Merge remote-tracking branch 'origin/master' into sites

pull/8237/head
Puru Vijay 2 years ago
commit 7d3f565f3f

@ -1,5 +1,10 @@
# Svelte changelog
## Unreleased
* Make `noreferrer` warning less zealous ([#6289](https://github.com/sveltejs/svelte/issues/6289))
* `trusted-types` CSP compatibility for Web Components ([#8134](https://github.com/sveltejs/svelte/issues/8134))
## 3.55.1
* Fix `draw` transition with delay showing a dot at the beginning of the path ([#6816](https://github.com/sveltejs/svelte/issues/6816))

@ -1,4 +1,4 @@
Copyright (c) 2016-22 [these people](https://github.com/sveltejs/svelte/graphs/contributors)
Copyright (c) 2016-23 [these people](https://github.com/sveltejs/svelte/graphs/contributors)
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

@ -621,22 +621,23 @@ export default class Element extends Node {
const name_attribute = attribute_map.get('name');
const target_attribute = attribute_map.get('target');
if (target_attribute && target_attribute.get_static_value() === '_blank' && href_attribute) {
// links with target="_blank" should have noopener or noreferrer: https://developer.chrome.com/docs/lighthouse/best-practices/external-anchors-use-rel-noopener/
// modern browsers add noopener by default, so we only need to check legacy browsers
// legacy browsers don't support noopener so we only check for noreferrer there
if (component.compile_options.legacy && target_attribute && target_attribute.get_static_value() === '_blank' && href_attribute) {
const href_static_value = href_attribute.get_static_value() ? href_attribute.get_static_value().toLowerCase() : null;
if (href_static_value === null || href_static_value.match(/^(https?:)?\/\//i)) {
const rel = attribute_map.get('rel');
if (rel == null || rel.is_static) {
const rel_values = rel ? rel.get_static_value().split(regex_any_repeated_whitespaces) : [];
const expected_values = ['noreferrer'];
expected_values.forEach(expected_value => {
if (!rel || rel && rel_values.indexOf(expected_value) < 0) {
if (!rel || !rel_values.includes('noreferrer')) {
component.warn(this, {
code: `security-anchor-rel-${expected_value}`,
message: `Security: Anchor with "target=_blank" should have rel attribute containing the value "${expected_value}"`
code: 'security-anchor-rel-noreferrer',
message:
'Security: Anchor with "target=_blank" should have rel attribute containing the value "noreferrer"'
});
}
});
}
}
}
}
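Review bot: Gating the whole check on `component.compile_options.legacy` means a build compiled without that option gets no warning at all for external `target="_blank"` links, although the option describes how the component was compiled, not which browsers will load it. The comment above the condition records the assumption that modern browsers imply `noopener`, but it should also say what is now left unchecked, for example `// without the legacy option nothing is reported; apps that still serve browsers lacking implicit noopener must set rel themselves`. If the option is documented elsewhere, that text should presumably carry the same caveat. The enclosing method starts and ends outside this hunk.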

@ -531,7 +531,10 @@ export default function dom(
constructor(options) {
super();
${css.code && b`this.shadowRoot.innerHTML = \`<style>${css.code.replace(regex_backslashes, '\\\\')}${css_sourcemap_enabled && options.dev ? `\n/*# sourceMappingURL=${css.map.toUrl()} */` : ''}</style>\`;`}
${css.code && b`
const style = document.createElement('style');
style.textContent = \`${css.code.replace(regex_backslashes, '\\\\')}${css_sourcemap_enabled && options.dev ? `\n/*# sourceMappingURL=${css.map.toUrl()} */` : ''}\`
this.shadowRoot.appendChild(style)`}
@init(this, { target: this.shadowRoot, props: ${init_props}, customElement: true }, ${definition}, ${has_create_fragment ? 'create_fragment' : 'null'}, ${not_equal}, ${prop_indexes}, null, ${dirty});
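Review bot: Only backslashes are escaped before `css.code` is spliced into the template literal assigned to `style.textContent`, so a backtick or a `${` sequence in a component's CSS would, as far as this hunk shows, end or interpolate that literal in the emitted constructor. The old `innerHTML` line had the same gap, so it is carried over rather than introduced, but this rewrite is the natural place to close it. Either escape those two sequences alongside the backslash replace, or emit the CSS as a quoted string literal instead of a template literal. At minimum record the limitation next to the assignment, e.g. `// only backslashes are escaped; a backtick or "${" in css.code breaks this literal`. The surrounding `dom()` function starts and ends outside the hunk.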

@ -34,7 +34,9 @@ function create_fragment(ctx) {
class Component extends SvelteElement {
constructor(options) {
super();
this.shadowRoot.innerHTML = `<style>div{animation:foo 1s}@keyframes foo{0%{opacity:0}100%{opacity:1}}</style>`;
const style = document.createElement('style');
style.textContent = `div{animation:foo 1s}@keyframes foo{0%{opacity:0}100%{opacity:1}}`;
this.shadowRoot.appendChild(style);
init(
this,

@ -0,0 +1,33 @@
<a href="https://svelte.dev" target="_blank">svelte website (invalid)</a>
<a href="https://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="https://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<a href={'https://svelte.dev'} target="_blank">svelte website (invalid)</a>
<a href={'https://svelte.dev'} target="_blank" rel="">svelte website (invalid)</a>
<a href={'https://svelte.dev'} target="_blank" rel="noopener">svelte website (invalid)</a>
<a href="//svelte.dev" target="_blank">svelte website (invalid)</a>
<a href="//svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="//svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<a href="http://svelte.dev" target="_blank">svelte website (invalid)</a>
<a href="http://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="http://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<a href="HTTP://svelte.dev" target="_blank">svelte website (invalid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="">svelte website (invalid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noopener">svelte website (invalid)</a>
<a href={'HTTPS://svelte.dev'} target="_blank">svelte website (invalid)</a>
<a href={'HTTPS://svelte.dev'} target="_blank" rel="">svelte website (invalid)</a>
<a href={'HTTPS://svelte.dev'} target="_blank" rel="noopener">svelte website (invalid)</a>
<a href="same-host" target="_blank">Same host (valid)</a>
<a href="same-host" target="_blank" rel="">Same host (valid)</a>
<a href="same-host" target="_blank" rel="noopener">Same host (valid)</a>
<a href="http://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="http://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="HTTP://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="https://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="https://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="HTTPS://svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer">svelte website (valid)</a>
<a href="//svelte.dev" target="_blank" rel="noreferrer noopener">svelte website (valid)</a>
<!-- dynamic rel value should not warn-->
<a href="//svelte.dev" target="_blank" rel={`${Math.random()}`}>svelte website (valid)</a>
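Review bot: Every sample uses lower-case `rel` tokens, so nothing here pins how the check treats `rel="NoReferrer"` or `rel="NOREFERRER"`. HTML link types are ASCII case-insensitive, and the case-sensitive `rel_values.includes('noreferrer')` shown in the validator hunk on this page would presumably report those as missing. Add a line such as `<a href="https://svelte.dev" target="_blank" rel="NoReferrer">svelte website (valid)</a>` with the matching expectation, or lower-case the rel value in the validator before splitting. A sample whose `rel` values are separated by a tab or newline would also exercise the whitespace split.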