Untitled

a guest
Oct 18th, 2018
  1. diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/core/fesm5/core.js ../angular-realworld-example-app/node_modules/@angular/core/fesm5/core.js
  2. --- ./node_modules/@angular/core/fesm5/core.js  2018-10-17 14:02:41.328000000 +0200
  3. +++ ../angular-realworld-example-app/node_modules/@angular/core/fesm5/core.js   2018-10-17 18:34:11.814184546 +0200
  4. @@ -6678,6 +6678,12 @@
  5.      return ApplicationModule;
  6.  }());
  7.  
  8. +var TrustedTypesPolicy = 'TrustedTypes' in window ? TrustedTypes.createPolicy('angular-sanitizer', { createHTML: function(s) {return s} }) : null;
  9. +
  10. +var htmlizer = function(html) {
  11. +    return TrustedTypesPolicy ? TrustedTypesPolicy.createHTML(html) : html;
  12. +};
  13. +
  14.  /**
  15.   * @license
  16.   * Copyright Google Inc. All Rights Reserved.
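Review bot: `TrustedTypesPolicy` (hunk line 8) evaluates `'TrustedTypes' in window` at module-evaluation time, so loading this core.js bundle where `window` is not defined (server-side rendering, unit tests under Node) now throws a ReferenceError before any Angular code runs; guard it with `typeof window !== 'undefined' && 'TrustedTypes' in window`. The same feature test is spelled `window.TrustedTypes` in the platform-browser hunk of this diff; using one form in both keeps the detection consistent. The `createHTML: function(s) {return s}` policy returns its input unchanged, so it blesses whatever reaches `htmlizer`; what makes that acceptable is that every `htmlizer` call site visible in this diff writes into the inert document used for sanitization rather than the live DOM, and that invariant deserves a comment on the policy, e.g. `// Pass-through policy: only used to populate the inert sanitization document, never the live DOM.`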
  17. @@ -6694,6 +6700,7 @@
  18.   * Default: InertDocument strategy
  19.   */
  20.  var InertBodyHelper = /** @class */ (function () {
  21. +
  22.      function InertBodyHelper(defaultDoc) {
  23.          this.defaultDoc = defaultDoc;
  24.          this.inertDocument = this.defaultDoc.implementation.createHTMLDocument('sanitization-inert');
  25. @@ -6706,15 +6713,14 @@
  26.              this.inertBodyElement = this.inertDocument.createElement('body');
  27.              inertHtml.appendChild(this.inertBodyElement);
  28.          }
  29. -        this.inertBodyElement.innerHTML = '<svg><g onload="this.parentNode.remove()"></g></svg>';
  30. +        this.inertBodyElement.innerHTML = htmlizer('<svg><g onload="this.parentNode.remove()"></g></svg>');
  31.          if (this.inertBodyElement.querySelector && !this.inertBodyElement.querySelector('svg')) {
  32.              // We just hit the Safari 10.1 bug - which allows JS to run inside the SVG G element
  33.              // so use the XHR strategy.
  34.              this.getInertBodyElement = this.getInertBodyElement_XHR;
  35.              return;
  36.          }
  37. -        this.inertBodyElement.innerHTML =
  38. -            '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
  39. +        this.inertBodyElement.innerHTML = htmlizer('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">');
  40.          if (this.inertBodyElement.querySelector && this.inertBodyElement.querySelector('svg img')) {
  41.              // We just hit the Firefox bug - which prevents the inner img JS from being sanitized
  42.              // so use the DOMParser strategy, if it is available.
  43. @@ -6765,7 +6771,7 @@
  44.          try {
  45.              var body = new window
  46.                  .DOMParser()
  47. -                .parseFromString(html, 'text/html')
  48. +                .parseFromString(htmlizer(html), 'text/html')
  49.                  .body;
  50.              body.removeChild(body.firstChild);
  51.              return body;
  52. @@ -6784,10 +6790,10 @@
  53.          // Prefer using <template> element if supported.
  54.          var templateEl = this.inertDocument.createElement('template');
  55.          if ('content' in templateEl) {
  56. -            templateEl.innerHTML = html;
  57. +            templateEl.innerHTML = htmlizer(html);
  58.              return templateEl;
  59.          }
  60. -        this.inertBodyElement.innerHTML = html;
  61. +        this.inertBodyElement.innerHTML = htmlizer(html);
  62.          // Support: IE 9-11 only
  63.          // strip custom-namespaced attributes on IE<=11
  64.          if (this.defaultDoc.documentMode) {
  65. @@ -8057,6 +8063,7 @@
  66.  function setElementProperty(view, binding, renderNode$$1, name, value) {
  67.      var securityContext = binding.securityContext;
  68.      var renderValue = securityContext ? view.root.sanitizer.sanitize(securityContext, value) : value;
  69. +    // TODO(koto): It would be better to wrap here.
  70.      view.renderer.setProperty(renderNode$$1, name, renderValue);
  71.  }
  72.  
  73. diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/platform-browser/bundles/platform-browser.umd.js ../angular-realworld-example-app/node_modules/@angular/platform-browser/bundles/platform-browser.umd.js
  74. --- ./node_modules/@angular/platform-browser/bundles/platform-browser.umd.js    2018-10-17 14:02:41.450000000 +0200
  75. +++ ../angular-realworld-example-app/node_modules/@angular/platform-browser/bundles/platform-browser.umd.js 2018-10-17 15:24:07.814508210 +0200
  76. @@ -588,14 +588,10 @@
  77.      return baseElement.getAttribute('href');
  78.  }
  79.  // based on urlUtils.js in AngularJS 1
  80. -var urlParsingNode;
  81.  function relativePath(url) {
  82. -    if (!urlParsingNode) {
  83. -        urlParsingNode = document.createElement('a');
  84. -    }
  85. -    urlParsingNode.setAttribute('href', url);
  86. -    return (urlParsingNode.pathname.charAt(0) === '/') ? urlParsingNode.pathname :
  87. -        '/' + urlParsingNode.pathname;
  88. +    var url = new URL(url, document.baseURI);
  89. +    return (url.pathname.charAt(0) === '/') ? url.pathname :
  90. +        '/' + url.pathname;
  91.  }
  92.  
  93.  /**
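Review bot: `var url = new URL(url, document.baseURI);` redeclares the `url` parameter with `var`, which is legal in sloppy mode but shadows the input with the parsed object and reads like a bug; name the result `parsed` (`var parsed = new URL(url, document.baseURI);`) and use `parsed.pathname` on the two lines below. Behaviour also changes: the anchor-element version never threw, whereas `new URL` throws a TypeError on an unparsable input and the `URL` constructor is missing in IE11, which the rest of this patch still caters for (see the IE 9-11 `documentMode` branch in the core.js hunk), so callers of `relativePath` may now need to handle an exception. The fesm5 build of platform-browser is patched elsewhere in this diff but its copy of `relativePath` does not appear to be, so the two bundles would now disagree.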
  94. diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/platform-browser/fesm5/platform-browser.js ../angular-realworld-example-app/node_modules/@angular/platform-browser/fesm5/platform-browser.js
  95. --- ./node_modules/@angular/platform-browser/fesm5/platform-browser.js  2018-10-17 14:02:41.450000000 +0200
  96. +++ ../angular-realworld-example-app/node_modules/@angular/platform-browser/fesm5/platform-browser.js   2018-10-17 18:42:16.522146624 +0200
  97. @@ -1150,7 +1150,12 @@
  98.          this.eventManager = eventManager;
  99.          this.sharedStylesHost = sharedStylesHost;
  100.          this.rendererByCompId = new Map();
  101. -        this.defaultRenderer = new DefaultDomRenderer2(eventManager);
  102. +        this.ttPolicy = window.TrustedTypes ? window.TrustedTypes.createPolicy('angular-dom-renderer-factory2', {
  103. +            createHTML: function(s) {
  104. +                return s;
  105. +            },
  106. +        }) : null;
  107. +        this.defaultRenderer = new DefaultDomRenderer2(eventManager, this.ttPolicy);
  108.      }
  109.      DomRendererFactory2.prototype.createRenderer = function (element, type) {
  110.          if (!element || !type) {
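Review bot: The policy is created inside the `DomRendererFactory2` constructor (hunk lines 102-106), so every factory instance calls `TrustedTypes.createPolicy('angular-dom-renderer-factory2', …)`; Trusted Types rejects a second policy with an already-used name unless duplicates are explicitly allowed, so a second bootstrap on the same page, or a test that constructs the factory repeatedly, would likely throw — creating the policy once at module scope and passing it in avoids that. The feature test here is `window.TrustedTypes` while core.js in this same diff uses `'TrustedTypes' in window`; pick one form. A one-line comment on `this.ttPolicy` stating that `createHTML` is a pass-through because values bound with a security context have already gone through `view.root.sanitizer.sanitize` in `setElementProperty` before reaching the renderer would document why this is not a sanitizer bypass.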
  111. @@ -1192,8 +1197,9 @@
  112.      return DomRendererFactory2;
  113.  }());
  114.  var DefaultDomRenderer2 = /** @class */ (function () {
  115. -    function DefaultDomRenderer2(eventManager) {
  116. +    function DefaultDomRenderer2(eventManager, ttPolicy) {
  117.          this.eventManager = eventManager;
  118. +        this.ttPolicy = ttPolicy;
  119.          this.data = Object.create(null);
  120.      }
  121.      DefaultDomRenderer2.prototype.destroy = function () { };
  122. @@ -1278,6 +1284,9 @@
  123.      };
  124.      DefaultDomRenderer2.prototype.setProperty = function (el, name, value) {
  125.          checkNoSyntheticProp(name, 'property');
  126. +        if (name == 'innerHTML' && this.ttPolicy) {
  127. +            value = this.ttPolicy.createHTML(value);
  128. +        }
  129.          el[name] = value;
  130.      };
  131.      DefaultDomRenderer2.prototype.setValue = function (node, value) { node.nodeValue = value; };
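Review bot: The new branch in `setProperty` wraps only `innerHTML` and uses loose equality (`name == 'innerHTML'`); under Trusted Types enforcement the other HTML sinks reachable through `el[name] = value` — `outerHTML` and `srcdoc` in particular — still receive a plain string and are rejected by the browser, so a binding to them now fails at runtime instead of being wrapped. Suggest `if (this.ttPolicy && (name === 'innerHTML' || name === 'outerHTML' || name === 'srcdoc')) {`, plus a comment recording that the pass-through `createHTML` is acceptable here only because `setElementProperty` in core.js has already run `view.root.sanitizer.sanitize` on values bound with a security context. Reassigning the `value` parameter in place is also easy to miss when reading; a local such as `var renderValue = this.ttPolicy.createHTML(value);` makes the wrap visible.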
  132. Only in ../angular-realworld-example-app/node_modules/node-sass/vendor: linux-x64-57
  133. diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js ../angular-realworld-example-app/node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js
  134. --- ./node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js   2018-10-17 14:02:43.592000000 +0200
  135. +++ ../angular-realworld-example-app/node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js    2018-10-17 17:17:31.489351070 +0200
  136. @@ -128,13 +128,18 @@
  137.                     extraCode.push(
  138.                         "",
  139.                         "// script path function",
  140. +                       "var ttPolicy;",
  141. +                       "if('TrustedTypes' in window) {",
  142. +                       "ttPolicy = TrustedTypes.createPolicy('webpack-jsonp', {createScriptURL: (s) => s})",
  143. +                       "}",
  144.                         "function jsonpScriptSrc(chunkId) {",
  145.                         Template.indent([
  146. -                           `return ${mainTemplate.requireFn}.p + ${getScriptSrcPath(
  147. +                           `var path = ${mainTemplate.requireFn}.p + ${getScriptSrcPath(
  148.                                 hash,
  149.                                 chunk,
  150.                                 "chunkId"
  151. -                           )}`
  152. +                           )}`,
  153. +                           "return ttPolicy ? ttPolicy.createScriptURL(path) : path;"
  154.                         ]),
  155.                         "}"
  156.                     );
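Review bot: The emitted runtime line `"ttPolicy = TrustedTypes.createPolicy('webpack-jsonp', {createScriptURL: (s) => s})"` puts an arrow function into the generated bundle while the surrounding template emits ES5 (`function jsonpScriptSrc(chunkId)`), so an ES5-targeted bundle now fails to parse in engines without arrow support; emit `"ttPolicy = TrustedTypes.createPolicy('webpack-jsonp', {createScriptURL: function(s) { return s; }});"` instead, with the statement terminated. The `createPolicy` call runs unconditionally at runtime start-up, so if the page's CSP does not allow the `webpack-jsonp` policy name the whole runtime throws before any chunk loads; that failure mode is worth a comment next to the `if('TrustedTypes' in window)` line. The pass-through `createScriptURL` is defensible because `path` is assembled from the configured public path and the build-time chunk filename rather than from runtime input; saying so in a comment keeps the next reader from widening it.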
  157. Only in .: patch
  158. Only in ../angular-realworld-example-app/: realworld-trustedtypes.patch
  159. diff -ur --ignore-all-space -x node_modules2 -x .git ./src/index.html ../angular-realworld-example-app/src/index.html
  160. --- ./src/index.html    2018-10-18 16:22:44.420606617 +0200
  161. +++ ../angular-realworld-example-app/src/index.html 2018-10-18 16:20:25.923486313 +0200
  162. @@ -2,6 +2,22 @@
  163.  <html>
  164.  <head>
  165.    <meta charset="utf-8">
  166. +  <meta http-equiv="Content-Security-Policy" content="trusted-types default webpack-jsonp angular-sanitizer angular-dom-renderer-factory2">
  167. +<script src="https://wicg.github.io/trusted-types/dist/es6/trustedtypes.build.js">
  168. +</script>
  169. +<script>
  170. +  if (window.TrustedTypes) {
  171. +    TrustedTypes.createPolicy('default', {
  172. +      createURL: (url) => {
  173. +        const u = new URL(url, document.baseURI);
  174. +        if (['data:', 'http:', 'https:'].includes(u.protocol)) {
  175. +          return u.href;
  176. +        }
  177. +      }
  178. +    }, true);
  179. +  };
  180. +</script>
  181. +</head>
  182.    <title>Conduit</title>
  183.    <base href="/">