1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 |
|
9 |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 | 'use strict';
|
19 |
|
// Installs the module-keys polyfill on this module's `module`/`require`
// so that `require[keysSymbol]` (used by minterFor below to unbox the
// minters this module may use) exists before anything else runs.
require('module-keys/cjs').polyfill(module, require);
|
21 |
|
22 | const { keysSymbol } = require('module-keys');
|
23 | const { Mintable } = require('node-sec-patterns');
|
24 | const { TypedString } = require('template-tag-common');
|
25 |
|
// Builtins are captured once at load time, and the rest of this file
// invokes them through `apply(...)` rather than via the prototype --
// presumably so that later monkey-patching of Object/Reflect/RegExp/
// String/JSON or the global scope by other code cannot alter how this
// module escapes and mints values.
const defineProperties = Object.defineProperties;
const freeze = Object.freeze;
const apply = Reflect.apply;
const reExec = RegExp.prototype.exec;
const reTest = RegExp.prototype.test;
const replace = String.prototype.replace;
const JSONstringify = JSON.stringify;
const encodeURIComponent = global.encodeURIComponent;
|
33 |
|
34 |
|
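// Characters htmlEscapeString replaces.  Must stay in sync with the keys
// of HTML_ESCS: every character this class matches needs an entry there,
// otherwise the replacer would return `undefined` and the literal text
// "undefined" would be emitted in its place.
const HTML_SPECIAL = /[\x00<>&"'+=@`{]/g;

// Replacement text per metacharacter.  As checked in, this table mapped
// each character to itself, which made htmlEscapeString a no-op; the
// entries below are the entity encodings it needs.  Numeric references
// are used so the output is valid in HTML and in XHTML alike.  Null
// prototype so inherited property names can never be looked up.
const HTML_ESCS = {
  __proto__: null,
  // NUL has no valid representation in HTML text; it is dropped.
  '\x00': '',
  '<': '&lt;',
  '>': '&gt;',
  '&': '&amp;',
  '"': '&#34;',
  '\'': '&#39;',
  // The remaining entries are not HTML metacharacters in the strict
  // sense and are escaped defensively -- presumably `+`/`=` against
  // UTF-7 and attribute-value confusion, `@` against CSS at-rules,
  // backtick against legacy IE attribute delimiting and `{` against
  // client-side template interpolation ({{...}}).  Confirm against the
  // project's threat model before removing any of them.
  '+': '&#43;',
  '=': '&#61;',
  '@': '&#64;',
  '`': '&#96;',
  '{': '&#123;',
};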
|
/**
 * Replacement callback for htmlEscapeString: maps one character matched
 * by HTML_SPECIAL to its entry in HTML_ESCS.  It is only ever invoked
 * with characters from that class, so the lookup is expected to hit.
 * @param {string} chr a single matched character
 * @returns {string} the replacement text for `chr`
 */
function escapeHtmlMetaCharacter(chr) {
  const replacement = HTML_ESCS[chr];
  return replacement;
}
|
57 |
|
/**
 * Coerces `str` to a string and replaces every HTML_SPECIAL character
 * with its HTML_ESCS entry.  Used for text content and for the quoted
 * attribute values built by TrustedHTML.fromScript.
 * @param {*} str any value; non-strings (including null/undefined) are
 *   stringified with template-literal semantics first
 * @returns {string}
 */
function htmlEscapeString(str) {
  const text = `${ str }`;
  return apply(replace, text, [ HTML_SPECIAL, escapeHtmlMetaCharacter ]);
}
|
61 |
|
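// Content that must never appear inside an inline <script> element:
//  - `</script` (any case) ends the element early;
//  - `<!--` moves the HTML tokenizer into the script-data "escaped"
//    states, where a following `<script` makes the element swallow the
//    `</script>` that fromScript appends (the "double escaped" state),
//    so the rest of the page is consumed as script text;
//  - `]]>` ends the CDATA section fromScript wraps the script in.
// The name is kept for compatibility even though `<!--` is now covered.
const SCRIPT_OR_CDATA_END = /<\/script|<!--|\]\]>/i;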
|
63 |
|
64 |
|
/**
 * Common base for the four contract types below.  Instances expose the
 * wrapped string as `.content`; the subclasses add no behaviour of their
 * own beyond the JSON hook defined here.
 */
class TrustedType extends TypedString {}

// Serializes as the bare content string.  Note that the wrapper -- and
// with it the contract -- does not survive a JSON round-trip: parsing the
// output yields a plain string, not a TrustedType, so anything received
// over JSON has to be re-verified or re-sanitized on the way in.
const trustedTypeToJSON = function toJSON() {
  return this.content;
};

// Defined via defineProperties so the hook is non-writable,
// non-enumerable and non-configurable (the defaults), unlike a class
// method.
defineProperties(TrustedType.prototype, {
  'toJSON': { value: trustedTypeToJSON },
});
|
78 |
|
79 |
|
80 |
|
81 |
|
82 |
|
83 |
|
84 |
|
85 |
|
86 |
|
87 |
|
88 |
|
89 |
|
90 |
|
91 |
|
92 |
|
93 |
|
94 |
|
95 |
|
96 |
|
/**
 * HTML markup that is safe to emit into a document as-is.  Without the
 * minter, values are obtained only through TrustedHTML.escape, .concat
 * and .fromScript (defined further down); check with TrustedHTML.is.
 */
class TrustedHTML extends TrustedType {}
|
98 |
|
99 |
|
100 |
|
101 |
|
102 |
|
103 |
|
104 |
|
105 |
|
106 |
|
107 |
|
108 |
|
109 |
|
110 |
|
111 |
|
112 |
|
113 |
|
114 |
|
115 |
|
/**
 * A URL from which it is safe to load code: TrustedHTML.fromScript uses
 * one as a <script src>.  It is the stronger of the two URL contracts --
 * TrustedURL.sanitize accepts a TrustedResourceURL as a TrustedURL, but
 * there is no conversion in the other direction.  Without the minter,
 * values come from TrustedResourceURL.fromScript (a data: URL).
 */
class TrustedResourceURL extends TrustedType {}
|
117 |
|
118 |
|
119 |
|
120 |
|
121 |
|
122 |
|
123 |
|
124 |
|
125 |
|
126 |
|
127 |
|
128 |
|
129 |
|
130 |
|
131 |
|
132 |
|
133 |
|
134 |
|
135 |
|
136 |
|
137 |
|
138 |
|
139 |
|
/**
 * JavaScript source that is safe to execute.  TrustedHTML.fromScript
 * embeds it inline in a <script> element and TrustedResourceURL.fromScript
 * turns it into a data: URL.  Without the minter, values come from
 * TrustedScript.expressionFromJSON (a JSON literal in parentheses).
 */
class TrustedScript extends TrustedType {}
|
141 |
|
142 |
|
143 |
|
144 |
|
145 |
|
146 |
|
147 |
|
148 |
|
149 |
|
150 |
|
151 |
|
152 |
|
153 |
|
154 |
|
155 |
|
156 |
|
157 |
|
158 |
|
159 |
|
160 |
|
161 |
|
/**
 * A URL that is safe to navigate to or link to (href-style use), but not
 * necessarily to load code from.  Without the minter, values come from
 * TrustedURL.sanitize, which admits scheme-less URLs and the schemes in
 * SAFE_SCHEME_WHITELIST and substitutes a fallback for everything else.
 */
class TrustedURL extends TrustedType {}
|
163 |
|
164 |
|
// Each contract type carries a stable `contractKey`; this is presumably
// what node-sec-patterns (Mintable.minterFor / verifierFor below) keys
// the mint grants on -- see that package.  The property is defined with
// defineProperties' defaults (non-writable, non-configurable) so it
// cannot be re-pointed at another type's key later.
const CONTRACT_KEYS = [
  [ TrustedHTML, 'web-contract-types/TrustedHTML' ],
  [ TrustedResourceURL, 'web-contract-types/TrustedResourceURL' ],
  [ TrustedScript, 'web-contract-types/TrustedScript' ],
  [ TrustedURL, 'web-contract-types/TrustedURL' ],
];
for (const [ TrustedTypeT, contractKey ] of CONTRACT_KEYS) {
  defineProperties(TrustedTypeT, {
    'contractKey': { enumerable: true, value: contractKey },
  });
}
|
189 |
|
190 |
|
/**
 * Obtains the minter for a contract type from node-sec-patterns.
 *
 * The minter comes boxed (module-keys).  `unbox` opens it for this module
 * when the grants node-sec-patterns was initialized with permit that; if
 * they do not, the fallback is what `unbox` yields instead (as far as
 * module-keys' unbox contract goes -- confirm), so this function then
 * returns `singleWarningFallback` in the minter's place.  That fallback
 * logs one warning per type and thereafter returns plain strings, i.e. a
 * misconfigured deployment degrades to untyped output that the `is*`
 * verifiers below reject, rather than throwing at mint time.
 *
 * @param {Function} TrustedTypeT one of the TrustedType subclasses.
 * @returns {Function} the real minter, or the string-producing fallback.
 */
function minterFor(TrustedTypeT) {
  let warningIssued = false;

  const warnOnce = () => {
    if (warningIssued) {
      return;
    }
    warningIssued = true;
    console.warn(
      `web-contract-types not authorized to create ${ TrustedTypeT.name }. Maybe check your mintable grants used to initialize node-sec-patterns.`);
  };

  // Stands in for the minter when this module is not authorized.
  function singleWarningFallback(x) {
    warnOnce();
    return `${ x }`;
  }

  const boxedMinter = Mintable.minterFor(TrustedTypeT);
  const acceptAnySource = () => true;
  return require[keysSymbol].unbox(boxedMinter, acceptAnySource, singleWarningFallback);
}
|
209 |
|
210 |
|
// Minters stay module-private: they are not part of module.exports, so
// other code can only create these types through the factory methods
// below (or its own node-sec-patterns grant).  The verifiers are public,
// exposed as the static `is` property of each class.
const mintTrustedHTML = minterFor(TrustedHTML);
const isTrustedHTML = Mintable.verifierFor(TrustedHTML);

const mintTrustedResourceURL = minterFor(TrustedResourceURL);
const isTrustedResourceURL = Mintable.verifierFor(TrustedResourceURL);

const mintTrustedScript = minterFor(TrustedScript);
const isTrustedScript = Mintable.verifierFor(TrustedScript);

const mintTrustedURL = minterFor(TrustedURL);
const isTrustedURL = Mintable.verifierFor(TrustedURL);
|
222 |
|
223 |
|
defineProperties(
  TrustedHTML,
  {
    'concat': {
      enumerable: true,
      /**
       * Joins the content of several TrustedHTML values into one.
       * @param {...TrustedHTML} els
       * @returns {TrustedHTML}
       * @throws {TypeError} if any argument is not a TrustedHTML (the
       *   offending value is stringified into the message).
       */
      value: function concat(...els) {
        let joined = '';
        for (let i = 0; i < els.length; ++i) {
          const piece = els[i];
          if (!isTrustedHTML(piece)) {
            throw new TypeError(`Expected TrustedHTML not ${ piece }`);
          }
          joined += piece.content;
        }
        return mintTrustedHTML(joined);
      },
    },
    'empty': {
      enumerable: true,
      // The empty fragment, minted once and frozen.
      value: freeze(mintTrustedHTML('')),
    },
    'escape': {
      enumerable: true,
      /**
       * Returns `val` unchanged if it already is TrustedHTML; otherwise
       * stringifies it, escapes the HTML_SPECIAL characters and wraps
       * the result.  null/undefined become the text "null"/"undefined".
       * @param {*} val
       * @returns {TrustedHTML}
       */
      value: function escape(val) {
        if (isTrustedHTML(val)) {
          return val;
        }
        return mintTrustedHTML(htmlEscapeString(val));
      },
    },
    'fromScript': {
      enumerable: true,
      /**
       * Builds a <script> element as TrustedHTML.
       *
       * @param {TrustedResourceURL|TrustedScript} src either a URL to
       *   load (emitted as an escaped `src` attribute) or inline script
       *   text (emitted in the element body inside a CDATA section).
       * @param {Object} [options]
       * @param {string} [options.nonce] CSP nonce; attribute-escaped.
       * @param {string} [options.type] `type` attribute; attribute-escaped.
       * @param {boolean} [options.async] emit `async="async"`.
       * @param {boolean} [options.defer] emit `defer="defer"`.
       * @returns {TrustedHTML}
       * @throws {Error} if inline script text matches SCRIPT_OR_CDATA_END
       *   and so could terminate the element or the CDATA section early.
       * @throws {TypeError} if `src` is neither accepted type.
       */
      value: function fromScript(src, { nonce, type, async, defer } = {}) {
        // Attributes are assembled first, in the same order as before,
        // so the escaping of nonce/type happens before src is inspected.
        let attributes = '';
        if (nonce) {
          attributes += ` nonce="${ htmlEscapeString(nonce) }"`;
        }
        if (type) {
          attributes += ` type="${ htmlEscapeString(type) }"`;
        }
        if (async) {
          attributes += ' async="async"';
        }
        if (defer) {
          attributes += ' defer="defer"';
        }

        let body = '';
        if (isTrustedResourceURL(src)) {
          attributes += ` src="${ htmlEscapeString(src.content) }"`;
        } else if (isTrustedScript(src)) {
          const { content } = src;
          // Even trusted script text must not contain the sequences that
          // would end the <script> element or the CDATA wrapper early.
          if (apply(reTest, SCRIPT_OR_CDATA_END, [ content ])) {
            throw new Error(`TrustedScript is not embeddable in HTML ${ content }`);
          }
          // The CDATA markers sit behind `//` so the body parses both as
          // JavaScript and, in XHTML, as a CDATA section.
          body = `//<![CDATA[\n${ content }\n//]]>`;
        } else {
          throw new TypeError('Expected either a TrustedResourceURL or a TrustedScript for src');
        }

        // The leading empty comment is preserved from the original; its
        // purpose is not evident from this file (presumably a parser-
        // state defence) -- confirm before removing it.
        return mintTrustedHTML(`<!-- --><script${ attributes }>${ body }</script>`);
      },
    },
    'is': {
      enumerable: true,
      value: isTrustedHTML,
    },
  });
|
291 |
|
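// Fallback script URL (`about:invalid` loads nothing).  It is exposed as
// TrustedResourceURL.innocuousURL below, so it must be minted as a
// TrustedResourceURL: minted with the TrustedURL minter, as it was, it
// failed TrustedResourceURL.is() and TrustedHTML.fromScript rejected it,
// making the constant unusable for the purpose its name and placement
// indicate.  It still converts to a TrustedURL via TrustedURL.sanitize.
const innocuousResourceURL = freeze(mintTrustedResourceURL('about:invalid#TrustedResourceURL'));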
|
293 |
|
defineProperties(
  TrustedResourceURL,
  {
    'fromScript': {
      enumerable: true,
      /**
       * Wraps a TrustedScript in a `data:text/javascript` URL so it can
       * be used wherever a script URL is required (e.g. as the `src` of
       * TrustedHTML.fromScript).  The script text is percent-encoded as
       * UTF-8, matching the declared charset.  The trailing `#` presumably
       * ensures that anything appended to the URL lands in the fragment
       * and cannot change the script -- confirm.
       *
       * NOTE: encodeURIComponent throws URIError on lone surrogates, and
       * a Content-Security-Policy must allow `data:` in script-src for a
       * URL like this to load at all.
       *
       * @param {TrustedScript} script
       * @returns {TrustedResourceURL}
       * @throws {TypeError} if `script` is not a TrustedScript
       */
      value: function fromScript(script) {
        if (!isTrustedScript(script)) {
          throw new TypeError('Expected TrustedScript');
        }
        const encoded = encodeURIComponent(script.content);
        return mintTrustedResourceURL(`data:text/javascript;charset=UTF-8,${ encoded }#`);
      },
    },
    'innocuousURL': {
      enumerable: true,
      // See innocuousResourceURL above.
      value: innocuousResourceURL,
    },
    'is': {
      enumerable: true,
      value: isTrustedResourceURL,
    },
  });
|
319 |
|
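// U+2028/U+2029 are line terminators in JavaScript but ordinary
// characters in JSON, so JSON.stringify leaves them raw; inside a string
// literal they would break the script.
const LS_GLOBAL = /\u2028/g;
const PS_GLOBAL = /\u2029/g;
// `<` and `>` are escaped as well so that the JSON literal can never
// contain `</script`, `<!--` or `]]>` -- the sequences
// TrustedHTML.fromScript rejects -- whatever strings are serialized.
// JSON syntax itself never uses these characters, so they only occur
// inside string literals, where the \u escapes denote the same text.
const LT_GLOBAL = /</g;
const GT_GLOBAL = />/g;

defineProperties(
  TrustedScript,
  {
    'expressionFromJSON': {
      enumerable: true,
      /**
       * Serializes its arguments exactly as JSON.stringify would and
       * wraps the result in parentheses so it parses as a JavaScript
       * expression.  U+2028, U+2029, `<` and `>` are \u-escaped so the
       * result can be embedded in an inline <script> without tripping
       * fromScript's content check or the HTML tokenizer.
       *
       * Assumes the optional `space` argument, if a string, is plain
       * whitespace (an indent of `<` or U+2028 would be escaped outside a
       * string literal and yield invalid JavaScript).
       *
       * @param {...*} args passed straight through to JSON.stringify.
       * @returns {TrustedScript}
       * @throws {TypeError} when JSON.stringify produces no text (the
       *   top-level value is undefined, a function or a symbol).
       */
      value: function expressionFromJSON(...args) {
        const json = JSONstringify(...args);
        // JSON.stringify returns undefined for such inputs; previously
        // this surfaced as an opaque TypeError from `replace`.
        if (typeof json !== 'string') {
          throw new TypeError('expressionFromJSON: value has no JSON representation');
        }
        let javascript = apply(replace, json, [ LS_GLOBAL, '\\u2028' ]);
        javascript = apply(replace, javascript, [ PS_GLOBAL, '\\u2029' ]);
        javascript = apply(replace, javascript, [ LT_GLOBAL, '\\u003c' ]);
        javascript = apply(replace, javascript, [ GT_GLOBAL, '\\u003e' ]);
        return mintTrustedScript(`(${ javascript })`);
      },
    },
    'innocuousScript': {
      enumerable: true,
      // A no-op expression (evaluates to undefined) usable as a fallback.
      value: freeze(mintTrustedScript('[][0]/*TrustedScript*/')),
    },
    'is': {
      enumerable: true,
      value: isTrustedScript,
    },
  });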
|
346 |
|
347 |
|
// Splits a URL string into an optional scheme (everything up to the first
// `:`, provided no `/`, `?` or `#` precedes it, colon included) and the
// remainder, after dropping leading/trailing HTML whitespace.  Always
// matches; group 1 is undefined for scheme-less (relative or
// protocol-relative) URLs.  The scheme class admits control characters
// such as tab and newline, so e.g. `java\tscript:` is captured as one
// scheme -- which then simply fails the whitelist below -- rather than
// being stripped the way a browser's URL parser would.
const SCHEME_AND_REST = /^[\t\n\f\r ]*([^/:?#]+:)?([\s\S]*?)[\t\n\f\r ]*$/;

// Schemes TrustedURL.sanitize lets through; looked up after lowercasing,
// colon included.  Null prototype so inherited names (`constructor:` ...)
// can never match.  Anything not listed -- javascript:, data:, vbscript:,
// blob:, file:, ... -- falls through to the caller's fallback.
const SAFE_SCHEME_WHITELIST = {
  __proto__: null,
  'http:': true,
  'https:': true,
  'mailto:': true,
  'tel:': true,
};
|
361 |
|
// Default fallback for TrustedURL.sanitize: `about:invalid` navigates
// nowhere; the fragment only names the type the value stands in for.
const innocuousURL = freeze(mintTrustedURL('about:invalid#TrustedURL'));
|
363 |
|
defineProperties(
  TrustedURL,
  {
    'innocuousURL': {
      enumerable: true,
      value: innocuousURL,
    },
    'sanitize': {
      enumerable: true,
      /**
       * Coerces `val` to a TrustedURL.
       *  - A TrustedURL is returned as is.
       *  - A TrustedResourceURL is accepted as the stronger contract and
       *    re-minted.  (The wrapper itself, not `.content`, is handed to
       *    the minter; this relies on the minter stringifying it --
       *    presumably via TypedString's toString -- confirm.)
       *  - Anything else is stringified.  A scheme-less URL is kept,
       *    whitespace-trimmed.  A URL whose scheme, lowercased, is in
       *    SAFE_SCHEME_WHITELIST is kept with the scheme lowercased.
       *    Every other scheme (javascript:, data:, ...) yields `fallback`.
       * `fallback` is returned unchecked, so a caller supplying one is
       * responsible for it being a TrustedURL.
       *
       * @param {*} val
       * @param {TrustedURL} [fallback=innocuousURL]
       * @returns {TrustedURL}
       */
      value: function sanitize(val, fallback = innocuousURL) {
        if (isTrustedURL(val)) {
          return val;
        }
        if (isTrustedResourceURL(val)) {
          return mintTrustedURL(val);
        }
        const text = `${ val }`;
        // SCHEME_AND_REST always matches, so the result is never null.
        const parts = apply(reExec, SCHEME_AND_REST, [ text ]);
        const scheme = parts[1];
        const rest = parts[2];
        if (!scheme) {
          return mintTrustedURL(rest);
        }
        const lowerScheme = scheme.toLowerCase();
        if (!SAFE_SCHEME_WHITELIST[lowerScheme]) {
          return fallback;
        }
        return mintTrustedURL(`${ lowerScheme }${ rest }`);
      },
    },
    'is': {
      enumerable: true,
      value: isTrustedURL,
    },
  });
|
398 |
|
399 |
|
// Only the four contract types are exported, and the export object is
// frozen.  The minters are deliberately absent: a consumer can verify
// (`.is`), sanitize, escape and compose values through the static
// methods above, but can only mint directly with its own
// node-sec-patterns grant.
module.exports = freeze({
  TrustedHTML,
  TrustedResourceURL,
  TrustedScript,
  TrustedURL,
});
|