123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994 |
- // Copyright 2013 The Closure Library Authors. All Rights Reserved.
- //
- // Licensed under the Apache License, Version 2.0 (the "License");
- // you may not use this file except in compliance with the License.
- // You may obtain a copy of the License at
- //
- // http://www.apache.org/licenses/LICENSE-2.0
- //
- // Unless required by applicable law or agreed to in writing, software
- // distributed under the License is distributed on an "AS-IS" BASIS,
- // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- // See the License for the specific language governing permissions and
- // limitations under the License.
- /**
- * @fileoverview The SafeHtml type and its builders.
- *
- * TODO(xtof): Link to document stating type contract.
- */
- goog.provide('goog.html.SafeHtml');
- goog.require('goog.array');
- goog.require('goog.asserts');
- goog.require('goog.dom.TagName');
- goog.require('goog.dom.tags');
- goog.require('goog.html.SafeScript');
- goog.require('goog.html.SafeStyle');
- goog.require('goog.html.SafeStyleSheet');
- goog.require('goog.html.SafeUrl');
- goog.require('goog.html.TrustedResourceUrl');
- goog.require('goog.i18n.bidi.Dir');
- goog.require('goog.i18n.bidi.DirectionalString');
- goog.require('goog.labs.userAgent.browser');
- goog.require('goog.object');
- goog.require('goog.string');
- goog.require('goog.string.Const');
- goog.require('goog.string.TypedString');
- /**
- * A string that is safe to use in HTML context in DOM APIs and HTML documents.
- *
- * A SafeHtml is a string-like object that carries the security type contract
- * that its value as a string will not cause untrusted script execution when
- * evaluated as HTML in a browser.
- *
- * Values of this type are guaranteed to be safe to use in HTML contexts,
- * such as, assignment to the innerHTML DOM property, or interpolation into
- * a HTML template in HTML PC_DATA context, in the sense that the use will not
- * result in a Cross-Site-Scripting vulnerability.
- *
- * Instances of this type must be created via the factory methods
- * ({@code goog.html.SafeHtml.create}, {@code goog.html.SafeHtml.htmlEscape}),
- * etc and not by invoking its constructor. The constructor intentionally
- * takes no parameters and the type is immutable; hence only a default instance
- * corresponding to the empty string can be obtained via constructor invocation.
- *
- * @see goog.html.SafeHtml#create
- * @see goog.html.SafeHtml#htmlEscape
- * @constructor
- * @final
- * @struct
- * @implements {goog.i18n.bidi.DirectionalString}
- * @implements {goog.string.TypedString}
- */
- goog.html.SafeHtml = function() {
- /**
- * The contained value of this SafeHtml. The field has a purposely ugly
- * name to make (non-compiled) code that attempts to directly access this
- * field stand out.
- * @private {string}
- */
- this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = '';
- /**
- * A type marker used to implement additional run-time type checking.
- * @see goog.html.SafeHtml#unwrap
- * @const {!Object}
- * @private
- */
- this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =
- goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;
- /**
- * This SafeHtml's directionality, or null if unknown.
- * @private {?goog.i18n.bidi.Dir}
- */
- this.dir_ = null;
- };
- /**
- * @override
- * @const
- */
- goog.html.SafeHtml.prototype.implementsGoogI18nBidiDirectionalString = true;
- /** @override */
- goog.html.SafeHtml.prototype.getDirection = function() {
- return this.dir_;
- };
- /**
- * @override
- * @const
- */
- goog.html.SafeHtml.prototype.implementsGoogStringTypedString = true;
- /**
- * Returns this SafeHtml's value as string.
- *
- * IMPORTANT: In code where it is security relevant that an object's type is
- * indeed {@code SafeHtml}, use {@code goog.html.SafeHtml.unwrap} instead of
- * this method. If in doubt, assume that it's security relevant. In particular,
- * note that goog.html functions which return a goog.html type do not guarantee
- * that the returned instance is of the right type. For example:
- *
- * <pre>
- * var fakeSafeHtml = new String('fake');
- * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;
- * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);
- * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by
- * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml
- * // instanceof goog.html.SafeHtml.
- * </pre>
- *
- * @see goog.html.SafeHtml#unwrap
- * @override
- */
- goog.html.SafeHtml.prototype.getTypedStringValue = function() {
- return this.privateDoNotAccessOrElseSafeHtmlWrappedValue_;
- };
- if (goog.DEBUG) {
- /**
- * Returns a debug string-representation of this value.
- *
- * To obtain the actual string value wrapped in a SafeHtml, use
- * {@code goog.html.SafeHtml.unwrap}.
- *
- * @see goog.html.SafeHtml#unwrap
- * @override
- */
- goog.html.SafeHtml.prototype.toString = function() {
- return 'SafeHtml{' + this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ +
- '}';
- };
- }
- /**
- * Performs a runtime check that the provided object is indeed a SafeHtml
- * object, and returns its value.
- * @param {!goog.html.SafeHtml} safeHtml The object to extract from.
- * @return {string} The SafeHtml object's contained string, unless the run-time
- * type check fails. In that case, {@code unwrap} returns an innocuous
- * string, or, if assertions are enabled, throws
- * {@code goog.asserts.AssertionError}.
- */
- goog.html.SafeHtml.unwrap = function(safeHtml) {
- // Perform additional run-time type-checking to ensure that safeHtml is indeed
- // an instance of the expected type. This provides some additional protection
- // against security bugs due to application code that disables type checks.
- // Specifically, the following checks are performed:
- // 1. The object is an instance of the expected type.
- // 2. The object is not an instance of a subclass.
- // 3. The object carries a type marker for the expected type. "Faking" an
- // object requires a reference to the type marker, which has names intended
- // to stand out in code reviews.
- if (safeHtml instanceof goog.html.SafeHtml &&
- safeHtml.constructor === goog.html.SafeHtml &&
- safeHtml.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ ===
- goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {
- return safeHtml.privateDoNotAccessOrElseSafeHtmlWrappedValue_;
- } else {
- goog.asserts.fail('expected object of type SafeHtml, got \'' +
- safeHtml + '\' of type ' + goog.typeOf(safeHtml));
- return 'type_error:SafeHtml';
- }
- };
- /**
- * Shorthand for union of types that can sensibly be converted to strings
- * or might already be SafeHtml (as SafeHtml is a goog.string.TypedString).
- * @private
- * @typedef {string|number|boolean|!goog.string.TypedString|
- * !goog.i18n.bidi.DirectionalString}
- */
- goog.html.SafeHtml.TextOrHtml_;
- /**
- * Returns HTML-escaped text as a SafeHtml object.
- *
- * If text is of a type that implements
- * {@code goog.i18n.bidi.DirectionalString}, the directionality of the new
- * {@code SafeHtml} object is set to {@code text}'s directionality, if known.
- * Otherwise, the directionality of the resulting SafeHtml is unknown (i.e.,
- * {@code null}).
- *
- * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If
- * the parameter is of type SafeHtml it is returned directly (no escaping
- * is done).
- * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.
- */
- goog.html.SafeHtml.htmlEscape = function(textOrHtml) {
- if (textOrHtml instanceof goog.html.SafeHtml) {
- return textOrHtml;
- }
- var dir = null;
- if (textOrHtml.implementsGoogI18nBidiDirectionalString) {
- dir = textOrHtml.getDirection();
- }
- var textAsString;
- if (textOrHtml.implementsGoogStringTypedString) {
- textAsString = textOrHtml.getTypedStringValue();
- } else {
- textAsString = String(textOrHtml);
- }
- return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- goog.string.htmlEscape(textAsString), dir);
- };
- /**
- * Returns HTML-escaped text as a SafeHtml object, with newlines changed to
- * <br>.
- * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If
- * the parameter is of type SafeHtml it is returned directly (no escaping
- * is done).
- * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.
- */
- goog.html.SafeHtml.htmlEscapePreservingNewlines = function(textOrHtml) {
- if (textOrHtml instanceof goog.html.SafeHtml) {
- return textOrHtml;
- }
- var html = goog.html.SafeHtml.htmlEscape(textOrHtml);
- return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- goog.string.newLineToBr(goog.html.SafeHtml.unwrap(html)),
- html.getDirection());
- };
- /**
- * Returns HTML-escaped text as a SafeHtml object, with newlines changed to
- * <br> and escaping whitespace to preserve spatial formatting. Character
- * entity #160 is used to make it safer for XML.
- * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If
- * the parameter is of type SafeHtml it is returned directly (no escaping
- * is done).
- * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.
- */
- goog.html.SafeHtml.htmlEscapePreservingNewlinesAndSpaces = function(
- textOrHtml) {
- if (textOrHtml instanceof goog.html.SafeHtml) {
- return textOrHtml;
- }
- var html = goog.html.SafeHtml.htmlEscape(textOrHtml);
- return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- goog.string.whitespaceEscape(goog.html.SafeHtml.unwrap(html)),
- html.getDirection());
- };
- /**
- * Coerces an arbitrary object into a SafeHtml object.
- *
- * If {@code textOrHtml} is already of type {@code goog.html.SafeHtml}, the same
- * object is returned. Otherwise, {@code textOrHtml} is coerced to string, and
- * HTML-escaped. If {@code textOrHtml} is of a type that implements
- * {@code goog.i18n.bidi.DirectionalString}, its directionality, if known, is
- * preserved.
- *
- * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text or SafeHtml to
- * coerce.
- * @return {!goog.html.SafeHtml} The resulting SafeHtml object.
- * @deprecated Use goog.html.SafeHtml.htmlEscape.
- */
- goog.html.SafeHtml.from = goog.html.SafeHtml.htmlEscape;
- /**
- * @const
- * @private
- */
- goog.html.SafeHtml.VALID_NAMES_IN_TAG_ = /^[a-zA-Z0-9-]+$/;
- /**
- * Set of attributes containing URL as defined at
- * http://www.w3.org/TR/html5/index.html#attributes-1.
- * @private @const {!Object<string,boolean>}
- */
- goog.html.SafeHtml.URL_ATTRIBUTES_ = goog.object.createSet(
- 'action', 'cite', 'data', 'formaction', 'href', 'manifest', 'poster',
- 'src');
- /**
- * Tags which are unsupported via create(). They might be supported via a
- * tag-specific create method. These are tags which might require a
- * TrustedResourceUrl in one of their attributes or a restricted type for
- * their content.
- * @private @const {!Object<string,boolean>}
- */
- goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet(
- goog.dom.TagName.APPLET, goog.dom.TagName.BASE, goog.dom.TagName.EMBED,
- goog.dom.TagName.IFRAME, goog.dom.TagName.LINK, goog.dom.TagName.MATH,
- goog.dom.TagName.META, goog.dom.TagName.OBJECT, goog.dom.TagName.SCRIPT,
- goog.dom.TagName.STYLE, goog.dom.TagName.SVG, goog.dom.TagName.TEMPLATE);
- /**
- * @typedef {string|number|goog.string.TypedString|
- * goog.html.SafeStyle.PropertyMap|undefined}
- */
- goog.html.SafeHtml.AttributeValue;
- /**
- * Creates a SafeHtml content consisting of a tag with optional attributes and
- * optional content.
- *
- * For convenience tag names and attribute names are accepted as regular
- * strings, instead of goog.string.Const. Nevertheless, you should not pass
- * user-controlled values to these parameters. Note that these parameters are
- * syntactically validated at runtime, and invalid values will result in
- * an exception.
- *
- * Example usage:
- *
- * goog.html.SafeHtml.create('br');
- * goog.html.SafeHtml.create('div', {'class': 'a'});
- * goog.html.SafeHtml.create('p', {}, 'a');
- * goog.html.SafeHtml.create('p', {}, goog.html.SafeHtml.create('br'));
- *
- * goog.html.SafeHtml.create('span', {
- * 'style': {'margin': '0'}
- * });
- *
- * To guarantee SafeHtml's type contract is upheld there are restrictions on
- * attribute values and tag names.
- *
- * - For attributes which contain script code (on*), a goog.string.Const is
- * required.
- * - For attributes which contain style (style), a goog.html.SafeStyle or a
- * goog.html.SafeStyle.PropertyMap is required.
- * - For attributes which are interpreted as URLs (e.g. src, href) a
- * goog.html.SafeUrl, goog.string.Const or string is required. If a string
- * is passed, it will be sanitized with SafeUrl.sanitize().
- * - For tags which can load code or set security relevant page metadata,
- * more specific goog.html.SafeHtml.create*() functions must be used. Tags
- * which are not supported by this function are applet, base, embed, iframe,
- * link, math, object, script, style, svg, and template.
- *
- * @param {!goog.dom.TagName|string} tagName The name of the tag. Only tag names
- * consisting of [a-zA-Z0-9-] are allowed. Tag names documented above are
- * disallowed.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
- * the attribute to be omitted.
- * @param {!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to
- * HTML-escape and put inside the tag. This must be empty for void tags
- * like <br>. Array elements are concatenated.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid tag name, attribute name, or attribute value is
- * provided.
- * @throws {goog.asserts.AssertionError} If content for void tag is provided.
- */
- goog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) {
- goog.html.SafeHtml.verifyTagName(String(tagName));
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- String(tagName), opt_attributes, opt_content);
- };
- /**
- * Verifies if the tag name is valid and if it doesn't change the context.
- * E.g. STRONG is fine but SCRIPT throws because it changes context. See
- * goog.html.SafeHtml.create for an explanation of allowed tags.
- * @param {string} tagName
- * @throws {Error} If invalid tag name is provided.
- * @package
- */
- goog.html.SafeHtml.verifyTagName = function(tagName) {
- if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(tagName)) {
- throw Error('Invalid tag name <' + tagName + '>.');
- }
- if (tagName.toUpperCase() in goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_) {
- throw Error('Tag name <' + tagName + '> is not allowed for SafeHtml.');
- }
- };
- /**
- * Creates a SafeHtml representing an iframe tag.
- *
- * This by default restricts the iframe as much as possible by setting the
- * sandbox attribute to the empty string. If the iframe requires less
- * restrictions, set the sandbox attribute as tight as possible, but do not rely
- * on the sandbox as a security feature because it is not supported by older
- * browsers. If a sandbox is essential to security (e.g. for third-party
- * frames), use createSandboxIframe which checks for browser support.
- *
- * @see https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox
- *
- * @param {?goog.html.TrustedResourceUrl=} opt_src The value of the src
- * attribute. If null or undefined src will not be set.
- * @param {?goog.html.SafeHtml=} opt_srcdoc The value of the srcdoc attribute.
- * If null or undefined srcdoc will not be set.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
- * the attribute to be omitted.
- * @param {!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to
- * HTML-escape and put inside the tag. Array elements are concatenated.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid tag name, attribute name, or attribute value is
- * provided. If opt_attributes contains the src or srcdoc attributes.
- */
- goog.html.SafeHtml.createIframe = function(
- opt_src, opt_srcdoc, opt_attributes, opt_content) {
- if (opt_src) {
- // Check whether this is really TrustedResourceUrl.
- goog.html.TrustedResourceUrl.unwrap(opt_src);
- }
- var fixedAttributes = {};
- fixedAttributes['src'] = opt_src || null;
- fixedAttributes['srcdoc'] =
- opt_srcdoc && goog.html.SafeHtml.unwrap(opt_srcdoc);
- var defaultAttributes = {'sandbox': ''};
- var attributes = goog.html.SafeHtml.combineAttributes(
- fixedAttributes, defaultAttributes, opt_attributes);
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'iframe', attributes, opt_content);
- };
- /**
- * Creates a SafeHtml representing a sandboxed iframe tag.
- *
- * The sandbox attribute is enforced in its most restrictive mode, an empty
- * string. Consequently, the security requirements for the src and srcdoc
- * attributes are relaxed compared to SafeHtml.createIframe. This function
- * will throw on browsers that do not support the sandbox attribute, as
- * determined by SafeHtml.canUseSandboxIframe.
- *
- * The SafeHtml returned by this function can trigger downloads with no
- * user interaction on Chrome (though only a few, further attempts are blocked).
- * Firefox and IE will block all downloads from the sandbox.
- *
- * @see https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox
- * @see https://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0112.html
- *
- * @param {string|!goog.html.SafeUrl=} opt_src The value of the src
- * attribute. If null or undefined src will not be set.
- * @param {string=} opt_srcdoc The value of the srcdoc attribute.
- * If null or undefined srcdoc will not be set. Will not be sanitized.
- * @param {!Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
- * the attribute to be omitted.
- * @param {!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to
- * HTML-escape and put inside the tag. Array elements are concatenated.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid tag name, attribute name, or attribute value is
- * provided. If opt_attributes contains the src, srcdoc or sandbox
- * attributes. If browser does not support the sandbox attribute on iframe.
- */
- goog.html.SafeHtml.createSandboxIframe = function(
- opt_src, opt_srcdoc, opt_attributes, opt_content) {
- if (!goog.html.SafeHtml.canUseSandboxIframe()) {
- throw new Error('The browser does not support sandboxed iframes.');
- }
- var fixedAttributes = {};
- if (opt_src) {
- // Note that sanitize is a no-op on SafeUrl.
- fixedAttributes['src'] =
- goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(opt_src));
- } else {
- fixedAttributes['src'] = null;
- }
- fixedAttributes['srcdoc'] = opt_srcdoc || null;
- fixedAttributes['sandbox'] = '';
- var attributes =
- goog.html.SafeHtml.combineAttributes(fixedAttributes, {}, opt_attributes);
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'iframe', attributes, opt_content);
- };
- /**
- * Checks if the user agent supports sandboxed iframes.
- * @return {boolean}
- */
- goog.html.SafeHtml.canUseSandboxIframe = function() {
- return goog.global['HTMLIFrameElement'] &&
- ('sandbox' in goog.global['HTMLIFrameElement'].prototype);
- };
- /**
- * Creates a SafeHtml representing a script tag with the src attribute.
- * @param {!goog.html.TrustedResourceUrl} src The value of the src
- * attribute.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=}
- * opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined
- * causes the attribute to be omitted.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid attribute name or value is provided. If
- * opt_attributes contains the src attribute.
- */
- goog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) {
- // TODO(mlourenco): The charset attribute should probably be blocked. If
- // its value is attacker controlled, the script contains attacker controlled
- // sub-strings (even if properly escaped) and the server does not set charset
- // then XSS is likely possible.
- // https://html.spec.whatwg.org/multipage/scripting.html#dom-script-charset
- // Check whether this is really TrustedResourceUrl.
- goog.html.TrustedResourceUrl.unwrap(src);
- var fixedAttributes = {'src': src};
- var defaultAttributes = {};
- var attributes = goog.html.SafeHtml.combineAttributes(
- fixedAttributes, defaultAttributes, opt_attributes);
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'script', attributes);
- };
- /**
- * Creates a SafeHtml representing a script tag. Does not allow the language,
- * src, text or type attributes to be set.
- * @param {!goog.html.SafeScript|!Array<!goog.html.SafeScript>}
- * script Content to put inside the tag. Array elements are
- * concatenated.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
- * the attribute to be omitted.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid attribute name or attribute value is provided. If
- * opt_attributes contains the language, src, text or type attribute.
- */
- goog.html.SafeHtml.createScript = function(script, opt_attributes) {
- for (var attr in opt_attributes) {
- var attrLower = attr.toLowerCase();
- if (attrLower == 'language' || attrLower == 'src' || attrLower == 'text' ||
- attrLower == 'type') {
- throw Error('Cannot set "' + attrLower + '" attribute');
- }
- }
- var content = '';
- script = goog.array.concat(script);
- for (var i = 0; i < script.length; i++) {
- content += goog.html.SafeScript.unwrap(script[i]);
- }
- // Convert to SafeHtml so that it's not HTML-escaped. This is safe because
- // as part of its contract, SafeScript should have no dangerous '<'.
- var htmlContent =
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- content, goog.i18n.bidi.Dir.NEUTRAL);
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'script', opt_attributes, htmlContent);
- };
- /**
- * Creates a SafeHtml representing a style tag. The type attribute is set
- * to "text/css".
- * @param {!goog.html.SafeStyleSheet|!Array<!goog.html.SafeStyleSheet>}
- * styleSheet Content to put inside the tag. Array elements are
- * concatenated.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Mapping from attribute names to their values. Only attribute names
- * consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes
- * the attribute to be omitted.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- * @throws {Error} If invalid attribute name or attribute value is provided. If
- * opt_attributes contains the type attribute.
- */
- goog.html.SafeHtml.createStyle = function(styleSheet, opt_attributes) {
- var fixedAttributes = {'type': 'text/css'};
- var defaultAttributes = {};
- var attributes = goog.html.SafeHtml.combineAttributes(
- fixedAttributes, defaultAttributes, opt_attributes);
- var content = '';
- styleSheet = goog.array.concat(styleSheet);
- for (var i = 0; i < styleSheet.length; i++) {
- content += goog.html.SafeStyleSheet.unwrap(styleSheet[i]);
- }
- // Convert to SafeHtml so that it's not HTML-escaped. This is safe because
- // as part of its contract, SafeStyleSheet should have no dangerous '<'.
- var htmlContent =
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- content, goog.i18n.bidi.Dir.NEUTRAL);
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'style', attributes, htmlContent);
- };
- /**
- * Creates a SafeHtml representing a meta refresh tag.
- * @param {!goog.html.SafeUrl|string} url Where to redirect. If a string is
- * passed, it will be sanitized with SafeUrl.sanitize().
- * @param {number=} opt_secs Number of seconds until the page should be
- * reloaded. Will be set to 0 if unspecified.
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- */
- goog.html.SafeHtml.createMetaRefresh = function(url, opt_secs) {
- // Note that sanitize is a no-op on SafeUrl.
- var unwrappedUrl = goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(url));
- if (goog.labs.userAgent.browser.isIE() ||
- goog.labs.userAgent.browser.isEdge()) {
- // IE/EDGE can't parse the content attribute if the url contains a
- // semicolon. We can fix this by adding quotes around the url, but then we
- // can't parse quotes in the URL correctly. Also, it seems that IE/EDGE
- // did not unescape semicolons in these URLs at some point in the past. We
- // take a best-effort approach.
- //
- // If the URL has semicolons (which may happen in some cases, see
- // http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2
- // for instance), wrap it in single quotes to protect the semicolons.
- // If the URL has semicolons and single quotes, url-encode the single quotes
- // as well.
- //
- // This is imperfect. Notice that both ' and ; are reserved characters in
- // URIs, so this could do the wrong thing, but at least it will do the wrong
- // thing in only rare cases.
- if (goog.string.contains(unwrappedUrl, ';')) {
- unwrappedUrl = "'" + unwrappedUrl.replace(/'/g, '%27') + "'";
- }
- }
- var attributes = {
- 'http-equiv': 'refresh',
- 'content': (opt_secs || 0) + '; url=' + unwrappedUrl
- };
- // This function will handle the HTML escaping for attributes.
- return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(
- 'meta', attributes);
- };
- /**
- * @param {string} tagName The tag name.
- * @param {string} name The attribute name.
- * @param {!goog.html.SafeHtml.AttributeValue} value The attribute value.
- * @return {string} A "name=value" string.
- * @throws {Error} If attribute value is unsafe for the given tag and attribute.
- * @private
- */
- goog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) {
- // If it's goog.string.Const, allow any valid attribute name.
- if (value instanceof goog.string.Const) {
- value = goog.string.Const.unwrap(value);
- } else if (name.toLowerCase() == 'style') {
- value = goog.html.SafeHtml.getStyleValue_(value);
- } else if (/^on/i.test(name)) {
- // TODO(jakubvrana): Disallow more attributes with a special meaning.
- throw Error(
- 'Attribute "' + name + '" requires goog.string.Const value, "' + value +
- '" given.');
- // URL attributes handled differently according to tag.
- } else if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) {
- if (value instanceof goog.html.TrustedResourceUrl) {
- value = goog.html.TrustedResourceUrl.unwrap(value);
- } else if (value instanceof goog.html.SafeUrl) {
- value = goog.html.SafeUrl.unwrap(value);
- } else if (goog.isString(value)) {
- value = goog.html.SafeUrl.sanitize(value).getTypedStringValue();
- } else {
- throw Error(
- 'Attribute "' + name + '" on tag "' + tagName +
- '" requires goog.html.SafeUrl, goog.string.Const, or string,' +
- ' value "' + value + '" given.');
- }
- }
- // Accept SafeUrl, TrustedResourceUrl, etc. for attributes which only require
- // HTML-escaping.
- if (value.implementsGoogStringTypedString) {
- // Ok to call getTypedStringValue() since there's no reliance on the type
- // contract for security here.
- value = value.getTypedStringValue();
- }
- goog.asserts.assert(
- goog.isString(value) || goog.isNumber(value),
- 'String or number value expected, got ' + (typeof value) +
- ' with value: ' + value);
- return name + '="' + goog.string.htmlEscape(String(value)) + '"';
- };
- /**
- * Gets value allowed in "style" attribute.
- * @param {!goog.html.SafeHtml.AttributeValue} value It could be SafeStyle or a
- * map which will be passed to goog.html.SafeStyle.create.
- * @return {string} Unwrapped value.
- * @throws {Error} If string value is given.
- * @private
- */
- goog.html.SafeHtml.getStyleValue_ = function(value) {
- if (!goog.isObject(value)) {
- throw Error(
- 'The "style" attribute requires goog.html.SafeStyle or map ' +
- 'of style properties, ' + (typeof value) + ' given: ' + value);
- }
- if (!(value instanceof goog.html.SafeStyle)) {
- // Process the property bag into a style object.
- value = goog.html.SafeStyle.create(value);
- }
- return goog.html.SafeStyle.unwrap(value);
- };
- /**
- * Creates a SafeHtml content with known directionality consisting of a tag with
- * optional attributes and optional content.
- * @param {!goog.i18n.bidi.Dir} dir Directionality.
- * @param {string} tagName
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * @param {!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content
- * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.
- */
- goog.html.SafeHtml.createWithDir = function(
- dir, tagName, opt_attributes, opt_content) {
- var html = goog.html.SafeHtml.create(tagName, opt_attributes, opt_content);
- html.dir_ = dir;
- return html;
- };
- /**
- * Creates a new SafeHtml object by concatenating values.
- * @param {...(!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>)} var_args Values to concatenate.
- * @return {!goog.html.SafeHtml}
- */
- goog.html.SafeHtml.concat = function(var_args) {
- var dir = goog.i18n.bidi.Dir.NEUTRAL;
- var content = '';
- /**
- * @param {!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>} argument
- */
- var addArgument = function(argument) {
- if (goog.isArray(argument)) {
- goog.array.forEach(argument, addArgument);
- } else {
- var html = goog.html.SafeHtml.htmlEscape(argument);
- content += goog.html.SafeHtml.unwrap(html);
- var htmlDir = html.getDirection();
- if (dir == goog.i18n.bidi.Dir.NEUTRAL) {
- dir = htmlDir;
- } else if (htmlDir != goog.i18n.bidi.Dir.NEUTRAL && dir != htmlDir) {
- dir = null;
- }
- }
- };
- goog.array.forEach(arguments, addArgument);
- return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- content, dir);
- };
- /**
- * Creates a new SafeHtml object with known directionality by concatenating the
- * values.
- * @param {!goog.i18n.bidi.Dir} dir Directionality.
- * @param {...(!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>)} var_args Elements of array
- * arguments would be processed recursively.
- * @return {!goog.html.SafeHtml}
- */
- goog.html.SafeHtml.concatWithDir = function(dir, var_args) {
- var html = goog.html.SafeHtml.concat(goog.array.slice(arguments, 1));
- html.dir_ = dir;
- return html;
- };
- /**
- * Type marker for the SafeHtml type, used to implement additional run-time
- * type checking.
- * @const {!Object}
- * @private
- */
- goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};
- /**
- * Package-internal utility method to create SafeHtml instances.
- *
- * @param {string} html The string to initialize the SafeHtml object with.
- * @param {?goog.i18n.bidi.Dir} dir The directionality of the SafeHtml to be
- * constructed, or null if unknown.
- * @return {!goog.html.SafeHtml} The initialized SafeHtml object.
- * @package
- */
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse = function(
- html, dir) {
- return new goog.html.SafeHtml().initSecurityPrivateDoNotAccessOrElse_(
- html, dir);
- };
- /**
- * Called from createSafeHtmlSecurityPrivateDoNotAccessOrElse(). This
- * method exists only so that the compiler can dead code eliminate static
- * fields (like EMPTY) when they're not accessed.
- * @param {string} html
- * @param {?goog.i18n.bidi.Dir} dir
- * @return {!goog.html.SafeHtml}
- * @private
- */
- goog.html.SafeHtml.prototype.initSecurityPrivateDoNotAccessOrElse_ = function(
- html, dir) {
- this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = html;
- this.dir_ = dir;
- return this;
- };
- /**
- * Like create() but does not restrict which tags can be constructed.
- *
- * @param {string} tagName Tag name. Set or validated by caller.
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * @param {(!goog.html.SafeHtml.TextOrHtml_|
- * !Array<!goog.html.SafeHtml.TextOrHtml_>)=} opt_content
- * @return {!goog.html.SafeHtml}
- * @throws {Error} If invalid or unsafe attribute name or value is provided.
- * @throws {goog.asserts.AssertionError} If content for void tag is provided.
- * @package
- */
- goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse = function(
- tagName, opt_attributes, opt_content) {
- var dir = null;
- var result = '<' + tagName;
- result += goog.html.SafeHtml.stringifyAttributes(tagName, opt_attributes);
- var content = opt_content;
- if (!goog.isDefAndNotNull(content)) {
- content = [];
- } else if (!goog.isArray(content)) {
- content = [content];
- }
- if (goog.dom.tags.isVoidTag(tagName.toLowerCase())) {
- goog.asserts.assert(
- !content.length, 'Void tag <' + tagName + '> does not allow content.');
- result += '>';
- } else {
- var html = goog.html.SafeHtml.concat(content);
- result += '>' + goog.html.SafeHtml.unwrap(html) + '</' + tagName + '>';
- dir = html.getDirection();
- }
- var dirAttribute = opt_attributes && opt_attributes['dir'];
- if (dirAttribute) {
- if (/^(ltr|rtl|auto)$/i.test(dirAttribute)) {
- // If the tag has the "dir" attribute specified then its direction is
- // neutral because it can be safely used in any context.
- dir = goog.i18n.bidi.Dir.NEUTRAL;
- } else {
- dir = null;
- }
- }
- return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- result, dir);
- };
- /**
- * Creates a string with attributes to insert after tagName.
- * @param {string} tagName
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * @return {string} Returns an empty string if there are no attributes, returns
- * a string starting with a space otherwise.
- * @throws {Error} If attribute value is unsafe for the given tag and attribute.
- * @package
- */
- goog.html.SafeHtml.stringifyAttributes = function(tagName, opt_attributes) {
- var result = '';
- if (opt_attributes) {
- for (var name in opt_attributes) {
- if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(name)) {
- throw Error('Invalid attribute name "' + name + '".');
- }
- var value = opt_attributes[name];
- if (!goog.isDefAndNotNull(value)) {
- continue;
- }
- result +=
- ' ' + goog.html.SafeHtml.getAttrNameAndValue_(tagName, name, value);
- }
- }
- return result;
- };
- /**
- * @param {!Object<string, ?goog.html.SafeHtml.AttributeValue>} fixedAttributes
- * @param {!Object<string, string>} defaultAttributes
- * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes
- * Optional attributes passed to create*().
- * @return {!Object<string, ?goog.html.SafeHtml.AttributeValue>}
- * @throws {Error} If opt_attributes contains an attribute with the same name
- * as an attribute in fixedAttributes.
- * @package
- */
- goog.html.SafeHtml.combineAttributes = function(
- fixedAttributes, defaultAttributes, opt_attributes) {
- var combinedAttributes = {};
- var name;
- for (name in fixedAttributes) {
- goog.asserts.assert(name.toLowerCase() == name, 'Must be lower case');
- combinedAttributes[name] = fixedAttributes[name];
- }
- for (name in defaultAttributes) {
- goog.asserts.assert(name.toLowerCase() == name, 'Must be lower case');
- combinedAttributes[name] = defaultAttributes[name];
- }
- for (name in opt_attributes) {
- var nameLower = name.toLowerCase();
- if (nameLower in fixedAttributes) {
- throw Error(
- 'Cannot override "' + nameLower + '" attribute, got "' + name +
- '" with value "' + opt_attributes[name] + '"');
- }
- if (nameLower in defaultAttributes) {
- delete combinedAttributes[nameLower];
- }
- combinedAttributes[name] = opt_attributes[name];
- }
- return combinedAttributes;
- };
- /**
- * A SafeHtml instance corresponding to the HTML doctype: "<!DOCTYPE html>".
- * @const {!goog.html.SafeHtml}
- */
- goog.html.SafeHtml.DOCTYPE_HTML =
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- '<!DOCTYPE html>', goog.i18n.bidi.Dir.NEUTRAL);
- /**
- * A SafeHtml instance corresponding to the empty string.
- * @const {!goog.html.SafeHtml}
- */
- goog.html.SafeHtml.EMPTY =
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- '', goog.i18n.bidi.Dir.NEUTRAL);
- /**
- * A SafeHtml instance corresponding to the <br> tag.
- * @const {!goog.html.SafeHtml}
- */
- goog.html.SafeHtml.BR =
- goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(
- '<br>', goog.i18n.bidi.Dir.NEUTRAL);
|