create-expo-cljs-app
Version:
Create a react native application with Expo and Shadow-CLJS!
1 lines • 65.6 kB
JavaScript
["^ ","~:resource-id",["~:shadow.build.classpath/resource","goog/html/safestyle.js"],"~:js","goog.provide(\"goog.html.SafeStyle\");\ngoog.require(\"goog.array\");\ngoog.require(\"goog.asserts\");\ngoog.require(\"goog.html.SafeUrl\");\ngoog.require(\"goog.string.Const\");\ngoog.require(\"goog.string.TypedString\");\ngoog.require(\"goog.string.internal\");\ngoog.html.SafeStyle = function() {\n this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = \"\";\n this.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;\n};\ngoog.html.SafeStyle.prototype.implementsGoogStringTypedString = true;\ngoog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};\ngoog.html.SafeStyle.fromConstant = function(style) {\n var styleString = goog.string.Const.unwrap(style);\n if (styleString.length === 0) {\n return goog.html.SafeStyle.EMPTY;\n }\n goog.asserts.assert(goog.string.internal.endsWith(styleString, \";\"), \"Last character of style string is not ';': \" + styleString);\n goog.asserts.assert(goog.string.internal.contains(styleString, \":\"), \"Style string must contain at least one ':', to \" + 'specify a \"name: value\" pair: ' + styleString);\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(styleString);\n};\ngoog.html.SafeStyle.prototype.getTypedStringValue = function() {\n return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n};\nif (goog.DEBUG) {\n goog.html.SafeStyle.prototype.toString = function() {\n return \"SafeStyle{\" + this.privateDoNotAccessOrElseSafeStyleWrappedValue_ + \"}\";\n };\n}\ngoog.html.SafeStyle.unwrap = function(safeStyle) {\n if (safeStyle instanceof goog.html.SafeStyle && safeStyle.constructor === goog.html.SafeStyle && safeStyle.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ === goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {\n return safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n } else {\n goog.asserts.fail(\"expected object of type SafeStyle, got '\" + safeStyle + \"' of type \" + goog.typeOf(safeStyle));\n return \"type_error:SafeStyle\";\n }\n};\ngoog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse = function(style) {\n return (new goog.html.SafeStyle).initSecurityPrivateDoNotAccessOrElse_(style);\n};\ngoog.html.SafeStyle.prototype.initSecurityPrivateDoNotAccessOrElse_ = function(style) {\n this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = style;\n return this;\n};\ngoog.html.SafeStyle.EMPTY = goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\"\");\ngoog.html.SafeStyle.INNOCUOUS_STRING = \"zClosurez\";\ngoog.html.SafeStyle.PropertyValue;\ngoog.html.SafeStyle.PropertyMap;\ngoog.html.SafeStyle.create = function(map) {\n var style = \"\";\n for (var name in map) {\n if (!/^[-_a-zA-Z0-9]+$/.test(name)) {\n throw new Error(\"Name allows only [-_a-zA-Z0-9], got: \" + name);\n }\n var value = map[name];\n if (value == null) {\n continue;\n }\n if (goog.isArray(value)) {\n value = goog.array.map(value, goog.html.SafeStyle.sanitizePropertyValue_).join(\" \");\n } else {\n value = goog.html.SafeStyle.sanitizePropertyValue_(value);\n }\n style += name + \":\" + value + \";\";\n }\n if (!style) {\n return goog.html.SafeStyle.EMPTY;\n }\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);\n};\ngoog.html.SafeStyle.sanitizePropertyValue_ = function(value) {\n if (value instanceof goog.html.SafeUrl) {\n var url = goog.html.SafeUrl.unwrap(value);\n return 'url(\"' + url.replace(/</g, \"%3c\").replace(/[\\\\\"]/g, \"\\\\$\\x26\") + '\")';\n }\n var result = value instanceof goog.string.Const ? goog.string.Const.unwrap(value) : goog.html.SafeStyle.sanitizePropertyValueString_(String(value));\n if (/[{;}]/.test(result)) {\n throw new goog.asserts.AssertionError(\"Value does not allow [{;}], got: %s.\", [result]);\n }\n return result;\n};\ngoog.html.SafeStyle.sanitizePropertyValueString_ = function(value) {\n var valueWithoutFunctions = value.replace(goog.html.SafeStyle.FUNCTIONS_RE_, \"$1\").replace(goog.html.SafeStyle.FUNCTIONS_RE_, \"$1\").replace(goog.html.SafeStyle.URL_RE_, \"url\");\n if (!goog.html.SafeStyle.VALUE_RE_.test(valueWithoutFunctions)) {\n goog.asserts.fail(\"String value allows only \" + goog.html.SafeStyle.VALUE_ALLOWED_CHARS_ + \" and simple functions, got: \" + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else {\n if (goog.html.SafeStyle.COMMENT_RE_.test(value)) {\n goog.asserts.fail(\"String value disallows comments, got: \" + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else {\n if (!goog.html.SafeStyle.hasBalancedQuotes_(value)) {\n goog.asserts.fail(\"String value requires balanced quotes, got: \" + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else {\n if (!goog.html.SafeStyle.hasBalancedSquareBrackets_(value)) {\n goog.asserts.fail(\"String value requires balanced square brackets and one\" + \" identifier per pair of brackets, got: \" + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n }\n }\n }\n }\n return goog.html.SafeStyle.sanitizeUrl_(value);\n};\ngoog.html.SafeStyle.hasBalancedQuotes_ = function(value) {\n var outsideSingle = true;\n var outsideDouble = true;\n for (var i = 0; i < value.length; i++) {\n var c = value.charAt(i);\n if (c == \"'\" && outsideDouble) {\n outsideSingle = !outsideSingle;\n } else {\n if (c == '\"' && outsideSingle) {\n outsideDouble = !outsideDouble;\n }\n }\n }\n return outsideSingle && outsideDouble;\n};\ngoog.html.SafeStyle.hasBalancedSquareBrackets_ = function(value) {\n var outside = true;\n var tokenRe = /^[-_a-zA-Z0-9]$/;\n for (var i = 0; i < value.length; i++) {\n var c = value.charAt(i);\n if (c == \"]\") {\n if (outside) {\n return false;\n }\n outside = true;\n } else {\n if (c == \"[\") {\n if (!outside) {\n return false;\n }\n outside = false;\n } else {\n if (!outside && !tokenRe.test(c)) {\n return false;\n }\n }\n }\n }\n return outside;\n};\ngoog.html.SafeStyle.VALUE_ALLOWED_CHARS_ = \"[-,.\\\"'%_!# a-zA-Z0-9\\\\[\\\\]]\";\ngoog.html.SafeStyle.VALUE_RE_ = new RegExp(\"^\" + goog.html.SafeStyle.VALUE_ALLOWED_CHARS_ + \"+$\");\ngoog.html.SafeStyle.URL_RE_ = new RegExp(\"\\\\b(url\\\\([ \\t\\n]*)(\" + \"'[ -\\x26(-\\\\[\\\\]-~]*'\" + '|\"[ !#-\\\\[\\\\]-~]*\"' + \"|[!#-\\x26*-\\\\[\\\\]-~]*\" + \")([ \\t\\n]*\\\\))\", \"g\");\ngoog.html.SafeStyle.ALLOWED_FUNCTIONS_ = [\"calc\", \"cubic-bezier\", \"fit-content\", \"hsl\", \"hsla\", \"matrix\", \"minmax\", \"repeat\", \"rgb\", \"rgba\", \"(rotate|scale|translate)(X|Y|Z|3d)?\", ];\ngoog.html.SafeStyle.FUNCTIONS_RE_ = new RegExp(\"\\\\b(\" + goog.html.SafeStyle.ALLOWED_FUNCTIONS_.join(\"|\") + \")\" + \"\\\\([-+*/0-9a-z.%\\\\[\\\\], ]+\\\\)\", \"g\");\ngoog.html.SafeStyle.COMMENT_RE_ = /\\/\\*/;\ngoog.html.SafeStyle.sanitizeUrl_ = function(value) {\n return value.replace(goog.html.SafeStyle.URL_RE_, function(match, before, url, after) {\n var quote = \"\";\n url = url.replace(/^(['\"])(.*)\\1$/, function(match, start, inside) {\n quote = start;\n return inside;\n });\n var sanitized = goog.html.SafeUrl.sanitize(url).getTypedStringValue();\n return before + quote + sanitized + quote + after;\n });\n};\ngoog.html.SafeStyle.concat = function(var_args) {\n var style = \"\";\n var addArgument = function(argument) {\n if (goog.isArray(argument)) {\n goog.array.forEach(argument, addArgument);\n } else {\n style += goog.html.SafeStyle.unwrap(argument);\n }\n };\n goog.array.forEach(arguments, addArgument);\n if (!style) {\n return goog.html.SafeStyle.EMPTY;\n }\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(style);\n};\n","~:source","// Copyright 2014 The Closure Library Authors. All Rights Reserved.\n//\n// Licensed under the Apache License, Version 2.0 (the \"License\");\n// you may not use this file except in compliance with the License.\n// You may obtain a copy of the License at\n//\n// http://www.apache.org/licenses/LICENSE-2.0\n//\n// Unless required by applicable law or agreed to in writing, software\n// distributed under the License is distributed on an \"AS-IS\" BASIS,\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\n// See the License for the specific language governing permissions and\n// limitations under the License.\n\n/**\n * @fileoverview The SafeStyle type and its builders.\n *\n * TODO(xtof): Link to document stating type contract.\n */\n\ngoog.provide('goog.html.SafeStyle');\n\ngoog.require('goog.array');\ngoog.require('goog.asserts');\ngoog.require('goog.html.SafeUrl');\ngoog.require('goog.string.Const');\ngoog.require('goog.string.TypedString');\ngoog.require('goog.string.internal');\n\n\n\n/**\n * A string-like object which represents a sequence of CSS declarations\n * ({@code propertyName1: propertyvalue1; propertyName2: propertyValue2; ...})\n * and that carries the security type contract that its value, as a string,\n * will not cause untrusted script execution (XSS) when evaluated as CSS in a\n * browser.\n *\n * Instances of this type must be created via the factory methods\n * (`goog.html.SafeStyle.create` or\n * `goog.html.SafeStyle.fromConstant`) and not by invoking its\n * constructor. The constructor intentionally takes no parameters and the type\n * is immutable; hence only a default instance corresponding to the empty string\n * can be obtained via constructor invocation.\n *\n * SafeStyle's string representation can safely be:\n * <ul>\n * <li>Interpolated as the content of a *quoted* HTML style attribute.\n * However, the SafeStyle string *must be HTML-attribute-escaped* before\n * interpolation.\n * <li>Interpolated as the content of a {}-wrapped block within a stylesheet.\n * '<' characters in the SafeStyle string *must be CSS-escaped* before\n * interpolation. The SafeStyle string is also guaranteed not to be able\n * to introduce new properties or elide existing ones.\n * <li>Interpolated as the content of a {}-wrapped block within an HTML\n * <style> element. '<' characters in the SafeStyle string\n * *must be CSS-escaped* before interpolation.\n * <li>Assigned to the style property of a DOM node. The SafeStyle string\n * should not be escaped before being assigned to the property.\n * </ul>\n *\n * A SafeStyle may never contain literal angle brackets. Otherwise, it could\n * be unsafe to place a SafeStyle into a <style> tag (where it can't\n * be HTML escaped). For example, if the SafeStyle containing\n * \"{@code font: 'foo <style/><script>evil</script>'}\" were\n * interpolated within a <style> tag, this would then break out of the\n * style context into HTML.\n *\n * A SafeStyle may contain literal single or double quotes, and as such the\n * entire style string must be escaped when used in a style attribute (if\n * this were not the case, the string could contain a matching quote that\n * would escape from the style attribute).\n *\n * Values of this type must be composable, i.e. for any two values\n * `style1` and `style2` of this type,\n * {@code goog.html.SafeStyle.unwrap(style1) +\n * goog.html.SafeStyle.unwrap(style2)} must itself be a value that satisfies\n * the SafeStyle type constraint. This requirement implies that for any value\n * `style` of this type, `goog.html.SafeStyle.unwrap(style)` must\n * not end in a \"property value\" or \"property name\" context. For example,\n * a value of {@code background:url(\"} or {@code font-} would not satisfy the\n * SafeStyle contract. This is because concatenating such strings with a\n * second value that itself does not contain unsafe CSS can result in an\n * overall string that does. For example, if {@code javascript:evil())\"} is\n * appended to {@code background:url(\"}, the resulting string may result in\n * the execution of a malicious script.\n *\n * TODO(mlourenco): Consider whether we should implement UTF-8 interchange\n * validity checks and blacklisting of newlines (including Unicode ones) and\n * other whitespace characters (\\t, \\f). Document here if so and also update\n * SafeStyle.fromConstant().\n *\n * The following example values comply with this type's contract:\n * <ul>\n * <li><pre>width: 1em;</pre>\n * <li><pre>height:1em;</pre>\n * <li><pre>width: 1em;height: 1em;</pre>\n * <li><pre>background:url('http://url');</pre>\n * </ul>\n * In addition, the empty string is safe for use in a CSS attribute.\n *\n * The following example values do NOT comply with this type's contract:\n * <ul>\n * <li><pre>background: red</pre> (missing a trailing semi-colon)\n * <li><pre>background:</pre> (missing a value and a trailing semi-colon)\n * <li><pre>1em</pre> (missing an attribute name, which provides context for\n * the value)\n * </ul>\n *\n * @see goog.html.SafeStyle#create\n * @see goog.html.SafeStyle#fromConstant\n * @see http://www.w3.org/TR/css3-syntax/\n * @constructor\n * @final\n * @struct\n * @implements {goog.string.TypedString}\n */\ngoog.html.SafeStyle = function() {\n /**\n * The contained value of this SafeStyle. The field has a purposely\n * ugly name to make (non-compiled) code that attempts to directly access this\n * field stand out.\n * @private {string}\n */\n this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = '';\n\n /**\n * A type marker used to implement additional run-time type checking.\n * @see goog.html.SafeStyle#unwrap\n * @const {!Object}\n * @private\n */\n this.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =\n goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;\n};\n\n\n/**\n * @override\n * @const\n */\ngoog.html.SafeStyle.prototype.implementsGoogStringTypedString = true;\n\n\n/**\n * Type marker for the SafeStyle type, used to implement additional\n * run-time type checking.\n * @const {!Object}\n * @private\n */\ngoog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};\n\n\n/**\n * Creates a SafeStyle object from a compile-time constant string.\n *\n * `style` should be in the format\n * {@code name: value; [name: value; ...]} and must not have any < or >\n * characters in it. This is so that SafeStyle's contract is preserved,\n * allowing the SafeStyle to correctly be interpreted as a sequence of CSS\n * declarations and without affecting the syntactic structure of any\n * surrounding CSS and HTML.\n *\n * This method performs basic sanity checks on the format of `style`\n * but does not constrain the format of `name` and `value`, except\n * for disallowing tag characters.\n *\n * @param {!goog.string.Const} style A compile-time-constant string from which\n * to create a SafeStyle.\n * @return {!goog.html.SafeStyle} A SafeStyle object initialized to\n * `style`.\n */\ngoog.html.SafeStyle.fromConstant = function(style) {\n var styleString = goog.string.Const.unwrap(style);\n if (styleString.length === 0) {\n return goog.html.SafeStyle.EMPTY;\n }\n goog.asserts.assert(\n goog.string.internal.endsWith(styleString, ';'),\n 'Last character of style string is not \\';\\': ' + styleString);\n goog.asserts.assert(\n goog.string.internal.contains(styleString, ':'),\n 'Style string must contain at least one \\':\\', to ' +\n 'specify a \"name: value\" pair: ' + styleString);\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\n styleString);\n};\n\n\n/**\n * Returns this SafeStyle's value as a string.\n *\n * IMPORTANT: In code where it is security relevant that an object's type is\n * indeed `SafeStyle`, use `goog.html.SafeStyle.unwrap` instead of\n * this method. If in doubt, assume that it's security relevant. In particular,\n * note that goog.html functions which return a goog.html type do not guarantee\n * the returned instance is of the right type. For example:\n *\n * <pre>\n * var fakeSafeHtml = new String('fake');\n * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;\n * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);\n * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by\n * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml\n * // instanceof goog.html.SafeHtml.\n * </pre>\n *\n * @see goog.html.SafeStyle#unwrap\n * @override\n */\ngoog.html.SafeStyle.prototype.getTypedStringValue = function() {\n return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n};\n\n\nif (goog.DEBUG) {\n /**\n * Returns a debug string-representation of this value.\n *\n * To obtain the actual string value wrapped in a SafeStyle, use\n * `goog.html.SafeStyle.unwrap`.\n *\n * @see goog.html.SafeStyle#unwrap\n * @override\n */\n goog.html.SafeStyle.prototype.toString = function() {\n return 'SafeStyle{' + this.privateDoNotAccessOrElseSafeStyleWrappedValue_ +\n '}';\n };\n}\n\n\n/**\n * Performs a runtime check that the provided object is indeed a\n * SafeStyle object, and returns its value.\n *\n * @param {!goog.html.SafeStyle} safeStyle The object to extract from.\n * @return {string} The safeStyle object's contained string, unless\n * the run-time type check fails. In that case, `unwrap` returns an\n * innocuous string, or, if assertions are enabled, throws\n * `goog.asserts.AssertionError`.\n */\ngoog.html.SafeStyle.unwrap = function(safeStyle) {\n // Perform additional Run-time type-checking to ensure that\n // safeStyle is indeed an instance of the expected type. This\n // provides some additional protection against security bugs due to\n // application code that disables type checks.\n // Specifically, the following checks are performed:\n // 1. The object is an instance of the expected type.\n // 2. The object is not an instance of a subclass.\n // 3. The object carries a type marker for the expected type. \"Faking\" an\n // object requires a reference to the type marker, which has names intended\n // to stand out in code reviews.\n if (safeStyle instanceof goog.html.SafeStyle &&\n safeStyle.constructor === goog.html.SafeStyle &&\n safeStyle.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ ===\n goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_) {\n return safeStyle.privateDoNotAccessOrElseSafeStyleWrappedValue_;\n } else {\n goog.asserts.fail('expected object of type SafeStyle, got \\'' +\n safeStyle + '\\' of type ' + goog.typeOf(safeStyle));\n return 'type_error:SafeStyle';\n }\n};\n\n\n/**\n * Package-internal utility method to create SafeStyle instances.\n *\n * @param {string} style The string to initialize the SafeStyle object with.\n * @return {!goog.html.SafeStyle} The initialized SafeStyle object.\n * @package\n */\ngoog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse = function(\n style) {\n return new goog.html.SafeStyle().initSecurityPrivateDoNotAccessOrElse_(style);\n};\n\n\n/**\n * Called from createSafeStyleSecurityPrivateDoNotAccessOrElse(). This\n * method exists only so that the compiler can dead code eliminate static\n * fields (like EMPTY) when they're not accessed.\n * @param {string} style\n * @return {!goog.html.SafeStyle}\n * @private\n */\ngoog.html.SafeStyle.prototype.initSecurityPrivateDoNotAccessOrElse_ = function(\n style) {\n this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = style;\n return this;\n};\n\n\n/**\n * A SafeStyle instance corresponding to the empty string.\n * @const {!goog.html.SafeStyle}\n */\ngoog.html.SafeStyle.EMPTY =\n goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse('');\n\n\n/**\n * The innocuous string generated by goog.html.SafeStyle.create when passed\n * an unsafe value.\n * @const {string}\n */\ngoog.html.SafeStyle.INNOCUOUS_STRING = 'zClosurez';\n\n\n/**\n * A single property value.\n * @typedef {string|!goog.string.Const|!goog.html.SafeUrl}\n */\ngoog.html.SafeStyle.PropertyValue;\n\n\n/**\n * Mapping of property names to their values.\n * We don't support numbers even though some values might be numbers (e.g.\n * line-height or 0 for any length). The reason is that most numeric values need\n * units (e.g. '1px') and allowing numbers could cause users forgetting about\n * them.\n * @typedef {!Object<string, ?goog.html.SafeStyle.PropertyValue|\n * ?Array<!goog.html.SafeStyle.PropertyValue>>}\n */\ngoog.html.SafeStyle.PropertyMap;\n\n\n/**\n * Creates a new SafeStyle object from the properties specified in the map.\n * @param {goog.html.SafeStyle.PropertyMap} map Mapping of property names to\n * their values, for example {'margin': '1px'}. Names must consist of\n * [-_a-zA-Z0-9]. Values might be strings consisting of\n * [-,.'\"%_!# a-zA-Z0-9[\\]], where \", ', and [] must be properly balanced.\n * We also allow simple functions like rgb() and url() which sanitizes its\n * contents. Other values must be wrapped in goog.string.Const. URLs might\n * be passed as goog.html.SafeUrl which will be wrapped into url(\"\"). We\n * also support array whose elements are joined with ' '. Null value causes\n * skipping the property.\n * @return {!goog.html.SafeStyle}\n * @throws {Error} If invalid name is provided.\n * @throws {goog.asserts.AssertionError} If invalid value is provided. With\n * disabled assertions, invalid value is replaced by\n * goog.html.SafeStyle.INNOCUOUS_STRING.\n */\ngoog.html.SafeStyle.create = function(map) {\n var style = '';\n for (var name in map) {\n if (!/^[-_a-zA-Z0-9]+$/.test(name)) {\n throw new Error('Name allows only [-_a-zA-Z0-9], got: ' + name);\n }\n var value = map[name];\n if (value == null) {\n continue;\n }\n if (goog.isArray(value)) {\n value = goog.array.map(value, goog.html.SafeStyle.sanitizePropertyValue_)\n .join(' ');\n } else {\n value = goog.html.SafeStyle.sanitizePropertyValue_(value);\n }\n style += name + ':' + value + ';';\n }\n if (!style) {\n return goog.html.SafeStyle.EMPTY;\n }\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\n style);\n};\n\n\n/**\n * Checks and converts value to string.\n * @param {!goog.html.SafeStyle.PropertyValue} value\n * @return {string}\n * @private\n */\ngoog.html.SafeStyle.sanitizePropertyValue_ = function(value) {\n if (value instanceof goog.html.SafeUrl) {\n var url = goog.html.SafeUrl.unwrap(value);\n return 'url(\"' + url.replace(/</g, '%3c').replace(/[\\\\\"]/g, '\\\\$&') + '\")';\n }\n var result = value instanceof goog.string.Const ?\n goog.string.Const.unwrap(value) :\n goog.html.SafeStyle.sanitizePropertyValueString_(String(value));\n // These characters can be used to change context and we don't want that even\n // with const values.\n if (/[{;}]/.test(result)) {\n throw new goog.asserts.AssertionError(\n 'Value does not allow [{;}], got: %s.', [result]);\n }\n return result;\n};\n\n\n/**\n * Checks string value.\n * @param {string} value\n * @return {string}\n * @private\n */\ngoog.html.SafeStyle.sanitizePropertyValueString_ = function(value) {\n // Some CSS property values permit nested functions. We allow one level of\n // nesting, and all nested functions must also be in the FUNCTIONS_RE_ list.\n var valueWithoutFunctions =\n value.replace(goog.html.SafeStyle.FUNCTIONS_RE_, '$1')\n .replace(goog.html.SafeStyle.FUNCTIONS_RE_, '$1')\n .replace(goog.html.SafeStyle.URL_RE_, 'url');\n if (!goog.html.SafeStyle.VALUE_RE_.test(valueWithoutFunctions)) {\n goog.asserts.fail(\n 'String value allows only ' + goog.html.SafeStyle.VALUE_ALLOWED_CHARS_ +\n ' and simple functions, got: ' + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else if (goog.html.SafeStyle.COMMENT_RE_.test(value)) {\n goog.asserts.fail('String value disallows comments, got: ' + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else if (!goog.html.SafeStyle.hasBalancedQuotes_(value)) {\n goog.asserts.fail('String value requires balanced quotes, got: ' + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n } else if (!goog.html.SafeStyle.hasBalancedSquareBrackets_(value)) {\n goog.asserts.fail(\n 'String value requires balanced square brackets and one' +\n ' identifier per pair of brackets, got: ' + value);\n return goog.html.SafeStyle.INNOCUOUS_STRING;\n }\n return goog.html.SafeStyle.sanitizeUrl_(value);\n};\n\n\n/**\n * Checks that quotes (\" and ') are properly balanced inside a string. Assumes\n * that neither escape (\\) nor any other character that could result in\n * breaking out of a string parsing context are allowed;\n * see http://www.w3.org/TR/css3-syntax/#string-token-diagram.\n * @param {string} value Untrusted CSS property value.\n * @return {boolean} True if property value is safe with respect to quote\n * balancedness.\n * @private\n */\ngoog.html.SafeStyle.hasBalancedQuotes_ = function(value) {\n var outsideSingle = true;\n var outsideDouble = true;\n for (var i = 0; i < value.length; i++) {\n var c = value.charAt(i);\n if (c == \"'\" && outsideDouble) {\n outsideSingle = !outsideSingle;\n } else if (c == '\"' && outsideSingle) {\n outsideDouble = !outsideDouble;\n }\n }\n return outsideSingle && outsideDouble;\n};\n\n\n/**\n * Checks that square brackets ([ and ]) are properly balanced inside a string,\n * and that the content in the square brackets is one ident-token;\n * see https://www.w3.org/TR/css-syntax-3/#ident-token-diagram.\n * For practicality, and in line with other restrictions posed on SafeStyle\n * strings, we restrict the character set allowable in the ident-token to\n * [-_a-zA-Z0-9].\n * @param {string} value Untrusted CSS property value.\n * @return {boolean} True if property value is safe with respect to square\n * bracket balancedness.\n * @private\n */\ngoog.html.SafeStyle.hasBalancedSquareBrackets_ = function(value) {\n var outside = true;\n var tokenRe = /^[-_a-zA-Z0-9]$/;\n for (var i = 0; i < value.length; i++) {\n var c = value.charAt(i);\n if (c == ']') {\n if (outside) return false; // Unbalanced ].\n outside = true;\n } else if (c == '[') {\n if (!outside) return false; // No nesting.\n outside = false;\n } else if (!outside && !tokenRe.test(c)) {\n return false;\n }\n }\n return outside;\n};\n\n\n/**\n * Characters allowed in goog.html.SafeStyle.VALUE_RE_.\n * @private {string}\n */\ngoog.html.SafeStyle.VALUE_ALLOWED_CHARS_ = '[-,.\"\\'%_!# a-zA-Z0-9\\\\[\\\\]]';\n\n\n/**\n * Regular expression for safe values.\n *\n * Quotes (\" and ') are allowed, but a check must be done elsewhere to ensure\n * they're balanced.\n *\n * Square brackets ([ and ]) are allowed, but a check must be done elsewhere\n * to ensure they're balanced. The content inside a pair of square brackets must\n * be one alphanumeric identifier.\n *\n * ',' allows multiple values to be assigned to the same property\n * (e.g. background-attachment or font-family) and hence could allow\n * multiple values to get injected, but that should pose no risk of XSS.\n *\n * The expression checks only for XSS safety, not for CSS validity.\n * @const {!RegExp}\n * @private\n */\ngoog.html.SafeStyle.VALUE_RE_ =\n new RegExp('^' + goog.html.SafeStyle.VALUE_ALLOWED_CHARS_ + '+$');\n\n\n/**\n * Regular expression for url(). We support URLs allowed by\n * https://www.w3.org/TR/css-syntax-3/#url-token-diagram without using escape\n * sequences. Use percent-encoding if you need to use special characters like\n * backslash.\n * @private @const {!RegExp}\n */\ngoog.html.SafeStyle.URL_RE_ = new RegExp(\n '\\\\b(url\\\\([ \\t\\n]*)(' +\n '\\'[ -&(-\\\\[\\\\]-~]*\\'' + // Printable characters except ' and \\.\n '|\"[ !#-\\\\[\\\\]-~]*\"' + // Printable characters except \" and \\.\n '|[!#-&*-\\\\[\\\\]-~]*' + // Printable characters except [ \"'()\\\\].\n ')([ \\t\\n]*\\\\))',\n 'g');\n\n/**\n * Names of functions allowed in FUNCTIONS_RE_.\n * @private @const {!Array<string>}\n */\ngoog.html.SafeStyle.ALLOWED_FUNCTIONS_ = [\n 'calc',\n 'cubic-bezier',\n 'fit-content',\n 'hsl',\n 'hsla',\n 'matrix',\n 'minmax',\n 'repeat',\n 'rgb',\n 'rgba',\n '(rotate|scale|translate)(X|Y|Z|3d)?',\n];\n\n\n/**\n * Regular expression for simple functions.\n * @private @const {!RegExp}\n */\ngoog.html.SafeStyle.FUNCTIONS_RE_ = new RegExp(\n '\\\\b(' + goog.html.SafeStyle.ALLOWED_FUNCTIONS_.join('|') + ')' +\n '\\\\([-+*/0-9a-z.%\\\\[\\\\], ]+\\\\)',\n 'g');\n\n\n/**\n * Regular expression for comments. These are disallowed in CSS property values.\n * @private @const {!RegExp}\n */\ngoog.html.SafeStyle.COMMENT_RE_ = /\\/\\*/;\n\n\n/**\n * Sanitize URLs inside url().\n *\n * NOTE: We could also consider using CSS.escape once that's available in the\n * browsers. However, loosely matching URL e.g. with url\\(.*\\) and then escaping\n * the contents would result in a slightly different language than CSS leading\n * to confusion of users. E.g. url(\")\") is valid in CSS but it would be invalid\n * as seen by our parser. On the other hand, url(\\) is invalid in CSS but our\n * parser would be fine with it.\n *\n * @param {string} value Untrusted CSS property value.\n * @return {string}\n * @private\n */\ngoog.html.SafeStyle.sanitizeUrl_ = function(value) {\n return value.replace(\n goog.html.SafeStyle.URL_RE_, function(match, before, url, after) {\n var quote = '';\n url = url.replace(/^(['\"])(.*)\\1$/, function(match, start, inside) {\n quote = start;\n return inside;\n });\n var sanitized = goog.html.SafeUrl.sanitize(url).getTypedStringValue();\n return before + quote + sanitized + quote + after;\n });\n};\n\n\n/**\n * Creates a new SafeStyle object by concatenating the values.\n * @param {...(!goog.html.SafeStyle|!Array<!goog.html.SafeStyle>)} var_args\n * SafeStyles to concatenate.\n * @return {!goog.html.SafeStyle}\n */\ngoog.html.SafeStyle.concat = function(var_args) {\n var style = '';\n\n /**\n * @param {!goog.html.SafeStyle|!Array<!goog.html.SafeStyle>} argument\n */\n var addArgument = function(argument) {\n if (goog.isArray(argument)) {\n goog.array.forEach(argument, addArgument);\n } else {\n style += goog.html.SafeStyle.unwrap(argument);\n }\n };\n\n goog.array.forEach(arguments, addArgument);\n if (!style) {\n return goog.html.SafeStyle.EMPTY;\n }\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\n style);\n};\n","~:compiled-at",1613924115764,"~:source-map-json","{\n\"version\":3,\n\"file\":\"goog.html.safestyle.js\",\n\"lineCount\":178,\n\"mappings\":\"AAoBAA,IAAA,CAAKC,OAAL,CAAa,qBAAb,CAAA;AAEAD,IAAA,CAAKE,OAAL,CAAa,YAAb,CAAA;AACAF,IAAA,CAAKE,OAAL,CAAa,cAAb,CAAA;AACAF,IAAA,CAAKE,OAAL,CAAa,mBAAb,CAAA;AACAF,IAAA,CAAKE,OAAL,CAAa,mBAAb,CAAA;AACAF,IAAA,CAAKE,OAAL,CAAa,yBAAb,CAAA;AACAF,IAAA,CAAKE,OAAL,CAAa,sBAAb,CAAA;AA0FAF,IAAA,CAAKG,IAAL,CAAUC,SAAV,GAAsBC,QAAQ,EAAG;AAO/B,MAAA,CAAKC,8CAAL,GAAsD,EAAtD;AAQA,MAAA,CAAKC,kDAAL,GACIP,IADJ,CACSG,IADT,CACcC,SADd,CACwBI,uCADxB;AAf+B,CAAjC;AAwBAR,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBK,SAApB,CAA8BC,+BAA9B,GAAgE,IAAhE;AASAV,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBI,uCAApB,GAA8D,EAA9D;AAsBAR,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBO,YAApB,GAAmCC,QAAQ,CAACC,KAAD,CAAQ;AACjD,MAAIC,cAAcd,IAAA,CAAKe,MAAL,CAAYC,KAAZ,CAAkBC,MAAlB,CAAyBJ,KAAzB,CAAlB;AACA,MAAIC,WAAJ,CAAgBI,MAAhB,KAA2B,CAA3B;AACE,WAAOlB,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2Be,KAA3B;AADF;AAGAnB,MAAA,CAAKoB,OAAL,CAAaC,MAAb,CACIrB,IAAA,CAAKe,MAAL,CAAYO,QAAZ,CAAqBC,QAArB,CAA8BT,WAA9B,EAA2C,GAA3C,CADJ,EAEI,6CAFJ,GAEsDA,WAFtD,CAAA;AAGAd,MAAA,CAAKoB,OAAL,CAAaC,MAAb,CACIrB,IAAA,CAAKe,MAAL,CAAYO,QAAZ,CAAqBE,QAArB,CAA8BV,WAA9B,EAA2C,GAA3C,CADJ,EAEI,iDAFJ,GAGQ,gCAHR,GAG2CA,WAH3C,CAAA;AAIA,SAAOd,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqB,+CAApB,CACHX,WADG,CAAP;AAZiD,CAAnD;AAsCAd,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBK,SAApB,CAA8BiB,mBAA9B,GAAoDC,QAAQ,EAAG;AAC7D,SAAO,IAAP,CAAYrB,8CAAZ;AAD6D,CAA/D;AAKA,IAAIN,IAAJ,CAAS4B,KAAT;AAUE5B,MAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBK,SAApB,CAA8BoB,QAA9B,GAAyCC,QAAQ,EAAG;AAClD,WAAO,YAAP,GAAsB,IAAtB,CAA2BxB,8CAA3B,GACI,GADJ;AADkD,GAApD;AAVF;AA2BAN,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBa,MAApB,GAA6Bc,QAAQ,CAACC,SAAD,CAAY;AAW/C,MAAIA,SAAJ,YAAyBhC,IAAzB,CAA8BG,IAA9B,CAAmCC,SAAnC,IACI4B,SADJ,CACcC,WADd,KAC8BjC,IAD9B,CACmCG,IADnC,CACwCC,SADxC,IAEI4B,SAFJ,CAEczB,kDAFd,KAGQP,IAHR,CAGaG,IAHb,CAGkBC,SAHlB,CAG4BI,uCAH5B;AAIE,WAAOwB,SAAP,CAAiB1B,8CAAjB;AAJF,QAKO;AACLN,QAAA,CAAKoB,OAAL,CAAac,IAAb,CAAkB,0CAAlB,GACIF,SADJ,GACgB,YADhB,GACgChC,IAAA,CAAKmC,MAAL,CAAYH,SAAZ,CADhC,CAAA;AAEA,WAAO,sBAAP;AAHK;AAhBwC,CAAjD;AA+BAhC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqB,+CAApB,GAAsEW,QAAQ,CAC1EvB,KAD0E,CACnE;AACT,SAAO,CAAA,IAAIb,IAAJ,CAASG,IAAT,CAAcC,SAAd,EAA0BiC,qCAA1B,CAAgExB,KAAhE,CAAP;AADS,CADX;AAcAb,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBK,SAApB,CAA8B4B,qCAA9B,GAAsEC,QAAQ,CAC1EzB,KAD0E,CACnE;AACT,MAAA,CAAKP,8CAAL,GAAsDO,KAAtD;AACA,SAAO,IAAP;AAFS,CADX;AAWAb,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBe,KAApB,GACInB,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqB,+CAApB,CAAoE,EAApE,CADJ;AASAzB,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBmC,gBAApB,GAAuC,WAAvC;AAOAvC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBoC,aAApB;AAYAxC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqC,WAApB;AAoBAzC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBsC,MAApB,GAA6BC,QAAQ,CAACC,GAAD,CAAM;AACzC,MAAI/B,QAAQ,EAAZ;AACA,OAAK,IAAIgC,IAAT,GAAiBD,IAAjB,CAAsB;AACpB,QAAI,CAAC,kBAAA,CAAmBE,IAAnB,CAAwBD,IAAxB,CAAL;AACE,YAAM,IAAIE,KAAJ,CAAU,uCAAV,GAAoDF,IAApD,CAAN;AADF;AAGA,QAAIG,QAAQJ,GAAA,CAAIC,IAAJ,CAAZ;AACA,QAAIG,KAAJ,IAAa,IAAb;AACE;AADF;AAGA,QAAIhD,IAAA,CAAKiD,OAAL,CAAaD,KAAb,CAAJ;AACEA,WAAA,GAAQhD,IAAA,CAAKkD,KAAL,CAAWN,GAAX,CAAeI,KAAf,EAAsBhD,IAAtB,CAA2BG,IAA3B,CAAgCC,SAAhC,CAA0C+C,sBAA1C,CAAA,CACKC,IADL,CACU,GADV,CAAR;AADF;AAIEJ,WAAA,GAAQhD,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB+C,sBAApB,CAA2CH,KAA3C,CAAR;AAJF;AAMAnC,SAAA,IAASgC,IAAT,GAAgB,GAAhB,GAAsBG,KAAtB,GAA8B,GAA9B;AAdoB;AAgBtB,MAAI,CAACnC,KAAL;AACE,WAAOb,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2Be,KAA3B;AADF;AAGA,SAAOnB,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqB,+CAApB,CACHZ,KADG,CAAP;AArByC,CAA3C;AAgCAb,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB+C,sBAApB,GAA6CE,QAAQ,CAACL,KAAD,CAAQ;AAC3D,MAAIA,KAAJ,YAAqBhD,IAArB,CAA0BG,IAA1B,CAA+BmD,OAA/B,CAAwC;AACtC,QAAIC,MAAMvD,IAAA,CAAKG,IAAL,CAAUmD,OAAV,CAAkBrC,MAAlB,CAAyB+B,KAAzB,CAAV;AACA,WAAO,OAAP,GAAiBO,GAAA,CAAIC,OAAJ,CAAY,IAAZ,EAAkB,KAAlB,CAAA,CAAyBA,OAAzB,CAAiC,QAAjC,EAA2C,SAA3C,CAAjB,GAAsE,IAAtE;AAFsC;AAIxC,MAAIC,SAAST,KAAA,YAAiBhD,IAAjB,CAAsBe,MAAtB,CAA6BC,KAA7B,GACThB,IAAA,CAAKe,MAAL,CAAYC,KAAZ,CAAkBC,MAAlB,CAAyB+B,KAAzB,CADS,GAEThD,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBsD,4BAApB,CAAiDC,MAAA,CAAOX,KAAP,CAAjD,CAFJ;AAKA,MAAI,OAAA,CAAQF,IAAR,CAAaW,MAAb,CAAJ;AACE,UAAM,IAAIzD,IAAJ,CAASoB,OAAT,CAAiBwC,cAAjB,CACF,sCADE,EACsC,CAACH,MAAD,CADtC,CAAN;AADF;AAIA,SAAOA,MAAP;AAd2D,CAA7D;AAwBAzD,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBsD,4BAApB,GAAmDG,QAAQ,CAACb,KAAD,CAAQ;AAGjE,MAAIc,wBACAd,KAAA,CAAMQ,OAAN,CAAcxD,IAAd,CAAmBG,IAAnB,CAAwBC,SAAxB,CAAkC2D,aAAlC,EAAiD,IAAjD,CAAA,CACKP,OADL,CACaxD,IADb,CACkBG,IADlB,CACuBC,SADvB,CACiC2D,aADjC,EACgD,IADhD,CAAA,CAEKP,OAFL,CAEaxD,IAFb,CAEkBG,IAFlB,CAEuBC,SAFvB,CAEiC4D,OAFjC,EAE0C,KAF1C,CADJ;AAIA,MAAI,CAAChE,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB6D,SAApB,CAA8BnB,IAA9B,CAAmCgB,qBAAnC,CAAL,CAAgE;AAC9D9D,QAAA,CAAKoB,OAAL,CAAac,IAAb,CACI,2BADJ,GACkClC,IADlC,CACuCG,IADvC,CAC4CC,SAD5C,CACsD8D,oBADtD,GAEI,8BAFJ,GAEqClB,KAFrC,CAAA;AAGA,WAAOhD,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2BmC,gBAA3B;AAJ8D,GAAhE;AAKO,QAAIvC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB+D,WAApB,CAAgCrB,IAAhC,CAAqCE,KAArC,CAAJ,CAAiD;AACtDhD,UAAA,CAAKoB,OAAL,CAAac,IAAb,CAAkB,wCAAlB,GAA6Dc,KAA7D,CAAA;AACA,aAAOhD,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2BmC,gBAA3B;AAFsD,KAAjD;AAGA,UAAI,CAACvC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBgE,kBAApB,CAAuCpB,KAAvC,CAAL,CAAoD;AACzDhD,YAAA,CAAKoB,OAAL,CAAac,IAAb,CAAkB,8CAAlB,GAAmEc,KAAnE,CAAA;AACA,eAAOhD,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2BmC,gBAA3B;AAFyD,OAApD;AAGA,YAAI,CAACvC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBiE,0BAApB,CAA+CrB,KAA/C,CAAL,CAA4D;AACjEhD,cAAA,CAAKoB,OAAL,CAAac,IAAb,CACI,wDADJ,GAEI,yCAFJ,GAEgDc,KAFhD,CAAA;AAGA,iBAAOhD,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2BmC,gBAA3B;AAJiE;AAH5D;AAHA;AALP;AAiBA,SAAOvC,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBkE,YAApB,CAAiCtB,KAAjC,CAAP;AAxBiE,CAAnE;AAsCAhD,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBgE,kBAApB,GAAyCG,QAAQ,CAACvB,KAAD,CAAQ;AACvD,MAAIwB,gBAAgB,IAApB;AACA,MAAIC,gBAAgB,IAApB;AACA,OAAK,IAAIC,IAAI,CAAb,EAAgBA,CAAhB,GAAoB1B,KAApB,CAA0B9B,MAA1B,EAAkCwD,CAAA,EAAlC,CAAuC;AACrC,QAAIC,IAAI3B,KAAA,CAAM4B,MAAN,CAAaF,CAAb,CAAR;AACA,QAAIC,CAAJ,IAAS,GAAT,IAAgBF,aAAhB;AACED,mBAAA,GAAgB,CAACA,aAAjB;AADF;AAEO,UAAIG,CAAJ,IAAS,GAAT,IAAgBH,aAAhB;AACLC,qBAAA,GAAgB,CAACA,aAAjB;AADK;AAFP;AAFqC;AAQvC,SAAOD,aAAP,IAAwBC,aAAxB;AAXuD,CAAzD;AA2BAzE,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBiE,0BAApB,GAAiDQ,QAAQ,CAAC7B,KAAD,CAAQ;AAC/D,MAAI8B,UAAU,IAAd;AACA,MAAIC,UAAU,iBAAd;AACA,OAAK,IAAIL,IAAI,CAAb,EAAgBA,CAAhB,GAAoB1B,KAApB,CAA0B9B,MAA1B,EAAkCwD,CAAA,EAAlC,CAAuC;AACrC,QAAIC,IAAI3B,KAAA,CAAM4B,MAAN,CAAaF,CAAb,CAAR;AACA,QAAIC,CAAJ,IAAS,GAAT,CAAc;AACZ,UAAIG,OAAJ;AAAa,eAAO,KAAP;AAAb;AACAA,aAAA,GAAU,IAAV;AAFY,KAAd;AAGO,UAAIH,CAAJ,IAAS,GAAT,CAAc;AACnB,YAAI,CAACG,OAAL;AAAc,iBAAO,KAAP;AAAd;AACAA,eAAA,GAAU,KAAV;AAFmB,OAAd;AAGA,YAAI,CAACA,OAAL,IAAgB,CAACC,OAAA,CAAQjC,IAAR,CAAa6B,CAAb,CAAjB;AACL,iBAAO,KAAP;AADK;AAHA;AAHP;AAFqC;AAYvC,SAAOG,OAAP;AAf+D,CAAjE;AAuBA9E,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB8D,oBAApB,GAA2C,8BAA3C;AAqBAlE,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB6D,SAApB,GACI,IAAIe,MAAJ,CAAW,GAAX,GAAiBhF,IAAjB,CAAsBG,IAAtB,CAA2BC,SAA3B,CAAqC8D,oBAArC,GAA4D,IAA5D,CADJ;AAWAlE,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB4D,OAApB,GAA8B,IAAIgB,MAAJ,CAC1B,sBAD0B,GAEtB,uBAFsB,GAGtB,oBAHsB,GAItB,uBAJsB,GAKtB,gBALsB,EAM1B,GAN0B,CAA9B;AAYAhF,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB6E,kBAApB,GAAyC,CACvC,MADuC,EAEvC,cAFuC,EAGvC,aAHuC,EAIvC,KAJuC,EAKvC,MALuC,EAMvC,QANuC,EAOvC,QAPuC,EAQvC,QARuC,EASvC,KATuC,EAUvC,MAVuC,EAWvC,qCAXuC,GAAzC;AAmBAjF,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB2D,aAApB,GAAoC,IAAIiB,MAAJ,CAChC,MADgC,GACvBhF,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB6E,kBAApB,CAAuC7B,IAAvC,CAA4C,GAA5C,CADuB,GAC4B,GAD5B,GAE5B,+BAF4B,EAGhC,GAHgC,CAApC;AAUApD,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoB+D,WAApB,GAAkC,MAAlC;AAiBAnE,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBkE,YAApB,GAAmCY,QAAQ,CAAClC,KAAD,CAAQ;AACjD,SAAOA,KAAA,CAAMQ,OAAN,CACHxD,IADG,CACEG,IADF,CACOC,SADP,CACiB4D,OADjB,EAC0B,QAAQ,CAACmB,KAAD,EAAQC,MAAR,EAAgB7B,GAAhB,EAAqB8B,KAArB,CAA4B;AAC/D,QAAIC,QAAQ,EAAZ;AACA/B,OAAA,GAAMA,GAAA,CAAIC,OAAJ,CAAY,gBAAZ,EAA8B,QAAQ,CAAC2B,KAAD,EAAQI,KAAR,EAAeC,MAAf,CAAuB;AACjEF,WAAA,GAAQC,KAAR;AACA,aAAOC,MAAP;AAFiE,KAA7D,CAAN;AAIA,QAAIC,YAAYzF,IAAA,CAAKG,IAAL,CAAUmD,OAAV,CAAkBoC,QAAlB,CAA2BnC,GAA3B,CAAA,CAAgC7B,mBAAhC,EAAhB;AACA,WAAO0D,MAAP,GAAgBE,KAAhB,GAAwBG,SAAxB,GAAoCH,KAApC,GAA4CD,KAA5C;AAP+D,GAD9D,CAAP;AADiD,CAAnD;AAoBArF,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBuF,MAApB,GAA6BC,QAAQ,CAACC,QAAD,CAAW;AAC9C,MAAIhF,QAAQ,EAAZ;AAKA,MAAIiF,cAAcA,QAAQ,CAACC,QAAD,CAAW;AACnC,QAAI/F,IAAA,CAAKiD,OAAL,CAAa8C,QAAb,CAAJ;AACE/F,UAAA,CAAKkD,KAAL,CAAW8C,OAAX,CAAmBD,QAAnB,EAA6BD,WAA7B,CAAA;AADF;AAGEjF,WAAA,IAASb,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBa,MAApB,CAA2B8E,QAA3B,CAAT;AAHF;AADmC,GAArC;AAQA/F,MAAA,CAAKkD,KAAL,CAAW8C,OAAX,CAAmBC,SAAnB,EAA8BH,WAA9B,CAAA;AACA,MAAI,CAACjF,KAAL;AACE,WAAOb,IAAP,CAAYG,IAAZ,CAAiBC,SAAjB,CAA2Be,KAA3B;AADF;AAGA,SAAOnB,IAAA,CAAKG,IAAL,CAAUC,SAAV,CAAoBqB,+CAApB,CACHZ,KADG,CAAP;AAlB8C,CAAhD;;\",\n\"sources\":[\"goog/html/safestyle.js\"],\n\"sourcesContent\":[\"// Copyright 2014 The Closure Library Authors. All Rights Reserved.\\n//\\n// Licensed under the Apache License, Version 2.0 (the \\\"License\\\");\\n// you may not use this file except in compliance with the License.\\n// You may obtain a copy of the License at\\n//\\n// http://www.apache.org/licenses/LICENSE-2.0\\n//\\n// Unless required by applicable law or agreed to in writing, software\\n// distributed under the License is distributed on an \\\"AS-IS\\\" BASIS,\\n// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\\n// See the License for the specific language governing permissions and\\n// limitations under the License.\\n\\n/**\\n * @fileoverview The SafeStyle type and its builders.\\n *\\n * TODO(xtof): Link to document stating type contract.\\n */\\n\\ngoog.provide('goog.html.SafeStyle');\\n\\ngoog.require('goog.array');\\ngoog.require('goog.asserts');\\ngoog.require('goog.html.SafeUrl');\\ngoog.require('goog.string.Const');\\ngoog.require('goog.string.TypedString');\\ngoog.require('goog.string.internal');\\n\\n\\n\\n/**\\n * A string-like object which represents a sequence of CSS declarations\\n * ({@code propertyName1: propertyvalue1; propertyName2: propertyValue2; ...})\\n * and that carries the security type contract that its value, as a string,\\n * will not cause untrusted script execution (XSS) when evaluated as CSS in a\\n * browser.\\n *\\n * Instances of this type must be created via the factory methods\\n * (`goog.html.SafeStyle.create` or\\n * `goog.html.SafeStyle.fromConstant`) and not by invoking its\\n * constructor. The constructor intentionally takes no parameters and the type\\n * is immutable; hence only a default instance corresponding to the empty string\\n * can be obtained via constructor invocation.\\n *\\n * SafeStyle's string representation can safely be:\\n * <ul>\\n * <li>Interpolated as the content of a *quoted* HTML style attribute.\\n * However, the SafeStyle string *must be HTML-attribute-escaped* before\\n * interpolation.\\n * <li>Interpolated as the content of a {}-wrapped block within a stylesheet.\\n * '<' characters in the SafeStyle string *must be CSS-escaped* before\\n * interpolation. The SafeStyle string is also guaranteed not to be able\\n * to introduce new properties or elide existing ones.\\n * <li>Interpolated as the content of a {}-wrapped block within an HTML\\n * <style> element. '<' characters in the SafeStyle string\\n * *must be CSS-escaped* before interpolation.\\n * <li>Assigned to the style property of a DOM node. The SafeStyle string\\n * should not be escaped before being assigned to the property.\\n * </ul>\\n *\\n * A SafeStyle may never contain literal angle brackets. Otherwise, it could\\n * be unsafe to place a SafeStyle into a <style> tag (where it can't\\n * be HTML escaped). For example, if the SafeStyle containing\\n * \\\"{@code font: 'foo <style/><script>evil</script>'}\\\" were\\n * interpolated within a <style> tag, this would then break out of the\\n * style context into HTML.\\n *\\n * A SafeStyle may contain literal single or double quotes, and as such the\\n * entire style string must be escaped when used in a style attribute (if\\n * this were not the case, the string could contain a matching quote that\\n * would escape from the style attribute).\\n *\\n * Values of this type must be composable, i.e. for any two values\\n * `style1` and `style2` of this type,\\n * {@code goog.html.SafeStyle.unwrap(style1) +\\n * goog.html.SafeStyle.unwrap(style2)} must itself be a value that satisfies\\n * the SafeStyle type constraint. This requirement implies that for any value\\n * `style` of this type, `goog.html.SafeStyle.unwrap(style)` must\\n * not end in a \\\"property value\\\" or \\\"property name\\\" context. For example,\\n * a value of {@code background:url(\\\"} or {@code font-} would not satisfy the\\n * SafeStyle contract. This is because concatenating such strings with a\\n * second value that itself does not contain unsafe CSS can result in an\\n * overall string that does. For example, if {@code javascript:evil())\\\"} is\\n * appended to {@code background:url(\\\"}, the resulting string may result in\\n * the execution of a malicious script.\\n *\\n * TODO(mlourenco): Consider whether we should implement UTF-8 interchange\\n * validity checks and blacklisting of newlines (including Unicode ones) and\\n * other whitespace characters (\\\\t, \\\\f). Document here if so and also update\\n * SafeStyle.fromConstant().\\n *\\n * The following example values comply with this type's contract:\\n * <ul>\\n * <li><pre>width: 1em;</pre>\\n * <li><pre>height:1em;</pre>\\n * <li><pre>width: 1em;height: 1em;</pre>\\n * <li><pre>background:url('http://url');</pre>\\n * </ul>\\n * In addition, the empty string is safe for use in a CSS attribute.\\n *\\n * The following example values do NOT comply with this type's contract:\\n * <ul>\\n * <li><pre>background: red</pre> (missing a trailing semi-colon)\\n * <li><pre>background:</pre> (missing a value and a trailing semi-colon)\\n * <li><pre>1em</pre> (missing an attribute name, which provides context for\\n * the value)\\n * </ul>\\n *\\n * @see goog.html.SafeStyle#create\\n * @see goog.html.SafeStyle#fromConstant\\n * @see http://www.w3.org/TR/css3-syntax/\\n * @constructor\\n * @final\\n * @struct\\n * @implements {goog.string.TypedString}\\n */\\ngoog.html.SafeStyle = function() {\\n /**\\n * The contained value of this SafeStyle. The field has a purposely\\n * ugly name to make (non-compiled) code that attempts to directly access this\\n * field stand out.\\n * @private {string}\\n */\\n this.privateDoNotAccessOrElseSafeStyleWrappedValue_ = '';\\n\\n /**\\n * A type marker used to implement additional run-time type checking.\\n * @see goog.html.SafeStyle#unwrap\\n * @const {!Object}\\n * @private\\n */\\n this.SAFE_STYLE_TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ =\\n goog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_;\\n};\\n\\n\\n/**\\n * @override\\n * @const\\n */\\ngoog.html.SafeStyle.prototype.implementsGoogStringTypedString = true;\\n\\n\\n/**\\n * Type marker for the SafeStyle type, used to implement additional\\n * run-time type checking.\\n * @const {!Object}\\n * @private\\n */\\ngoog.html.SafeStyle.TYPE_MARKER_GOOG_HTML_SECURITY_PRIVATE_ = {};\\n\\n\\n/**\\n * Creates a SafeStyle object from a compile-time constant string.\\n *\\n * `style` should be in the format\\n * {@code name: value; [name: value; ...]} and must not have any < or >\\n * characters in it. This is so that SafeStyle's contract is preserved,\\n * allowing the SafeStyle to correctly be interpreted as a sequence of CSS\\n * declarations and without affecting the syntactic structure of any\\n * surrounding CSS and HTML.\\n *\\n * This method performs basic sanity checks on the format of `style`\\n * but does not constrain the format of `name` and `value`, except\\n * for disallowing tag characters.\\n *\\n * @param {!goog.string.Const} style A compile-time-constant string from which\\n * to create a SafeStyle.\\n * @return {!goog.html.SafeStyle} A SafeStyle object initialized to\\n * `style`.\\n */\\ngoog.html.SafeStyle.fromConstant = function(style) {\\n var styleString = goog.string.Const.unwrap(style);\\n if (styleString.length === 0) {\\n return goog.html.SafeStyle.EMPTY;\\n }\\n goog.asserts.assert(\\n goog.string.internal.endsWith(styleString, ';'),\\n 'Last character of style string is not \\\\';\\\\': ' + styleString);\\n goog.asserts.assert(\\n goog.string.internal.contains(styleString, ':'),\\n 'Style string must contain at least one \\\\':\\\\', to ' +\\n 'specify a \\\"name: value\\\" pair: ' + styleString);\\n return goog.html.SafeStyle.createSafeStyleSecurityPrivateDoNotAccessOrElse(\\n styleString);\\n};\\n\\n\\n/**\\n * Returns this SafeStyle's value as a string.\\n *\\n * IMPORTANT: In code where it is security relevant that an object's type is\\n * indeed `SafeStyle`, use `goog.html.SafeStyle.unwrap` instead of\\n * this method. If in doubt, assume that it's security relevant. In particular,\\n * note that goog.html functions which return a goog.html type do not guarantee\\n * the returned instance is of the right type. For example:\\n *\\n * <pre>\\n * var fakeSafeHtml = new String('fake');\\n * fakeSafeHtml.__proto__ = goog.html.SafeHtml.prototype;\\n * var newSafeHtml = goog.html.SafeHtml.htmlEscape(fakeSafeHtml);\\n * // newSafeHtml is just an alias for fakeSafeHtml, it's passed through by\\n * // goog.html.SafeHtml.htmlEscape() as fakeSafeHtml\\n * // instanceof goog.html.SafeHtml.\\n * </pre>\\n *\\n * @see goog.html.SafeStyle#unwrap\\n * @override\\n */\\ngoog.html.SafeStyle.prototype.getTypedStringValue = function() {\\n return this.privateDoNotAccessOrElseSafeStyleWrappedValue_;\\n};\\n\\n\\nif (goog.DEBUG) {\\n /**\\n * Returns a debug string-representation of this value.\\n *\\n * To obtain the actual string value wrapped in a SafeStyle, use\\n * `goog.html.SafeStyle.unwrap`.\\n *\\n * @see goog.html.SafeStyle#unwrap\\n * @override\\n */\\n goog.html.SafeStyle.prototype.toString = function() {\\n return 'SafeStyle{' + this.privateDoNotAccessOrElseSafeStyleWrappedValue_ +\\n '}';\\n };\\n}\\n\\n\\n/**\\n * Performs a runtime check that the provided object is indeed a\\n * SafeStyle object, and returns its value.\\n *\\n * @param {!goog.html.SafeStyle} safeStyle The object to extract from.\\n * @return {string} The safeStyle object's contained string, unless\\n * the run-time type check fails. In that case, `unwrap` returns an\\n * innocuous string, or, if assertions are enabled, throws\\n * `goog.asserts.AssertionError`.\\n */\\ngoog.html.SafeStyle.unwrap = function(safeStyle) {\\n // Perform additional Run-time type-checking to ensure that\\n // safeStyle is indeed an instance of the expected type. This\\n // provides some additional protection against security bugs due to\\n // applicati