From 2b4757367470d8e36bc00901dac567e375796ed4 Mon Sep 17 00:00:00 2001
From: Brian Picciano 
Date: Tue, 13 Nov 2018 00:24:09 -0500
Subject: update viz 2 to use the newest version, which has some performance improvements and is easier to read the code for. also update the description
---
 assets/viz/2/goog/html/safehtml.js | 62 +++++++--
 assets/viz/2/goog/html/safescript.js | 2 +-
 assets/viz/2/goog/html/safestyle.js | 181 ++++++++++++++++++++-----
 assets/viz/2/goog/html/safestylesheet.js | 68 +++++++++-
 assets/viz/2/goog/html/safeurl.js | 86 +++++++++---
 assets/viz/2/goog/html/trustedresourceurl.js | 174 +++++++++++++++++++++++-
 assets/viz/2/goog/html/uncheckedconversions.js | 12 +-
 7 files changed, 505 insertions(+), 80 deletions(-)
(limited to 'assets/viz/2/goog/html')
diff --git a/assets/viz/2/goog/html/safehtml.js b/assets/viz/2/goog/html/safehtml.js
index 704d826..4bffbff 100644
--- a/assets/viz/2/goog/html/safehtml.js
+++ b/assets/viz/2/goog/html/safehtml.js
@@ -25,6 +25,7 @@ goog.require('goog.array');
 goog.require('goog.asserts');
 goog.require('goog.dom.TagName');
 goog.require('goog.dom.tags');
+goog.require('goog.html.SafeScript');
 goog.require('goog.html.SafeStyle');
 goog.require('goog.html.SafeStyleSheet');
 goog.require('goog.html.SafeUrl');
@@ -77,7 +78,7 @@ goog.html.SafeHtml = function() {
   /**
    * A type marker used to implement additional run-time type checking.
    * @see goog.html.SafeHtml#unwrap
-   * @const
+   * @const {!Object}
    * @private
    */
   this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =
@@ -319,7 +320,7 @@ goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet(
 /**
  * @typedef {string|number|goog.string.TypedString|
- *     goog.html.SafeStyle.PropertyMap}
+ *     goog.html.SafeStyle.PropertyMap|undefined}
  */
 goog.html.SafeHtml.AttributeValue;
@@ -360,8 +361,9 @@ goog.html.SafeHtml.AttributeValue;
  * which are not supported by this function are applet, base, embed, iframe,
  * link, math, object, script, style, svg, and template.
  *
- * @param {string} tagName The name of the tag. Only tag names consisting of
- *     [a-zA-Z0-9-] are allowed. Tag names documented above are disallowed.
+ * @param {!goog.dom.TagName|string} tagName The name of the tag. Only tag names
+ *     consisting of [a-zA-Z0-9-] are allowed. Tag names documented above are
+ *     disallowed.
  * @param {?Object=} opt_attributes
  *     Mapping from attribute names to their values. Only attribute names
  *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
@@ -376,9 +378,9 @@ goog.html.SafeHtml.AttributeValue;
  * @throws {goog.asserts.AssertionError} If content for void tag is provided.
  */
 goog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) {
-  goog.html.SafeHtml.verifyTagName(tagName);
+  goog.html.SafeHtml.verifyTagName(String(tagName));
   return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
-      tagName, opt_attributes, opt_content);
+      String(tagName), opt_attributes, opt_content);
 };
@@ -525,6 +527,12 @@ goog.html.SafeHtml.canUseSandboxIframe = function() {
  *     opt_attributes contains the src attribute.
  */
 goog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) {
+  // TODO(mlourenco): The charset attribute should probably be blocked. If
+  // its value is attacker controlled, the script contains attacker controlled
+  // sub-strings (even if properly escaped) and the server does not set charset
+  // then XSS is likely possible.
+  // https://html.spec.whatwg.org/multipage/scripting.html#dom-script-charset
+
   // Check whether this is really TrustedResourceUrl.
   goog.html.TrustedResourceUrl.unwrap(src);
@@ -537,6 +545,44 @@ goog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) {
 };
+/**
+ * Creates a SafeHtml representing a script tag. Does not allow the language,
+ * src, text or type attributes to be set.
+ * @param {!goog.html.SafeScript|!Array}
+ *     script Content to put inside the tag. Array elements are
+ *     concatenated.
+ * @param {?Object=} opt_attributes
+ *     Mapping from attribute names to their values. Only attribute names
+ *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
+ *     the attribute to be omitted.
+ * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
+ * @throws {Error} If invalid attribute name or attribute value is provided. If
+ *     opt_attributes contains the language, src, text or type attribute.
+ */
+goog.html.SafeHtml.createScript = function(script, opt_attributes) {
+  for (var attr in opt_attributes) {
+    var attrLower = attr.toLowerCase();
+    if (attrLower == 'language' || attrLower == 'src' || attrLower == 'text' ||
+        attrLower == 'type') {
+      throw Error('Cannot set "' + attrLower + '" attribute');
+    }
+  }
+
+  var content = '';
+  script = goog.array.concat(script);
+  for (var i = 0; i < script.length; i++) {
+    content += goog.html.SafeScript.unwrap(script[i]);
+  }
+  // Convert to SafeHtml so that it's not HTML-escaped. This is safe because
+  // as part of its contract, SafeScript should have no dangerous '<'.
+  var htmlContent =
+      goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
+          content, goog.i18n.bidi.Dir.NEUTRAL);
+  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
+      'script', opt_attributes, htmlContent);
+};
+
+
 /**
  * Creates a SafeHtml representing a style tag. The type attribute is set
  * to "text/css".
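Review bot: The loop `content += goog.html.SafeScript.unwrap(script[i]);` in createScript glues the array elements together with no separator, so a piece that does not end in `;` or a newline runs straight into the next one and the combined script can parse differently from its parts. The docstring's "Array elements are concatenated" should state this, e.g. `Elements are concatenated with no separator; end each piece with ';' or a newline so that adjacent pieces do not merge into one statement.` The comment on `htmlContent` is the only place that carries the security argument for emitting the content unescaped (SafeScript contains no dangerous '<'), so it is worth keeping it next to that call if the function is ever reorganised.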
@@ -636,7 +682,7 @@ goog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) {
       throw Error( 'Attribute "' + name + '" requires goog.string.Const value, "' + value + '" given.');
-      // URL attributes handled differently accroding to tag.
+      // URL attributes handled differently according to tag.
     } else if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) {
       if (value instanceof goog.html.TrustedResourceUrl) {
         value = goog.html.TrustedResourceUrl.unwrap(value);
@@ -881,7 +927,7 @@ goog.html.SafeHtml.stringifyAttributes = function(tagName, opt_attributes) {
 /**
- * @param {!Object} fixedAttributes
+ * @param {!Object} fixedAttributes
  * @param {!Object} defaultAttributes
  * @param {?Object=} opt_attributes
  *     Optional attributes passed to create*().
diff --git a/assets/viz/2/goog/html/safescript.js b/assets/viz/2/goog/html/safescript.js
index 26f58f6..7a945eb 100644
--- a/assets/viz/2/goog/html/safescript.js
+++ b/assets/viz/2/goog/html/safescript.js
@@ -78,7 +78,7 @@ goog.html.SafeScript = function() {
   /**
    * A type marker used to implement additional run-time type checking.
    * @see goog.html.SafeScript#unwrap
-   * @const
+   * @const {!Object}
    * @private
    */
   this.SAFE_SCRIPT_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =
diff --git a/assets/viz/2/goog/html/safestyle.js b/assets/viz/2/goog/html/safestyle.js
index a1f87cb..506a475 100644
--- a/assets/viz/2/goog/html/safestyle.js
+++ b/assets/viz/2/goog/html/safestyle.js
@@ -22,6 +22,7 @@ goog.provide('goog.html.SafeStyle');
 goog.require('goog.array');
 goog.require('goog.asserts');
+goog.require('goog.html.SafeUrl');
 goog.require('goog.string');
 goog.require('goog.string.Const');
 goog.require('goog.string.TypedString');
@@ -42,19 +43,19 @@ goog.require('goog.string.TypedString');
  * is immutable; hence only a default instance corresponding to the empty string
  * can be obtained via constructor invocation.
  *
- * A SafeStyle's string representation ({@link #getTypedStringValue()}) can
- * safely:
+ * SafeStyle's string representation can safely be:
  *
    - *
  • Be interpolated as the entire content of a *quoted* HTML style - * attribute, or before already existing properties. The SafeStyle string - * *must be HTML-attribute-escaped* (where " and ' are escaped) before + *
  • Interpolated as the content of a *quoted* HTML style attribute. + * However, the SafeStyle string *must be HTML-attribute-escaped* before * interpolation. - *
  • Be interpolated as the entire content of a {}-wrapped block within a - * stylesheet, or before already existing properties. The SafeStyle string - * should not be escaped before interpolation. SafeStyle's contract also - * guarantees that the string will not be able to introduce new properties - * or elide existing ones. - *
  • Be assigned to the style property of a DOM node. The SafeStyle string + *
  • Interpolated as the content of a {}-wrapped block within a stylesheet. + * '<' characters in the SafeStyle string *must be CSS-escaped* before + * interpolation. The SafeStyle string is also guaranteed not to be able + * to introduce new properties or elide existing ones. + *
  • Interpolated as the content of a {}-wrapped block within an HTML + *