diff --git a/services/static-webserver/client/Manifest.json b/services/static-webserver/client/Manifest.json index 743a52c5c2fb..d0d68756545c 100644 --- a/services/static-webserver/client/Manifest.json +++ b/services/static-webserver/client/Manifest.json @@ -30,7 +30,7 @@ "jsondiffpatch/jsondiffpatch-0.7.3.min.js", "jsontreeviewer/jsonTree.js", "marked/marked.min.js", - "DOMPurify/purify.min.js" + "DOMPurify/purify-3.2.7.min.js" ], "css": [ "jsontreeviewer/jsonTree.css", diff --git a/services/static-webserver/client/source/class/osparc/dashboard/FolderButtonNew.js b/services/static-webserver/client/source/class/osparc/dashboard/FolderButtonNew.js index 42bdb7128b44..7438fa7da245 100644 --- a/services/static-webserver/client/source/class/osparc/dashboard/FolderButtonNew.js +++ b/services/static-webserver/client/source/class/osparc/dashboard/FolderButtonNew.js @@ -61,7 +61,6 @@ qx.Class.define("osparc.dashboard.FolderButtonNew", { control = new qx.ui.basic.Label(this.tr("New folder")).set({ anonymous: true, font: "text-14", - rich: true, }); this._add(control, { ...osparc.dashboard.FolderButtonBase.POS.TITLE, diff --git a/services/static-webserver/client/source/class/osparc/dashboard/GridButtonBase.js b/services/static-webserver/client/source/class/osparc/dashboard/GridButtonBase.js index 1a97ff977761..b92f5fde7051 100644 --- a/services/static-webserver/client/source/class/osparc/dashboard/GridButtonBase.js +++ b/services/static-webserver/client/source/class/osparc/dashboard/GridButtonBase.js @@ -188,9 +188,10 @@ qx.Class.define("osparc.dashboard.GridButtonBase", { break; } case "title": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ textColor: "contrasted-text-light", font: "text-14", + rich: false, // do not allow multi-line titles }); layout = this.getChildControl("header"); layout.add(control, this.self().HPOS.TITLE); @@ -205,12 +206,11 @@ qx.Class.define("osparc.dashboard.GridButtonBase", { break; } case "subtitle-text": { - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ textColor: "contrasted-text-dark", alignY: "middle", allowGrowX: true, allowShrinkX: true, - rich: true, anonymous: true, font: "text-12", allowGrowY: false diff --git a/services/static-webserver/client/source/class/osparc/dashboard/GridButtonTaskPlaceholder.js b/services/static-webserver/client/source/class/osparc/dashboard/GridButtonTaskPlaceholder.js index b1a3d1896301..a88ba42c98e4 100644 --- a/services/static-webserver/client/source/class/osparc/dashboard/GridButtonTaskPlaceholder.js +++ b/services/static-webserver/client/source/class/osparc/dashboard/GridButtonTaskPlaceholder.js @@ -62,11 +62,10 @@ qx.Class.define("osparc.dashboard.GridButtonTaskPlaceholder", { let layout; switch (id) { case "state-label": { - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ textColor: "contrasted-text-dark", allowGrowX: true, allowShrinkX: true, - rich: true, anonymous: true, font: "text-12", allowGrowY: true, diff --git a/services/static-webserver/client/source/class/osparc/dashboard/GroupedCardContainer.js b/services/static-webserver/client/source/class/osparc/dashboard/GroupedCardContainer.js index 61dc00ff91dd..bab1eb7bc897 100644 --- a/services/static-webserver/client/source/class/osparc/dashboard/GroupedCardContainer.js +++ b/services/static-webserver/client/source/class/osparc/dashboard/GroupedCardContainer.js @@ -101,10 +101,12 @@ qx.Class.define("osparc.dashboard.GroupedCardContainer", { allowGrowX: false }); control.getChildControl("icon").set(osparc.utils.Utils.getThumbnailProps(32)); - control.getChildControl("label").set({ + const atomLabel = control.getChildControl("label"); + atomLabel.set({ rich: true, wrap: true - }) + }); + osparc.wrapper.DOMPurify.sanitizeLabel(atomLabel); control.getContentElement().setStyles({ "border-top-left-radius": "4px", "border-top-right-radius": "4px" diff --git a/services/static-webserver/client/source/class/osparc/dashboard/ListButtonBase.js b/services/static-webserver/client/source/class/osparc/dashboard/ListButtonBase.js index e8fa47dc9bf6..79d650e40885 100644 --- a/services/static-webserver/client/source/class/osparc/dashboard/ListButtonBase.js +++ b/services/static-webserver/client/source/class/osparc/dashboard/ListButtonBase.js @@ -75,12 +75,11 @@ qx.Class.define("osparc.dashboard.ListButtonBase", { break; } case "title": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ textColor: "contrasted-text-light", font: "text-14", alignY: "middle", maxWidth: 300, - rich: true, }); this._add(control, { row: 0, diff --git a/services/static-webserver/client/source/class/osparc/desktop/credits/CreditsServiceListItem.js b/services/static-webserver/client/source/class/osparc/desktop/credits/CreditsServiceListItem.js index 0e5181f56317..cfc2d700cb0d 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/credits/CreditsServiceListItem.js +++ b/services/static-webserver/client/source/class/osparc/desktop/credits/CreditsServiceListItem.js @@ -93,12 +93,11 @@ qx.Class.define("osparc.desktop.credits.CreditsServiceListItem", { break; } case "title": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-12", alignY: "middle", maxWidth: 200, allowGrowX: true, - rich: true, }); this._add(control, this.self().GRID.NAME); break; diff --git a/services/static-webserver/client/source/class/osparc/desktop/organizations/ServicesList.js b/services/static-webserver/client/source/class/osparc/desktop/organizations/ServicesList.js index d7eba64172a7..269554353c5f 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/organizations/ServicesList.js +++ b/services/static-webserver/client/source/class/osparc/desktop/organizations/ServicesList.js @@ -47,7 +47,6 @@ qx.Class.define("osparc.desktop.organizations.ServicesList", { const intro = new qx.ui.basic.Label().set({ value: msg, alignX: "left", - rich: true, font: "text-13" }); return intro; diff --git a/services/static-webserver/client/source/class/osparc/desktop/organizations/TutorialsList.js b/services/static-webserver/client/source/class/osparc/desktop/organizations/TutorialsList.js index 4ef1dabf6f5c..83404ee73683 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/organizations/TutorialsList.js +++ b/services/static-webserver/client/source/class/osparc/desktop/organizations/TutorialsList.js @@ -47,7 +47,6 @@ qx.Class.define("osparc.desktop.organizations.TutorialsList", { const intro = new qx.ui.basic.Label().set({ value: msg, alignX: "left", - rich: true, font: "text-13" }); return intro; diff --git a/services/static-webserver/client/source/class/osparc/desktop/preferences/pages/TagsPage.js b/services/static-webserver/client/source/class/osparc/desktop/preferences/pages/TagsPage.js index 76e0bcf3b219..f2e24e401f30 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/preferences/pages/TagsPage.js +++ b/services/static-webserver/client/source/class/osparc/desktop/preferences/pages/TagsPage.js @@ -23,6 +23,8 @@ qx.Class.define("osparc.desktop.preferences.pages.TagsPage", { Once the tags are created, they can be assigned to the ") + studyLabel + this.tr(" via 'More options...' on the ") + studyLabel + this.tr(" cards."); const intro = new qx.ui.basic.Label(msg).set({ font: "text-13", + rich: true, + wrap: true }); this._add(intro); diff --git a/services/static-webserver/client/source/class/osparc/desktop/preferences/window/APIKeyBase.js b/services/static-webserver/client/source/class/osparc/desktop/preferences/window/APIKeyBase.js index 7fab9c5af019..74e84f31c88e 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/preferences/window/APIKeyBase.js +++ b/services/static-webserver/client/source/class/osparc/desktop/preferences/window/APIKeyBase.js @@ -37,10 +37,9 @@ qx.Class.define("osparc.desktop.preferences.window.APIKeyBase", { members: { __addInfoText: function(infoText) { - const introLabel = new qx.ui.basic.Label(infoText).set({ + const introLabel = new osparc.ui.basic.SafeLabel(infoText).set({ paddingLeft: 5, paddingRight: 5, - rich: true }); this.add(introLabel); } diff --git a/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletListItem.js b/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletListItem.js index 5fe1cd5324bd..c515ab3dc1e9 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletListItem.js +++ b/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletListItem.js @@ -95,9 +95,8 @@ qx.Class.define("osparc.desktop.wallets.WalletListItem", { }); break; case "subtitle": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-13", - rich: true }); this._add(control, { row: 1, diff --git a/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletsList.js b/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletsList.js index e20e73003f3c..08094d1b3206 100644 --- a/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletsList.js +++ b/services/static-webserver/client/source/class/osparc/desktop/wallets/WalletsList.js @@ -215,10 +215,9 @@ qx.Class.define("osparc.desktop.wallets.WalletsList", { __createHeader: function(label, showCurrently) { const header = new qx.ui.container.Composite(new qx.ui.layout.HBox()); - const userWallets = new qx.ui.basic.Label().set({ + const userWallets = new osparc.ui.basic.SafeLabel().set({ value: label, alignX: "left", - rich: true, font: "text-14" }); header.add(userWallets); diff --git a/services/static-webserver/client/source/class/osparc/editor/ThumbnailEditor.js b/services/static-webserver/client/source/class/osparc/editor/ThumbnailEditor.js index c345b3762637..7f21e8f3d42b 100644 --- a/services/static-webserver/client/source/class/osparc/editor/ThumbnailEditor.js +++ b/services/static-webserver/client/source/class/osparc/editor/ThumbnailEditor.js @@ -61,17 +61,6 @@ qx.Class.define("osparc.editor.ThumbnailEditor", { "cancel": "qx.event.type.Event" }, - statics: { - sanitizeUrl: function(dirty) { - const clean = osparc.wrapper.DOMPurify.getInstance().sanitize(dirty); - if ((dirty && dirty !== clean) || (clean !== "" && !osparc.utils.Utils.isValidHttpUrl(clean))) { - osparc.FlashMessenger.logAs(qx.locale.Manager.tr("Error checking link"), "WARNING"); - return null; - } - return clean; - } - }, - members: { _createChildControlImpl: function(id) { let control; @@ -125,7 +114,7 @@ qx.Class.define("osparc.editor.ThumbnailEditor", { }); control.addListener("execute", () => { const urlField = this.getChildControl("url-field"); - const validUrl = this.self().sanitizeUrl(urlField.getValue()); + const validUrl = osparc.wrapper.DOMPurify.sanitizeUrl(urlField.getValue()); if (validUrl) { this.fireDataEvent("updateThumbnail", validUrl); } diff --git a/services/static-webserver/client/source/class/osparc/file/FolderContent.js b/services/static-webserver/client/source/class/osparc/file/FolderContent.js index 45bd8e854517..3c408a84f913 100644 --- a/services/static-webserver/client/source/class/osparc/file/FolderContent.js +++ b/services/static-webserver/client/source/class/osparc/file/FolderContent.js @@ -67,13 +67,15 @@ qx.Class.define("osparc.file.FolderContent", { height: 80, padding: 2 }); - item.getChildControl("label").set({ + const toggleLabel = item.getChildControl("label"); + toggleLabel.set({ font: "text-12", rich: true, textAlign: "center", maxWidth: 100, maxHeight: 33 // two lines }); + osparc.wrapper.DOMPurify.sanitizeLabel(toggleLabel); osparc.utils.Utils.setIdToWidget(item, "FolderViewerItem"); return item; }, diff --git a/services/static-webserver/client/source/class/osparc/form/tag/TagItem.js b/services/static-webserver/client/source/class/osparc/form/tag/TagItem.js index 0f886b1ef235..4acd72e50f11 100644 --- a/services/static-webserver/client/source/class/osparc/form/tag/TagItem.js +++ b/services/static-webserver/client/source/class/osparc/form/tag/TagItem.js @@ -104,8 +104,7 @@ qx.Class.define("osparc.form.tag.TagItem", { this.bind("color", control, "color"); break; case "description": - control = new qx.ui.basic.Label().set({ - rich: true, + control = new osparc.ui.basic.SafeLabel().set({ allowGrowX: true, alignY: "middle", }); diff --git a/services/static-webserver/client/source/class/osparc/info/ServiceUtils.js b/services/static-webserver/client/source/class/osparc/info/ServiceUtils.js index 54b44fa0cc8c..b239fe047e78 100644 --- a/services/static-webserver/client/source/class/osparc/info/ServiceUtils.js +++ b/services/static-webserver/client/source/class/osparc/info/ServiceUtils.js @@ -101,8 +101,7 @@ qx.Class.define("osparc.info.ServiceUtils", { * @param serviceData {Object} Serialized Service Object */ createAuthors: function(serviceData) { - const authors = new qx.ui.basic.Label().set({ - rich: true, + const authors = new osparc.ui.basic.SafeLabel().set({ wrap: true, maxWidth: 220, }); diff --git a/services/static-webserver/client/source/class/osparc/info/Utils.js b/services/static-webserver/client/source/class/osparc/info/Utils.js index 44670e55e576..e01cb4001ff7 100644 --- a/services/static-webserver/client/source/class/osparc/info/Utils.js +++ b/services/static-webserver/client/source/class/osparc/info/Utils.js @@ -21,10 +21,9 @@ qx.Class.define("osparc.info.Utils", { statics: { createTitle: function() { - const label = new qx.ui.basic.Label().set({ + const label = new osparc.ui.basic.SafeLabel().set({ font: "text-14", maxWidth: 600, - rich: true, wrap: true }); return label; diff --git a/services/static-webserver/client/source/class/osparc/navigation/CreditsMenuButton.js b/services/static-webserver/client/source/class/osparc/navigation/CreditsMenuButton.js deleted file mode 100644 index 6cf7bf67e5b5..000000000000 --- a/services/static-webserver/client/source/class/osparc/navigation/CreditsMenuButton.js +++ /dev/null @@ -1,115 +0,0 @@ -/* ************************************************************************ - - osparc - the simcore frontend - - https://osparc.io - - Copyright: - 2023 IT'IS Foundation, https://itis.swiss - - License: - MIT: https://opensource.org/licenses/MIT - - Authors: - * Odei Maiz (odeimaiz) - -************************************************************************ */ - -qx.Class.define("osparc.navigation.CreditsMenuButton", { - extend: qx.ui.form.Button, - - construct: function() { - this.base(arguments); - - this.set({ - font: "text-16", - padding: 1, - paddingLeft: 8, - paddingRight: 8, - marginTop: 4, - marginBottom: 4, - rich: true - }); - - this.getChildControl("label").set({ - textAlign: "right" - }); - this.getContentElement().setStyle("line-height", 1.2); - - const preferencesSettings = osparc.Preferences.getInstance(); - preferencesSettings.addListener("changeWalletIndicatorVisibility", () => this.__computeVisibility()); - preferencesSettings.addListener("changeCreditsWarningThreshold", () => this.__updateCredits()); - - const store = osparc.store.Store.getInstance(); - this.__contextWalletChanged(store.getContextWallet()); - store.addListener("changeContextWallet", () => this.__contextWalletChanged()); - - this.addListener("execute", () => { - const walletsEnabled = osparc.desktop.credits.Utils.areWalletsEnabled(); - if (walletsEnabled) { - osparc.desktop.credits.BillingCenterWindow.openWindow(); - } - }, this); - }, - - properties: { - currentUsage: { - check: "osparc.desktop.credits.CurrentUsage", - init: null, - nullable: true, - apply: "__applyCurrentUsage" - } - }, - - members: { - __applyCurrentUsage: function(currentUsage) { - if (currentUsage) { - currentUsage.addListener("changeUsedCredits", () => { - this.__updateCredits(); - }); - } - }, - - __contextWalletChanged: function() { - const store = osparc.store.Store.getInstance(); - const wallet = store.getContextWallet(); - if (wallet) { - this.__updateCredits(); - wallet.addListener("changeCreditsAvailable", () => this.__updateCredits()); - } - }, - - __updateCredits: function() { - const store = osparc.store.Store.getInstance(); - const wallet = store.getContextWallet(); - if (wallet) { - let text = "-"; - const creditsLeft = wallet.getCreditsAvailable(); - if (creditsLeft !== null) { - text = "CREDITS
"; - let nCreditsText = ""; - nCreditsText += osparc.desktop.credits.Utils.creditsToFixed(creditsLeft); - text += `${nCreditsText}`; - } - this.set({ - label: text, - textColor: osparc.desktop.credits.Utils.creditsToColor(creditsLeft, "text") - }); - } - this.__computeVisibility(); - }, - - __computeVisibility: function() { - const store = osparc.store.Store.getInstance(); - const preferencesSettings = osparc.Preferences.getInstance(); - if (preferencesSettings.getWalletIndicatorVisibility() === "warning") { - const wallet = store.getContextWallet(); - if (wallet) { - this.setVisibility(wallet.getCreditsAvailable() <= preferencesSettings.getCreditsWarningThreshold() ? "visible" : "excluded"); - } - } else if (preferencesSettings.getWalletIndicatorVisibility() === "always") { - this.setVisibility("visible"); - } - } - } -}); diff --git a/services/static-webserver/client/source/class/osparc/notification/NotificationUI.js b/services/static-webserver/client/source/class/osparc/notification/NotificationUI.js index 731b632db3a4..5e10ea1838fa 100644 --- a/services/static-webserver/client/source/class/osparc/notification/NotificationUI.js +++ b/services/static-webserver/client/source/class/osparc/notification/NotificationUI.js @@ -77,9 +77,8 @@ qx.Class.define("osparc.notification.NotificationUI", { }); break; case "title": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-13", - rich: true, wrap: true }); this._add(control, { @@ -88,9 +87,8 @@ qx.Class.define("osparc.notification.NotificationUI", { }); break; case "text": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-12", - rich: true, wrap: true }); this._add(control, { @@ -99,9 +97,8 @@ qx.Class.define("osparc.notification.NotificationUI", { }); break; case "date": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-11", - rich: true, wrap: true }); this._add(control, { diff --git a/services/static-webserver/client/source/class/osparc/product/quickStart/Utils.js b/services/static-webserver/client/source/class/osparc/product/quickStart/Utils.js index 2af3ce668689..c14fec627387 100644 --- a/services/static-webserver/client/source/class/osparc/product/quickStart/Utils.js +++ b/services/static-webserver/client/source/class/osparc/product/quickStart/Utils.js @@ -52,8 +52,7 @@ qx.Class.define("osparc.product.quickStart.Utils", { }, createTitle: function(title) { - const label = new qx.ui.basic.Label(title).set({ - rich: true, + const label = new osparc.ui.basic.SafeLabel().set({ font: "text-14" }); if (title) { @@ -63,8 +62,7 @@ qx.Class.define("osparc.product.quickStart.Utils", { }, createLabel: function(text) { - const label = new qx.ui.basic.Label().set({ - rich: true, + const label = new osparc.ui.basic.SafeLabel().set({ wrap: true, selectable: true, font: "text-14" diff --git a/services/static-webserver/client/source/class/osparc/share/RequestServiceAccess.js b/services/static-webserver/client/source/class/osparc/share/RequestServiceAccess.js index c80121093d99..a2bc01f92967 100644 --- a/services/static-webserver/client/source/class/osparc/share/RequestServiceAccess.js +++ b/services/static-webserver/client/source/class/osparc/share/RequestServiceAccess.js @@ -61,7 +61,6 @@ qx.Class.define("osparc.share.RequestServiceAccess", { const userGroupId = cantReadServiceData["owner"]; if (userGroupId) { const userName = new qx.ui.basic.Label().set({ - rich: true, selectable: true, }); layout.add(userName, { @@ -69,7 +68,6 @@ qx.Class.define("osparc.share.RequestServiceAccess", { column: 0 }); const email = new qx.ui.basic.Label().set({ - rich: true, selectable: true, }); layout.add(email, { @@ -78,7 +76,6 @@ qx.Class.define("osparc.share.RequestServiceAccess", { }); const appLabel = new qx.ui.basic.Label().set({ value: `${cantReadServiceData["key"]}:${osparc.service.Utils.extractVersionDisplay(cantReadServiceData["release"])}`, - rich: true, selectable: true, }); layout.add(appLabel, { diff --git a/services/static-webserver/client/source/class/osparc/ui/basic/LinkLabel.js b/services/static-webserver/client/source/class/osparc/ui/basic/LinkLabel.js index 5a44617d4d08..915653b0bdc7 100644 --- a/services/static-webserver/client/source/class/osparc/ui/basic/LinkLabel.js +++ b/services/static-webserver/client/source/class/osparc/ui/basic/LinkLabel.js @@ -29,13 +29,12 @@ */ qx.Class.define("osparc.ui.basic.LinkLabel", { - extend: qx.ui.basic.Label, + extend: osparc.ui.basic.SafeLabel, construct: function(label, url) { this.base(arguments, label); this.set({ - rich: true, allowGrowX: true }); diff --git a/services/static-webserver/client/source/class/osparc/ui/basic/SafeLabel.js b/services/static-webserver/client/source/class/osparc/ui/basic/SafeLabel.js new file mode 100644 index 000000000000..608a923bb6e0 --- /dev/null +++ b/services/static-webserver/client/source/class/osparc/ui/basic/SafeLabel.js @@ -0,0 +1,46 @@ +/* ************************************************************************ + + osparc - the simcore frontend + + https://osparc.io + + Copyright: + 2025 IT'IS Foundation, https://itis.swiss + + License: + MIT: https://opensource.org/licenses/MIT + + Authors: + * Odei Maiz (odeimaiz) + +************************************************************************ */ + +/** + * A Label that sanitizes its value to avoid XSS attacks + */ + +qx.Class.define("osparc.ui.basic.SafeLabel", { + extend: qx.ui.basic.Label, + + construct() { + this.base(arguments); + + this.set({ + rich: true, + }); + + this.addListener("changeValue", this._onChangeValue, this); + }, + + members: { + _onChangeValue(e) { + const val = e.getData(); + if (typeof val === "string") { + const sanitized = osparc.wrapper.DOMPurify.sanitize(val); + if (sanitized !== val) { + this.setValue(sanitized); + } + } + } + } +}); diff --git a/services/static-webserver/client/source/class/osparc/ui/form/renderer/DoubleV.js b/services/static-webserver/client/source/class/osparc/ui/form/renderer/DoubleV.js index 4f6ae4e9c2a3..910c495403a2 100644 --- a/services/static-webserver/client/source/class/osparc/ui/form/renderer/DoubleV.js +++ b/services/static-webserver/client/source/class/osparc/ui/form/renderer/DoubleV.js @@ -167,13 +167,12 @@ qx.Class.define("osparc.ui.form.renderer.DoubleV", { * @param name {String} The content of the label without the * trailing * and : * @param item {qx.ui.core.Widget} The item, which has the required state. - * @return {qx.ui.basic.Label} The label for the given item. + * @return {osparc.ui.basic.SafeLabel} The label for the given item. */ _createLabel: function(name, item) { - const label = new qx.ui.basic.Label(this._createLabelText(name, item)); + const label = new osparc.ui.basic.SafeLabel(this._createLabelText(name, item)); // store labels for disposal this._labels.push(label); - label.setRich(true); return label; }, diff --git a/services/static-webserver/client/source/class/osparc/ui/list/ListItem.js b/services/static-webserver/client/source/class/osparc/ui/list/ListItem.js index 2c8f661ef6b0..0cc947dff904 100644 --- a/services/static-webserver/client/source/class/osparc/ui/list/ListItem.js +++ b/services/static-webserver/client/source/class/osparc/ui/list/ListItem.js @@ -154,10 +154,9 @@ qx.Class.define("osparc.ui.list.ListItem", { }); break; case "title": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-14", selectable: true, - rich: true, }); this._add(control, { row: 0, @@ -165,10 +164,9 @@ qx.Class.define("osparc.ui.list.ListItem", { }); break; case "subtitle": - control = new qx.ui.basic.Label().set({ + control = new osparc.ui.basic.SafeLabel().set({ font: "text-13", selectable: true, - rich: true, }); this._add(control, { row: 1, diff --git a/services/static-webserver/client/source/class/osparc/ui/markdown/Markdown.js b/services/static-webserver/client/source/class/osparc/ui/markdown/Markdown.js index 765f6287c47e..44380919f06f 100644 --- a/services/static-webserver/client/source/class/osparc/ui/markdown/Markdown.js +++ b/services/static-webserver/client/source/class/osparc/ui/markdown/Markdown.js @@ -106,7 +106,7 @@ qx.Class.define("osparc.ui.markdown.Markdown", { const html = marked.parse(value); - const safeHtml = osparc.wrapper.DOMPurify.getInstance().sanitize(html); + const safeHtml = osparc.wrapper.DOMPurify.sanitize(html); this.setHtml(safeHtml); // for some reason the content is not immediately there diff --git a/services/static-webserver/client/source/class/osparc/ui/markdown/MarkdownChat.js b/services/static-webserver/client/source/class/osparc/ui/markdown/MarkdownChat.js index a27463a05d35..453e5c12460d 100644 --- a/services/static-webserver/client/source/class/osparc/ui/markdown/MarkdownChat.js +++ b/services/static-webserver/client/source/class/osparc/ui/markdown/MarkdownChat.js @@ -114,7 +114,7 @@ qx.Class.define("osparc.ui.markdown.MarkdownChat", { const html = marked.parse(value); - const safeHtml = osparc.wrapper.DOMPurify.getInstance().sanitize(html); + const safeHtml = osparc.wrapper.DOMPurify.sanitize(html); // flow-root prevents margin collapsing; inline style avoids extra stylesheet juggling const max = this.getMeasurerMaxWidth() || 220; diff --git a/services/static-webserver/client/source/class/osparc/widget/PreparingInputs.js b/services/static-webserver/client/source/class/osparc/widget/PreparingInputs.js index 511e62297820..d2d3c13d94e6 100644 --- a/services/static-webserver/client/source/class/osparc/widget/PreparingInputs.js +++ b/services/static-webserver/client/source/class/osparc/widget/PreparingInputs.js @@ -28,7 +28,6 @@ qx.Class.define("osparc.widget.PreparingInputs", { const text = this.tr("To proceed, we need to prepare some inputs. You can check the progress logs here:"); const title = new qx.ui.basic.Label(text).set({ font: "text-14", - rich: true }); this._add(title); diff --git a/services/static-webserver/client/source/class/osparc/workbench/NodeUI.js b/services/static-webserver/client/source/class/osparc/workbench/NodeUI.js index a4c381eb948d..6d7cc8e42861 100644 --- a/services/static-webserver/client/source/class/osparc/workbench/NodeUI.js +++ b/services/static-webserver/client/source/class/osparc/workbench/NodeUI.js @@ -73,6 +73,7 @@ qx.Class.define("osparc.workbench.NodeUI", { rich: true, cursor: "move" }); + osparc.wrapper.DOMPurify.sanitizeLabel(captionTitle); this.__nodeMoving = false; diff --git a/services/static-webserver/client/source/class/osparc/wrapper/DOMPurify.js b/services/static-webserver/client/source/class/osparc/wrapper/DOMPurify.js index 83daf3df7e48..3aa1f4550d7f 100644 --- a/services/static-webserver/client/source/class/osparc/wrapper/DOMPurify.js +++ b/services/static-webserver/client/source/class/osparc/wrapper/DOMPurify.js @@ -16,7 +16,7 @@ ************************************************************************ */ /** - * @asset(DOMPurify/purify.min.js) + * @asset(DOMPurify/purify-3.2.7.min.js) * @ignore(DOMPurify) */ @@ -34,7 +34,30 @@ qx.Class.define("osparc.wrapper.DOMPurify", { statics: { NAME: "DOMPurify", VERSION: "2.0.0", - URL: "https://github.com/cure53/DOMPurify" + URL: "https://github.com/cure53/DOMPurify", + + sanitizeUrl: function(url) { + const clean = osparc.wrapper.DOMPurify.getInstance().sanitize(url); + if ((url && url !== clean) || (clean !== "" && !osparc.utils.Utils.isValidHttpUrl(clean))) { + osparc.FlashMessenger.logAs(qx.locale.Manager.tr("Error checking link"), "WARNING"); + return null; + } + return clean; + }, + + sanitize: function(html) { + return osparc.wrapper.DOMPurify.getInstance().sanitize(html); + }, + + sanitizeLabel: function(label) { + label.addListener("changeValue", e => { + const val = e.getData(); + const sanitized = osparc.wrapper.DOMPurify.sanitize(val); + if (sanitized !== val) { + label.setValue(sanitized); + } + }); + }, }, construct: function() { @@ -50,12 +73,10 @@ qx.Class.define("osparc.wrapper.DOMPurify", { }, members: { - __diffPatcher: null, - init: function() { // initialize the script loading - let purifyPath = "DOMPurify/purify.min.js"; - let dynLoader = new qx.util.DynamicScriptLoader([ + const purifyPath = "DOMPurify/purify-3.2.7.min.js"; + const dynLoader = new qx.util.DynamicScriptLoader([ purifyPath ]); diff --git a/services/static-webserver/client/source/resource/DOMPurify/purify-3.2.7.min.js b/services/static-webserver/client/source/resource/DOMPurify/purify-3.2.7.min.js new file mode 100644 index 000000000000..62b30a9d8492 --- /dev/null +++ b/services/static-webserver/client/source/resource/DOMPurify/purify-3.2.7.min.js @@ -0,0 +1,3 @@ +/*! @license DOMPurify 3.2.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.7/LICENSE */ +!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e="undefined"!=typeof globalThis?globalThis:e||self).DOMPurify=t()}(this,(function(){"use strict";const{entries:e,setPrototypeOf:t,isFrozen:n,getPrototypeOf:o,getOwnPropertyDescriptor:r}=Object;let{freeze:i,seal:a,create:l}=Object,{apply:c,construct:s}="undefined"!=typeof Reflect&&Reflect;i||(i=function(e){return e}),a||(a=function(e){return e}),c||(c=function(e,t){for(var n=arguments.length,o=new Array(n>2?n-2:0),r=2;r1?t-1:0),o=1;o1?n-1:0),r=1;r2&&void 0!==arguments[2]?arguments[2]:h;t&&t(e,null);let i=o.length;for(;i--;){let t=o[i];if("string"==typeof t){const e=r(t);e!==t&&(n(o)||(o[i]=e),t=e)}e[t]=!0}return e}function O(e){for(let t=0;t/gm),G=a(/\$\{[\w\W]*/gm),Y=a(/^data-[\-\w.\u00B7-\uFFFF]+$/),j=a(/^aria-[\-\w]+$/),X=a(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),q=a(/^(?:\w+script|data):/i),$=a(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),K=a(/^html$/i),V=a(/^[a-z][.\w]*(-[.\w]+)+$/i);var Z=Object.freeze({__proto__:null,ARIA_ATTR:j,ATTR_WHITESPACE:$,CUSTOM_ELEMENT:V,DATA_ATTR:Y,DOCTYPE_NAME:K,ERB_EXPR:W,IS_ALLOWED_URI:X,IS_SCRIPT_OR_DATA:q,MUSTACHE_EXPR:B,TMPLIT_EXPR:G});const J=1,Q=3,ee=7,te=8,ne=9,oe=function(){return"undefined"==typeof window?null:window};var re=function t(){let n=arguments.length>0&&void 0!==arguments[0]?arguments[0]:oe();const o=e=>t(e);if(o.version="3.2.7",o.removed=[],!n||!n.document||n.document.nodeType!==ne||!n.Element)return o.isSupported=!1,o;let{document:r}=n;const a=r,c=a.currentScript,{DocumentFragment:s,HTMLTemplateElement:N,Node:w,Element:O,NodeFilter:B,NamedNodeMap:W=n.NamedNodeMap||n.MozNamedAttrMap,HTMLFormElement:G,DOMParser:Y,trustedTypes:j}=n,q=O.prototype,$=D(q,"cloneNode"),V=D(q,"remove"),re=D(q,"nextSibling"),ie=D(q,"childNodes"),ae=D(q,"parentNode");if("function"==typeof N){const e=r.createElement("template");e.content&&e.content.ownerDocument&&(r=e.content.ownerDocument)}let le,ce="";const{implementation:se,createNodeIterator:ue,createDocumentFragment:me,getElementsByTagName:pe}=r,{importNode:fe}=a;let de={afterSanitizeAttributes:[],afterSanitizeElements:[],afterSanitizeShadowDOM:[],beforeSanitizeAttributes:[],beforeSanitizeElements:[],beforeSanitizeShadowDOM:[],uponSanitizeAttribute:[],uponSanitizeElement:[],uponSanitizeShadowNode:[]};o.isSupported="function"==typeof e&&"function"==typeof ae&&se&&void 0!==se.createHTMLDocument;const{MUSTACHE_EXPR:he,ERB_EXPR:ge,TMPLIT_EXPR:Te,DATA_ATTR:ye,ARIA_ATTR:Ee,IS_SCRIPT_OR_DATA:Ae,ATTR_WHITESPACE:_e,CUSTOM_ELEMENT:Se}=Z;let{IS_ALLOWED_URI:be}=Z,Ne=null;const we=R({},[...x,...L,...C,...I,...U]);let Re=null;const Oe=R({},[...z,...P,...H,...F]);let ve=Object.seal(l(null,{tagNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},attributeNameCheck:{writable:!0,configurable:!1,enumerable:!0,value:null},allowCustomizedBuiltInElements:{writable:!0,configurable:!1,enumerable:!0,value:!1}})),De=null,xe=null,Le=!0,Ce=!0,ke=!1,Ie=!0,Me=!1,Ue=!0,ze=!1,Pe=!1,He=!1,Fe=!1,Be=!1,We=!1,Ge=!0,Ye=!1,je=!0,Xe=!1,qe={},$e=null;const Ke=R({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","noscript","plaintext","script","style","svg","template","thead","title","video","xmp"]);let Ve=null;const Ze=R({},["audio","video","img","source","image","track"]);let Je=null;const Qe=R({},["alt","class","for","id","label","name","pattern","placeholder","role","summary","title","value","style","xmlns"]),et="http://www.w3.org/1998/Math/MathML",tt="http://www.w3.org/2000/svg",nt="http://www.w3.org/1999/xhtml";let ot=nt,rt=!1,it=null;const at=R({},[et,tt,nt],g);let lt=R({},["mi","mo","mn","ms","mtext"]),ct=R({},["annotation-xml"]);const st=R({},["title","style","font","a","script"]);let ut=null;const mt=["application/xhtml+xml","text/html"];let pt=null,ft=null;const dt=r.createElement("form"),ht=function(e){return e instanceof RegExp||e instanceof Function},gt=function(){let e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:{};if(!ft||ft!==e){if(e&&"object"==typeof e||(e={}),e=v(e),ut=-1===mt.indexOf(e.PARSER_MEDIA_TYPE)?"text/html":e.PARSER_MEDIA_TYPE,pt="application/xhtml+xml"===ut?g:h,Ne=_(e,"ALLOWED_TAGS")?R({},e.ALLOWED_TAGS,pt):we,Re=_(e,"ALLOWED_ATTR")?R({},e.ALLOWED_ATTR,pt):Oe,it=_(e,"ALLOWED_NAMESPACES")?R({},e.ALLOWED_NAMESPACES,g):at,Je=_(e,"ADD_URI_SAFE_ATTR")?R(v(Qe),e.ADD_URI_SAFE_ATTR,pt):Qe,Ve=_(e,"ADD_DATA_URI_TAGS")?R(v(Ze),e.ADD_DATA_URI_TAGS,pt):Ze,$e=_(e,"FORBID_CONTENTS")?R({},e.FORBID_CONTENTS,pt):Ke,De=_(e,"FORBID_TAGS")?R({},e.FORBID_TAGS,pt):v({}),xe=_(e,"FORBID_ATTR")?R({},e.FORBID_ATTR,pt):v({}),qe=!!_(e,"USE_PROFILES")&&e.USE_PROFILES,Le=!1!==e.ALLOW_ARIA_ATTR,Ce=!1!==e.ALLOW_DATA_ATTR,ke=e.ALLOW_UNKNOWN_PROTOCOLS||!1,Ie=!1!==e.ALLOW_SELF_CLOSE_IN_ATTR,Me=e.SAFE_FOR_TEMPLATES||!1,Ue=!1!==e.SAFE_FOR_XML,ze=e.WHOLE_DOCUMENT||!1,Fe=e.RETURN_DOM||!1,Be=e.RETURN_DOM_FRAGMENT||!1,We=e.RETURN_TRUSTED_TYPE||!1,He=e.FORCE_BODY||!1,Ge=!1!==e.SANITIZE_DOM,Ye=e.SANITIZE_NAMED_PROPS||!1,je=!1!==e.KEEP_CONTENT,Xe=e.IN_PLACE||!1,be=e.ALLOWED_URI_REGEXP||X,ot=e.NAMESPACE||nt,lt=e.MATHML_TEXT_INTEGRATION_POINTS||lt,ct=e.HTML_INTEGRATION_POINTS||ct,ve=e.CUSTOM_ELEMENT_HANDLING||{},e.CUSTOM_ELEMENT_HANDLING&&ht(e.CUSTOM_ELEMENT_HANDLING.tagNameCheck)&&(ve.tagNameCheck=e.CUSTOM_ELEMENT_HANDLING.tagNameCheck),e.CUSTOM_ELEMENT_HANDLING&&ht(e.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)&&(ve.attributeNameCheck=e.CUSTOM_ELEMENT_HANDLING.attributeNameCheck),e.CUSTOM_ELEMENT_HANDLING&&"boolean"==typeof e.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements&&(ve.allowCustomizedBuiltInElements=e.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements),Me&&(Ce=!1),Be&&(Fe=!0),qe&&(Ne=R({},U),Re=[],!0===qe.html&&(R(Ne,x),R(Re,z)),!0===qe.svg&&(R(Ne,L),R(Re,P),R(Re,F)),!0===qe.svgFilters&&(R(Ne,C),R(Re,P),R(Re,F)),!0===qe.mathMl&&(R(Ne,I),R(Re,H),R(Re,F))),e.ADD_TAGS&&(Ne===we&&(Ne=v(Ne)),R(Ne,e.ADD_TAGS,pt)),e.ADD_ATTR&&(Re===Oe&&(Re=v(Re)),R(Re,e.ADD_ATTR,pt)),e.ADD_URI_SAFE_ATTR&&R(Je,e.ADD_URI_SAFE_ATTR,pt),e.FORBID_CONTENTS&&($e===Ke&&($e=v($e)),R($e,e.FORBID_CONTENTS,pt)),je&&(Ne["#text"]=!0),ze&&R(Ne,["html","head","body"]),Ne.table&&(R(Ne,["tbody"]),delete De.tbody),e.TRUSTED_TYPES_POLICY){if("function"!=typeof e.TRUSTED_TYPES_POLICY.createHTML)throw b('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');if("function"!=typeof e.TRUSTED_TYPES_POLICY.createScriptURL)throw b('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');le=e.TRUSTED_TYPES_POLICY,ce=le.createHTML("")}else void 0===le&&(le=function(e,t){if("object"!=typeof e||"function"!=typeof e.createPolicy)return null;let n=null;const o="data-tt-policy-suffix";t&&t.hasAttribute(o)&&(n=t.getAttribute(o));const r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:e=>e,createScriptURL:e=>e})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}}(j,c)),null!==le&&"string"==typeof ce&&(ce=le.createHTML(""));i&&i(e),ft=e}},Tt=R({},[...L,...C,...k]),yt=R({},[...I,...M]),Et=function(e){f(o.removed,{element:e});try{ae(e).removeChild(e)}catch(t){V(e)}},At=function(e,t){try{f(o.removed,{attribute:t.getAttributeNode(e),from:t})}catch(e){f(o.removed,{attribute:null,from:t})}if(t.removeAttribute(e),"is"===e)if(Fe||Be)try{Et(t)}catch(e){}else try{t.setAttribute(e,"")}catch(e){}},_t=function(e){let t=null,n=null;if(He)e=""+e;else{const t=T(e,/^[\r\n\t ]+/);n=t&&t[0]}"application/xhtml+xml"===ut&&ot===nt&&(e=''+e+"");const o=le?le.createHTML(e):e;if(ot===nt)try{t=(new Y).parseFromString(o,ut)}catch(e){}if(!t||!t.documentElement){t=se.createDocument(ot,"template",null);try{t.documentElement.innerHTML=rt?ce:o}catch(e){}}const i=t.body||t.documentElement;return e&&n&&i.insertBefore(r.createTextNode(n),i.childNodes[0]||null),ot===nt?pe.call(t,ze?"html":"body")[0]:ze?t.documentElement:i},St=function(e){return ue.call(e.ownerDocument||e,e,B.SHOW_ELEMENT|B.SHOW_COMMENT|B.SHOW_TEXT|B.SHOW_PROCESSING_INSTRUCTION|B.SHOW_CDATA_SECTION,null)},bt=function(e){return e instanceof G&&("string"!=typeof e.nodeName||"string"!=typeof e.textContent||"function"!=typeof e.removeChild||!(e.attributes instanceof W)||"function"!=typeof e.removeAttribute||"function"!=typeof e.setAttribute||"string"!=typeof e.namespaceURI||"function"!=typeof e.insertBefore||"function"!=typeof e.hasChildNodes)},Nt=function(e){return"function"==typeof w&&e instanceof w};function wt(e,t,n){u(e,(e=>{e.call(o,t,n,ft)}))}const Rt=function(e){let t=null;if(wt(de.beforeSanitizeElements,e,null),bt(e))return Et(e),!0;const n=pt(e.nodeName);if(wt(de.uponSanitizeElement,e,{tagName:n,allowedTags:Ne}),Ue&&e.hasChildNodes()&&!Nt(e.firstElementChild)&&S(/<[/\w!]/g,e.innerHTML)&&S(/<[/\w!]/g,e.textContent))return Et(e),!0;if(e.nodeType===ee)return Et(e),!0;if(Ue&&e.nodeType===te&&S(/<[/\w]/g,e.data))return Et(e),!0;if(!Ne[n]||De[n]){if(!De[n]&&vt(n)){if(ve.tagNameCheck instanceof RegExp&&S(ve.tagNameCheck,n))return!1;if(ve.tagNameCheck instanceof Function&&ve.tagNameCheck(n))return!1}if(je&&!$e[n]){const t=ae(e)||e.parentNode,n=ie(e)||e.childNodes;if(n&&t){for(let o=n.length-1;o>=0;--o){const r=$(n[o],!0);r.__removalCount=(e.__removalCount||0)+1,t.insertBefore(r,re(e))}}}return Et(e),!0}return e instanceof O&&!function(e){let t=ae(e);t&&t.tagName||(t={namespaceURI:ot,tagName:"template"});const n=h(e.tagName),o=h(t.tagName);return!!it[e.namespaceURI]&&(e.namespaceURI===tt?t.namespaceURI===nt?"svg"===n:t.namespaceURI===et?"svg"===n&&("annotation-xml"===o||lt[o]):Boolean(Tt[n]):e.namespaceURI===et?t.namespaceURI===nt?"math"===n:t.namespaceURI===tt?"math"===n&&ct[o]:Boolean(yt[n]):e.namespaceURI===nt?!(t.namespaceURI===tt&&!ct[o])&&!(t.namespaceURI===et&&!lt[o])&&!yt[n]&&(st[n]||!Tt[n]):!("application/xhtml+xml"!==ut||!it[e.namespaceURI]))}(e)?(Et(e),!0):"noscript"!==n&&"noembed"!==n&&"noframes"!==n||!S(/<\/no(script|embed|frames)/i,e.innerHTML)?(Me&&e.nodeType===Q&&(t=e.textContent,u([he,ge,Te],(e=>{t=y(t,e," ")})),e.textContent!==t&&(f(o.removed,{element:e.cloneNode()}),e.textContent=t)),wt(de.afterSanitizeElements,e,null),!1):(Et(e),!0)},Ot=function(e,t,n){if(Ge&&("id"===t||"name"===t)&&(n in r||n in dt))return!1;if(Ce&&!xe[t]&&S(ye,t));else if(Le&&S(Ee,t));else if(!Re[t]||xe[t]){if(!(vt(e)&&(ve.tagNameCheck instanceof RegExp&&S(ve.tagNameCheck,e)||ve.tagNameCheck instanceof Function&&ve.tagNameCheck(e))&&(ve.attributeNameCheck instanceof RegExp&&S(ve.attributeNameCheck,t)||ve.attributeNameCheck instanceof Function&&ve.attributeNameCheck(t,e))||"is"===t&&ve.allowCustomizedBuiltInElements&&(ve.tagNameCheck instanceof RegExp&&S(ve.tagNameCheck,n)||ve.tagNameCheck instanceof Function&&ve.tagNameCheck(n))))return!1}else if(Je[t]);else if(S(be,y(n,_e,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==E(n,"data:")||!Ve[e]){if(ke&&!S(Ae,y(n,_e,"")));else if(n)return!1}else;return!0},vt=function(e){return"annotation-xml"!==e&&T(e,Se)},Dt=function(e){wt(de.beforeSanitizeAttributes,e,null);const{attributes:t}=e;if(!t||bt(e))return;const n={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Re,forceKeepAttr:void 0};let r=t.length;for(;r--;){const i=t[r],{name:a,namespaceURI:l,value:c}=i,s=pt(a),m=c;let f="value"===a?m:A(m);if(n.attrName=s,n.attrValue=f,n.keepAttr=!0,n.forceKeepAttr=void 0,wt(de.uponSanitizeAttribute,e,n),f=n.attrValue,!Ye||"id"!==s&&"name"!==s||(At(a,e),f="user-content-"+f),Ue&&S(/((--!?|])>)|<\/(style|title|textarea)/i,f)){At(a,e);continue}if("attributename"===s&&T(f,"href")){At(a,e);continue}if(n.forceKeepAttr)continue;if(!n.keepAttr){At(a,e);continue}if(!Ie&&S(/\/>/i,f)){At(a,e);continue}Me&&u([he,ge,Te],(e=>{f=y(f,e," ")}));const d=pt(e.nodeName);if(Ot(d,s,f)){if(le&&"object"==typeof j&&"function"==typeof j.getAttributeType)if(l);else switch(j.getAttributeType(d,s)){case"TrustedHTML":f=le.createHTML(f);break;case"TrustedScriptURL":f=le.createScriptURL(f)}if(f!==m)try{l?e.setAttributeNS(l,a,f):e.setAttribute(a,f),bt(e)?Et(e):p(o.removed)}catch(t){At(a,e)}}else At(a,e)}wt(de.afterSanitizeAttributes,e,null)},xt=function e(t){let n=null;const o=St(t);for(wt(de.beforeSanitizeShadowDOM,t,null);n=o.nextNode();)wt(de.uponSanitizeShadowNode,n,null),Rt(n),Dt(n),n.content instanceof s&&e(n.content);wt(de.afterSanitizeShadowDOM,t,null)};return o.sanitize=function(e){let t=arguments.length>1&&void 0!==arguments[1]?arguments[1]:{},n=null,r=null,i=null,l=null;if(rt=!e,rt&&(e="\x3c!--\x3e"),"string"!=typeof e&&!Nt(e)){if("function"!=typeof e.toString)throw b("toString is not a function");if("string"!=typeof(e=e.toString()))throw b("dirty is not a string, aborting")}if(!o.isSupported)return e;if(Pe||gt(t),o.removed=[],"string"==typeof e&&(Xe=!1),Xe){if(e.nodeName){const t=pt(e.nodeName);if(!Ne[t]||De[t])throw b("root node is forbidden and cannot be sanitized in-place")}}else if(e instanceof w)n=_t("\x3c!----\x3e"),r=n.ownerDocument.importNode(e,!0),r.nodeType===J&&"BODY"===r.nodeName||"HTML"===r.nodeName?n=r:n.appendChild(r);else{if(!Fe&&!Me&&!ze&&-1===e.indexOf("<"))return le&&We?le.createHTML(e):e;if(n=_t(e),!n)return Fe?null:We?ce:""}n&&He&&Et(n.firstChild);const c=St(Xe?e:n);for(;i=c.nextNode();)Rt(i),Dt(i),i.content instanceof s&&xt(i.content);if(Xe)return e;if(Fe){if(Be)for(l=me.call(n.ownerDocument);n.firstChild;)l.appendChild(n.firstChild);else l=n;return(Re.shadowroot||Re.shadowrootmode)&&(l=fe.call(a,l,!0)),l}let m=ze?n.outerHTML:n.innerHTML;return ze&&Ne["!doctype"]&&n.ownerDocument&&n.ownerDocument.doctype&&n.ownerDocument.doctype.name&&S(K,n.ownerDocument.doctype.name)&&(m="\n"+m),Me&&u([he,ge,Te],(e=>{m=y(m,e," ")})),le&&We?le.createHTML(m):m},o.setConfig=function(){gt(arguments.length>0&&void 0!==arguments[0]?arguments[0]:{}),Pe=!0},o.clearConfig=function(){ft=null,Pe=!1},o.isValidAttribute=function(e,t,n){ft||gt({});const o=pt(e),r=pt(t);return Ot(o,r,n)},o.addHook=function(e,t){"function"==typeof t&&f(de[e],t)},o.removeHook=function(e,t){if(void 0!==t){const n=m(de[e],t);return-1===n?void 0:d(de[e],n,1)[0]}return p(de[e])},o.removeHooks=function(e){de[e]=[]},o.removeAllHooks=function(){de={afterSanitizeAttributes:[],afterSanitizeElements:[],afterSanitizeShadowDOM:[],beforeSanitizeAttributes:[],beforeSanitizeElements:[],beforeSanitizeShadowDOM:[],uponSanitizeAttribute:[],uponSanitizeElement:[],uponSanitizeShadowNode:[]}},o}();return re})); +//# sourceMappingURL=purify.min.js.map diff --git a/services/static-webserver/client/source/resource/DOMPurify/purify.min.js b/services/static-webserver/client/source/resource/DOMPurify/purify.min.js deleted file mode 100644 index f1cc9387cbbe..000000000000 --- a/services/static-webserver/client/source/resource/DOMPurify/purify.min.js +++ /dev/null @@ -1 +0,0 @@ -!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){y&&y(e,null);for(var n=t.length;n--;){var r=t[n];if("string"==typeof r){var o=r.toLowerCase();o!==r&&(Object.isFrozen(t)||(t[n]=o),r=o)}e[r]=!0}return e}function t(e){var t={},n=void 0;for(n in e)g(h,e,[n])&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t0&&void 0!==arguments[0]?arguments[0]:O(),u=function(e){return r(e)};if(u.version="2.0.0",u.removed=[],!o||!o.document||9!==o.document.nodeType)return u.isSupported=!1,u;var h=o.document,y=!1,g=!1,v=o.document,D=o.DocumentFragment,R=o.HTMLTemplateElement,C=o.Node,H=o.NodeFilter,F=o.NamedNodeMap,z=void 0===F?o.NamedNodeMap||o.MozNamedAttrMap:F,I=o.Text,j=o.Comment,P=o.DOMParser,U=o.TrustedTypes;if("function"==typeof R){var W=v.createElement("template");W.content&&W.content.ownerDocument&&(v=W.content.ownerDocument)}var B=N(U,h),G=B?B.createHTML(""):"",q=v,V=q.implementation,Y=q.createNodeIterator,K=q.getElementsByTagName,X=q.createDocumentFragment,$=h.importNode,J={};u.isSupported=V&&void 0!==V.createHTMLDocument&&9!==v.documentMode;var Q=b,Z=T,ee=A,te=x,ne=S,re=E,oe=L,ie=null,ae=e({},[].concat(n(i),n(a),n(l),n(c),n(s))),le=null,ce=e({},[].concat(n(d),n(f),n(p),n(m))),se=null,ue=null,de=!0,fe=!0,pe=!1,me=!1,he=!1,ye=!1,ge=!1,ve=!1,be=!1,Te=!1,Ae=!1,xe=!1,Le=!0,Se=!0,Ee=!1,Me={},ke=e({},["audio","head","math","script","style","template","svg","video"]),we=e({},["audio","video","img","source","image"]),_e=null,Oe=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Ne=null,De=v.createElement("form"),Re=function(r){Ne&&Ne===r||(r&&"object"===(void 0===r?"undefined":M(r))||(r={}),ie="ALLOWED_TAGS"in r?e({},r.ALLOWED_TAGS):ae,le="ALLOWED_ATTR"in r?e({},r.ALLOWED_ATTR):ce,_e="ADD_URI_SAFE_ATTR"in r?e({},r.ADD_URI_SAFE_ATTR):Oe,se="FORBID_TAGS"in r?e({},r.FORBID_TAGS):{},ue="FORBID_ATTR"in r?e({},r.FORBID_ATTR):{},Me="USE_PROFILES"in r&&r.USE_PROFILES,de=!1!==r.ALLOW_ARIA_ATTR,fe=!1!==r.ALLOW_DATA_ATTR,pe=r.ALLOW_UNKNOWN_PROTOCOLS||!1,me=r.SAFE_FOR_JQUERY||!1,he=r.SAFE_FOR_TEMPLATES||!1,ye=r.WHOLE_DOCUMENT||!1,be=r.RETURN_DOM||!1,Te=r.RETURN_DOM_FRAGMENT||!1,Ae=r.RETURN_DOM_IMPORT||!1,xe=r.RETURN_TRUSTED_TYPE||!1,ve=r.FORCE_BODY||!1,Le=!1!==r.SANITIZE_DOM,Se=!1!==r.KEEP_CONTENT,Ee=r.IN_PLACE||!1,oe=r.ALLOWED_URI_REGEXP||oe,he&&(fe=!1),Te&&(be=!0),Me&&(ie=e({},[].concat(n(s))),le=[],!0===Me.html&&(e(ie,i),e(le,d)),!0===Me.svg&&(e(ie,a),e(le,f),e(le,m)),!0===Me.svgFilters&&(e(ie,l),e(le,f),e(le,m)),!0===Me.mathMl&&(e(ie,c),e(le,p),e(le,m))),r.ADD_TAGS&&(ie===ae&&(ie=t(ie)),e(ie,r.ADD_TAGS)),r.ADD_ATTR&&(le===ce&&(le=t(le)),e(le,r.ADD_ATTR)),r.ADD_URI_SAFE_ATTR&&e(_e,r.ADD_URI_SAFE_ATTR),Se&&(ie["#text"]=!0),ye&&e(ie,["html","head","body"]),ie.table&&e(ie,["tbody"]),_&&_(r),Ne=r)},Ce=function(e){u.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=G}},He=function(e,t){try{u.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){u.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Fe=function(t){var n=void 0,r=void 0;if(ve)t=""+t;else{var o=t.match(/^[\s]+/);(r=o&&o[0])&&(t=t.slice(r.length))}if(y)try{n=(new P).parseFromString(t,"text/html")}catch(e){}if(g&&e(se,["title"]),!n||!n.documentElement){var i=(n=V.createHTMLDocument("")).body;i.parentNode.removeChild(i.parentNode.firstElementChild),i.outerHTML=B?B.createHTML(t):t}return r&&n.body.insertBefore(v.createTextNode(r),n.body.childNodes[0]||null),K.call(n,ye?"html":"body")[0]};u.isSupported&&(function(){try{Fe('

').querySelector("svg img")&&(y=!0)}catch(e){}}(),function(){try{Fe("</title><img>").querySelector("title").innerHTML.match(/<\/title/)&&(g=!0)}catch(e){}}());var ze=function(e){return Y.call(e.ownerDocument||e,e,H.SHOW_ELEMENT|H.SHOW_COMMENT|H.SHOW_TEXT,function(){return H.FILTER_ACCEPT},!1)},Ie=function(e){return!(e instanceof I||e instanceof j)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof z&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},je=function(e){return"object"===(void 0===C?"undefined":M(C))?e instanceof C:e&&"object"===(void 0===e?"undefined":M(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Pe=function(e,t,n){J[e]&&J[e].forEach(function(e){e.call(u,t,n,Ne)})},Ue=function(e){var t=void 0;if(Pe("beforeSanitizeElements",e,null),Ie(e))return Ce(e),!0;var n=e.nodeName.toLowerCase();if(Pe("uponSanitizeElement",e,{tagName:n,allowedTags:ie}),!ie[n]||se[n]){if(Se&&!ke[n]&&"function"==typeof e.insertAdjacentHTML)try{var r=e.innerHTML;e.insertAdjacentHTML("AfterEnd",B?B.createHTML(r):r)}catch(e){}return Ce(e),!0}return"noscript"===n&&e.innerHTML.match(/<\/noscript/i)?(Ce(e),!0):"noembed"===n&&e.innerHTML.match(/<\/noembed/i)?(Ce(e),!0):(!me||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(u.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"<"):e.innerHTML=e.textContent.replace(/</g,"<")),he&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(Q," ")).replace(Z," "),e.textContent!==t&&(u.removed.push({element:e.cloneNode()}),e.textContent=t)),Pe("afterSanitizeElements",e,null),!1)},We=function(e,t,n){if(Le&&("id"===t||"name"===t)&&(n in v||n in De))return!1;if(fe&&ee.test(t));else if(de&&te.test(t));else{if(!le[t]||ue[t])return!1;if(_e[t]);else if(oe.test(n.replace(re,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==n.indexOf("data:")||!we[e]){if(pe&&!ne.test(n.replace(re,"")));else if(n)return!1}else;}return!0},Be=function(e){var t=void 0,n=void 0,r=void 0,o=void 0,i=void 0;Pe("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:le};for(i=a.length;i--;){var c=t=a[i],s=c.name,d=c.namespaceURI;if(n=t.value.trim(),r=s.toLowerCase(),l.attrName=r,l.attrValue=n,l.keepAttr=!0,Pe("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)o=a.id,a=k(w,a,[]),He("id",e),He(s,e),a.indexOf(o)>i&&e.setAttribute("id",o.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===n&&l.keepAttr&&(le[r]||!ue[r]))continue;"id"===s&&e.setAttribute(s,""),He(s,e)}if(l.keepAttr){he&&(n=(n=n.replace(Q," ")).replace(Z," "));var f=e.nodeName.toLowerCase();if(We(f,r,n))try{d?e.setAttributeNS(d,s,n):e.setAttribute(s,n),u.removed.pop()}catch(e){}}}Pe("afterSanitizeAttributes",e,null)}},Ge=function e(t){var n=void 0,r=ze(t);for(Pe("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)Pe("uponSanitizeShadowNode",n,null),Ue(n)||(n.content instanceof D&&e(n.content),Be(n));Pe("afterSanitizeShadowDOM",t,null)};return u.sanitize=function(e,t){var n=void 0,r=void 0,i=void 0,a=void 0,l=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!je(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!u.isSupported){if("object"===M(o.toStaticHTML)||"function"==typeof o.toStaticHTML){if("string"==typeof e)return o.toStaticHTML(e);if(je(e))return o.toStaticHTML(e.outerHTML)}return e}if(ge||Re(t),u.removed=[],Ee);else if(e instanceof C)1===(r=(n=Fe("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===r.nodeName?n=r:"HTML"===r.nodeName?n=r:n.appendChild(r);else{if(!be&&!he&&!ye&&xe&&-1===e.indexOf("<"))return B?B.createHTML(e):e;if(!(n=Fe(e)))return be?null:G}n&&ve&&Ce(n.firstChild);for(var c=ze(Ee?e:n);i=c.nextNode();)3===i.nodeType&&i===a||Ue(i)||(i.content instanceof D&&Ge(i.content),Be(i),a=i);if(a=null,Ee)return e;if(be){if(Te)for(l=X.call(n.ownerDocument);n.firstChild;)l.appendChild(n.firstChild);else l=n;return Ae&&(l=$.call(h,l,!0)),l}var s=ye?n.outerHTML:n.innerHTML;return he&&(s=(s=s.replace(Q," ")).replace(Z," ")),B&&xe?B.createHTML(s):s},u.setConfig=function(e){Re(e),ge=!0},u.clearConfig=function(){Ne=null,ge=!1},u.isValidAttribute=function(e,t,n){Ne||Re({});var r=e.toLowerCase(),o=t.toLowerCase();return We(r,o,n)},u.addHook=function(e,t){"function"==typeof t&&(J[e]=J[e]||[],J[e].push(t))},u.removeHook=function(e){J[e]&&J[e].pop()},u.removeHooks=function(e){J[e]&&(J[e]=[])},u.removeAllHooks=function(){J={}},u}var o=Object.freeze||function(e){return e},i=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),a=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),l=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),c=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),s=o(["#text"]),u=Object.freeze||function(e){return e},d=u(["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","minlength","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"]),f=u(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),p=u(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),m=u(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),h=Object.hasOwnProperty,y=Object.setPrototypeOf,g=("undefined"!=typeof Reflect&&Reflect).apply;g||(g=function(e,t,n){return e.apply(t,n)});var v=Object.seal||function(e){return e},b=v(/\{\{[\s\S]*|[\s\S]*\}\}/gm),T=v(/<%[\s\S]*|[\s\S]*%>/gm),A=v(/^data-[\-\w.\u00B7-\uFFFF]/),x=v(/^aria-[\-\w]+$/),L=v(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),S=v(/^(?:\w+script|data):/i),E=v(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g),M="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},k=("undefined"!=typeof Reflect&&Reflect).apply,w=Array.prototype.slice,_=Object.freeze,O=function(){return"undefined"==typeof window?null:window};k||(k=function(e,t,n){return e.apply(t,n)});var N=function(e,t){if("object"!==(void 0===e?"undefined":M(e))||"function"!=typeof e.createPolicy)return null;var n=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(n=t.currentScript.getAttribute("data-tt-policy-suffix"));var r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}};return r()});