment = path[i] | ||
if (segment.charAt(0) === '*') { | ||
segment = original[segment.slice(1)] | ||
} | ||
obj = obj[segment] | ||
if (i === l - 1) { | ||
return obj | ||
} else if (!_.isObject(obj)) { | ||
return | ||
} | ||
} | ||
} | ||
} | ||
@@ -244,0 +239,0 @@ |
@@ -237,1 +237,25 @@ var _ = require('./index') | ||
} | ||
/** | ||
* Create an "anchor" for performing dom insertion/removals. | ||
* This is used in a number of scenarios: | ||
* - block instance | ||
* - v-html | ||
* - v-if | ||
* - component | ||
* - repeat | ||
* | ||
* @param {String} content | ||
* @param {Boolean} persist - IE trashes empty textNodes on | ||
* cloneNode(true), so in certain | ||
* cases the anchor needs to be | ||
* non-empty to be persisted in | ||
* templates. | ||
* @return {Comment|Text} | ||
*/ | ||
exports.createAnchor = function (content, persist) { | ||
return config.debug | ||
? document.createComment(content) | ||
: document.createTextNode(persist ? ' ' : '') | ||
} |
@@ -7,4 +7,4 @@ var lang = require('./lang') | ||
extend(exports, require('./dom')) | ||
extend(exports, require('./misc')) | ||
extend(exports, require('./options')) | ||
extend(exports, require('./component')) | ||
extend(exports, require('./debug')) | ||
extend(exports, require('./options')) |
@@ -51,2 +51,5 @@ var _ = require('./util') | ||
this.value = this.get() | ||
// state for avoiding false triggers for deep and Array | ||
// watchers during vm._digest() | ||
this.queued = this.shallow = false | ||
} | ||
@@ -165,8 +168,18 @@ | ||
* Will be called when a dependency changes. | ||
* | ||
* @param {Boolean} shallow | ||
*/ | ||
p.update = function () { | ||
p.update = function (shallow) { | ||
if (!config.async) { | ||
this.run() | ||
} else { | ||
// if queued, only overwrite shallow with non-shallow, | ||
// but not the other way around. | ||
this.shallow = this.queued | ||
? shallow | ||
? this.shallow | ||
: false | ||
: !!shallow | ||
this.queued = true | ||
batcher.push(this) | ||
@@ -186,4 +199,7 @@ } | ||
value !== this.value || | ||
_.isArray(value) || | ||
this.deep | ||
// Deep watchers and Array watchers should fire even | ||
// when the value is the same, because the value may | ||
// have mutated; but only do so if this is a | ||
// non-shallow update (caused by a vm digest). | ||
((_.isArray(value) || this.deep) && !this.shallow) | ||
) { | ||
@@ -194,2 +210,3 @@ var oldValue = this.value | ||
} | ||
this.queued = this.shallow = false | ||
} | ||
@@ -196,0 +213,0 @@ } |
Sorry, the diff of this file is too big to display
Sorry, the diff of this file is too big to display
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Uses eval
Supply chain riskPackage uses dynamic code execution (e.g., eval()), which is a dangerous practice. This can prevent the code from running in certain environments and increases the risk that the code may contain exploits or malicious behavior.
Found 1 instance in 1 package
870833
73
25217
46
0