/**
 * @license
 * Copyright Google LLC All Rights Reserved.
 *
 * Use of this source code is governed by an MIT-style license that can be
 * found in the LICENSE file at https://angular.io/license
 */
/**
 * Trusted Types sinks, keyed as `tagName|propertyName`. A property that is a sink on every
 * tag is keyed with `*` in place of the tag name.
 *
 * Extracted from, and should be kept in sync with
 * https://w3c.github.io/webappsec-trusted-types/dist/spec/#integrations
 *
 * Every entry *must* be lowercase: isTrustedTypesSink lowercases both the tag and the property
 * name before looking them up, so a mixed-case entry could never match and that sink would
 * silently be reported as a non-sink.
 */
const TRUSTED_TYPES_SINKS = new Set(
  [
    // Sinks that take TrustedHTML.
    ['iframe|srcdoc', '*|innerhtml', '*|outerhtml'],

    // NB: no TrustedScript sinks are listed, as the corresponding tags are stripped by the
    // compiler.

    // Sinks that take TrustedScriptURL.
    ['embed|src', 'object|codebase', 'object|data'],
  ].flat(),
);
/**
 * Reports whether the given property on the given DOM tag is a Trusted Types sink. When it is,
 * use `ElementSchemaRegistry.securityContext` to determine which particular Trusted Type is
 * required for values passed to the sink:
 * - SecurityContext.HTML corresponds to TrustedHTML
 * - SecurityContext.RESOURCE_URL corresponds to TrustedScriptURL
 *
 * A `false` result only means the pair is absent from TRUSTED_TYPES_SINKS; this function makes
 * no other statement about the property.
 *
 * @param {string} tagName - DOM tag name, in any letter case.
 * @param {string} propName - Property or attribute name, in any letter case.
 * @returns {boolean} `true` if the pair is listed for that tag or for all tags (`*`).
 */
export function isTrustedTypesSink(tagName, propName) {
  // Normalise case before the lookup so that case differences between attribute and property
  // names (e.g. `innerHTML` vs `innerhtml`) do not have a security impact.
  const tag = tagName.toLowerCase();
  const prop = propName.toLowerCase();

  // Tag-specific entry first.
  if (TRUSTED_TYPES_SINKS.has(`${tag}|${prop}`)) {
    return true;
  }

  // Otherwise fall back to properties that are sinks on every tag.
  return TRUSTED_TYPES_SINKS.has(`*|${prop}`);
}
42 | //# sourceMappingURL=data:application/json;base64,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 |
---|