diff options
Diffstat (limited to 'node_modules/angular/angular.js')
| -rw-r--r-- | node_modules/angular/angular.js | 364 |
1 files changed, 234 insertions, 130 deletions
diff --git a/node_modules/angular/angular.js b/node_modules/angular/angular.js index 5de5618431..e67a6906e8 100644 --- a/node_modules/angular/angular.js +++ b/node_modules/angular/angular.js @@ -1,6 +1,6 @@ /** - * @license AngularJS v1.8.0 - * (c) 2010-2020 Google, Inc. http://angularjs.org + * @license AngularJS v1.8.2 + * (c) 2010-2020 Google LLC. http://angularjs.org * License: MIT */ (function(window) {'use strict'; @@ -99,7 +99,7 @@ function isValidObjectMaxDepth(maxDepth) { function minErr(module, ErrorConstructor) { ErrorConstructor = ErrorConstructor || Error; - var url = 'https://errors.angularjs.org/1.8.0/'; + var url = 'https://errors.angularjs.org/1.8.2/'; var regex = url.replace('.', '\\.') + '[\\s\\S]*'; var errRegExp = new RegExp(regex, 'g'); @@ -1671,7 +1671,7 @@ function allowAutoBootstrap(document) { link.href = src.value; if (document.location.origin === link.origin) { - // Same-origin resources are always allowed, even for non-whitelisted schemes. + // Same-origin resources are always allowed, even for banned URL schemes. return true; } // Disabled bootstrapping unless angular.js was loaded from a known scheme used on the web. @@ -2828,11 +2828,11 @@ function toDebugString(obj, maxDepth) { var version = { // These placeholder strings will be replaced by grunt's `build` task. // They need to be double- or single-quoted. - full: '1.8.0', + full: '1.8.2', major: 1, minor: 8, - dot: 0, - codeName: 'nested-vaccination' + dot: 2, + codeName: 'meteoric-mining' }; @@ -2983,7 +2983,7 @@ function publishExternalAPI(angular) { }); } ]) - .info({ angularVersion: '1.8.0' }); + .info({ angularVersion: '1.8.2' }); } /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * @@ -8428,8 +8428,8 @@ function $TemplateCacheProvider() { * * Based on the context, other options may exist to mark a value as trusted / configure the behavior * of {@link ng.$sce}. For example, to restrict the `RESOURCE_URL` context to specific origins, use - * the {@link $sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist()} - * and {@link $sceDelegateProvider#resourceUrlBlacklist resourceUrlBlacklist()}. + * the {@link $sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList()} + * and {@link $sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList()}. * * {@link ng.$sce#what-trusted-context-types-are-supported- Find out more about the different context types}. * @@ -8438,7 +8438,7 @@ function $TemplateCacheProvider() { * By default, `$sce` will throw an error if it detects untrusted HTML content, and will not bind the * content. * However, if you include the {@link ngSanitize ngSanitize module}, it will try to sanitize the - * potentially dangerous HTML, e.g. strip non-whitelisted tags and attributes when binding to + * potentially dangerous HTML, e.g. strip non-trusted tags and attributes when binding to * `innerHTML`. * * @example @@ -9020,63 +9020,105 @@ function $CompileProvider($provide, $$sanitizeUriProvider) { /** * @ngdoc method - * @name $compileProvider#aHrefSanitizationWhitelist + * @name $compileProvider#aHrefSanitizationTrustedUrlList * @kind function * * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during a[href] sanitization. * * The sanitization is a security measure aimed at preventing XSS attacks via html links. * * Any url about to be assigned to a[href] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationWhitelist` + * an absolute url. Afterwards, the url is matched against the `aHrefSanitizationTrustedUrlList` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationWhitelist = function(regexp) { + this.aHrefSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.aHrefSanitizationWhitelist(regexp); + $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(regexp); return this; } else { - return $$sanitizeUriProvider.aHrefSanitizationWhitelist(); + return $$sanitizeUriProvider.aHrefSanitizationTrustedUrlList(); } }; /** * @ngdoc method - * @name $compileProvider#imgSrcSanitizationWhitelist + * @name $compileProvider#aHrefSanitizationWhitelist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This method is deprecated. Use {@link $compileProvider#aHrefSanitizationTrustedUrlList + * aHrefSanitizationTrustedUrlList} instead. + */ + Object.defineProperty(this, 'aHrefSanitizationWhitelist', { + get: function() { + return this.aHrefSanitizationTrustedUrlList; + }, + set: function(value) { + this.aHrefSanitizationTrustedUrlList = value; + } + }); + + + /** + * @ngdoc method + * @name $compileProvider#imgSrcSanitizationTrustedUrlList * @kind function * * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during img[src] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via html links. * * Any url about to be assigned to img[src] via data-binding is first normalized and turned into - * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationWhitelist` + * an absolute url. Afterwards, the url is matched against the `imgSrcSanitizationTrustedUrlList` * regular expression. If a match is found, the original url is written into the dom. Otherwise, * the absolute url is prefixed with `'unsafe:'` string and only then is it written into the DOM. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationWhitelist = function(regexp) { + this.imgSrcSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - $$sanitizeUriProvider.imgSrcSanitizationWhitelist(regexp); + $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(regexp); return this; } else { - return $$sanitizeUriProvider.imgSrcSanitizationWhitelist(); + return $$sanitizeUriProvider.imgSrcSanitizationTrustedUrlList(); } }; + + /** + * @ngdoc method + * @name $compileProvider#imgSrcSanitizationWhitelist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This method is deprecated. Use {@link $compileProvider#imgSrcSanitizationTrustedUrlList + * imgSrcSanitizationTrustedUrlList} instead. + */ + Object.defineProperty(this, 'imgSrcSanitizationWhitelist', { + get: function() { + return this.imgSrcSanitizationTrustedUrlList; + }, + set: function(value) { + this.imgSrcSanitizationTrustedUrlList = value; + } + }); + /** * @ngdoc method * @name $compileProvider#debugInfoEnabled @@ -12327,7 +12369,7 @@ function $HttpProvider() { /** * @ngdoc property - * @name $httpProvider#xsrfWhitelistedOrigins + * @name $httpProvider#xsrfTrustedOrigins * @description * * Array containing URLs whose origins are trusted to receive the XSRF token. See the @@ -12341,7 +12383,7 @@ function $HttpProvider() { * Examples: `http://example.com`, `https://api.example.com:9876` * * <div class="alert alert-warning"> - * It is not possible to whitelist specific URLs/paths. The `path`, `query` and `fragment` parts + * It is not possible to trust specific URLs/paths. The `path`, `query` and `fragment` parts * of a URL will be ignored. For example, `https://foo.com/path/bar?query=baz#fragment` will be * treated as `https://foo.com`, meaning that **all** requests to URLs starting with * `https://foo.com/` will include the XSRF token. @@ -12352,9 +12394,9 @@ function $HttpProvider() { * ```js * // App served from `https://example.com/`. * angular. - * module('xsrfWhitelistedOriginsExample', []). + * module('xsrfTrustedOriginsExample', []). * config(['$httpProvider', function($httpProvider) { - * $httpProvider.xsrfWhitelistedOrigins.push('https://api.example.com'); + * $httpProvider.xsrfTrustedOrigins.push('https://api.example.com'); * }]). * run(['$http', function($http) { * // The XSRF token will be sent. @@ -12365,7 +12407,27 @@ function $HttpProvider() { * }]); * ``` */ - var xsrfWhitelistedOrigins = this.xsrfWhitelistedOrigins = []; + var xsrfTrustedOrigins = this.xsrfTrustedOrigins = []; + + /** + * @ngdoc property + * @name $httpProvider#xsrfWhitelistedOrigins + * @description + * + * @deprecated + * sinceVersion="1.8.1" + * + * This property is deprecated. Use {@link $httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins} + * instead. + */ + Object.defineProperty(this, 'xsrfWhitelistedOrigins', { + get: function() { + return this.xsrfTrustedOrigins; + }, + set: function(origins) { + this.xsrfTrustedOrigins = origins; + } + }); this.$get = ['$browser', '$httpBackend', '$$cookieReader', '$cacheFactory', '$rootScope', '$q', '$injector', '$sce', function($browser, $httpBackend, $$cookieReader, $cacheFactory, $rootScope, $q, $injector, $sce) { @@ -12393,7 +12455,7 @@ function $HttpProvider() { /** * A function to check request URLs against a list of allowed origins. */ - var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfWhitelistedOrigins); + var urlIsAllowedOrigin = urlIsAllowedOriginFactory(xsrfTrustedOrigins); /** * @ngdoc service @@ -12767,16 +12829,16 @@ function $HttpProvider() { * The header will — by default — **not** be set for cross-domain requests. This * prevents unauthorized servers (e.g. malicious or compromised 3rd-party APIs) from gaining * access to your users' XSRF tokens and exposing them to Cross Site Request Forgery. If you - * want to, you can whitelist additional origins to also receive the XSRF token, by adding them - * to {@link ng.$httpProvider#xsrfWhitelistedOrigins xsrfWhitelistedOrigins}. This might be + * want to, you can trust additional origins to also receive the XSRF token, by adding them + * to {@link ng.$httpProvider#xsrfTrustedOrigins xsrfTrustedOrigins}. This might be * useful, for example, if your application, served from `example.com`, needs to access your API * at `api.example.com`. - * See {@link ng.$httpProvider#xsrfWhitelistedOrigins $httpProvider.xsrfWhitelistedOrigins} for + * See {@link ng.$httpProvider#xsrfTrustedOrigins $httpProvider.xsrfTrustedOrigins} for * more details. * * <div class="alert alert-danger"> * **Warning**<br /> - * Only whitelist origins that you have control over and make sure you understand the + * Only trusted origins that you have control over and make sure you understand the * implications of doing so. * </div> * @@ -12903,8 +12965,8 @@ function $HttpProvider() { <file name="script.js"> angular.module('httpExample', []) .config(['$sceDelegateProvider', function($sceDelegateProvider) { - // We must whitelist the JSONP endpoint that we are using to show that we trust it - $sceDelegateProvider.resourceUrlWhitelist([ + // We must add the JSONP endpoint that we are using to the trusted list to show that we trust it + $sceDelegateProvider.trustedResourceUrlList([ 'self', 'https://angularjs.org/**' ]); @@ -13161,8 +13223,8 @@ function $HttpProvider() { * * Note that, since JSONP requests are sensitive because the response is given full access to the browser, * the url must be declared, via {@link $sce} as a trusted resource URL. - * You can trust a URL by adding it to the whitelist via - * {@link $sceDelegateProvider#resourceUrlWhitelist `$sceDelegateProvider.resourceUrlWhitelist`} or + * You can trust a URL by adding it to the trusted resource URL list via + * {@link $sceDelegateProvider#trustedResourceUrlList `$sceDelegateProvider.trustedResourceUrlList`} or * by explicitly trusting the URL via {@link $sce#trustAsResourceUrl `$sce.trustAsResourceUrl(url)`}. * * You should avoid generating the URL for the JSONP request from user provided data. @@ -19898,12 +19960,12 @@ function $RootScopeProvider() { */ function $$SanitizeUriProvider() { - var aHrefSanitizationWhitelist = /^\s*(https?|s?ftp|mailto|tel|file):/, - imgSrcSanitizationWhitelist = /^\s*((https?|ftp|file|blob):|data:image\/)/; + var aHrefSanitizationTrustedUrlList = /^\s*(https?|s?ftp|mailto|tel|file):/, + imgSrcSanitizationTrustedUrlList = /^\s*((https?|ftp|file|blob):|data:image\/)/; /** * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during a[href] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via HTML anchor links. @@ -19912,27 +19974,27 @@ function $$SanitizeUriProvider() { * the $sce.URL security context. When interpolation occurs a call is made to `$sce.trustAsUrl(url)` * which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize the potentially malicious URL. * - * If the URL matches the `aHrefSanitizationWhitelist` regular expression, it is returned unchanged. + * If the URL matches the `aHrefSanitizationTrustedUrlList` regular expression, it is returned unchanged. * * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written * to the DOM it is inactive and potentially malicious code will not be executed. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.aHrefSanitizationWhitelist = function(regexp) { + this.aHrefSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - aHrefSanitizationWhitelist = regexp; + aHrefSanitizationTrustedUrlList = regexp; return this; } - return aHrefSanitizationWhitelist; + return aHrefSanitizationTrustedUrlList; }; /** * @description - * Retrieves or overrides the default regular expression that is used for whitelisting of safe + * Retrieves or overrides the default regular expression that is used for determining trusted safe * urls during img[src] sanitization. * * The sanitization is a security measure aimed at prevent XSS attacks via HTML image src links. @@ -19942,27 +20004,28 @@ function $$SanitizeUriProvider() { * `$sce.trustAsMediaUrl(url)` which in turn may call `$$sanitizeUri(url, isMedia)` to sanitize * the potentially malicious URL. * - * If the URL matches the `aImgSanitizationWhitelist` regular expression, it is returned unchanged. + * If the URL matches the `imgSrcSanitizationTrustedUrlList` regular expression, it is returned + * unchanged. * * If there is no match the URL is returned prefixed with `'unsafe:'` to ensure that when it is written * to the DOM it is inactive and potentially malicious code will not be executed. * - * @param {RegExp=} regexp New regexp to whitelist urls with. + * @param {RegExp=} regexp New regexp to trust urls with. * @returns {RegExp|ng.$compileProvider} Current RegExp if called without value or self for * chaining otherwise. */ - this.imgSrcSanitizationWhitelist = function(regexp) { + this.imgSrcSanitizationTrustedUrlList = function(regexp) { if (isDefined(regexp)) { - imgSrcSanitizationWhitelist = regexp; + imgSrcSanitizationTrustedUrlList = regexp; return this; } - return imgSrcSanitizationWhitelist; + return imgSrcSanitizationTrustedUrlList; }; this.$get = function() { return function sanitizeUri(uri, isMediaUrl) { // if (!uri) return uri; - var regex = isMediaUrl ? imgSrcSanitizationWhitelist : aHrefSanitizationWhitelist; + var regex = isMediaUrl ? imgSrcSanitizationTrustedUrlList : aHrefSanitizationTrustedUrlList; var normalizedVal = urlResolve(uri && uri.trim()).href; if (normalizedVal !== '' && !normalizedVal.match(regex)) { return 'unsafe:' + normalizedVal; @@ -20090,10 +20153,10 @@ function adjustMatchers(matchers) { * The default instance of `$sceDelegate` should work out of the box with little pain. While you * can override it completely to change the behavior of `$sce`, the common case would * involve configuring the {@link ng.$sceDelegateProvider $sceDelegateProvider} instead by setting - * your own whitelists and blacklists for trusting URLs used for loading AngularJS resources such as - * templates. Refer {@link ng.$sceDelegateProvider#resourceUrlWhitelist - * $sceDelegateProvider.resourceUrlWhitelist} and {@link - * ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist} + * your own trusted and banned resource lists for trusting URLs used for loading AngularJS resources + * such as templates. Refer {@link ng.$sceDelegateProvider#trustedResourceUrlList + * $sceDelegateProvider.trustedResourceUrlList} and {@link + * ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList} */ /** @@ -20106,12 +20169,12 @@ function adjustMatchers(matchers) { * The `$sceDelegateProvider` provider allows developers to configure the {@link ng.$sceDelegate * $sceDelegate service}, used as a delegate for {@link ng.$sce Strict Contextual Escaping (SCE)}. * - * The `$sceDelegateProvider` allows one to get/set the whitelists and blacklists used to ensure - * that the URLs used for sourcing AngularJS templates and other script-running URLs are safe (all - * places that use the `$sce.RESOURCE_URL` context). See - * {@link ng.$sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider.resourceUrlWhitelist} - * and - * {@link ng.$sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider.resourceUrlBlacklist}, + * The `$sceDelegateProvider` allows one to get/set the `trustedResourceUrlList` and + * `bannedResourceUrlList` used to ensure that the URLs used for sourcing AngularJS templates and + * other script-running URLs are safe (all places that use the `$sce.RESOURCE_URL` context). See + * {@link ng.$sceDelegateProvider#trustedResourceUrlList + * $sceDelegateProvider.trustedResourceUrlList} and + * {@link ng.$sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider.bannedResourceUrlList}, * * For the general details about this service in AngularJS, read the main page for {@link ng.$sce * Strict Contextual Escaping (SCE)}. @@ -20127,98 +20190,139 @@ function adjustMatchers(matchers) { * * ``` * angular.module('myApp', []).config(function($sceDelegateProvider) { - * $sceDelegateProvider.resourceUrlWhitelist([ + * $sceDelegateProvider.trustedResourceUrlList([ * // Allow same origin resource loads. * 'self', * // Allow loading from our assets domain. Notice the difference between * and **. * 'http://srv*.assets.example.com/**' * ]); * - * // The blacklist overrides the whitelist so the open redirect here is blocked. - * $sceDelegateProvider.resourceUrlBlacklist([ + * // The banned resource URL list overrides the trusted resource URL list so the open redirect + * // here is blocked. + * $sceDelegateProvider.bannedResourceUrlList([ * 'http://myapp.example.com/clickThru**' * ]); * }); * ``` - * Note that an empty whitelist will block every resource URL from being loaded, and will require + * Note that an empty trusted resource URL list will block every resource URL from being loaded, and will require * you to manually mark each one as trusted with `$sce.trustAsResourceUrl`. However, templates * requested by {@link ng.$templateRequest $templateRequest} that are present in * {@link ng.$templateCache $templateCache} will not go through this check. If you have a mechanism * to populate your templates in that cache at config time, then it is a good idea to remove 'self' - * from that whitelist. This helps to mitigate the security impact of certain types of issues, like - * for instance attacker-controlled `ng-includes`. + * from the trusted resource URL lsit. This helps to mitigate the security impact of certain types + * of issues, like for instance attacker-controlled `ng-includes`. */ function $SceDelegateProvider() { this.SCE_CONTEXTS = SCE_CONTEXTS; // Resource URLs can also be trusted by policy. - var resourceUrlWhitelist = ['self'], - resourceUrlBlacklist = []; + var trustedResourceUrlList = ['self'], + bannedResourceUrlList = []; /** * @ngdoc method - * @name $sceDelegateProvider#resourceUrlWhitelist + * @name $sceDelegateProvider#trustedResourceUrlList * @kind function * - * @param {Array=} whitelist When provided, replaces the resourceUrlWhitelist with the value - * provided. This must be an array or null. A snapshot of this array is used so further - * changes to the array are ignored. + * @param {Array=} trustedResourceUrlList When provided, replaces the trustedResourceUrlList with + * the value provided. This must be an array or null. A snapshot of this array is used so + * further changes to the array are ignored. * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items * allowed in this array. * - * @return {Array} The currently set whitelist array. + * @return {Array} The currently set trusted resource URL array. * * @description - * Sets/Gets the whitelist of trusted resource URLs. + * Sets/Gets the list trusted of resource URLs. * - * The **default value** when no whitelist has been explicitly set is `['self']` allowing only - * same origin resource requests. + * The **default value** when no `trustedResourceUrlList` has been explicitly set is `['self']` + * allowing only same origin resource requests. * * <div class="alert alert-warning"> - * **Note:** the default whitelist of 'self' is not recommended if your app shares its origin - * with other apps! It is a good idea to limit it to only your application's directory. + * **Note:** the default `trustedResourceUrlList` of 'self' is not recommended if your app shares + * its origin with other apps! It is a good idea to limit it to only your application's directory. * </div> */ - this.resourceUrlWhitelist = function(value) { + this.trustedResourceUrlList = function(value) { if (arguments.length) { - resourceUrlWhitelist = adjustMatchers(value); + trustedResourceUrlList = adjustMatchers(value); } - return resourceUrlWhitelist; + return trustedResourceUrlList; }; /** * @ngdoc method - * @name $sceDelegateProvider#resourceUrlBlacklist + * @name $sceDelegateProvider#resourceUrlWhitelist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This method is deprecated. Use {@link $sceDelegateProvider#trustedResourceUrlList + * trustedResourceUrlList} instead. + */ + Object.defineProperty(this, 'resourceUrlWhitelist', { + get: function() { + return this.trustedResourceUrlList; + }, + set: function(value) { + this.trustedResourceUrlList = value; + } + }); + + /** + * @ngdoc method + * @name $sceDelegateProvider#bannedResourceUrlList * @kind function * - * @param {Array=} blacklist When provided, replaces the resourceUrlBlacklist with the value - * provided. This must be an array or null. A snapshot of this array is used so further - * changes to the array are ignored.</p><p> + * @param {Array=} bannedResourceUrlList When provided, replaces the `bannedResourceUrlList` with + * the value provided. This must be an array or null. A snapshot of this array is used so + * further changes to the array are ignored.</p><p> * Follow {@link ng.$sce#resourceUrlPatternItem this link} for a description of the items * allowed in this array.</p><p> - * The typical usage for the blacklist is to **block + * The typical usage for the `bannedResourceUrlList` is to **block * [open redirects](http://cwe.mitre.org/data/definitions/601.html)** served by your domain as * these would otherwise be trusted but actually return content from the redirected domain. * </p><p> - * Finally, **the blacklist overrides the whitelist** and has the final say. + * Finally, **the banned resource URL list overrides the trusted resource URL list** and has + * the final say. * - * @return {Array} The currently set blacklist array. + * @return {Array} The currently set `bannedResourceUrlList` array. * * @description - * Sets/Gets the blacklist of trusted resource URLs. + * Sets/Gets the `bannedResourceUrlList` of trusted resource URLs. * - * The **default value** when no whitelist has been explicitly set is the empty array (i.e. there - * is no blacklist.) + * The **default value** when no trusted resource URL list has been explicitly set is the empty + * array (i.e. there is no `bannedResourceUrlList`.) */ - - this.resourceUrlBlacklist = function(value) { + this.bannedResourceUrlList = function(value) { if (arguments.length) { - resourceUrlBlacklist = adjustMatchers(value); + bannedResourceUrlList = adjustMatchers(value); } - return resourceUrlBlacklist; + return bannedResourceUrlList; }; + /** + * @ngdoc method + * @name $sceDelegateProvider#resourceUrlBlacklist + * @kind function + * + * @deprecated + * sinceVersion="1.8.1" + * + * This method is deprecated. Use {@link $sceDelegateProvider#bannedResourceUrlList + * bannedResourceUrlList} instead. + */ + Object.defineProperty(this, 'resourceUrlBlacklist', { + get: function() { + return this.bannedResourceUrlList; + }, + set: function(value) { + this.bannedResourceUrlList = value; + } + }); + this.$get = ['$injector', '$$sanitizeUri', function($injector, $$sanitizeUri) { var htmlSanitizer = function htmlSanitizer(html) { @@ -20242,17 +20346,17 @@ function $SceDelegateProvider() { function isResourceUrlAllowedByPolicy(url) { var parsedUrl = urlResolve(url.toString()); var i, n, allowed = false; - // Ensure that at least one item from the whitelist allows this url. - for (i = 0, n = resourceUrlWhitelist.length; i < n; i++) { - if (matchUrl(resourceUrlWhitelist[i], parsedUrl)) { + // Ensure that at least one item from the trusted resource URL list allows this url. + for (i = 0, n = trustedResourceUrlList.length; i < n; i++) { + if (matchUrl(trustedResourceUrlList[i], parsedUrl)) { allowed = true; break; } } if (allowed) { - // Ensure that no item from the blacklist blocked this url. - for (i = 0, n = resourceUrlBlacklist.length; i < n; i++) { - if (matchUrl(resourceUrlBlacklist[i], parsedUrl)) { + // Ensure that no item from the banned resource URL list has blocked this url. + for (i = 0, n = bannedResourceUrlList.length; i < n; i++) { + if (matchUrl(bannedResourceUrlList[i], parsedUrl)) { allowed = false; break; } @@ -20373,9 +20477,9 @@ function $SceDelegateProvider() { * The contexts that can be sanitized are $sce.MEDIA_URL, $sce.URL and $sce.HTML. The first two are available * by default, and the third one relies on the `$sanitize` service (which may be loaded through * the `ngSanitize` module). Furthermore, for $sce.RESOURCE_URL context, a plain string may be - * accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#resourceUrlWhitelist - * `$sceDelegateProvider.resourceUrlWhitelist`} and {@link ng.$sceDelegateProvider#resourceUrlBlacklist - * `$sceDelegateProvider.resourceUrlBlacklist`} accepts that resource. + * accepted if the resource url policy defined by {@link ng.$sceDelegateProvider#trustedResourceUrlList + * `$sceDelegateProvider.trustedResourceUrlList`} and {@link ng.$sceDelegateProvider#bannedResourceUrlList + * `$sceDelegateProvider.bannedResourceUrlList`} accepts that resource. * * This function will throw if the safe type isn't appropriate for this context, or if the * value given cannot be accepted in the context (which might be caused by sanitization not @@ -20469,9 +20573,9 @@ function $SceDelegateProvider() { * * To systematically block XSS security bugs, AngularJS treats all values as untrusted by default in * HTML or sensitive URL bindings. When binding untrusted values, AngularJS will automatically - * run security checks on them (sanitizations, whitelists, depending on context), or throw when it - * cannot guarantee the security of the result. That behavior depends strongly on contexts: HTML - * can be sanitized, but template URLs cannot, for instance. + * run security checks on them (sanitizations, trusted URL resource, depending on context), or throw + * when it cannot guarantee the security of the result. That behavior depends strongly on contexts: + * HTML can be sanitized, but template URLs cannot, for instance. * * To illustrate this, consider the `ng-bind-html` directive. It renders its value directly as HTML: * we call that the *context*. When given an untrusted input, AngularJS will attempt to sanitize it @@ -20550,8 +20654,8 @@ function $SceDelegateProvider() { * By default, AngularJS only loads templates from the same domain and protocol as the application * document. This is done by calling {@link ng.$sce#getTrustedResourceUrl * $sce.getTrustedResourceUrl} on the template URL. To load templates from other domains and/or - * protocols, you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist - * them} or {@link ng.$sce#trustAsResourceUrl wrap it} into a trusted value. + * protocols, you may either add them to the {@link ng.$sceDelegateProvider#trustedResourceUrlList + * trustedResourceUrlList} or {@link ng.$sce#trustAsResourceUrl wrap them} into trusted values. * * *Please note*: * The browser's @@ -20579,8 +20683,8 @@ function $SceDelegateProvider() { * templates in `ng-include` from your application's domain without having to even know about SCE. * It blocks loading templates from other domains or loading templates over http from an https * served document. You can change these by setting your own custom {@link - * ng.$sceDelegateProvider#resourceUrlWhitelist whitelists} and {@link - * ng.$sceDelegateProvider#resourceUrlBlacklist blacklists} for matching such URLs. + * ng.$sceDelegateProvider#trustedResourceUrlList trusted resource URL list} and {@link + * ng.$sceDelegateProvider#bannedResourceUrlList banned resource URL list} for matching such URLs. * * This significantly reduces the overhead. It is far easier to pay the small overhead and have an * application that's secure and can be audited to verify that with much more ease than bolting @@ -20595,7 +20699,7 @@ function $SceDelegateProvider() { * | `$sce.CSS` | For CSS that's safe to source into the application. Currently unused. Feel free to use it in your own directives. | * | `$sce.MEDIA_URL` | For URLs that are safe to render as media. Is automatically converted from string by sanitizing when needed. | * | `$sce.URL` | For URLs that are safe to follow as links. Is automatically converted from string by sanitizing when needed. Note that `$sce.URL` makes a stronger statement about the URL than `$sce.MEDIA_URL` does and therefore contexts requiring values trusted for `$sce.URL` can be used anywhere that values trusted for `$sce.MEDIA_URL` are required.| - * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#resourceUrlWhitelist $sceDelegateProvider#resourceUrlWhitelist()} and {@link $sceDelegateProvider#resourceUrlBlacklist $sceDelegateProvider#resourceUrlBlacklist()} can be used to restrict trusted origins for `RESOURCE_URL` | + * | `$sce.RESOURCE_URL` | For URLs that are not only safe to follow as links, but whose contents are also safe to include in your application. Examples include `ng-include`, `src` / `ngSrc` bindings for tags other than `IMG` (e.g. `IFRAME`, `OBJECT`, etc.) <br><br>Note that `$sce.RESOURCE_URL` makes a stronger statement about the URL than `$sce.URL` or `$sce.MEDIA_URL` do and therefore contexts requiring values trusted for `$sce.RESOURCE_URL` can be used anywhere that values trusted for `$sce.URL` or `$sce.MEDIA_URL` are required. <br><br> The {@link $sceDelegateProvider#trustedResourceUrlList $sceDelegateProvider#trustedResourceUrlList()} and {@link $sceDelegateProvider#bannedResourceUrlList $sceDelegateProvider#bannedResourceUrlList()} can be used to restrict trusted origins for `RESOURCE_URL` | * | `$sce.JS` | For JavaScript that is safe to execute in your application's context. Currently unused. Feel free to use it in your own directives. | * * @@ -20613,7 +20717,7 @@ function $SceDelegateProvider() { * There are no CSS or JS context bindings in AngularJS currently, so their corresponding `$sce.trustAs` * functions aren't useful yet. This might evolve. * - * ### Format of items in {@link ng.$sceDelegateProvider#resourceUrlWhitelist resourceUrlWhitelist}/{@link ng.$sceDelegateProvider#resourceUrlBlacklist Blacklist} <a name="resourceUrlPatternItem"></a> + * ### Format of items in {@link ng.$sceDelegateProvider#trustedResourceUrlList trustedResourceUrlList}/{@link ng.$sceDelegateProvider#bannedResourceUrlList bannedResourceUrlList} <a name="resourceUrlPatternItem"></a> * * Each element in these arrays must be one of the following: * @@ -20627,7 +20731,7 @@ function $SceDelegateProvider() { * match themselves. * - `*`: matches zero or more occurrences of any character other than one of the following 6 * characters: '`:`', '`/`', '`.`', '`?`', '`&`' and '`;`'. It's a useful wildcard for use - * in a whitelist. + * for matching resource URL lists. * - `**`: matches zero or more occurrences of *any* character. As such, it's not * appropriate for use in a scheme, domain, etc. as it would match too much. (e.g. * http://**.example.com/ would match http://evil.com/?ignore=.example.com/ and that might @@ -21431,10 +21535,10 @@ function $TemplateRequestProvider() { handleRequestFn.totalPendingRequests++; // We consider the template cache holds only trusted templates, so - // there's no need to go through whitelisting again for keys that already - // are included in there. This also makes AngularJS accept any script - // directive, no matter its name. However, we still need to unwrap trusted - // types. + // there's no need to go through adding the template again to the trusted + // resources for keys that already are included in there. This also makes + // AngularJS accept any script directive, no matter its name. However, we + // still need to unwrap trusted types. if (!isString(tpl) || isUndefined($templateCache.get(tpl))) { tpl = $sce.getTrustedResourceUrl(tpl); } @@ -21839,20 +21943,20 @@ function urlIsSameOriginAsBaseUrl(requestUrl) { } /** - * Create a function that can check a URL's origin against a list of allowed/whitelisted origins. + * Create a function that can check a URL's origin against a list of allowed/trusted origins. * The current location's origin is implicitly trusted. * - * @param {string[]} whitelistedOriginUrls - A list of URLs (strings), whose origins are trusted. + * @param {string[]} trustedOriginUrls - A list of URLs (strings), whose origins are trusted. * * @returns {Function} - A function that receives a URL (string or parsed URL object) and returns * whether it is of an allowed origin. */ -function urlIsAllowedOriginFactory(whitelistedOriginUrls) { - var parsedAllowedOriginUrls = [originUrl].concat(whitelistedOriginUrls.map(urlResolve)); +function urlIsAllowedOriginFactory(trustedOriginUrls) { + var parsedAllowedOriginUrls = [originUrl].concat(trustedOriginUrls.map(urlResolve)); /** * Check whether the specified URL (string or parsed URL object) has an origin that is allowed - * based on a list of whitelisted-origin URLs. The current location's origin is implicitly + * based on a list of trusted-origin URLs. The current location's origin is implicitly * trusted. * * @param {string|Object} requestUrl - The URL to be checked (provided as a string that will be @@ -29599,9 +29703,9 @@ var ngIfDirective = ['$animate', '$compile', function($animate, $compile) { * By default, the template URL is restricted to the same domain and protocol as the * application document. This is done by calling {@link $sce#getTrustedResourceUrl * $sce.getTrustedResourceUrl} on it. To load templates from other domains or protocols - * you may either {@link ng.$sceDelegateProvider#resourceUrlWhitelist whitelist them} or - * {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to AngularJS's {@link - * ng.$sce Strict Contextual Escaping}. + * you may either add them to your {@link ng.$sceDelegateProvider#trustedResourceUrlList trusted + * resource URL list} or {@link $sce#trustAsResourceUrl wrap them} as trusted values. Refer to + * AngularJS's {@link ng.$sce Strict Contextual Escaping}. * * In addition, the browser's * [Same Origin Policy](https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest) |