create-expo-cljs-app/template/.shadow-cljs/builds/app/dev/goog-js/goog.html.safehtml.js

Create a react native application with Expo and Shadow-CLJS!

["^ ","~:resource-id",["~:shadow.build.classpath/resource","goog/html/safehtml.js"],"~:js","goog.provide(\"goog.html.SafeHtml\");\ngoog.require(\"goog.array\");\ngoog.require(\"goog.asserts\");\ngoog.require(\"goog.dom.TagName\");\ngoog.require(\"goog.dom.tags\");\ngoog.require(\"goog.html.SafeScript\");\ngoog.require(\"goog.html.SafeStyle\");\ngoog.require(\"goog.html.SafeStyleSheet\");\ngoog.require(\"goog.html.SafeUrl\");\ngoog.require(\"goog.html.TrustedResourceUrl\");\ngoog.require(\"goog.html.trustedtypes\");\ngoog.require(\"goog.i18n.bidi.Dir\");\ngoog.require(\"goog.i18n.bidi.DirectionalString\");\ngoog.require(\"goog.labs.userAgent.browser\");\ngoog.require(\"goog.object\");\ngoog.require(\"goog.string.Const\");\ngoog.require(\"goog.string.TypedString\");\ngoog.require(\"goog.string.internal\");\ngoog.html.SafeHtml = function() {\n  this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = \"\";\n  this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;\n  this.dir_ = null;\n};\ngoog.html.SafeHtml.ENABLE_ERROR_MESSAGES = goog.define(\"goog.html.SafeHtml.ENABLE_ERROR_MESSAGES\", goog.DEBUG);\ngoog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE = goog.define(\"goog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE\", true);\ngoog.html.SafeHtml.prototype.implementsGoogI18nBidiDirectionalString = true;\ngoog.html.SafeHtml.prototype.getDirection = function() {\n  return this.dir_;\n};\ngoog.html.SafeHtml.prototype.implementsGoogStringTypedString = true;\ngoog.html.SafeHtml.prototype.getTypedStringValue = function() {\n  return this.privateDoNotAccessOrElseSafeHtmlWrappedValue_.toString();\n};\nif (goog.DEBUG) {\n  goog.html.SafeHtml.prototype.toString = function() {\n    return \"SafeHtml{\" + this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ + \"}\";\n  };\n}\ngoog.html.SafeHtml.unwrap = function(safeHtml) {\n  return goog.html.SafeHtml.unwrapTrustedHTML(safeHtml).toString();\n};\ngoog.html.SafeHtml.unwrapTrustedHTML = function(safeHtml) {\n  if (safeHtml instanceof goog.html.SafeHtml && safeHtml.constructor === goog.html.SafeHtml && safeHtml.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ === goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {\n    return safeHtml.privateDoNotAccessOrElseSafeHtmlWrappedValue_;\n  } else {\n    goog.asserts.fail(\"expected object of type SafeHtml, got '\" + safeHtml + \"' of type \" + goog.typeOf(safeHtml));\n    return \"type_error:SafeHtml\";\n  }\n};\ngoog.html.SafeHtml.TextOrHtml_;\ngoog.html.SafeHtml.htmlEscape = function(textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var textIsObject = typeof textOrHtml == \"object\";\n  var dir = null;\n  if (textIsObject && textOrHtml.implementsGoogI18nBidiDirectionalString) {\n    dir = textOrHtml.getDirection();\n  }\n  var textAsString;\n  if (textIsObject && textOrHtml.implementsGoogStringTypedString) {\n    textAsString = textOrHtml.getTypedStringValue();\n  } else {\n    textAsString = String(textOrHtml);\n  }\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(goog.string.internal.htmlEscape(textAsString), dir);\n};\ngoog.html.SafeHtml.htmlEscapePreservingNewlines = function(textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var html = goog.html.SafeHtml.htmlEscape(textOrHtml);\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(goog.string.internal.newLineToBr(goog.html.SafeHtml.unwrap(html)), html.getDirection());\n};\ngoog.html.SafeHtml.htmlEscapePreservingNewlinesAndSpaces = function(textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var html = goog.html.SafeHtml.htmlEscape(textOrHtml);\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(goog.string.internal.whitespaceEscape(goog.html.SafeHtml.unwrap(html)), html.getDirection());\n};\ngoog.html.SafeHtml.from = goog.html.SafeHtml.htmlEscape;\ngoog.html.SafeHtml.VALID_NAMES_IN_TAG_ = /^[a-zA-Z0-9-]+$/;\ngoog.html.SafeHtml.URL_ATTRIBUTES_ = goog.object.createSet(\"action\", \"cite\", \"data\", \"formaction\", \"href\", \"manifest\", \"poster\", \"src\");\ngoog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet(goog.dom.TagName.APPLET, goog.dom.TagName.BASE, goog.dom.TagName.EMBED, goog.dom.TagName.IFRAME, goog.dom.TagName.LINK, goog.dom.TagName.MATH, goog.dom.TagName.META, goog.dom.TagName.OBJECT, goog.dom.TagName.SCRIPT, goog.dom.TagName.STYLE, goog.dom.TagName.SVG, goog.dom.TagName.TEMPLATE);\ngoog.html.SafeHtml.AttributeValue;\ngoog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) {\n  goog.html.SafeHtml.verifyTagName(String(tagName));\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(String(tagName), opt_attributes, opt_content);\n};\ngoog.html.SafeHtml.verifyTagName = function(tagName) {\n  if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(tagName)) {\n    throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? \"Invalid tag name \\x3c\" + tagName + \"\\x3e.\" : \"\");\n  }\n  if (tagName.toUpperCase() in goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_) {\n    throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? \"Tag name \\x3c\" + tagName + \"\\x3e is not allowed for SafeHtml.\" : \"\");\n  }\n};\ngoog.html.SafeHtml.createIframe = function(opt_src, opt_srcdoc, opt_attributes, opt_content) {\n  if (opt_src) {\n    goog.html.TrustedResourceUrl.unwrap(opt_src);\n  }\n  var fixedAttributes = {};\n  fixedAttributes[\"src\"] = opt_src || null;\n  fixedAttributes[\"srcdoc\"] = opt_srcdoc && goog.html.SafeHtml.unwrap(opt_srcdoc);\n  var defaultAttributes = {\"sandbox\":\"\"};\n  var attributes = goog.html.SafeHtml.combineAttributes(fixedAttributes, defaultAttributes, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"iframe\", attributes, opt_content);\n};\ngoog.html.SafeHtml.createSandboxIframe = function(opt_src, opt_srcdoc, opt_attributes, opt_content) {\n  if (!goog.html.SafeHtml.canUseSandboxIframe()) {\n    throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? \"The browser does not support sandboxed iframes.\" : \"\");\n  }\n  var fixedAttributes = {};\n  if (opt_src) {\n    fixedAttributes[\"src\"] = goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(opt_src));\n  } else {\n    fixedAttributes[\"src\"] = null;\n  }\n  fixedAttributes[\"srcdoc\"] = opt_srcdoc || null;\n  fixedAttributes[\"sandbox\"] = \"\";\n  var attributes = goog.html.SafeHtml.combineAttributes(fixedAttributes, {}, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"iframe\", attributes, opt_content);\n};\ngoog.html.SafeHtml.canUseSandboxIframe = function() {\n  return goog.global[\"HTMLIFrameElement\"] && \"sandbox\" in goog.global[\"HTMLIFrameElement\"].prototype;\n};\ngoog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) {\n  goog.html.TrustedResourceUrl.unwrap(src);\n  var fixedAttributes = {\"src\":src};\n  var defaultAttributes = {};\n  var attributes = goog.html.SafeHtml.combineAttributes(fixedAttributes, defaultAttributes, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"script\", attributes);\n};\ngoog.html.SafeHtml.createScript = function(script, opt_attributes) {\n  for (var attr in opt_attributes) {\n    var attrLower = attr.toLowerCase();\n    if (attrLower == \"language\" || attrLower == \"src\" || attrLower == \"text\" || attrLower == \"type\") {\n      throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Cannot set \"' + attrLower + '\" attribute' : \"\");\n    }\n  }\n  var content = \"\";\n  script = goog.array.concat(script);\n  for (var i = 0; i < script.length; i++) {\n    content += goog.html.SafeScript.unwrap(script[i]);\n  }\n  var htmlContent = goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(content, goog.i18n.bidi.Dir.NEUTRAL);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"script\", opt_attributes, htmlContent);\n};\ngoog.html.SafeHtml.createStyle = function(styleSheet, opt_attributes) {\n  var fixedAttributes = {\"type\":\"text/css\"};\n  var defaultAttributes = {};\n  var attributes = goog.html.SafeHtml.combineAttributes(fixedAttributes, defaultAttributes, opt_attributes);\n  var content = \"\";\n  styleSheet = goog.array.concat(styleSheet);\n  for (var i = 0; i < styleSheet.length; i++) {\n    content += goog.html.SafeStyleSheet.unwrap(styleSheet[i]);\n  }\n  var htmlContent = goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(content, goog.i18n.bidi.Dir.NEUTRAL);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"style\", attributes, htmlContent);\n};\ngoog.html.SafeHtml.createMetaRefresh = function(url, opt_secs) {\n  var unwrappedUrl = goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(url));\n  if (goog.labs.userAgent.browser.isIE() || goog.labs.userAgent.browser.isEdge()) {\n    if (goog.string.internal.contains(unwrappedUrl, \";\")) {\n      unwrappedUrl = \"'\" + unwrappedUrl.replace(/'/g, \"%27\") + \"'\";\n    }\n  }\n  var attributes = {\"http-equiv\":\"refresh\", \"content\":(opt_secs || 0) + \"; url\\x3d\" + unwrappedUrl};\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\"meta\", attributes);\n};\ngoog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) {\n  if (value instanceof goog.string.Const) {\n    value = goog.string.Const.unwrap(value);\n  } else {\n    if (name.toLowerCase() == \"style\") {\n      if (goog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE) {\n        value = goog.html.SafeHtml.getStyleValue_(value);\n      } else {\n        throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Attribute \"style\" not supported.' : \"\");\n      }\n    } else {\n      if (/^on/i.test(name)) {\n        throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Attribute \"' + name + '\" requires goog.string.Const value, \"' + value + '\" given.' : \"\");\n      } else {\n        if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) {\n          if (value instanceof goog.html.TrustedResourceUrl) {\n            value = goog.html.TrustedResourceUrl.unwrap(value);\n          } else {\n            if (value instanceof goog.html.SafeUrl) {\n              value = goog.html.SafeUrl.unwrap(value);\n            } else {\n              if (typeof value === \"string\") {\n                value = goog.html.SafeUrl.sanitize(value).getTypedStringValue();\n              } else {\n                throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Attribute \"' + name + '\" on tag \"' + tagName + '\" requires goog.html.SafeUrl, goog.string.Const, or' + ' string, value \"' + value + '\" given.' : \"\");\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n  if (value.implementsGoogStringTypedString) {\n    value = value.getTypedStringValue();\n  }\n  goog.asserts.assert(typeof value === \"string\" || typeof value === \"number\", \"String or number value expected, got \" + typeof value + \" with value: \" + value);\n  return name + '\\x3d\"' + goog.string.internal.htmlEscape(String(value)) + '\"';\n};\ngoog.html.SafeHtml.getStyleValue_ = function(value) {\n  if (!goog.isObject(value)) {\n    throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'The \"style\" attribute requires goog.html.SafeStyle or map ' + \"of style properties, \" + typeof value + \" given: \" + value : \"\");\n  }\n  if (!(value instanceof goog.html.SafeStyle)) {\n    value = goog.html.SafeStyle.create(value);\n  }\n  return goog.html.SafeStyle.unwrap(value);\n};\ngoog.html.SafeHtml.createWithDir = function(dir, tagName, opt_attributes, opt_content) {\n  var html = goog.html.SafeHtml.create(tagName, opt_attributes, opt_content);\n  html.dir_ = dir;\n  return html;\n};\ngoog.html.SafeHtml.join = function(separator, parts) {\n  var separatorHtml = goog.html.SafeHtml.htmlEscape(separator);\n  var dir = separatorHtml.getDirection();\n  var content = [];\n  var addArgument = function(argument) {\n    if (goog.isArray(argument)) {\n      goog.array.forEach(argument, addArgument);\n    } else {\n      var html = goog.html.SafeHtml.htmlEscape(argument);\n      content.push(goog.html.SafeHtml.unwrap(html));\n      var htmlDir = html.getDirection();\n      if (dir == goog.i18n.bidi.Dir.NEUTRAL) {\n        dir = htmlDir;\n      } else {\n        if (htmlDir != goog.i18n.bidi.Dir.NEUTRAL && dir != htmlDir) {\n          dir = null;\n        }\n      }\n    }\n  };\n  goog.array.forEach(parts, addArgument);\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(content.join(goog.html.SafeHtml.unwrap(separatorHtml)), dir);\n};\ngoog.html.SafeHtml.concat = function(var_args) {\n  return goog.html.SafeHtml.join(goog.html.SafeHtml.EMPTY, Array.prototype.slice.call(arguments));\n};\ngoog.html.SafeHtml.concatWithDir = function(dir, var_args) {\n  var html = goog.html.SafeHtml.concat(goog.array.slice(arguments, 1));\n  html.dir_ = dir;\n  return html;\n};\ngoog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};\ngoog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse = function(html, dir) {\n  return (new goog.html.SafeHtml).initSecurityPrivateDoNotAccessOrElse_(html, dir);\n};\ngoog.html.SafeHtml.prototype.initSecurityPrivateDoNotAccessOrElse_ = function(html, dir) {\n  this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = goog.html.trustedtypes.PRIVATE_DO_NOT_ACCESS_OR_ELSE_POLICY ? goog.html.trustedtypes.PRIVATE_DO_NOT_ACCESS_OR_ELSE_POLICY.createHTML(html) : html;\n  this.dir_ = dir;\n  return this;\n};\ngoog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse = function(tagName, opt_attributes, opt_content) {\n  var dir = null;\n  var result = \"\\x3c\" + tagName;\n  result += goog.html.SafeHtml.stringifyAttributes(tagName, opt_attributes);\n  var content = opt_content;\n  if (content == null) {\n    content = [];\n  } else {\n    if (!goog.isArray(content)) {\n      content = [content];\n    }\n  }\n  if (goog.dom.tags.isVoidTag(tagName.toLowerCase())) {\n    goog.asserts.assert(!content.length, \"Void tag \\x3c\" + tagName + \"\\x3e does not allow content.\");\n    result += \"\\x3e\";\n  } else {\n    var html = goog.html.SafeHtml.concat(content);\n    result += \"\\x3e\" + goog.html.SafeHtml.unwrap(html) + \"\\x3c/\" + tagName + \"\\x3e\";\n    dir = html.getDirection();\n  }\n  var dirAttribute = opt_attributes && opt_attributes[\"dir\"];\n  if (dirAttribute) {\n    if (/^(ltr|rtl|auto)$/i.test(dirAttribute)) {\n      dir = goog.i18n.bidi.Dir.NEUTRAL;\n    } else {\n      dir = null;\n    }\n  }\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(result, dir);\n};\ngoog.html.SafeHtml.stringifyAttributes = function(tagName, opt_attributes) {\n  var result = \"\";\n  if (opt_attributes) {\n    for (var name in opt_attributes) {\n      if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(name)) {\n        throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Invalid attribute name \"' + name + '\".' : \"\");\n      }\n      var value = opt_attributes[name];\n      if (value == null) {\n        continue;\n      }\n      result += \" \" + goog.html.SafeHtml.getAttrNameAndValue_(tagName, name, value);\n    }\n  }\n  return result;\n};\ngoog.html.SafeHtml.combineAttributes = function(fixedAttributes, defaultAttributes, opt_attributes) {\n  var combinedAttributes = {};\n  var name;\n  for (name in fixedAttributes) {\n    goog.asserts.assert(name.toLowerCase() == name, \"Must be lower case\");\n    combinedAttributes[name] = fixedAttributes[name];\n  }\n  for (name in defaultAttributes) {\n    goog.asserts.assert(name.toLowerCase() == name, \"Must be lower case\");\n    combinedAttributes[name] = defaultAttributes[name];\n  }\n  if (opt_attributes) {\n    for (name in opt_attributes) {\n      var nameLower = name.toLowerCase();\n      if (nameLower in fixedAttributes) {\n        throw new Error(goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Cannot override \"' + nameLower + '\" attribute, got \"' + name + '\" with value \"' + opt_attributes[name] + '\"' : \"\");\n      }\n      if (nameLower in defaultAttributes) {\n        delete combinedAttributes[nameLower];\n      }\n      combinedAttributes[name] = opt_attributes[name];\n    }\n  }\n  return combinedAttributes;\n};\ngoog.html.SafeHtml.DOCTYPE_HTML = goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\"\\x3c!DOCTYPE html\\x3e\", goog.i18n.bidi.Dir.NEUTRAL);\ngoog.html.SafeHtml.EMPTY = goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\"\", goog.i18n.bidi.Dir.NEUTRAL);\ngoog.html.SafeHtml.BR = goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\"\\x3cbr\\x3e\", goog.i18n.bidi.Dir.NEUTRAL);\n","~:source","// Copyright 2013 The Closure Library Authors. All Rights Reserved.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n//      http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS-IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n\n/**\n * @fileoverview The SafeHtml type and its builders.\n *\n * TODO(xtof): Link to document stating type contract.\n */\n\ngoog.provide('goog.html.SafeHtml');\n\ngoog.require('goog.array');\ngoog.require('goog.asserts');\ngoog.require('goog.dom.TagName');\ngoog.require('goog.dom.tags');\ngoog.require('goog.html.SafeScript');\ngoog.require('goog.html.SafeStyle');\ngoog.require('goog.html.SafeStyleSheet');\ngoog.require('goog.html.SafeUrl');\ngoog.require('goog.html.TrustedResourceUrl');\ngoog.require('goog.html.trustedtypes');\ngoog.require('goog.i18n.bidi.Dir');\ngoog.require('goog.i18n.bidi.DirectionalString');\ngoog.require('goog.labs.userAgent.browser');\ngoog.require('goog.object');\ngoog.require('goog.string.Const');\ngoog.require('goog.string.TypedString');\ngoog.require('goog.string.internal');\n\n\n\n/**\n * A string that is safe to use in HTML context in DOM APIs and HTML documents.\n *\n * A SafeHtml is a string-like object that carries the security type contract\n * that its value as a string will not cause untrusted script execution when\n * evaluated as HTML in a browser.\n *\n * Values of this type are guaranteed to be safe to use in HTML contexts,\n * such as, assignment to the innerHTML DOM property, or interpolation into\n * a HTML template in HTML PC_DATA context, in the sense that the use will not\n * result in a Cross-Site-Scripting vulnerability.\n *\n * Instances of this type must be created via the factory methods\n * (`goog.html.SafeHtml.create`, `goog.html.SafeHtml.htmlEscape`),\n * etc and not by invoking its constructor.  The constructor intentionally\n * takes no parameters and the type is immutable; hence only a default instance\n * corresponding to the empty string can be obtained via constructor invocation.\n *\n * Note that there is no `goog.html.SafeHtml.fromConstant`. The reason is that\n * the following code would create an unsafe HTML:\n *\n * ```\n * goog.html.SafeHtml.concat(\n *     goog.html.SafeHtml.fromConstant(goog.string.Const.from('<script>')),\n *     goog.html.SafeHtml.htmlEscape(userInput),\n *     goog.html.SafeHtml.fromConstant(goog.string.Const.from('<\\/script>')));\n * ```\n *\n * There's `goog.dom.constHtmlToNode` to create a node from constant strings\n * only.\n *\n * @see goog.html.SafeHtml.create\n * @see goog.html.SafeHtml.htmlEscape\n * @constructor\n * @final\n * @struct\n * @implements {goog.i18n.bidi.DirectionalString}\n * @implements {goog.string.TypedString}\n */\ngoog.html.SafeHtml = function() {\n  /**\n   * The contained value of this SafeHtml.  The field has a purposely ugly\n   * name to make (non-compiled) code that attempts to directly access this\n   * field stand out.\n   * @private {!TrustedHTML|string}\n   */\n  this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ = '';\n\n  /**\n   * A type marker used to implement additional run-time type checking.\n   * @see goog.html.SafeHtml.unwrap\n   * @const {!Object}\n   * @private\n   */\n  this.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =\n      goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;\n\n  /**\n   * This SafeHtml's directionality, or null if unknown.\n   * @private {?goog.i18n.bidi.Dir}\n   */\n  this.dir_ = null;\n};\n\n\n/**\n * @define {boolean} Whether to strip out error messages or to leave them in.\n */\ngoog.html.SafeHtml.ENABLE_ERROR_MESSAGES =\n    goog.define('goog.html.SafeHtml.ENABLE_ERROR_MESSAGES', goog.DEBUG);\n\n\n/**\n * Whether the `style` attribute is supported. Set to false to avoid the byte\n * weight of `goog.html.SafeStyle` where unneeded. An error will be thrown if\n * the `style` attribute is used.\n * @define {boolean}\n */\ngoog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE =\n    goog.define('goog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE', true);\n\n\n/**\n * @override\n * @const\n */\ngoog.html.SafeHtml.prototype.implementsGoogI18nBidiDirectionalString = true;\n\n\n/** @override */\ngoog.html.SafeHtml.prototype.getDirection = function() {\n  return this.dir_;\n};\n\n\n/**\n * @override\n * @const\n */\ngoog.html.SafeHtml.prototype.implementsGoogStringTypedString = true;\n\n\n/**\n * Returns this SafeHtml's value as string.\n *\n * IMPORTANT: In code where it is security relevant that an object's type is\n * indeed `SafeHtml`, use `goog.html.SafeHtml.unwrap` instead of\n * this method. If in doubt, assume that it's security relevant. In particular,\n * note that goog.html functions which return a goog.html type do not guarantee\n * that the returned instance is of the right type. For example:\n *\n * <pre>\n * var fakeSafeHtml = new String('fake');\n * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;\n * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);\n * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by\n * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml\n * // instanceof goog.html.SafeHtml.\n * </pre>\n *\n * @see goog.html.SafeHtml.unwrap\n * @override\n */\ngoog.html.SafeHtml.prototype.getTypedStringValue = function() {\n  return this.privateDoNotAccessOrElseSafeHtmlWrappedValue_.toString();\n};\n\n\nif (goog.DEBUG) {\n  /**\n   * Returns a debug string-representation of this value.\n   *\n   * To obtain the actual string value wrapped in a SafeHtml, use\n   * `goog.html.SafeHtml.unwrap`.\n   *\n   * @see goog.html.SafeHtml.unwrap\n   * @override\n   */\n  goog.html.SafeHtml.prototype.toString = function() {\n    return 'SafeHtml{' + this.privateDoNotAccessOrElseSafeHtmlWrappedValue_ +\n        '}';\n  };\n}\n\n\n/**\n * Performs a runtime check that the provided object is indeed a SafeHtml\n * object, and returns its value.\n * @param {!goog.html.SafeHtml} safeHtml The object to extract from.\n * @return {string} The SafeHtml object's contained string, unless the run-time\n *     type check fails. In that case, `unwrap` returns an innocuous\n *     string, or, if assertions are enabled, throws\n *     `goog.asserts.AssertionError`.\n */\ngoog.html.SafeHtml.unwrap = function(safeHtml) {\n  return goog.html.SafeHtml.unwrapTrustedHTML(safeHtml).toString();\n};\n\n\n/**\n * Unwraps value as TrustedHTML if supported or as a string if not.\n * @param {!goog.html.SafeHtml} safeHtml\n * @return {!TrustedHTML|string}\n * @see goog.html.SafeHtml.unwrap\n */\ngoog.html.SafeHtml.unwrapTrustedHTML = function(safeHtml) {\n  // Perform additional run-time type-checking to ensure that safeHtml is indeed\n  // an instance of the expected type.  This provides some additional protection\n  // against security bugs due to application code that disables type checks.\n  // Specifically, the following checks are performed:\n  // 1. The object is an instance of the expected type.\n  // 2. The object is not an instance of a subclass.\n  // 3. The object carries a type marker for the expected type. \"Faking\" an\n  // object requires a reference to the type marker, which has names intended\n  // to stand out in code reviews.\n  if (safeHtml instanceof goog.html.SafeHtml &&\n      safeHtml.constructor === goog.html.SafeHtml &&\n      safeHtml.SAFE_HTML_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ ===\n          goog.html.SafeHtml.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {\n    return safeHtml.privateDoNotAccessOrElseSafeHtmlWrappedValue_;\n  } else {\n    goog.asserts.fail('expected object of type SafeHtml, got \\'' +\n        safeHtml + '\\' of type ' + goog.typeOf(safeHtml));\n    return 'type_error:SafeHtml';\n  }\n};\n\n\n/**\n * Shorthand for union of types that can sensibly be converted to strings\n * or might already be SafeHtml (as SafeHtml is a goog.string.TypedString).\n * @private\n * @typedef {string|number|boolean|!goog.string.TypedString|\n *           !goog.i18n.bidi.DirectionalString}\n */\ngoog.html.SafeHtml.TextOrHtml_;\n\n\n/**\n * Returns HTML-escaped text as a SafeHtml object.\n *\n * If text is of a type that implements\n * `goog.i18n.bidi.DirectionalString`, the directionality of the new\n * `SafeHtml` object is set to `text`'s directionality, if known.\n * Otherwise, the directionality of the resulting SafeHtml is unknown (i.e.,\n * `null`).\n *\n * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If\n *     the parameter is of type SafeHtml it is returned directly (no escaping\n *     is done).\n * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.\n */\ngoog.html.SafeHtml.htmlEscape = function(textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var textIsObject = typeof textOrHtml == 'object';\n  var dir = null;\n  if (textIsObject && textOrHtml.implementsGoogI18nBidiDirectionalString) {\n    dir = /** @type {!goog.i18n.bidi.DirectionalString} */ (textOrHtml)\n              .getDirection();\n  }\n  var textAsString;\n  if (textIsObject && textOrHtml.implementsGoogStringTypedString) {\n    textAsString = /** @type {!goog.string.TypedString} */ (textOrHtml)\n                       .getTypedStringValue();\n  } else {\n    textAsString = String(textOrHtml);\n  }\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\n      goog.string.internal.htmlEscape(textAsString), dir);\n};\n\n\n/**\n * Returns HTML-escaped text as a SafeHtml object, with newlines changed to\n * &lt;br&gt;.\n * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If\n *     the parameter is of type SafeHtml it is returned directly (no escaping\n *     is done).\n * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.\n */\ngoog.html.SafeHtml.htmlEscapePreservingNewlines = function(textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var html = goog.html.SafeHtml.htmlEscape(textOrHtml);\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\n      goog.string.internal.newLineToBr(goog.html.SafeHtml.unwrap(html)),\n      html.getDirection());\n};\n\n\n/**\n * Returns HTML-escaped text as a SafeHtml object, with newlines changed to\n * &lt;br&gt; and escaping whitespace to preserve spatial formatting. Character\n * entity #160 is used to make it safer for XML.\n * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text to escape. If\n *     the parameter is of type SafeHtml it is returned directly (no escaping\n *     is done).\n * @return {!goog.html.SafeHtml} The escaped text, wrapped as a SafeHtml.\n */\ngoog.html.SafeHtml.htmlEscapePreservingNewlinesAndSpaces = function(\n    textOrHtml) {\n  if (textOrHtml instanceof goog.html.SafeHtml) {\n    return textOrHtml;\n  }\n  var html = goog.html.SafeHtml.htmlEscape(textOrHtml);\n  return goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\n      goog.string.internal.whitespaceEscape(goog.html.SafeHtml.unwrap(html)),\n      html.getDirection());\n};\n\n\n/**\n * Coerces an arbitrary object into a SafeHtml object.\n *\n * If `textOrHtml` is already of type `goog.html.SafeHtml`, the same\n * object is returned. Otherwise, `textOrHtml` is coerced to string, and\n * HTML-escaped. If `textOrHtml` is of a type that implements\n * `goog.i18n.bidi.DirectionalString`, its directionality, if known, is\n * preserved.\n *\n * @param {!goog.html.SafeHtml.TextOrHtml_} textOrHtml The text or SafeHtml to\n *     coerce.\n * @return {!goog.html.SafeHtml} The resulting SafeHtml object.\n * @deprecated Use goog.html.SafeHtml.htmlEscape.\n */\ngoog.html.SafeHtml.from = goog.html.SafeHtml.htmlEscape;\n\n\n/**\n * @const\n * @private\n */\ngoog.html.SafeHtml.VALID_NAMES_IN_TAG_ = /^[a-zA-Z0-9-]+$/;\n\n\n/**\n * Set of attributes containing URL as defined at\n * http://www.w3.org/TR/html5/index.html#attributes-1.\n * @private @const {!Object<string,boolean>}\n */\ngoog.html.SafeHtml.URL_ATTRIBUTES_ = goog.object.createSet(\n    'action', 'cite', 'data', 'formaction', 'href', 'manifest', 'poster',\n    'src');\n\n\n/**\n * Tags which are unsupported via create(). They might be supported via a\n * tag-specific create method. These are tags which might require a\n * TrustedResourceUrl in one of their attributes or a restricted type for\n * their content.\n * @private @const {!Object<string,boolean>}\n */\ngoog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_ = goog.object.createSet(\n    goog.dom.TagName.APPLET, goog.dom.TagName.BASE, goog.dom.TagName.EMBED,\n    goog.dom.TagName.IFRAME, goog.dom.TagName.LINK, goog.dom.TagName.MATH,\n    goog.dom.TagName.META, goog.dom.TagName.OBJECT, goog.dom.TagName.SCRIPT,\n    goog.dom.TagName.STYLE, goog.dom.TagName.SVG, goog.dom.TagName.TEMPLATE);\n\n\n/**\n * @typedef {string|number|goog.string.TypedString|\n *     goog.html.SafeStyle.PropertyMap|undefined}\n */\ngoog.html.SafeHtml.AttributeValue;\n\n\n/**\n * Creates a SafeHtml content consisting of a tag with optional attributes and\n * optional content.\n *\n * For convenience tag names and attribute names are accepted as regular\n * strings, instead of goog.string.Const. Nevertheless, you should not pass\n * user-controlled values to these parameters. Note that these parameters are\n * syntactically validated at runtime, and invalid values will result in\n * an exception.\n *\n * Example usage:\n *\n * goog.html.SafeHtml.create('br');\n * goog.html.SafeHtml.create('div', {'class': 'a'});\n * goog.html.SafeHtml.create('p', {}, 'a');\n * goog.html.SafeHtml.create('p', {}, goog.html.SafeHtml.create('br'));\n *\n * goog.html.SafeHtml.create('span', {\n *   'style': {'margin': '0'}\n * });\n *\n * To guarantee SafeHtml's type contract is upheld there are restrictions on\n * attribute values and tag names.\n *\n * - For attributes which contain script code (on*), a goog.string.Const is\n *   required.\n * - For attributes which contain style (style), a goog.html.SafeStyle or a\n *   goog.html.SafeStyle.PropertyMap is required.\n * - For attributes which are interpreted as URLs (e.g. src, href) a\n *   goog.html.SafeUrl, goog.string.Const or string is required. If a string\n *   is passed, it will be sanitized with SafeUrl.sanitize().\n * - For tags which can load code or set security relevant page metadata,\n *   more specific goog.html.SafeHtml.create*() functions must be used. Tags\n *   which are not supported by this function are applet, base, embed, iframe,\n *   link, math, object, script, style, svg, and template.\n *\n * @param {!goog.dom.TagName|string} tagName The name of the tag. Only tag names\n *     consisting of [a-zA-Z0-9-] are allowed. Tag names documented above are\n *     disallowed.\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes\n *     the attribute to be omitted.\n * @param {!goog.html.SafeHtml.TextOrHtml_|\n *     !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to\n *     HTML-escape and put inside the tag. This must be empty for void tags\n *     like <br>. Array elements are concatenated.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid tag name, attribute name, or attribute value is\n *     provided.\n * @throws {goog.asserts.AssertionError} If content for void tag is provided.\n */\ngoog.html.SafeHtml.create = function(tagName, opt_attributes, opt_content) {\n  goog.html.SafeHtml.verifyTagName(String(tagName));\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      String(tagName), opt_attributes, opt_content);\n};\n\n\n/**\n * Verifies if the tag name is valid and if it doesn't change the context.\n * E.g. STRONG is fine but SCRIPT throws because it changes context. See\n * goog.html.SafeHtml.create for an explanation of allowed tags.\n * @param {string} tagName\n * @throws {Error} If invalid tag name is provided.\n * @package\n */\ngoog.html.SafeHtml.verifyTagName = function(tagName) {\n  if (!goog.html.SafeHtml.VALID_NAMES_IN_TAG_.test(tagName)) {\n    throw new Error(\n        goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n            'Invalid tag name <' + tagName + '>.' :\n            '');\n  }\n  if (tagName.toUpperCase() in goog.html.SafeHtml.NOT_ALLOWED_TAG_NAMES_) {\n    throw new Error(\n        goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n\n            'Tag name <' + tagName + '> is not allowed for SafeHtml.' :\n            '');\n  }\n};\n\n\n/**\n * Creates a SafeHtml representing an iframe tag.\n *\n * This by default restricts the iframe as much as possible by setting the\n * sandbox attribute to the empty string. If the iframe requires less\n * restrictions, set the sandbox attribute as tight as possible, but do not rely\n * on the sandbox as a security feature because it is not supported by older\n * browsers. If a sandbox is essential to security (e.g. for third-party\n * frames), use createSandboxIframe which checks for browser support.\n *\n * @see https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox\n *\n * @param {?goog.html.TrustedResourceUrl=} opt_src The value of the src\n *     attribute. If null or undefined src will not be set.\n * @param {?goog.html.SafeHtml=} opt_srcdoc The value of the srcdoc attribute.\n *     If null or undefined srcdoc will not be set.\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes\n *     the attribute to be omitted.\n * @param {!goog.html.SafeHtml.TextOrHtml_|\n *     !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to\n *     HTML-escape and put inside the tag. Array elements are concatenated.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid tag name, attribute name, or attribute value is\n *     provided. If opt_attributes contains the src or srcdoc attributes.\n */\ngoog.html.SafeHtml.createIframe = function(\n    opt_src, opt_srcdoc, opt_attributes, opt_content) {\n  if (opt_src) {\n    // Check whether this is really TrustedResourceUrl.\n    goog.html.TrustedResourceUrl.unwrap(opt_src);\n  }\n\n  var fixedAttributes = {};\n  fixedAttributes['src'] = opt_src || null;\n  fixedAttributes['srcdoc'] =\n      opt_srcdoc && goog.html.SafeHtml.unwrap(opt_srcdoc);\n  var defaultAttributes = {'sandbox': ''};\n  var attributes = goog.html.SafeHtml.combineAttributes(\n      fixedAttributes, defaultAttributes, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'iframe', attributes, opt_content);\n};\n\n\n/**\n * Creates a SafeHtml representing a sandboxed iframe tag.\n *\n * The sandbox attribute is enforced in its most restrictive mode, an empty\n * string. Consequently, the security requirements for the src and srcdoc\n * attributes are relaxed compared to SafeHtml.createIframe. This function\n * will throw on browsers that do not support the sandbox attribute, as\n * determined by SafeHtml.canUseSandboxIframe.\n *\n * The SafeHtml returned by this function can trigger downloads with no\n * user interaction on Chrome (though only a few, further attempts are blocked).\n * Firefox and IE will block all downloads from the sandbox.\n *\n * @see https://developer.mozilla.org/en/docs/Web/HTML/Element/iframe#attr-sandbox\n * @see https://lists.w3.org/Archives/Public/public-whatwg-archive/2013Feb/0112.html\n *\n * @param {string|!goog.html.SafeUrl=} opt_src The value of the src\n *     attribute. If null or undefined src will not be set.\n * @param {string=} opt_srcdoc The value of the srcdoc attribute.\n *     If null or undefined srcdoc will not be set. Will not be sanitized.\n * @param {!Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes\n *     the attribute to be omitted.\n * @param {!goog.html.SafeHtml.TextOrHtml_|\n *     !Array<!goog.html.SafeHtml.TextOrHtml_>=} opt_content Content to\n *     HTML-escape and put inside the tag. Array elements are concatenated.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid tag name, attribute name, or attribute value is\n *     provided. If opt_attributes contains the src, srcdoc or sandbox\n *     attributes. If browser does not support the sandbox attribute on iframe.\n */\ngoog.html.SafeHtml.createSandboxIframe = function(\n    opt_src, opt_srcdoc, opt_attributes, opt_content) {\n  if (!goog.html.SafeHtml.canUseSandboxIframe()) {\n    throw new Error(\n        goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n            'The browser does not support sandboxed iframes.' :\n            '');\n  }\n\n  var fixedAttributes = {};\n  if (opt_src) {\n    // Note that sanitize is a no-op on SafeUrl.\n    fixedAttributes['src'] =\n        goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(opt_src));\n  } else {\n    fixedAttributes['src'] = null;\n  }\n  fixedAttributes['srcdoc'] = opt_srcdoc || null;\n  fixedAttributes['sandbox'] = '';\n  var attributes =\n      goog.html.SafeHtml.combineAttributes(fixedAttributes, {}, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'iframe', attributes, opt_content);\n};\n\n\n/**\n * Checks if the user agent supports sandboxed iframes.\n * @return {boolean}\n */\ngoog.html.SafeHtml.canUseSandboxIframe = function() {\n  return goog.global['HTMLIFrameElement'] &&\n      ('sandbox' in goog.global['HTMLIFrameElement'].prototype);\n};\n\n\n/**\n * Creates a SafeHtml representing a script tag with the src attribute.\n * @param {!goog.html.TrustedResourceUrl} src The value of the src\n * attribute.\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=}\n * opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined\n *     causes the attribute to be omitted.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid attribute name or value is provided. If\n *     opt_attributes contains the src attribute.\n */\ngoog.html.SafeHtml.createScriptSrc = function(src, opt_attributes) {\n  // TODO(mlourenco): The charset attribute should probably be blocked. If\n  // its value is attacker controlled, the script contains attacker controlled\n  // sub-strings (even if properly escaped) and the server does not set charset\n  // then XSS is likely possible.\n  // https://html.spec.whatwg.org/multipage/scripting.html#dom-script-charset\n\n  // Check whether this is really TrustedResourceUrl.\n  goog.html.TrustedResourceUrl.unwrap(src);\n\n  var fixedAttributes = {'src': src};\n  var defaultAttributes = {};\n  var attributes = goog.html.SafeHtml.combineAttributes(\n      fixedAttributes, defaultAttributes, opt_attributes);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'script', attributes);\n};\n\n\n/**\n * Creates a SafeHtml representing a script tag. Does not allow the language,\n * src, text or type attributes to be set.\n * @param {!goog.html.SafeScript|!Array<!goog.html.SafeScript>}\n *     script Content to put inside the tag. Array elements are\n *     concatenated.\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes\n *     the attribute to be omitted.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid attribute name or attribute value is provided. If\n *     opt_attributes contains the language, src, text or type attribute.\n */\ngoog.html.SafeHtml.createScript = function(script, opt_attributes) {\n  for (var attr in opt_attributes) {\n    var attrLower = attr.toLowerCase();\n    if (attrLower == 'language' || attrLower == 'src' || attrLower == 'text' ||\n        attrLower == 'type') {\n      throw new Error(\n          goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n              'Cannot set \"' + attrLower + '\" attribute' :\n              '');\n    }\n  }\n\n  var content = '';\n  script = goog.array.concat(script);\n  for (var i = 0; i < script.length; i++) {\n    content += goog.html.SafeScript.unwrap(script[i]);\n  }\n  // Convert to SafeHtml so that it's not HTML-escaped. This is safe because\n  // as part of its contract, SafeScript should have no dangerous '<'.\n  var htmlContent =\n      goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\n          content, goog.i18n.bidi.Dir.NEUTRAL);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'script', opt_attributes, htmlContent);\n};\n\n\n/**\n * Creates a SafeHtml representing a style tag. The type attribute is set\n * to \"text/css\".\n * @param {!goog.html.SafeStyleSheet|!Array<!goog.html.SafeStyleSheet>}\n *     styleSheet Content to put inside the tag. Array elements are\n *     concatenated.\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeValue>=} opt_attributes\n *     Mapping from attribute names to their values. Only attribute names\n *     consisting of [a-zA-Z0-9-] are allowed. Value of null or undefined causes\n *     the attribute to be omitted.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n * @throws {Error} If invalid attribute name or attribute value is provided. If\n *     opt_attributes contains the type attribute.\n */\ngoog.html.SafeHtml.createStyle = function(styleSheet, opt_attributes) {\n  var fixedAttributes = {'type': 'text/css'};\n  var defaultAttributes = {};\n  var attributes = goog.html.SafeHtml.combineAttributes(\n      fixedAttributes, defaultAttributes, opt_attributes);\n\n  var content = '';\n  styleSheet = goog.array.concat(styleSheet);\n  for (var i = 0; i < styleSheet.length; i++) {\n    content += goog.html.SafeStyleSheet.unwrap(styleSheet[i]);\n  }\n  // Convert to SafeHtml so that it's not HTML-escaped. This is safe because\n  // as part of its contract, SafeStyleSheet should have no dangerous '<'.\n  var htmlContent =\n      goog.html.SafeHtml.createSafeHtmlSecurityPrivateDoNotAccessOrElse(\n          content, goog.i18n.bidi.Dir.NEUTRAL);\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'style', attributes, htmlContent);\n};\n\n\n/**\n * Creates a SafeHtml representing a meta refresh tag.\n * @param {!goog.html.SafeUrl|string} url Where to redirect. If a string is\n *     passed, it will be sanitized with SafeUrl.sanitize().\n * @param {number=} opt_secs Number of seconds until the page should be\n *     reloaded. Will be set to 0 if unspecified.\n * @return {!goog.html.SafeHtml} The SafeHtml content with the tag.\n */\ngoog.html.SafeHtml.createMetaRefresh = function(url, opt_secs) {\n\n  // Note that sanitize is a no-op on SafeUrl.\n  var unwrappedUrl = goog.html.SafeUrl.unwrap(goog.html.SafeUrl.sanitize(url));\n\n  if (goog.labs.userAgent.browser.isIE() ||\n      goog.labs.userAgent.browser.isEdge()) {\n    // IE/EDGE can't parse the content attribute if the url contains a\n    // semicolon. We can fix this by adding quotes around the url, but then we\n    // can't parse quotes in the URL correctly. Also, it seems that IE/EDGE\n    // did not unescape semicolons in these URLs at some point in the past. We\n    // take a best-effort approach.\n    //\n    // If the URL has semicolons (which may happen in some cases, see\n    // http://www.w3.org/TR/1999/REC-html401-19991224/appendix/notes.html#h-B.2\n    // for instance), wrap it in single quotes to protect the semicolons.\n    // If the URL has semicolons and single quotes, url-encode the single quotes\n    // as well.\n    //\n    // This is imperfect. Notice that both ' and ; are reserved characters in\n    // URIs, so this could do the wrong thing, but at least it will do the wrong\n    // thing in only rare cases.\n    if (goog.string.internal.contains(unwrappedUrl, ';')) {\n      unwrappedUrl = \"'\" + unwrappedUrl.replace(/'/g, '%27') + \"'\";\n    }\n  }\n  var attributes = {\n    'http-equiv': 'refresh',\n    'content': (opt_secs || 0) + '; url=' + unwrappedUrl\n  };\n\n  // This function will handle the HTML escaping for attributes.\n  return goog.html.SafeHtml.createSafeHtmlTagSecurityPrivateDoNotAccessOrElse(\n      'meta', attributes);\n};\n\n\n/**\n * @param {string} tagName The tag name.\n * @param {string} name The attribute name.\n * @param {!goog.html.SafeHtml.AttributeValue} value The attribute value.\n * @return {string} A \"name=value\" string.\n * @throws {Error} If attribute value is unsafe for the given tag and attribute.\n * @private\n */\ngoog.html.SafeHtml.getAttrNameAndValue_ = function(tagName, name, value) {\n  // If it's goog.string.Const, allow any valid attribute name.\n  if (value instanceof goog.string.Const) {\n    value = goog.string.Const.unwrap(value);\n  } else if (name.toLowerCase() == 'style') {\n    if (goog.html.SafeHtml.SUPPORT_STYLE_ATTRIBUTE) {\n      value = goog.html.SafeHtml.getStyleValue_(value);\n    } else {\n      throw new Error(\n          goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n              'Attribute \"style\" not supported.' :\n              '');\n    }\n  } else if (/^on/i.test(name)) {\n    // TODO(jakubvrana): Disallow more attributes with a special meaning.\n    throw new Error(\n        goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ? 'Attribute \"' + name +\n                '\" requires goog.string.Const value, \"' + value + '\" given.' :\n                                                   '');\n    // URL attributes handled differently according to tag.\n  } else if (name.toLowerCase() in goog.html.SafeHtml.URL_ATTRIBUTES_) {\n    if (value instanceof goog.html.TrustedResourceUrl) {\n      value = goog.html.TrustedResourceUrl.unwrap(value);\n    } else if (value instanceof goog.html.SafeUrl) {\n      value = goog.html.SafeUrl.unwrap(value);\n    } else if (typeof value === 'string') {\n      value = goog.html.SafeUrl.sanitize(value).getTypedStringValue();\n    } else {\n      throw new Error(\n          goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n              'Attribute \"' + name + '\" on tag \"' + tagName +\n                  '\" requires goog.html.SafeUrl, goog.string.Const, or' +\n                  ' string, value \"' + value + '\" given.' :\n              '');\n    }\n  }\n\n  // Accept SafeUrl, TrustedResourceUrl, etc. for attributes which only require\n  // HTML-escaping.\n  if (value.implementsGoogStringTypedString) {\n    // Ok to call getTypedStringValue() since there's no reliance on the type\n    // contract for security here.\n    value =\n        /** @type {!goog.string.TypedString} */ (value).getTypedStringValue();\n  }\n\n  goog.asserts.assert(\n      typeof value === 'string' || typeof value === 'number',\n      'String or number value expected, got ' + (typeof value) +\n          ' with value: ' + value);\n  return name + '=\"' + goog.string.internal.htmlEscape(String(value)) + '\"';\n};\n\n\n/**\n * Gets value allowed in \"style\" attribute.\n * @param {!goog.html.SafeHtml.AttributeValue} value It could be SafeStyle or a\n *     map which will be passed to goog.html.SafeStyle.create.\n * @return {string} Unwrapped value.\n * @throws {Error} If string value is given.\n * @private\n */\ngoog.html.SafeHtml.getStyleValue_ = function(value) {\n  if (!goog.isObject(value)) {\n    throw new Error(\n        goog.html.SafeHtml.ENABLE_ERROR_MESSAGES ?\n            'The \"style\" attribute requires goog.html.SafeStyle or map ' +\n                'of style properties, ' + (typeof value) + ' given: ' + value :\n            '');\n  }\n  if (!(value instanceof goog.html.SafeStyle)) {\n    // Process the property bag into a style object.\n    value = goog.html.SafeStyle.create(value);\n  }\n  return goog.html.SafeStyle.unwrap(value);\n};\n\n\n/**\n * Creates a SafeHtml content with known directionality consisting of a tag with\n * optional attributes and optional content.\n * @param {!goog.i18n.bidi.Dir} dir Directionality.\n * @param {string} tagName\n * @param {?Object<string, ?goog.html.SafeHtml.AttributeV