fix(compiler): only promote Trusted Types to constants when necessary (#39554)
Previously all constant values of security-sensitive attributes and properties were promoted to Trusted Types. While this is not inherently bad, it is also not optimal. Use the newly added Trusted Types schema to restrict promotion to constants that are in a Trusted Types-relevant context. PR Close #39554
This commit is contained in:
parent
c8a99ef458
commit
4916870dff
|
@ -24,6 +24,7 @@ import {mapLiteral} from '../../output/map_util';
|
|||
import * as o from '../../output/output_ast';
|
||||
import {ParseError, ParseSourceSpan} from '../../parse_util';
|
||||
import {DomElementSchemaRegistry} from '../../schema/dom_element_schema_registry';
|
||||
import {isTrustedTypesSink} from '../../schema/trusted_types_sinks';
|
||||
import {CssSelector, SelectorMatcher} from '../../selector';
|
||||
import {BindingParser} from '../../template_parser/binding_parser';
|
||||
import {error, partitionArray} from '../../util';
|
||||
|
@ -2151,6 +2152,7 @@ export function resolveSanitizationFn(context: core.SecurityContext, isAttribute
|
|||
|
||||
function trustedConstAttribute(tagName: string, attr: t.TextAttribute): o.Expression {
|
||||
const value = asLiteral(attr.value);
|
||||
if (isTrustedTypesSink(tagName, attr.name)) {
|
||||
switch (elementRegistry.securityContext(tagName, attr.name, /* isAttribute */ true)) {
|
||||
case core.SecurityContext.HTML:
|
||||
return o.importExpr(R3.trustConstantHtml).callFn([value], attr.valueSpan);
|
||||
|
@ -2161,6 +2163,9 @@ function trustedConstAttribute(tagName: string, attr: t.TextAttribute): o.Expres
|
|||
default:
|
||||
return value;
|
||||
}
|
||||
} else {
|
||||
return value;
|
||||
}
|
||||
}
|
||||
|
||||
function isSingleElementTemplate(children: t.Node[]): children is[t.Element] {
|
||||
|
|
Loading…
Reference in New Issue