1 | /**
|
2 | * Copyright (c) 2013-present, Facebook, Inc.
|
3 | *
|
4 | * This source code is licensed under the MIT license found in the
|
5 | * LICENSE file in the root directory of this source tree.
|
6 | *
|
7 | */
|
8 |
|
9 | ;
|
10 |
|
11 | var CSSProperty = require('./CSSProperty');
|
12 | var warning = require('fbjs/lib/warning');
|
13 |
|
// Development-only bookkeeping used by dangerousStyleValue: maps an owner
// name to an object whose keys are the style names already warned about, so
// each (owner, style name) pair triggers the numeric-string warning once.
var styleWarnings = {};

// Lookup consulted by dangerousStyleValue: a truthy own entry for a logical
// style name means a numeric value is written out without a `px` suffix.
var isUnitlessNumber = CSSProperty.isUnitlessNumber;
|
16 |
|
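/**
 * Convert a value into the proper css writable value. The style name `name`
 * should be logical (no hyphens), as specified
 * in `CSSProperty.isUnitlessNumber`.
 *
 * Security: this function performs no escaping or validation of `value`.
 * Non-numeric strings and custom-property values are returned as given, so
 * the "dangerous" in the name is literal: callers are responsible for not
 * passing attacker-controlled style values through it unchecked.
 *
 * @param {string} name CSS property name such as `topMargin`.
 * @param {*} value CSS property value such as `10px`.
 * @param {ReactDOMComponent} component Component the style belongs to. Only
 *   read by the development-mode warning; may be null or undefined.
 * @param {boolean} isCustomProperty When truthy, a non-empty value is cast to
 *   a string and returned without a unit being appended.
 * @return {string} Normalized style value with dimensions applied.
 */
function dangerousStyleValue(name, value, component, isCustomProperty) {
  // Note that we've removed escapeTextForBrowser() calls here since the
  // whole string will be escaped when the attribute is injected into
  // the markup. If you provide unsafe user data here they can inject
  // arbitrary CSS which may be problematic (the original author could not
  // reproduce this):
  // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  // http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
  // This is not an XSS hole but instead a potential CSS injection issue
  // which has led to a greater discussion about how we're going to
  // trust URLs moving forward. See #2115901
  //
  // Markup escaping does not neutralise CSS syntax, so style values derived
  // from untrusted input should be validated or allow-listed by the caller
  // before they reach this function.

  // null, undefined, booleans and the empty string all serialise to nothing.
  if (value == null || typeof value === 'boolean' || value === '') {
    return '';
  }

  // The coercing global isNaN() is intentional: numeric strings such as '10'
  // must count as numeric so that they receive a unit below.
  var isNonNumeric = isNaN(value);
  if (
    isCustomProperty ||
    isNonNumeric ||
    value === 0 ||
    (Object.prototype.hasOwnProperty.call(isUnitlessNumber, name) && isUnitlessNumber[name])
  ) {
    return '' + value; // cast to string
  }

  if (typeof value !== 'string') {
    return value + 'px';
  }

  var trimmed = value.trim();
  if (trimmed === '') {
    // A whitespace-only string coerces to 0 and therefore looks numeric.
    // Without this guard it would be emitted as a bare 'px', which is not a
    // valid CSS value; treat it like the empty string instead.
    return '';
  }

  if (process.env.NODE_ENV !== 'production') {
    // Allow '0' to pass through without warning. 0 is already special and
    // doesn't require units, so we don't need to warn about it.
    if (component && value !== '0') {
      var owner = component._currentElement._owner;
      var ownerName = owner ? owner.getName() : null;
      var alreadyWarned = false;

      if (ownerName) {
        // Warn at most once per (owner name, style name) pair.
        if (!styleWarnings[ownerName]) {
          styleWarnings[ownerName] = {};
        }
        var ownerWarnings = styleWarnings[ownerName];
        alreadyWarned = ownerWarnings[name];
        if (!alreadyWarned) {
          ownerWarnings[name] = true;
        }
      }

      if (!alreadyWarned) {
        warning(false, 'a `%s` tag (owner: `%s`) was passed a numeric string value ' + 'for CSS property `%s` (value: `%s`) which will be treated ' + 'as a unitless number in a future version of React.', component._currentElement.type, ownerName || 'unknown', name, value);
      }
    }
  }

  return trimmed + 'px';
}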
|
75 |
|
// The module's sole export is the style value normaliser itself.
module.exports = dangerousStyleValue;