- diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/core/fesm5/core.js ../angular-realworld-example-app/node_modules/@angular/core/fesm5/core.js
- --- ./node_modules/@angular/core/fesm5/core.js 2018-10-17 14:02:41.328000000 +0200
- +++ ../angular-realworld-example-app/node_modules/@angular/core/fesm5/core.js 2018-10-17 18:34:11.814184546 +0200
- @@ -6678,6 +6678,12 @@
- return ApplicationModule;
- }());
- +var TrustedTypesPolicy = 'TrustedTypes' in window ? TrustedTypes.createPolicy('angular-sanitizer', { createHTML: function(s) {return s} }) : null;
- +
- +var htmlizer = function(html) {
- + return TrustedTypesPolicy ? TrustedTypesPolicy.createHTML(html) : html;
- +};
- +
- /**
- * @license
- * Copyright Google Inc. All Rights Reserved.
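Review bot: `'TrustedTypes' in window` on the new module-scope line throws a ReferenceError wherever `window` is not defined, and this is the platform-neutral core bundle, so loading it under platform-server / Node-based rendering or DOM-less tests would fail at import time instead of falling through to the `null` branch. Guard the global first: `var TrustedTypesPolicy = (typeof window !== 'undefined' && 'TrustedTypes' in window) ? window.TrustedTypes.createPolicy('angular-sanitizer', { createHTML: function (s) { return s; } }) : null;`. The policy is a pass-through and performs no sanitization, which is presumably intentional because the sinks it feeds belong to the inert document created in InertBodyHelper below, but that reasoning should be stated next to the declaration, e.g. `// Pass-through policy for the inert parsing document only: untrusted HTML is parsed there, never rendered, so no sanitization happens here.` Note also that `createPolicy` will throw if 'angular-sanitizer' is not listed in the page's `trusted-types` CSP directive, so the name here and in index.html must be kept in step.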
- @@ -6694,6 +6700,7 @@
- * Default: InertDocument strategy
- */
- var InertBodyHelper = /** @class */ (function () {
- +
- function InertBodyHelper(defaultDoc) {
- this.defaultDoc = defaultDoc;
- this.inertDocument = this.defaultDoc.implementation.createHTMLDocument('sanitization-inert');
- @@ -6706,15 +6713,14 @@
- this.inertBodyElement = this.inertDocument.createElement('body');
- inertHtml.appendChild(this.inertBodyElement);
- }
- - this.inertBodyElement.innerHTML = '<svg><g onload="this.parentNode.remove()"></g></svg>';
- + this.inertBodyElement.innerHTML = htmlizer('<svg><g onload="this.parentNode.remove()"></g></svg>');
- if (this.inertBodyElement.querySelector && !this.inertBodyElement.querySelector('svg')) {
- // We just hit the Safari 10.1 bug - which allows JS to run inside the SVG G element
- // so use the XHR strategy.
- this.getInertBodyElement = this.getInertBodyElement_XHR;
- return;
- }
- - this.inertBodyElement.innerHTML =
- - '<svg><p><style><img src="</style><img src=x onerror=alert(1)//">';
- + this.inertBodyElement.innerHTML = htmlizer('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">');
- if (this.inertBodyElement.querySelector && this.inertBodyElement.querySelector('svg img')) {
- // We just hit the Firefox bug - which prevents the inner img JS from being sanitized
- // so use the DOMParser strategy, if it is available.
- @@ -6765,7 +6771,7 @@
- try {
- var body = new window
- .DOMParser()
- - .parseFromString(html, 'text/html')
- + .parseFromString(htmlizer(html), 'text/html')
- .body;
- body.removeChild(body.firstChild);
- return body;
- @@ -6784,10 +6790,10 @@
- // Prefer using <template> element if supported.
- var templateEl = this.inertDocument.createElement('template');
- if ('content' in templateEl) {
- - templateEl.innerHTML = html;
- + templateEl.innerHTML = htmlizer(html);
- return templateEl;
- }
- - this.inertBodyElement.innerHTML = html;
- + this.inertBodyElement.innerHTML = htmlizer(html);
- // Support: IE 9-11 only
- // strip custom-namespaced attributes on IE<=11
- if (this.defaultDoc.documentMode) {
- @@ -8057,6 +8063,7 @@
- function setElementProperty(view, binding, renderNode$$1, name, value) {
- var securityContext = binding.securityContext;
- var renderValue = securityContext ? view.root.sanitizer.sanitize(securityContext, value) : value;
- + // TODO(koto): It would be better to wrap here.
- view.renderer.setProperty(renderNode$$1, name, renderValue);
- }
- diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/platform-browser/bundles/platform-browser.umd.js ../angular-realworld-example-app/node_modules/@angular/platform-browser/bundles/platform-browser.umd.js
- --- ./node_modules/@angular/platform-browser/bundles/platform-browser.umd.js 2018-10-17 14:02:41.450000000 +0200
- +++ ../angular-realworld-example-app/node_modules/@angular/platform-browser/bundles/platform-browser.umd.js 2018-10-17 15:24:07.814508210 +0200
- @@ -588,14 +588,10 @@
- return baseElement.getAttribute('href');
- }
- // based on urlUtils.js in AngularJS 1
- -var urlParsingNode;
- function relativePath(url) {
- - if (!urlParsingNode) {
- - urlParsingNode = document.createElement('a');
- - }
- - urlParsingNode.setAttribute('href', url);
- - return (urlParsingNode.pathname.charAt(0) === '/') ? urlParsingNode.pathname :
- - '/' + urlParsingNode.pathname;
- + var url = new URL(url, document.baseURI);
- + return (url.pathname.charAt(0) === '/') ? url.pathname :
- + '/' + url.pathname;
- }
- /**
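Review bot: The rewritten relativePath now throws where the old code did not: `new URL(url, document.baseURI)` raises a TypeError for an unparsable href, whereas the anchor-element approach always produced some pathname, and since the value comes from `getBaseElementHref()` just above, a malformed `<base href>` would presumably now fail during bootstrap instead of degrading. Reusing the parameter name with `var url = new URL(url, ...)` also reads as a redeclaration; a separate local is clearer: `var parsed = new URL(url, document.baseURI); return parsed.pathname.charAt(0) === '/' ? parsed.pathname : '/' + parsed.pathname;`. Only the UMD bundle receives this change in the patch, while the fesm5 hunks below touch the renderer only, so if the app is built from fesm5 this edit may not be the copy that runs — worth confirming relativePath in platform-browser.js received the same treatment.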
- diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/@angular/platform-browser/fesm5/platform-browser.js ../angular-realworld-example-app/node_modules/@angular/platform-browser/fesm5/platform-browser.js
- --- ./node_modules/@angular/platform-browser/fesm5/platform-browser.js 2018-10-17 14:02:41.450000000 +0200
- +++ ../angular-realworld-example-app/node_modules/@angular/platform-browser/fesm5/platform-browser.js 2018-10-17 18:42:16.522146624 +0200
- @@ -1150,7 +1150,12 @@
- this.eventManager = eventManager;
- this.sharedStylesHost = sharedStylesHost;
- this.rendererByCompId = new Map();
- - this.defaultRenderer = new DefaultDomRenderer2(eventManager);
- + this.ttPolicy = window.TrustedTypes ? window.TrustedTypes.createPolicy('angular-dom-renderer-factory2', {
- + createHTML: function(s) {
- + return s;
- + },
- + }) : null;
- + this.defaultRenderer = new DefaultDomRenderer2(eventManager, this.ttPolicy);
- }
- DomRendererFactory2.prototype.createRenderer = function (element, type) {
- if (!element || !type) {
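Review bot: The policy is created inside the DomRendererFactory2 constructor, so every construction of the factory calls `createPolicy` with the same fixed name `'angular-dom-renderer-factory2'`; in the Trusted Types spec and polyfill versions I know, a duplicate policy name throws a TypeError unless the CSP grants `'allow-duplicates'`, which would make a second bootstrap (tests, hot reload, multiple apps on one page) fail at construction. Hoist the policy to module scope as core.js does in this same patch, or create it lazily once and cache it. The feature check also differs from core.js (`window.TrustedTypes` here, `'TrustedTypes' in window` there); one shared form would keep the two bundles consistent. A one-line comment stating that this policy is a deliberate pass-through and that the HTML it accepts is expected to have already gone through the DomSanitizer would help the next reader, e.g. `// Pass-through policy: Angular's sanitizer, not this policy, is the security boundary for innerHTML bindings.`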
- @@ -1192,8 +1197,9 @@
- return DomRendererFactory2;
- }());
- var DefaultDomRenderer2 = /** @class */ (function () {
- - function DefaultDomRenderer2(eventManager) {
- + function DefaultDomRenderer2(eventManager, ttPolicy) {
- this.eventManager = eventManager;
- + this.ttPolicy = ttPolicy;
- this.data = Object.create(null);
- }
- DefaultDomRenderer2.prototype.destroy = function () { };
- @@ -1278,6 +1284,9 @@
- };
- DefaultDomRenderer2.prototype.setProperty = function (el, name, value) {
- checkNoSyntheticProp(name, 'property');
- + if (name == 'innerHTML' && this.ttPolicy) {
- + value = this.ttPolicy.createHTML(value);
- + }
- el[name] = value;
- };
- DefaultDomRenderer2.prototype.setValue = function (node, value) { node.nodeValue = value; };
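Review bot: Only `innerHTML` is wrapped, but `outerHTML` and iframe `srcdoc` are also Trusted Types HTML sinks and, if I recall Angular's DOM security schema correctly, are sanitized under the same HTML SecurityContext, so an `[outerHTML]` or `[srcdoc]` binding would still throw under enforcement. Widen the check and use strict equality: `if (this.ttPolicy && (name === 'innerHTML' || name === 'outerHTML' || name === 'srcdoc')) {`. Because the policy returns its input unchanged, this wrap makes enforcement trust whatever reached the renderer — including values that bypassed sanitization via `bypassSecurityTrustHtml` — so a comment above the `if` saying that the sanitizer, not the policy, is the security boundary would be worth adding.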
- Only in ../angular-realworld-example-app/node_modules/node-sass/vendor: linux-x64-57
- diff -ur --ignore-all-space -x node_modules2 -x .git ./node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js ../angular-realworld-example-app/node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js
- --- ./node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js 2018-10-17 14:02:43.592000000 +0200
- +++ ../angular-realworld-example-app/node_modules/webpack/lib/web/JsonpMainTemplatePlugin.js 2018-10-17 17:17:31.489351070 +0200
- @@ -128,13 +128,18 @@
- extraCode.push(
- "",
- "// script path function",
- + "var ttPolicy;",
- + "if('TrustedTypes' in window) {",
- + "ttPolicy = TrustedTypes.createPolicy('webpack-jsonp', {createScriptURL: (s) => s})",
- + "}",
- "function jsonpScriptSrc(chunkId) {",
- Template.indent([
- - `return ${mainTemplate.requireFn}.p + ${getScriptSrcPath(
- + `var path = ${mainTemplate.requireFn}.p + ${getScriptSrcPath(
- hash,
- chunk,
- "chunkId"
- - )}`
- + )}`,
- + "return ttPolicy ? ttPolicy.createScriptURL(path) : path;"
- ]),
- "}"
- );
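Review bot: The emitted runtime code uses an arrow function, `createScriptURL: (s) => s`, while the rest of the JSONP runtime webpack generates here is ES5 (`function` declarations), so browsers without ES2015 support that the bundle otherwise targets would fail to parse the runtime; emit `createScriptURL: function(s) { return s; }` instead. The policy is a pass-through over `__webpack_require__.p + chunk path`, so the trust boundary becomes the public path, which presumably can be overridden at runtime via `__webpack_public_path__` — if that is ever derived from page data, the policy should validate the resolved URL (for example its origin) rather than return `s` unchanged. A short comment above `var ttPolicy;` noting that 'webpack-jsonp' must appear in the page's `trusted-types` CSP directive or `createPolicy` will throw would save the next reader a debugging session.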
- Only in .: patch
- Only in ../angular-realworld-example-app/: realworld-trustedtypes.patch
- diff -ur --ignore-all-space -x node_modules2 -x .git ./src/index.html ../angular-realworld-example-app/src/index.html
- --- ./src/index.html 2018-10-18 16:22:44.420606617 +0200
- +++ ../angular-realworld-example-app/src/index.html 2018-10-18 16:20:25.923486313 +0200
- @@ -2,6 +2,22 @@
- <html>
- <head>
- <meta charset="utf-8">
- + <meta http-equiv="Content-Security-Policy" content="trusted-types default webpack-jsonp angular-sanitizer angular-dom-renderer-factory2">
- +<script src="https://wicg.github.io/trusted-types/dist/es6/trustedtypes.build.js">
- +</script>
- +<script>
- + if (window.TrustedTypes) {
- + TrustedTypes.createPolicy('default', {
- + createURL: (url) => {
- + const u = new URL(url, document.baseURI);
- + if (['data:', 'http:', 'https:'].includes(u.protocol)) {
- + return u.href;
- + }
- + }
- + }, true);
- + };
- +</script>
- +</head>
- <title>Conduit</title>
- <base href="/">
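Review bot: The Trusted Types enforcement itself is loaded from an unpinned third-party script, `https://wicg.github.io/trusted-types/dist/es6/trustedtypes.build.js`, with no version, no `integrity` and no `crossorigin`, so whoever controls that host or path in the future controls the polyfill that decides what counts as trusted; vendor the build into the app, or at minimum pin a fixed version with `integrity="sha384-…" crossorigin="anonymous"`. The default policy's `createURL` returns `undefined` for non-allowed schemes and relies on the sink rejecting that, which is easy to misread as "allowed"; make the rejection explicit with an `else` branch, `throw new TypeError('Blocked URL: ' + url);`, and reconsider whether `data:` belongs in the allowlist. The inserted `+</head>` closes the head ahead of the existing `<title>` and `<base href>`, leaving them to parser error recovery and presumably duplicating a `</head>` further down that this hunk does not show; drop that added line. Under the current spec `trusted-types` alone only restricts policy names and enforcement needs `require-trusted-types-for 'script'`, so the meta directive should be re-checked against the polyfill version actually used.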