- /**
- * @license
- * SPDX-License-Identifier: Apache-2.0
- */
- import '../environment/dev';
- import { createAttributePrefix } from '../internals/attribute_impl';
- import { assertIsTemplateObject } from '../internals/string_literal';
- import { SECURITY_SENSITIVE_ATTRIBUTES } from './sensitive_attributes';
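/**
 * Creates a SafeAttributePrefix object from a template literal with no
 * interpolations, for attributes that share a common prefix guaranteed not to
 * be security sensitive.
 *
 * The prefix is lowercased and must make it obvious that no attribute
 * starting with it is security sensitive. It is rejected when it overlaps
 * with `on` (event handler attributes) in either direction, or when it is a
 * prefix of an entry in SECURITY_SENSITIVE_ATTRIBUTES.
 *
 * Security note: every check in this function, including the tagged-template
 * assertion, runs only when `process.env.NODE_ENV !== 'production'`. In a
 * production build an unsafe prefix is passed to createAttributePrefix
 * without throwing, so the guarantee depends on each call site having been
 * exercised in a non-production build first.
 *
 * @param {!TemplateStringsArray} templ Strings array supplied by the tagged
 *     template call. Only `templ[0]` is read.
 * @return {!SafeAttributePrefix} Result of createAttributePrefix for the
 *     lowercased prefix.
 * @throws {Error} In non-production builds, when the prefix could match an
 *     event handler attribute or a security sensitive attribute.
 */
export function safeAttrPrefix(templ) {
  const isDevBuild = process.env.NODE_ENV !== 'production';

  if (isDevBuild) {
    // NOTE(review): the `true` argument presumably forbids interpolations;
    // confirm against assertIsTemplateObject. Nothing enforces it in
    // production, where only templ[0] is used.
    assertIsTemplateObject(
      templ,
      true,
      'safeAttrPrefix is a template literal tag function ' +
        'and should be called using the tagged template syntax. ' +
        'For example, safeAttrPrefix`foo`;',
    );
  }

  const attrPrefix = templ[0].toLowerCase();

  if (isDevBuild) {
    // Checked in both directions: 'onclick' starts with 'on', and a shorter
    // prefix such as 'o' (or the empty string) would itself match every
    // 'on*' attribute.
    if (attrPrefix.startsWith('on') || 'on'.startsWith(attrPrefix)) {
      throw new Error(
        `Prefix '${templ[0]}' does not guarantee the attribute ` +
          `to be safe as it is also a prefix for event handler attributes. ` +
          `Please use 'addEventListener' to set event handlers.`,
      );
    }

    // NOTE(review): the comparison is case-sensitive against the lowercased
    // prefix, so this assumes the list entries are lowercase; confirm in
    // sensitive_attributes.
    SECURITY_SENSITIVE_ATTRIBUTES.forEach((sensitiveAttr) => {
      if (sensitiveAttr.startsWith(attrPrefix)) {
        throw new Error(
          `Prefix '${templ[0]}' does not guarantee the attribute ` +
            `to be safe as it is also a prefix for ` +
            `the security sensitive attribute '${sensitiveAttr}'. ` +
            `Please use native or safe DOM APIs to set the attribute.`,
        );
      }
    });
  }

  return createAttributePrefix(attrPrefix);
}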