diff options
Diffstat (limited to 'assets/viz/2/goog/html/safehtml.js')
| -rw-r--r-- | assets/viz/2/goog/html/safehtml.js | 62 |
1 files changed, 54 insertions, 8 deletions
diff --git a/assets/viz/2/goog/html/safehtml.js b/assets/viz/2/goog/html/safehtml.js index 704d826..4bffbff 100644 --- a/assets/viz/2/goog/html/safehtml.js +++ b/assets/viz/2/goog/html/safehtml.js @@ -25,6 +25,7 @@ goog.require('goog.array'); goog.require('goog.asserts'); goog.require('goog.dom.TagName'); goog.require('goog.dom.tags'); +goog.require('goog.html.SafeScript'); goog.require('goog.html.SafeStyle'); goog.require('goog.html.SafeStyleSheet'); goog.require('goog.html.SafeUrl'); @@ -77,7 +78,7 @@ goog.html.SafeHtml = function() { /** * A type marker used to implement additional run-time type checking. * @see goog.html.SafeHtml#unwrap - * @const + * @const {!Object} * @private */ this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = @@ -319,7 +320,7 @@ goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet( /** * @typedef {string|number|goog.string.TypedString| - * goog.html.SafeStyle.PropertyMap} + * goog.html.SafeStyle.PropertyMap|undefined} */ goog.html.SafeHtml.AttributeValue; @@ -360,8 +361,9 @@ goog.html.SafeHtml.AttributeValue; * which are not supported by this function are applet, base, embed, iframe, * link, math, object, script, style, svg, and template. * - * @param {string} tagName The name of the tag. Only tag names consisting of - * [a-zA-Z0-9-] are allowed. Tag names documented above are disallowed. + * @param {!goog.dom.TagName|string} tagName The name of the tag. Only tag names + * consisting of [a-zA-Z0-9-] are allowed. Tag names documented above are + * disallowed. * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes * Mapping from attribute names to their values. Only attribute names * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes @@ -376,9 +378,9 @@ goog.html.SafeHtml.AttributeValue; * @throws {goog.asserts.AssertionError} If content for void tag is provided. */ goog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) { - goog.html.SafeHtml.verifyTagName(tagName); + goog.html.SafeHtml.verifyTagName(String(tagName)); return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( - tagName, opt_attributes, opt_content); + String(tagName), opt_attributes, opt_content); }; @@ -525,6 +527,12 @@ goog.html.SafeHtml.canUseSandboxIframe = function() { * opt_attributes contains the src attribute. */ goog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) { + // TODO(mlourenco): The charset attribute should probably be blocked. If + // its value is attacker controlled, the script contains attacker controlled + // sub-strings (even if properly escaped) and the server does not set charset + // then XSS is likely possible. + // https://html.spec.whatwg.org/multipage/scripting.html#dom-script-charset + // Check whether this is really TrustedResourceUrl. goog.html.TrustedResourceUrl.unwrap(src); @@ -538,6 +546,44 @@ goog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) { /** + * Creates a SafeHtml representing a script tag. Does not allow the language, + * src, text or type attributes to be set. + * @param {!goog.html.SafeScript|!Array<!goog.html.SafeScript>} + * script Content to put inside the tag. Array elements are + * concatenated. + * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes + * Mapping from attribute names to their values. Only attribute names + * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes + * the attribute to be omitted. + * @return {!goog.html.SafeHtml} The SafeHtml content with the tag. + * @throws {Error} If invalid attribute name or attribute value is provided. If + * opt_attributes contains the language, src, text or type attribute. + */ +goog.html.SafeHtml.createScript = function(script, opt_attributes) { + for (var attr in opt_attributes) { + var attrLower = attr.toLowerCase(); + if (attrLower == 'language' || attrLower == 'src' || attrLower == 'text' || + attrLower == 'type') { + throw Error('Cannot set "' + attrLower + '" attribute'); + } + } + + var content = ''; + script = goog.array.concat(script); + for (var i = 0; i < script.length; i++) { + content += goog.html.SafeScript.unwrap(script[i]); + } + // Convert to SafeHtml so that it's not HTML-escaped. This is safe because + // as part of its contract, SafeScript should have no dangerous '<'. + var htmlContent = + goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse( + content, goog.i18n.bidi.Dir.NEUTRAL); + return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse( + 'script', opt_attributes, htmlContent); +}; + + +/** * Creates a SafeHtml representing a style tag. The type attribute is set * to "text/css". * @param {!goog.html.SafeStyleSheet|!Array<!goog.html.SafeStyleSheet>} @@ -636,7 +682,7 @@ goog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) { throw Error( 'Attribute "' + name + '" requires goog.string.Const value, "' + value + '" given.'); - // URL attributes handled differently accroding to tag. + // URL attributes handled differently according to tag. } else if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) { if (value instanceof goog.html.TrustedResourceUrl) { value = goog.html.TrustedResourceUrl.unwrap(value); @@ -881,7 +927,7 @@ goog.html.SafeHtml.stringifyAttributes = function(tagName, opt_attributes) { /** - * @param {!Object<string, string>} fixedAttributes + * @param {!Object<string, ?goog.html.SafeHtml.AttributeValue>} fixedAttributes * @param {!Object<string, string>} defaultAttributes * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes * Optional attributes passed to create*(). |