From a63d04c96d14e42492ccdba1d7f3d6ec1af022a9 Mon Sep 17 00:00:00 2001 From: Gleb Mazovetskiy Date: Wed, 13 Feb 2019 18:51:58 +0000 Subject: rake update[v4.3.1] --- assets/javascripts/bootstrap/alert.js | 4 +- assets/javascripts/bootstrap/button.js | 4 +- assets/javascripts/bootstrap/carousel.js | 4 +- assets/javascripts/bootstrap/collapse.js | 4 +- assets/javascripts/bootstrap/dropdown.js | 4 +- assets/javascripts/bootstrap/modal.js | 4 +- assets/javascripts/bootstrap/popover.js | 4 +- assets/javascripts/bootstrap/scrollspy.js | 4 +- assets/javascripts/bootstrap/tab.js | 4 +- assets/javascripts/bootstrap/toast.js | 4 +- assets/javascripts/bootstrap/tooltip.js | 165 ++++++++++++++++++++++++++++-- assets/javascripts/bootstrap/util.js | 4 +- 12 files changed, 178 insertions(+), 31 deletions(-) (limited to 'assets/javascripts/bootstrap') diff --git a/assets/javascripts/bootstrap/alert.js b/assets/javascripts/bootstrap/alert.js index 7415327..ce53097 100644 --- a/assets/javascripts/bootstrap/alert.js +++ b/assets/javascripts/bootstrap/alert.js @@ -1,5 +1,5 @@ /*! - * Bootstrap alert.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap alert.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -35,7 +35,7 @@ */ var NAME = 'alert'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.alert'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/button.js b/assets/javascripts/bootstrap/button.js index e906cd8..0c83026 100644 --- a/assets/javascripts/bootstrap/button.js +++ b/assets/javascripts/bootstrap/button.js @@ -1,5 +1,5 @@ /*! - * Bootstrap button.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap button.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -34,7 +34,7 @@ */ var NAME = 'button'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.button'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/carousel.js b/assets/javascripts/bootstrap/carousel.js index f74f819..4ceb87a 100644 --- a/assets/javascripts/bootstrap/carousel.js +++ b/assets/javascripts/bootstrap/carousel.js @@ -1,5 +1,5 @@ /*! - * Bootstrap carousel.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap carousel.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -69,7 +69,7 @@ */ var NAME = 'carousel'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.carousel'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/collapse.js b/assets/javascripts/bootstrap/collapse.js index f5a9356..da00868 100644 --- a/assets/javascripts/bootstrap/collapse.js +++ b/assets/javascripts/bootstrap/collapse.js @@ -1,5 +1,5 @@ /*! - * Bootstrap collapse.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap collapse.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -69,7 +69,7 @@ */ var NAME = 'collapse'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.collapse'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/dropdown.js b/assets/javascripts/bootstrap/dropdown.js index 08c8e51..2d011d7 100644 --- a/assets/javascripts/bootstrap/dropdown.js +++ b/assets/javascripts/bootstrap/dropdown.js @@ -1,5 +1,5 @@ /*! - * Bootstrap dropdown.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap dropdown.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -70,7 +70,7 @@ */ var NAME = 'dropdown'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.dropdown'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/modal.js b/assets/javascripts/bootstrap/modal.js index da13eb2..da25fa1 100644 --- a/assets/javascripts/bootstrap/modal.js +++ b/assets/javascripts/bootstrap/modal.js @@ -1,5 +1,5 @@ /*! - * Bootstrap modal.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap modal.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -69,7 +69,7 @@ */ var NAME = 'modal'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.modal'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/popover.js b/assets/javascripts/bootstrap/popover.js index 19f2e25..2d7023d 100644 --- a/assets/javascripts/bootstrap/popover.js +++ b/assets/javascripts/bootstrap/popover.js @@ -1,5 +1,5 @@ /*! - * Bootstrap popover.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap popover.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -75,7 +75,7 @@ */ var NAME = 'popover'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.popover'; var EVENT_KEY = "." + DATA_KEY; var JQUERY_NO_CONFLICT = $.fn[NAME]; diff --git a/assets/javascripts/bootstrap/scrollspy.js b/assets/javascripts/bootstrap/scrollspy.js index 6658d12..782989a 100644 --- a/assets/javascripts/bootstrap/scrollspy.js +++ b/assets/javascripts/bootstrap/scrollspy.js @@ -1,5 +1,5 @@ /*! - * Bootstrap scrollspy.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap scrollspy.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -69,7 +69,7 @@ */ var NAME = 'scrollspy'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.scrollspy'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/tab.js b/assets/javascripts/bootstrap/tab.js index 3b23bcc..0943521 100644 --- a/assets/javascripts/bootstrap/tab.js +++ b/assets/javascripts/bootstrap/tab.js @@ -1,5 +1,5 @@ /*! - * Bootstrap tab.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap tab.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -35,7 +35,7 @@ */ var NAME = 'tab'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.tab'; var EVENT_KEY = "." + DATA_KEY; var DATA_API_KEY = '.data-api'; diff --git a/assets/javascripts/bootstrap/toast.js b/assets/javascripts/bootstrap/toast.js index 9c268a9..bf805f4 100644 --- a/assets/javascripts/bootstrap/toast.js +++ b/assets/javascripts/bootstrap/toast.js @@ -1,5 +1,5 @@ /*! - * Bootstrap toast.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap toast.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -69,7 +69,7 @@ */ var NAME = 'toast'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.toast'; var EVENT_KEY = "." + DATA_KEY; var JQUERY_NO_CONFLICT = $.fn[NAME]; diff --git a/assets/javascripts/bootstrap/tooltip.js b/assets/javascripts/bootstrap/tooltip.js index b96de60..6a863f8 100644 --- a/assets/javascripts/bootstrap/tooltip.js +++ b/assets/javascripts/bootstrap/tooltip.js @@ -1,5 +1,5 @@ /*! - * Bootstrap tooltip.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap tooltip.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -63,6 +63,127 @@ return target; } + /** + * -------------------------------------------------------------------------- + * Bootstrap (v4.3.1): tools/sanitizer.js + * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) + * -------------------------------------------------------------------------- + */ + var uriAttrs = ['background', 'cite', 'href', 'itemtype', 'longdesc', 'poster', 'src', 'xlink:href']; + var ARIA_ATTRIBUTE_PATTERN = /^aria-[\w-]*$/i; + var DefaultWhitelist = { + // Global attributes allowed on any supplied element below. + '*': ['class', 'dir', 'id', 'lang', 'role', ARIA_ATTRIBUTE_PATTERN], + a: ['target', 'href', 'title', 'rel'], + area: [], + b: [], + br: [], + col: [], + code: [], + div: [], + em: [], + hr: [], + h1: [], + h2: [], + h3: [], + h4: [], + h5: [], + h6: [], + i: [], + img: ['src', 'alt', 'title', 'width', 'height'], + li: [], + ol: [], + p: [], + pre: [], + s: [], + small: [], + span: [], + sub: [], + sup: [], + strong: [], + u: [], + ul: [] + /** + * A pattern that recognizes a commonly useful subset of URLs that are safe. + * + * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts + */ + + }; + var SAFE_URL_PATTERN = /^(?:(?:https?|mailto|ftp|tel|file):|[^&:/?#]*(?:[/?#]|$))/gi; + /** + * A pattern that matches safe data URLs. Only matches image, video and audio types. + * + * Shoutout to Angular 7 https://github.com/angular/angular/blob/7.2.4/packages/core/src/sanitization/url_sanitizer.ts + */ + + var DATA_URL_PATTERN = /^data:(?:image\/(?:bmp|gif|jpeg|jpg|png|tiff|webp)|video\/(?:mpeg|mp4|ogg|webm)|audio\/(?:mp3|oga|ogg|opus));base64,[a-z0-9+/]+=*$/i; + + function allowedAttribute(attr, allowedAttributeList) { + var attrName = attr.nodeName.toLowerCase(); + + if (allowedAttributeList.indexOf(attrName) !== -1) { + if (uriAttrs.indexOf(attrName) !== -1) { + return Boolean(attr.nodeValue.match(SAFE_URL_PATTERN) || attr.nodeValue.match(DATA_URL_PATTERN)); + } + + return true; + } + + var regExp = allowedAttributeList.filter(function (attrRegex) { + return attrRegex instanceof RegExp; + }); // Check if a regular expression validates the attribute. + + for (var i = 0, l = regExp.length; i < l; i++) { + if (attrName.match(regExp[i])) { + return true; + } + } + + return false; + } + + function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) { + if (unsafeHtml.length === 0) { + return unsafeHtml; + } + + if (sanitizeFn && typeof sanitizeFn === 'function') { + return sanitizeFn(unsafeHtml); + } + + var domParser = new window.DOMParser(); + var createdDocument = domParser.parseFromString(unsafeHtml, 'text/html'); + var whitelistKeys = Object.keys(whiteList); + var elements = [].slice.call(createdDocument.body.querySelectorAll('*')); + + var _loop = function _loop(i, len) { + var el = elements[i]; + var elName = el.nodeName.toLowerCase(); + + if (whitelistKeys.indexOf(el.nodeName.toLowerCase()) === -1) { + el.parentNode.removeChild(el); + return "continue"; + } + + var attributeList = [].slice.call(el.attributes); + var whitelistedAttributes = [].concat(whiteList['*'] || [], whiteList[elName] || []); + attributeList.forEach(function (attr) { + if (!allowedAttribute(attr, whitelistedAttributes)) { + el.removeAttribute(attr.nodeName); + } + }); + }; + + for (var i = 0, len = elements.length; i < len; i++) { + var _ret = _loop(i, len); + + if (_ret === "continue") continue; + } + + return createdDocument.body.innerHTML; + } + /** * ------------------------------------------------------------------------ * Constants @@ -70,12 +191,13 @@ */ var NAME = 'tooltip'; - var VERSION = '4.3.0'; + var VERSION = '4.3.1'; var DATA_KEY = 'bs.tooltip'; var EVENT_KEY = "." + DATA_KEY; var JQUERY_NO_CONFLICT = $.fn[NAME]; var CLASS_PREFIX = 'bs-tooltip'; var BSCLS_PREFIX_REGEX = new RegExp("(^|\\s)" + CLASS_PREFIX + "\\S+", 'g'); + var DISALLOWED_ATTRIBUTES = ['sanitize', 'whiteList', 'sanitizeFn']; var DefaultType = { animation: 'boolean', template: 'string', @@ -88,7 +210,10 @@ offset: '(number|string|function)', container: '(string|element|boolean)', fallbackPlacement: '(string|array)', - boundary: '(string|element)' + boundary: '(string|element)', + sanitize: 'boolean', + sanitizeFn: '(null|function)', + whiteList: 'object' }; var AttachmentMap = { AUTO: 'auto', @@ -109,7 +234,10 @@ offset: 0, container: false, fallbackPlacement: 'flip', - boundary: 'scrollParent' + boundary: 'scrollParent', + sanitize: true, + sanitizeFn: null, + whiteList: DefaultWhitelist }; var HoverState = { SHOW: 'show', @@ -426,19 +554,27 @@ }; _proto.setElementContent = function setElementContent($element, content) { - var html = this.config.html; - if (typeof content === 'object' && (content.nodeType || content.jquery)) { // Content is a DOM node or a jQuery - if (html) { + if (this.config.html) { if (!$(content).parent().is($element)) { $element.empty().append(content); } } else { $element.text($(content).text()); } + + return; + } + + if (this.config.html) { + if (this.config.sanitize) { + content = sanitizeHtml(content, this.config.whiteList, this.config.sanitizeFn); + } + + $element.html(content); } else { - $element[html ? 'html' : 'text'](content); + $element.text(content); } }; @@ -606,7 +742,13 @@ }; _proto._getConfig = function _getConfig(config) { - config = _objectSpread({}, this.constructor.Default, $(this.element).data(), typeof config === 'object' && config ? config : {}); + var dataAttributes = $(this.element).data(); + Object.keys(dataAttributes).forEach(function (dataAttr) { + if (DISALLOWED_ATTRIBUTES.indexOf(dataAttr) !== -1) { + delete dataAttributes[dataAttr]; + } + }); + config = _objectSpread({}, this.constructor.Default, dataAttributes, typeof config === 'object' && config ? config : {}); if (typeof config.delay === 'number') { config.delay = { @@ -624,6 +766,11 @@ } Util.typeCheckConfig(NAME, config, this.constructor.DefaultType); + + if (config.sanitize) { + config.template = sanitizeHtml(config.template, config.whiteList, config.sanitizeFn); + } + return config; }; diff --git a/assets/javascripts/bootstrap/util.js b/assets/javascripts/bootstrap/util.js index 3ef0c3b..4b538cb 100644 --- a/assets/javascripts/bootstrap/util.js +++ b/assets/javascripts/bootstrap/util.js @@ -1,5 +1,5 @@ /*! - * Bootstrap util.js v4.3.0 (https://getbootstrap.com/) + * Bootstrap util.js v4.3.1 (https://getbootstrap.com/) * Copyright 2011-2019 The Bootstrap Authors (https://github.com/twbs/bootstrap/graphs/contributors) * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) */ @@ -13,7 +13,7 @@ /** * -------------------------------------------------------------------------- - * Bootstrap (v4.3.0): util.js + * Bootstrap (v4.3.1): util.js * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE) * -------------------------------------------------------------------------- */ -- cgit v1.2.3