mirror of
https://github.com/inverse-inc/sogo.git
synced 2026-07-14 21:04:53 +00:00
chore(js/css): update generated files
This commit is contained in:
+238
-152
@@ -1,6 +1,6 @@
|
||||
/**
|
||||
* @license AngularJS v1.8.0
|
||||
* (c) 2010-2020 Google, Inc. http://angularjs.org
|
||||
* @license AngularJS v1.8.1
|
||||
* (c) 2010-2020 Google LLC. http://angularjs.org
|
||||
* License: MIT
|
||||
*/
|
||||
(function(window) {'use strict';
|
||||
@@ -99,7 +99,7 @@ function isValidObjectMaxDepth(maxDepth) {
|
||||
function minErr(module, ErrorConstructor) {
|
||||
ErrorConstructor = ErrorConstructor || Error;
|
||||
|
||||
var url = 'https://errors.angularjs.org/1.8.0/';
|
||||
var url = 'https://errors.angularjs.org/1.8.1/';
|
||||
var regex = url.replace('.', '\\.') + '[\\s\\S]*';
|
||||
var errRegExp = new RegExp(regex, 'g');
|
||||
|
||||
@@ -1671,7 +1671,7 @@ function allowAutoBootstrap(document) {
|
||||
link.href = src.value;
|
||||
|
||||
if (document.location.origin === link.origin) {
|
||||
// Same-origin resources are always allowed, even for non-whitelisted schemes.
|
||||
// Same-origin resources are always allowed, even for banned URL schemes.
|
||||
return true;
|
||||
}
|
||||
// Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web.
|
||||
@@ -2828,11 +2828,11 @@ function toDebugString(obj, maxDepth) {
|
||||
var version = {
|
||||
// These placeholder strings will be replaced by grunt's `build` task.
|
||||
// They need to be double- or single-quoted.
|
||||
full: '1.8.0',
|
||||
full: '1.8.1',
|
||||
major: 1,
|
||||
minor: 8,
|
||||
dot: 0,
|
||||
codeName: 'nested-vaccination'
|
||||
dot: 1,
|
||||
codeName: 'mutually-supporting'
|
||||
};
|
||||
|
||||
|
||||
@@ -2983,7 +2983,7 @@ function publishExternalAPI(angular) {
|
||||
});
|
||||
}
|
||||
])
|
||||
.info({ angularVersion: '1.8.0' });
|
||||
.info({ angularVersion: '1.8.1' });
|
||||
}
|
||||
|
||||
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
|
||||
@@ -8428,8 +8428,8 @@ function $TemplateCacheProvider() {
|
||||
*
|
||||
* Based on the context, other options may exist to mark a value as trusted / configure the behavior
|
||||
* of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use
|
||||
* the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()}
|
||||
* and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}.
|
||||
* the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()}
|
||||
* and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}.
|
||||
*
|
||||
* {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}.
|
||||
*
|
||||
@@ -8438,7 +8438,7 @@ function $TemplateCacheProvider() {
|
||||
* By default, `$sce` will throw an error if it detects untrusted HTML content, and will not bind the
|
||||
* content.
|
||||
* However, if you include the {@link ngSanitize ngSanitize module}, it will try to sanitize the
|
||||
* potentially dangerous HTML, e.g. strip non-whitelisted tags and attributes when binding to
|
||||
* potentially dangerous HTML, e.g. strip non-trusted tags and attributes when binding to
|
||||
* `innerHTML`.
|
||||
*
|
||||
* @example
|
||||
@@ -9020,30 +9020,81 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#aHrefSanitizationWhitelist
|
||||
* @name $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during a[href] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at preventing XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to a[href] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist`
|
||||
* an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationWhitelist = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.aHrefSanitizationWhitelist(regexp);
|
||||
$$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.aHrefSanitizationWhitelist();
|
||||
return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#aHrefSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This function is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList
|
||||
* aHrefSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'aHrefSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.aHrefSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = regexp;
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during img[src] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList();
|
||||
}
|
||||
};
|
||||
|
||||
@@ -9053,29 +9104,20 @@ function $CompileProvider($provide, $$sanitizeUriProvider) {
|
||||
* @name $compileProvider#imgSrcSanitizationWhitelist
|
||||
* @kind function
|
||||
*
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* urls during img[src] sanitization.
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via html links.
|
||||
*
|
||||
* Any url about to be assigned to img[src] via data-binding is first normalized and turned into
|
||||
* an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist`
|
||||
* regular expression. If a match is found, the original url is written into the dom. Otherwise,
|
||||
* the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
* This function is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList
|
||||
* imgSrcSanitizationTrustedUrlList} instead.
|
||||
*/
|
||||
this.imgSrcSanitizationWhitelist = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
$$sanitizeUriProvider.imgSrcSanitizationWhitelist(regexp);
|
||||
return this;
|
||||
} else {
|
||||
return $$sanitizeUriProvider.imgSrcSanitizationWhitelist();
|
||||
Object.defineProperty(this, 'imgSrcSanitizationWhitelist', {
|
||||
get: function() {
|
||||
return this.imgSrcSanitizationTrustedUrlList;
|
||||
},
|
||||
set: function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = regexp;
|
||||
}
|
||||
};
|
||||
});
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
@@ -12327,7 +12369,7 @@ function $HttpProvider() {
|
||||
|
||||
/**
|
||||
* @ngdoc property
|
||||
* @name $httpProvider#xsrfWhitelistedOrigins
|
||||
* @name $httpProvider#xsrfTrustedOrigins
|
||||
* @description
|
||||
*
|
||||
* Array containing URLs whose origins are trusted to receive the XSRF token. See the
|
||||
@@ -12341,7 +12383,7 @@ function $HttpProvider() {
|
||||
* Examples: `http://example.com`, `https://api.example.com:9876`
|
||||
*
|
||||
* <div class="alert alert-warning">
|
||||
* It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts
|
||||
* It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts
|
||||
* of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be
|
||||
* treated as `https://foo.com`, meaning that **all** requests to URLs starting with
|
||||
* `https://foo.com/` will include the XSRF token.
|
||||
@@ -12352,9 +12394,9 @@ function $HttpProvider() {
|
||||
* ```js
|
||||
* // App served from `https://example.com/`.
|
||||
* angular.
|
||||
* module('xsrfWhitelistedOriginsExample', []).
|
||||
* module('xsrfTrustedOriginsExample', []).
|
||||
* config(['$httpProvider', function($httpProvider) {
|
||||
* $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com');
|
||||
* $httpProvider.xsrfTrustedOrigins.push('https://api.example.com');
|
||||
* }]).
|
||||
* run(['$http', function($http) {
|
||||
* // The XSRF token will be sent.
|
||||
@@ -12365,7 +12407,27 @@ function $HttpProvider() {
|
||||
* }]);
|
||||
* ```
|
||||
*/
|
||||
var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = [];
|
||||
var xsrfTrustedOrigins = this.xsrfTrustedOrigins = [];
|
||||
|
||||
/**
|
||||
* @ngdoc property
|
||||
* @name $httpProvider#xsrfWhitelistedOrigins
|
||||
* @description
|
||||
*
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* This function is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}
|
||||
* instead.
|
||||
*/
|
||||
Object.defineProperty(this, 'xsrfWhitelistedOrigins', {
|
||||
get: function() {
|
||||
return this.xsrfTrustedOrigins;
|
||||
},
|
||||
set: function(origins) {
|
||||
this.xsrfTrustedOrigins = origins;
|
||||
}
|
||||
});
|
||||
|
||||
this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce',
|
||||
function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) {
|
||||
@@ -12393,7 +12455,7 @@ function $HttpProvider() {
|
||||
/**
|
||||
* A function to check request URLs against a list of allowed origins.
|
||||
*/
|
||||
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins);
|
||||
var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins);
|
||||
|
||||
/**
|
||||
* @ngdoc service
|
||||
@@ -12767,16 +12829,16 @@ function $HttpProvider() {
|
||||
* The header will — by default — **not** be set for cross-domain requests. This
|
||||
* prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining
|
||||
* access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you
|
||||
* want to, you can whitelist additional origins to also receive the XSRF token, by adding them
|
||||
* to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be
|
||||
* want to, you can trust additional origins to also receive the XSRF token, by adding them
|
||||
* to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be
|
||||
* useful, for example, if your application, served from `example.com`, needs to access your API
|
||||
* at `api.example.com`.
|
||||
* See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for
|
||||
* See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for
|
||||
* more details.
|
||||
*
|
||||
* <div class="alert alert-danger">
|
||||
* **Warning**<br />
|
||||
* Only whitelist origins that you have control over and make sure you understand the
|
||||
* Only trusted origins that you have control over and make sure you understand the
|
||||
* implications of doing so.
|
||||
* </div>
|
||||
*
|
||||
@@ -12903,8 +12965,8 @@ function $HttpProvider() {
|
||||
<file name="script.js">
|
||||
angular.module('httpExample', [])
|
||||
.config(['$sceDelegateProvider', function($sceDelegateProvider) {
|
||||
// We must whitelist the JSONP endpoint that we are using to show that we trust it
|
||||
$sceDelegateProvider.resourceUrlWhitelist([
|
||||
// We must add the JSONP endpoint that we are using to the trusted list to show that we trust it
|
||||
$sceDelegateProvider.trustedResourceUrlList([
|
||||
'self',
|
||||
'https://angularjs.org/**'
|
||||
]);
|
||||
@@ -13161,8 +13223,8 @@ function $HttpProvider() {
|
||||
*
|
||||
* Note that, since JSONP requests are sensitive because the response is given full access to the browser,
|
||||
* the url must be declared, via {@link $sce} as a trusted resource URL.
|
||||
* You can trust a URL by adding it to the whitelist via
|
||||
* {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or
|
||||
* You can trust a URL by adding it to the trusted resource URL list via
|
||||
* {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or
|
||||
* by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}.
|
||||
*
|
||||
* You should avoid generating the URL for the JSONP request from user provided data.
|
||||
@@ -19898,12 +19960,12 @@ function $RootScopeProvider() {
|
||||
*/
|
||||
function $$SanitizeUriProvider() {
|
||||
|
||||
var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/,
|
||||
imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/;
|
||||
|
||||
/**
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during a[href] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via HTML anchor links.
|
||||
@@ -19912,27 +19974,27 @@ function $$SanitizeUriProvider() {
|
||||
* the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)`
|
||||
* which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL.
|
||||
*
|
||||
* If the URL matches the `aHrefSanitizationWhitelist` regular expression, it is returned unchanged.
|
||||
* If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged.
|
||||
*
|
||||
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
|
||||
* to the DOM it is inactive and potentially malicious code will not be executed.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.aHrefSanitizationWhitelist = function(regexp) {
|
||||
this.aHrefSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
aHrefSanitizationWhitelist = regexp;
|
||||
aHrefSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return aHrefSanitizationWhitelist;
|
||||
return aHrefSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
|
||||
/**
|
||||
* @description
|
||||
* Retrieves or overrides the default regular expression that is used for whitelisting of safe
|
||||
* Retrieves or overrides the default regular expression that is used for determining trusted safe
|
||||
* urls during img[src] sanitization.
|
||||
*
|
||||
* The sanitization is a security measure aimed at prevent XSS attacks via HTML image src links.
|
||||
@@ -19942,27 +20004,28 @@ function $$SanitizeUriProvider() {
|
||||
* `$sce.trustAsMediaUrl(url)` which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize
|
||||
* the potentially malicious URL.
|
||||
*
|
||||
* If the URL matches the `aImgSanitizationWhitelist` regular expression, it is returned unchanged.
|
||||
* If the URL matches the `imgSrcSanitizationTrustedUrlList` regular expression, it is returned
|
||||
* unchanged.
|
||||
*
|
||||
* If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written
|
||||
* to the DOM it is inactive and potentially malicious code will not be executed.
|
||||
*
|
||||
* @param {RegExp=} regexp New regexp to whitelist urls with.
|
||||
* @param {RegExp=} regexp New regexp to trust urls with.
|
||||
* @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for
|
||||
* chaining otherwise.
|
||||
*/
|
||||
this.imgSrcSanitizationWhitelist = function(regexp) {
|
||||
this.imgSrcSanitizationTrustedUrlList = function(regexp) {
|
||||
if (isDefined(regexp)) {
|
||||
imgSrcSanitizationWhitelist = regexp;
|
||||
imgSrcSanitizationTrustedUrlList = regexp;
|
||||
return this;
|
||||
}
|
||||
return imgSrcSanitizationWhitelist;
|
||||
return imgSrcSanitizationTrustedUrlList;
|
||||
};
|
||||
|
||||
this.$get = function() {
|
||||
return function sanitizeUri(uri, isMediaUrl) {
|
||||
// if (!uri) return uri;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist;
|
||||
var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList;
|
||||
var normalizedVal = urlResolve(uri && uri.trim()).href;
|
||||
if (normalizedVal !== '' && !normalizedVal.match(regex)) {
|
||||
return 'unsafe:' + normalizedVal;
|
||||
@@ -20090,10 +20153,10 @@ function adjustMatchers(matchers) {
|
||||
* The default instance of `$sceDelegate` should work out of the box with little pain. While you
|
||||
* can override it completely to change the behavior of `$sce`, the common case would
|
||||
* involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting
|
||||
* your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as
|
||||
* templates. Refer {@link ng.$sceDelegateProvider#resourceUrlWhitelist
|
||||
* $sceDelegateProvider.resourceUrlWhitelist} and {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist}
|
||||
* your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources
|
||||
* such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* $sceDelegateProvider.trustedResourceUrlList} and {@link
|
||||
* ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}
|
||||
*/
|
||||
|
||||
/**
|
||||
@@ -20106,12 +20169,12 @@ function adjustMatchers(matchers) {
|
||||
* The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate
|
||||
* $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}.
|
||||
*
|
||||
* The `$sceDelegateProvider` allows one to get/set the whitelists and blacklists used to ensure
|
||||
* that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all
|
||||
* places that use the `$sce.RESOURCE_URL` context). See
|
||||
* {@link ng.$sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider.resourceUrlWhitelist}
|
||||
* and
|
||||
* {@link ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist},
|
||||
* The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and
|
||||
* `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and
|
||||
* other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See
|
||||
* {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* $sceDelegateProvider.trustedResourceUrlList} and
|
||||
* {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList},
|
||||
*
|
||||
* For the general details about this service in AngularJS, read the main page for {@link ng.$sce
|
||||
* Strict Contextual Escaping (SCE)}.
|
||||
@@ -20127,64 +20190,99 @@ function adjustMatchers(matchers) {
|
||||
*
|
||||
* ```
|
||||
* angular.module('myApp', []).config(function($sceDelegateProvider) {
|
||||
* $sceDelegateProvider.resourceUrlWhitelist([
|
||||
* $sceDelegateProvider.trustedResourceUrlList([
|
||||
* // Allow same origin resource loads.
|
||||
* 'self',
|
||||
* // Allow loading from our assets domain. Notice the difference between * and **.
|
||||
* 'http://srv*.assets.example.com/**'
|
||||
* ]);
|
||||
*
|
||||
* // The blacklist overrides the whitelist so the open redirect here is blocked.
|
||||
* $sceDelegateProvider.resourceUrlBlacklist([
|
||||
* // The banned resource URL list overrides the trusted resource URL list so the open redirect
|
||||
* // here is blocked.
|
||||
* $sceDelegateProvider.bannedResourceUrlList([
|
||||
* 'http://myapp.example.com/clickThru**'
|
||||
* ]);
|
||||
* });
|
||||
* ```
|
||||
* Note that an empty whitelist will block every resource URL from being loaded, and will require
|
||||
* Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require
|
||||
* you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates
|
||||
* requested by {@link ng.$templateRequest $templateRequest} that are present in
|
||||
* {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism
|
||||
* to populate your templates in that cache at config time, then it is a good idea to remove 'self'
|
||||
* from that whitelist. This helps to mitigate the security impact of certain types of issues, like
|
||||
* for instance attacker-controlled `ng-includes`.
|
||||
* from the trusted resource URL lsit. This helps to mitigate the security impact of certain types
|
||||
* of issues, like for instance attacker-controlled `ng-includes`.
|
||||
*/
|
||||
|
||||
function $SceDelegateProvider() {
|
||||
this.SCE_CONTEXTS = SCE_CONTEXTS;
|
||||
|
||||
// Resource URLs can also be trusted by policy.
|
||||
var resourceUrlWhitelist = ['self'],
|
||||
resourceUrlBlacklist = [];
|
||||
var trustedResourceUrlList = ['self'],
|
||||
bannedResourceUrlList = [];
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $sceDelegateProvider#resourceUrlWhitelist
|
||||
* @name $sceDelegateProvider#trustedResourceUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value
|
||||
* provided. This must be an array or null. A snapshot of this array is used so further
|
||||
* changes to the array are ignored.
|
||||
* @param {Array=} trustedResourceUrlList When provided, replaces the trustedResourceUrlList with
|
||||
* the value provided. This must be an array or null. A snapshot of this array is used so
|
||||
* further changes to the array are ignored.
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.
|
||||
*
|
||||
* @return {Array} The currently set whitelist array.
|
||||
* @return {Array} The currently set trusted resource URL array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the whitelist of trusted resource URLs.
|
||||
* Sets/Gets the list trusted of resource URLs.
|
||||
*
|
||||
* The **default value** when no whitelist has been explicitly set is `['self']` allowing only
|
||||
* same origin resource requests.
|
||||
* The **default value** when no `trustedResourceUrlList` has been explicitly set is `['self']`
|
||||
* allowing only same origin resource requests.
|
||||
*
|
||||
* <div class="alert alert-warning">
|
||||
* **Note:** the default whitelist of 'self' is not recommended if your app shares its origin
|
||||
* with other apps! It is a good idea to limit it to only your application's directory.
|
||||
* **Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares
|
||||
* its origin with other apps! It is a good idea to limit it to only your application's directory.
|
||||
* </div>
|
||||
*/
|
||||
this.resourceUrlWhitelist = function(value) {
|
||||
this.trustedResourceUrlList = function(value) {
|
||||
if (arguments.length) {
|
||||
resourceUrlWhitelist = adjustMatchers(value);
|
||||
trustedResourceUrlList = adjustMatchers(value);
|
||||
}
|
||||
return resourceUrlWhitelist;
|
||||
return trustedResourceUrlList;
|
||||
};
|
||||
this.resourceUrlWhitelist = this.trustedResourceUrlList;
|
||||
|
||||
/**
|
||||
* @ngdoc method
|
||||
* @name $sceDelegateProvider#bannedResourceUrlList
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with
|
||||
* the value provided. This must be an array or null. A snapshot of this array is used so
|
||||
* further changes to the array are ignored.</p><p>
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.</p><p>
|
||||
* The typical usage for the `bannedResourceUrlList` is to **block
|
||||
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
|
||||
* these would otherwise be trusted but actually return content from the redirected domain.
|
||||
* </p><p>
|
||||
* Finally, **the banned resource URL list overrides the trusted resource URL list** and has
|
||||
* the final say.
|
||||
*
|
||||
* @return {Array} The currently set `bannedResourceUrlList` array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the `bannedResourceUrlList` of trusted resource URLs.
|
||||
*
|
||||
* The **default value** when no trusted resource URL list has been explicitly set is the empty
|
||||
* array (i.e. there is no `bannedResourceUrlList`.)
|
||||
*/
|
||||
|
||||
this.bannedResourceUrlList = function(value) {
|
||||
if (arguments.length) {
|
||||
bannedResourceUrlList = adjustMatchers(value);
|
||||
}
|
||||
return bannedResourceUrlList;
|
||||
};
|
||||
|
||||
/**
|
||||
@@ -20192,32 +20290,20 @@ function $SceDelegateProvider() {
|
||||
* @name $sceDelegateProvider#resourceUrlBlacklist
|
||||
* @kind function
|
||||
*
|
||||
* @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value
|
||||
* provided. This must be an array or null. A snapshot of this array is used so further
|
||||
* changes to the array are ignored.</p><p>
|
||||
* Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items
|
||||
* allowed in this array.</p><p>
|
||||
* The typical usage for the blacklist is to **block
|
||||
* [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as
|
||||
* these would otherwise be trusted but actually return content from the redirected domain.
|
||||
* </p><p>
|
||||
* Finally, **the blacklist overrides the whitelist** and has the final say.
|
||||
* @deprecated
|
||||
* sinceVersion="1.8.1"
|
||||
*
|
||||
* @return {Array} The currently set blacklist array.
|
||||
*
|
||||
* @description
|
||||
* Sets/Gets the blacklist of trusted resource URLs.
|
||||
*
|
||||
* The **default value** when no whitelist has been explicitly set is the empty array (i.e. there
|
||||
* is no blacklist.)
|
||||
* This function is deprecated. Use {@link $sceDelegateProvider#bannedResourceUrlList
|
||||
* bannedResourceUrlList} instead.
|
||||
*/
|
||||
|
||||
this.resourceUrlBlacklist = function(value) {
|
||||
if (arguments.length) {
|
||||
resourceUrlBlacklist = adjustMatchers(value);
|
||||
Object.defineProperty(this, 'resourceUrlBlacklist', {
|
||||
get: function() {
|
||||
return this.bannedResourceUrlList;
|
||||
},
|
||||
set: function(value) {
|
||||
this.bannedResourceUrlList = value;
|
||||
}
|
||||
return resourceUrlBlacklist;
|
||||
};
|
||||
});
|
||||
|
||||
this.$get = ['$injector', '$$sanitizeUri', function($injector, $$sanitizeUri) {
|
||||
|
||||
@@ -20242,17 +20328,17 @@ function $SceDelegateProvider() {
|
||||
function isResourceUrlAllowedByPolicy(url) {
|
||||
var parsedUrl = urlResolve(url.toString());
|
||||
var i, n, allowed = false;
|
||||
// Ensure that at least one item from the whitelist allows this url.
|
||||
for (i = 0, n = resourceUrlWhitelist.length; i < n; i++) {
|
||||
if (matchUrl(resourceUrlWhitelist[i], parsedUrl)) {
|
||||
// Ensure that at least one item from the trusted resource URL list allows this url.
|
||||
for (i = 0, n = trustedResourceUrlList.length; i < n; i++) {
|
||||
if (matchUrl(trustedResourceUrlList[i], parsedUrl)) {
|
||||
allowed = true;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (allowed) {
|
||||
// Ensure that no item from the blacklist blocked this url.
|
||||
for (i = 0, n = resourceUrlBlacklist.length; i < n; i++) {
|
||||
if (matchUrl(resourceUrlBlacklist[i], parsedUrl)) {
|
||||
// Ensure that no item from the banned resource URL list has blocked this url.
|
||||
for (i = 0, n = bannedResourceUrlList.length; i < n; i++) {
|
||||
if (matchUrl(bannedResourceUrlList[i], parsedUrl)) {
|
||||
allowed = false;
|
||||
break;
|
||||
}
|
||||
@@ -20373,9 +20459,9 @@ function $SceDelegateProvider() {
|
||||
* The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available
|
||||
* by default, and the third one relies on the `$sanitize` service (which may be loaded through
|
||||
* the `ngSanitize` module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be
|
||||
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist
|
||||
* `$sceDelegateProvider.resourceUrlWhitelist`} and {@link ng.$sceDelegateProvider#resourceUrlBlacklist
|
||||
* `$sceDelegateProvider.resourceUrlBlacklist`} accepts that resource.
|
||||
* accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* `$sceDelegateProvider.trustedResourceUrlList`} and {@link ng.$sceDelegateProvider#bannedResourceUrlList
|
||||
* `$sceDelegateProvider.bannedResourceUrlList`} accepts that resource.
|
||||
*
|
||||
* This function will throw if the safe type isn't appropriate for this context, or if the
|
||||
* value given cannot be accepted in the context (which might be caused by sanitization not
|
||||
@@ -20469,9 +20555,9 @@ function $SceDelegateProvider() {
|
||||
*
|
||||
* To systematically block XSS security bugs, AngularJS treats all values as untrusted by default in
|
||||
* HTML or sensitive URL bindings. When binding untrusted values, AngularJS will automatically
|
||||
* run security checks on them (sanitizations, whitelists, depending on context), or throw when it
|
||||
* cannot guarantee the security of the result. That behavior depends strongly on contexts: HTML
|
||||
* can be sanitized, but template URLs cannot, for instance.
|
||||
* run security checks on them (sanitizations, trusted URL resource, depending on context), or throw
|
||||
* when it cannot guarantee the security of the result. That behavior depends strongly on contexts:
|
||||
* HTML can be sanitized, but template URLs cannot, for instance.
|
||||
*
|
||||
* To illustrate this, consider the `ng-bind-html` directive. It renders its value directly as HTML:
|
||||
* we call that the *context*. When given an untrusted input, AngularJS will attempt to sanitize it
|
||||
@@ -20550,8 +20636,8 @@ function $SceDelegateProvider() {
|
||||
* By default, AngularJS only loads templates from the same domain and protocol as the application
|
||||
* document. This is done by calling {@link ng.$sce#getTrustedResourceUrl
|
||||
* $sce.getTrustedResourceUrl} on the template URL. To load templates from other domains and/or
|
||||
* protocols, you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist
|
||||
* them} or {@link ng.$sce#trustAsResourceUrl wrap it} into a trusted value.
|
||||
* protocols, you may either add them to the {@link ng.$sceDelegateProvider#trustedResourceUrlList
|
||||
* trustedResourceUrlList} or {@link ng.$sce#trustAsResourceUrl wrap them} into trusted values.
|
||||
*
|
||||
* *Please note*:
|
||||
* The browser's
|
||||
@@ -20579,8 +20665,8 @@ function $SceDelegateProvider() {
|
||||
* templates in `ng-include` from your application's domain without having to even know about SCE.
|
||||
* It blocks loading templates from other domains or loading templates over http from an https
|
||||
* served document. You can change these by setting your own custom {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlWhitelist whitelists} and {@link
|
||||
* ng.$sceDelegateProvider#resourceUrlBlacklist blacklists} for matching such URLs.
|
||||
* ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list} and {@link
|
||||
* ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} for matching such URLs.
|
||||
*
|
||||
* This significantly reduces the overhead. It is far easier to pay the small overhead and have an
|
||||
* application that's secure and can be audited to verify that with much more ease than bolting
|
||||
@@ -20595,7 +20681,7 @@ function $SceDelegateProvider() {
|
||||
* | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. |
|
||||
* | `$sce.MEDIA_URL` | For URLs that are safe to render as media. Is automatically converted from string by sanitizing when needed. |
|
||||
* | `$sce.URL` | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. Note that `$sce.URL` makes a stronger statement about the URL than `$sce.MEDIA_URL` does and therefore contexts requiring values trusted for `$sce.URL` can be used anywhere that values trusted for `$sce.MEDIA_URL` are required.|
|
||||
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider#resourceUrlWhitelist()} and {@link $sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider#resourceUrlBlacklist()} can be used to restrict trusted origins for `RESOURCE_URL` |
|
||||
* | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider#trustedResourceUrlList()} and {@link $sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider#bannedResourceUrlList()} can be used to restrict trusted origins for `RESOURCE_URL` |
|
||||
* | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. |
|
||||
*
|
||||
*
|
||||
@@ -20613,7 +20699,7 @@ function $SceDelegateProvider() {
|
||||
* There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs`
|
||||
* functions aren't useful yet. This might evolve.
|
||||
*
|
||||
* ### Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} <a name="resourceUrlPatternItem"></a>
|
||||
* ### Format of items in {@link ng.$sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList}/{@link ng.$sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList} <a name="resourceUrlPatternItem"></a>
|
||||
*
|
||||
* Each element in these arrays must be one of the following:
|
||||
*
|
||||
@@ -20627,7 +20713,7 @@ function $SceDelegateProvider() {
|
||||
* match themselves.
|
||||
* - `*`: matches zero or more occurrences of any character other than one of the following 6
|
||||
* characters: '`:`', '`/`', '`.`', '`?`', '`&`' and '`;`'. It's a useful wildcard for use
|
||||
* in a whitelist.
|
||||
* for matching resource URL lists.
|
||||
* - `**`: matches zero or more occurrences of *any* character. As such, it's not
|
||||
* appropriate for use in a scheme, domain, etc. as it would match too much. (e.g.
|
||||
* http://**.example.com/ would match http://evil.com/?ignore=.example.com/ and that might
|
||||
@@ -21431,10 +21517,10 @@ function $TemplateRequestProvider() {
|
||||
handleRequestFn.totalPendingRequests++;
|
||||
|
||||
// We consider the template cache holds only trusted templates, so
|
||||
// there's no need to go through whitelisting again for keys that already
|
||||
// are included in there. This also makes AngularJS accept any script
|
||||
// directive, no matter its name. However, we still need to unwrap trusted
|
||||
// types.
|
||||
// there's no need to go through adding the template again to the trusted
|
||||
// resources for keys that already are included in there. This also makes
|
||||
// AngularJS accept any script directive, no matter its name. However, we
|
||||
// still need to unwrap trusted types.
|
||||
if (!isString(tpl) || isUndefined($templateCache.get(tpl))) {
|
||||
tpl = $sce.getTrustedResourceUrl(tpl);
|
||||
}
|
||||
@@ -21839,20 +21925,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a function that can check a URL's origin against a list of allowed/whitelisted origins.
|
||||
* Create a function that can check a URL's origin against a list of allowed/trusted origins.
|
||||
* The current location's origin is implicitly trusted.
|
||||
*
|
||||
* @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
* @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted.
|
||||
*
|
||||
* @returns {Function} - A function that receives a URL (string or parsed URL object) and returns
|
||||
* whether it is of an allowed origin.
|
||||
*/
|
||||
function urlIsAllowedOriginFactory(whitelistedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve));
|
||||
function urlIsAllowedOriginFactory(trustedOriginUrls) {
|
||||
var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve));
|
||||
|
||||
/**
|
||||
* Check whether the specified URL (string or parsed URL object) has an origin that is allowed
|
||||
* based on a list of whitelisted-origin URLs. The current location's origin is implicitly
|
||||
* based on a list of trusted-origin URLs. The current location's origin is implicitly
|
||||
* trusted.
|
||||
*
|
||||
* @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be
|
||||
@@ -29599,9 +29685,9 @@ var ngIfDirective = ['$animate', '$compile', function($animate, $compile) {
|
||||
* By default, the template URL is restricted to the same domain and protocol as the
|
||||
* application document. This is done by calling {@link $sce#getTrustedResourceUrl
|
||||
* $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols
|
||||
* you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or
|
||||
* {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link
|
||||
* ng.$sce Strict Contextual Escaping}.
|
||||
* you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted
|
||||
* resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to
|
||||
* AngularJS's {@link ng.$sce Strict Contextual Escaping}.
|
||||
*
|
||||
* In addition, the browser's
|
||||
* [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest)
|
||||
|
||||
Reference in New Issue
Block a user