- Build: Update dist

This commit is contained in:
Brett Zamir
2018-09-25 03:12:11 +08:00
parent 704336c0f2
commit 459a6b8f89
12 changed files with 142 additions and 56 deletions


@@ -112,7 +112,7 @@ var svgEditorExtension_helloworld = (function () {
// Must match the icon ID in helloworld-icon.xml
id: 'hello_world',
// Fallback, e.g., for `file://` access
// Fallback, e.g., for `file:///` access
icon: svgEditor.curConfig.extIconsPath + 'helloworld.png',
// This indicates that the button will be added to the "mode"


@@ -1,6 +1,12 @@
var svgEditorExtension_imagelib = (function () {
'use strict';
var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) {
return typeof obj;
} : function (obj) {
return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj;
};
var asyncToGenerator = function (fn) {
return function () {
var gen = fn.apply(this, arguments);
@@ -44,8 +50,9 @@ var svgEditorExtension_imagelib = (function () {
init: function () {
var _ref2 = asyncToGenerator( /*#__PURE__*/regeneratorRuntime.mark(function _callee(_ref) {
var decode64 = _ref.decode64,
importLocale = _ref.importLocale;
var imagelibStrings, svgEditor, $, uiStrings, svgCanvas, closeBrowser, importImage, pending, mode, multiArr, transferStopped, preview, submit, toggleMulti, showBrowser, buttons;
importLocale = _ref.importLocale,
dropXMLInternalSubset = _ref.dropXMLInternalSubset;
var imagelibStrings, modularVersion, allowedImageLibOrigins, svgEditor, $, uiStrings, svgCanvas, extIconsPath, closeBrowser, importImage, pending, mode, multiArr, transferStopped, preview, submit, toggleMulti, showBrowser, buttons;
return regeneratorRuntime.wrap(function _callee$(_context) {
while (1) {
switch (_context.prev = _context.next) {
@@ -107,16 +114,15 @@ var svgEditorExtension_imagelib = (function () {
cancel.prepend($.getSvgIcon('cancel', true));
back.prepend($.getSvgIcon('tool_imagelib', true));
var modularVersion = !('svgEditor' in window) || !window.svgEditor || window.svgEditor.modules !== false;
$.each(imagelibStrings.imgLibs, function (i, _ref3) {
var name = _ref3.name,
url = _ref3.url,
description = _ref3.description;
imagelibStrings.imgLibs.forEach(function (_ref6) {
var name = _ref6.name,
url = _ref6.url,
description = _ref6.description;
$('<li>').appendTo(libOpts).text(name).on('click touchend', function () {
frame.attr('src',
// Todo: Adopt some standard formatting library like `fluent.js` instead
url.replace('{path}', svgEditor.curConfig.extIconsPath).replace('{modularVersion}', modularVersion ? imagelibStrings.moduleEnding || '-es' : '')).show();
url).show();
header.text(name);
libOpts.hide();
back.show();
@@ -191,21 +197,37 @@ var svgEditorExtension_imagelib = (function () {
case 6:
imagelibStrings = _context.sent;
modularVersion = !('svgEditor' in window) || !window.svgEditor || window.svgEditor.modules !== false;
imagelibStrings.imgLibs = imagelibStrings.imgLibs.map(function (_ref3) {
var name = _ref3.name,
url = _ref3.url,
description = _ref3.description;
url = url.replace(/\{path\}/g, extIconsPath).replace(/\{modularVersion\}/g, modularVersion ? imagelibStrings.moduleEnding || '-es' : '');
return { name: name, url: url, description: description };
});
allowedImageLibOrigins = imagelibStrings.imgLibs.map(function (_ref4) {
var url = _ref4.url;
return new URL(url).origin;
});
svgEditor = this;
$ = jQuery;
uiStrings = svgEditor.uiStrings, svgCanvas = svgEditor.canvas;
uiStrings = svgEditor.uiStrings, svgCanvas = svgEditor.canvas, extIconsPath = svgEditor.curConfig.extIconsPath;
pending = {};
mode = 's';
multiArr = [];
transferStopped = false;
preview = void 0, submit = void 0;
// Receive `postMessage` data
window.addEventListener('message', function (evt) {
// Receive `postMessage` data
var response = evt.data;
window.addEventListener('message', function (_ref5) {
var origin = _ref5.origin,
response = _ref5.data;
if (!response || typeof response !== 'string') {
if (!response || !['string', 'object'].includes(typeof response === 'undefined' ? 'undefined' : _typeof(response))) {
// Do nothing
return;
}
@@ -213,8 +235,17 @@ var svgEditorExtension_imagelib = (function () {
// Todo: This block can be removed (and the above check changed to
// insist on an object) if embedAPI moves away from a string to
// an object (if IE9 support not needed)
response = JSON.parse(response);
if (response.namespace !== 'imagelib') {
response = (typeof response === 'undefined' ? 'undefined' : _typeof(response)) === 'object' ? response : JSON.parse(response);
if (response.namespace !== 'imagelib' &&
// Allow this alternative per https://github.com/SVG-Edit/svgedit/issues/274
// so that older libraries may post with `namespace-key` and not
// break older SVG-Edit versions which insisted on the *absence*
// of a `namespace` property
response['namespace-key'] !== 'imagelib') {
return;
}
if (!allowedImageLibOrigins.includes('*') && !allowedImageLibOrigins.includes(origin)) {
console.log('Origin ' + origin + ' not whitelisted for posting to ' + window.origin);
return;
}
} catch (e) {
@@ -249,7 +280,8 @@ var svgEditorExtension_imagelib = (function () {
transferStopped = false;
curMeta = response;
pending[curMeta.id] = curMeta;
// Should be safe to add dynamic property as passed metadata
pending[curMeta.id] = curMeta; // lgtm [js/remote-property-injection]
var name = curMeta.name || 'file';
@@ -263,7 +295,7 @@ var svgEditorExtension_imagelib = (function () {
$('#dialog_box').hide();
});
} else {
entry = $('<div>' + message + '</div>').data('id', curMeta.id);
entry = $('<div>').text(message).data('id', curMeta.id);
preview.append(entry);
curMeta.entry = entry;
}
@@ -330,14 +362,15 @@ var svgEditorExtension_imagelib = (function () {
title = curMeta.name;
} else {
// Try to find a title
var xml = new DOMParser().parseFromString(response, 'text/xml').documentElement;
// `dropXMLInternalSubset` is to help prevent the billion laughs attack
var xml = new DOMParser().parseFromString(dropXMLInternalSubset(response), 'text/xml').documentElement; // lgtm [js/xml-bomb]
title = $(xml).children('title').first().text() || '(SVG #' + response.length + ')';
}
if (curMeta) {
preview.children().each(function () {
if ($(this).data('id') === id) {
if (curMeta.preview_url) {
$(this).html('<img src="' + curMeta.preview_url + '">' + title);
$(this).html($('<span>').append($('<img>').attr('src', curMeta.preview_url), document.createTextNode(title)));
} else {
$(this).text(title);
}
@@ -345,7 +378,7 @@ var svgEditorExtension_imagelib = (function () {
}
});
} else {
preview.append('<div>' + title + '</div>');
preview.append($('<div>').text(title));
submit.removeAttr('disabled');
}
} else {
@@ -353,9 +386,9 @@ var svgEditorExtension_imagelib = (function () {
title = curMeta.name || '';
}
if (curMeta && curMeta.preview_url) {
entry = '<img src="' + curMeta.preview_url + '">' + title;
entry = $('<span>').append($('<img>').attr('src', curMeta.preview_url), document.createTextNode(title));
} else {
entry = '<img src="' + response + '">';
entry = $('<img>').attr('src', response);
}
if (curMeta) {
@@ -392,14 +425,14 @@ var svgEditorExtension_imagelib = (function () {
buttons = [{
id: 'tool_imagelib',
type: 'app_menu', // _flyout
icon: svgEditor.curConfig.extIconsPath + 'imagelib.png',
icon: extIconsPath + 'imagelib.png',
position: 4,
events: {
mouseup: showBrowser
}
}];
return _context.abrupt('return', {
svgicons: svgEditor.curConfig.extIconsPath + 'ext-imagelib.xml',
svgicons: extIconsPath + 'ext-imagelib.xml',
buttons: imagelibStrings.buttons.map(function (button, i) {
return Object.assign(buttons[i], button);
}),
@@ -408,7 +441,7 @@ var svgEditorExtension_imagelib = (function () {
}
});
case 18:
case 21:
case 'end':
return _context.stop();
}
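Review bot: The `allowedImageLibOrigins` mapping in the `case 6` hunk calls `new URL(url).origin` with no base, which throws a TypeError as soon as any library `url` is still relative after the `{path}` substitution (`extIconsPath` is prefixed to icon file names, so it looks like a relative path), aborting init before the message listener is ever registered; resolving against the page, `return new URL(url, location.href).origin;`, yields the same-origin value for relative entries and is unchanged for absolute ones. Separately, the init destructures `dropXMLInternalSubset` from its argument while the canvas built in this same commit exports the method under the name `dropXMLInteralSubset`; if the init argument is that export object, the call in the SVG-response branch receives `undefined` and throws on the first SVG posted by a library, so the two spellings need to agree in the source before the dist is regenerated. The enclosing `_callee` generator starts and ends outside the visible hunks.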


@@ -30,15 +30,15 @@ var svgEditorExtension_xdomain_messaging = (function () {
try {
window.addEventListener('message', function (e) {
// We accept and post strings for the sake of IE9 support
if (typeof e.data !== 'string' || e.data.charAt() === '|') {
if (!e.data || !['string', 'object'].includes(_typeof(e.data)) || e.data.charAt() === '|') {
return;
}
var data = JSON.parse(e.data);
var data = _typeof(e.data) === 'object' ? e.data : JSON.parse(e.data);
if (!data || (typeof data === 'undefined' ? 'undefined' : _typeof(data)) !== 'object' || data.namespace !== 'svgCanvas') {
return;
}
// The default is not to allow any origins, including even the same domain or
// if run on a file:// URL See svgedit-config-es.js for an example of how
// if run on a `file:///` URL. See `svgedit-config-es.js` for an example of how
// to configure
var allowedOrigins = svgEditor.curConfig.allowedOrigins;
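Review bot: The guard on the first changed line now admits object messages but still evaluates `e.data.charAt()` unconditionally, so an object `e.data` throws a TypeError inside the listener (the surrounding `try` covers registration only, not later dispatch) before the `allowedOrigins` check further down runs. Limiting the marker test to strings, `(typeof e.data === 'string' && e.data.charAt() === '|')`, keeps the intended IE9 handling without the crash. This is a built file, so the change belongs in the extension source followed by a rebuild. The listener body continues past the hunk.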


@@ -48,7 +48,7 @@
try {
data = canvas.toDataURL();
} catch (err) {
// This fails in Firefox with file:// URLs :(
// This fails in Firefox with `file:///` URLs :(
alert('Data URL conversion failed: ' + err);
data = '';
}

23
dist/index-es.js vendored

@@ -7218,6 +7218,17 @@ var init$2 = function init$$1(editorContext) {
svgroot_ = editorContext.getSVGRoot();
};
/**
* Used to prevent the [Billion laughs attack]{@link https://en.wikipedia.org/wiki/Billion_laughs_attack}
* @function module:utilities.dropXMLInteralSubset
* @param {string} str String to be processed
* @returns {string} The string with entity declarations in the internal subset removed
* @todo This might be needed in other places `parseFromString` is used even without LGTM flagging
*/
var dropXMLInteralSubset = function dropXMLInteralSubset(str) {
return str.replace(/(<!DOCTYPE\s+\w*\s*\[).*(\?\]>)/, '$1$2');
};
/**
* Converts characters in a string to XML-friendly entities.
* @function module:utilities.toXml
@@ -19746,6 +19757,7 @@ function SvgCanvas(container, config) {
* @property {module:history.HistoryCommand} BatchCommand
* @property {module:history.HistoryCommand} ChangeElementCommand
* @property {module:utilities.decode64} decode64
* @property {module:utilities.dropXMLInteralSubset} dropXMLInteralSubset
* @property {module:utilities.encode64} encode64
* @property {module:svgcanvas~ffClone} ffClone
* @property {module:svgcanvas~findDuplicateGradient} findDuplicateGradient
@@ -19785,6 +19797,7 @@ function SvgCanvas(container, config) {
BatchCommand: BatchCommand$1,
ChangeElementCommand: ChangeElementCommand$1,
decode64: decode64,
dropXMLInteralSubset: dropXMLInteralSubset,
encode64: encode64,
ffClone: ffClone,
findDefs: findDefs,
@@ -25039,7 +25052,7 @@ defaultExtensions = ['ext-connector.js', 'ext-eyedropper.js', 'ext-grid.js', 'ex
* @property {boolean} [emptyStorageOnDecline=false] Used by `ext-storage.js`; empty any prior storage if the user declines to store
* @property {string[]} [extensions=module:SVGEditor~defaultExtensions] Extensions to load on startup. Use an array in `setConfig` and comma separated file names in the URL. Extension names must begin with "ext-". Note that as of version 2.7, paths containing "/", "\", or ":", are disallowed for security reasons. Although previous versions of this list would entirely override the default list, as of version 2.7, the defaults will always be added to this explicit list unless the configuration `noDefaultExtensions` is included.
* @property {module:SVGEditor.Stylesheet[]} [stylesheets=["@default"]] An array of required stylesheets to load in parallel; include the value `"@default"` within this array to ensure all default stylesheets are loaded.
* @property {string[]} [allowedOrigins=[]] Used by `ext-xdomain-messaging.js` to indicate which origins are permitted for cross-domain messaging (e.g., between the embedded editor and main editor code). Besides explicit domains, one might add '' to allow all domains (not recommended for privacy/data integrity of your user's content!), `window.location.origin` for allowing the same origin (should be safe if you trust all apps on your domain), 'null' to allow `file://` URL usage
* @property {string[]} [allowedOrigins=[]] Used by `ext-xdomain-messaging.js` to indicate which origins are permitted for cross-domain messaging (e.g., between the embedded editor and main editor code). Besides explicit domains, one might add '*' to allow all domains (not recommended for privacy/data integrity of your user's content!), `window.location.origin` for allowing the same origin (should be safe if you trust all apps on your domain), 'null' to allow `file:///` URL usage
* @property {null|PlainObject} [colorPickerCSS=null] Object of CSS properties mapped to values (for jQuery) to apply to the color picker. See {@link http://api.jquery.com/css/#css-properties}. A `null` value (the default) will cause the CSS to default to `left` with a position equal to that of the `fill_color` or `stroke_color` element minus 140, and a `bottom` equal to 40
* @property {string} [paramurl] This was available via URL only. Allowed an un-encoded URL within the query string (use "url" or "source" with a data: URI instead)
* @property {Float} [canvas_expansion=3] The minimum area visible outside the canvas, as a multiple of the image dimensions. The larger the number, the more one can scroll outside the canvas.
@@ -25155,17 +25168,17 @@ curConfig = {
extensions: [],
stylesheets: [],
/**
* Can use window.location.origin to indicate the current
* Can use `location.origin` to indicate the current
* origin. Can contain a '*' to allow all domains or 'null' (as
* a string) to support all file:// URLs. Cannot be set by
* a string) to support all `file:///` URLs. Cannot be set by
* URL for security reasons (not safe, at least for
* privacy or data integrity of SVG content).
* Might have been fairly safe to allow
* `new URL(window.location.href).origin` by default but
* `new URL(location.href).origin` by default but
* avoiding it ensures some more security that even third
* party apps on the same domain also cannot communicate
* with this app by default.
* For use with ext-xdomain-messaging.js
* For use with `ext-xdomain-messaging.js`
* @todo We might instead make as a user-facing preference.
*/
allowedOrigins: []
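Review bot: The `dropXMLInteralSubset` regex added in the first hunk, `/(<!DOCTYPE\s+\w*\s*\[).*(\?\]>)/`, requires a literal `?` before `]>`, which a DOCTYPE internal subset does not contain, and its `.` does not cross newlines, so a subset written in the usual `<!DOCTYPE x [ ... ]>` form, or one spanning several lines, is left intact and its entity declarations still reach `parseFromString`; a lazy match ending at `]>` looks like what was intended: `return str.replace(/(<!DOCTYPE\s+\w*\s*\[)[\s\S]*?(\]>)/, '$1$2');`. The same code appears in the first hunk of dist/index-umd.js, and the identifier is spelled `dropXMLInteralSubset` here and in the SvgCanvas property list while the imagelib extension in this commit reads `dropXMLInternalSubset`, so one spelling has to be corrected in the source before the dist is regenerated. These hunks are excerpts of a generated file; the fix belongs in the source module.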



23
dist/index-umd.js vendored

@@ -7224,6 +7224,17 @@
svgroot_ = editorContext.getSVGRoot();
};
/**
* Used to prevent the [Billion laughs attack]{@link https://en.wikipedia.org/wiki/Billion_laughs_attack}
* @function module:utilities.dropXMLInteralSubset
* @param {string} str String to be processed
* @returns {string} The string with entity declarations in the internal subset removed
* @todo This might be needed in other places `parseFromString` is used even without LGTM flagging
*/
var dropXMLInteralSubset = function dropXMLInteralSubset(str) {
return str.replace(/(<!DOCTYPE\s+\w*\s*\[).*(\?\]>)/, '$1$2');
};
/**
* Converts characters in a string to XML-friendly entities.
* @function module:utilities.toXml
@@ -19752,6 +19763,7 @@
* @property {module:history.HistoryCommand} BatchCommand
* @property {module:history.HistoryCommand} ChangeElementCommand
* @property {module:utilities.decode64} decode64
* @property {module:utilities.dropXMLInteralSubset} dropXMLInteralSubset
* @property {module:utilities.encode64} encode64
* @property {module:svgcanvas~ffClone} ffClone
* @property {module:svgcanvas~findDuplicateGradient} findDuplicateGradient
@@ -19791,6 +19803,7 @@
BatchCommand: BatchCommand$1,
ChangeElementCommand: ChangeElementCommand$1,
decode64: decode64,
dropXMLInteralSubset: dropXMLInteralSubset,
encode64: encode64,
ffClone: ffClone,
findDefs: findDefs,
@@ -25045,7 +25058,7 @@
* @property {boolean} [emptyStorageOnDecline=false] Used by `ext-storage.js`; empty any prior storage if the user declines to store
* @property {string[]} [extensions=module:SVGEditor~defaultExtensions] Extensions to load on startup. Use an array in `setConfig` and comma separated file names in the URL. Extension names must begin with "ext-". Note that as of version 2.7, paths containing "/", "\", or ":", are disallowed for security reasons. Although previous versions of this list would entirely override the default list, as of version 2.7, the defaults will always be added to this explicit list unless the configuration `noDefaultExtensions` is included.
* @property {module:SVGEditor.Stylesheet[]} [stylesheets=["@default"]] An array of required stylesheets to load in parallel; include the value `"@default"` within this array to ensure all default stylesheets are loaded.
* @property {string[]} [allowedOrigins=[]] Used by `ext-xdomain-messaging.js` to indicate which origins are permitted for cross-domain messaging (e.g., between the embedded editor and main editor code). Besides explicit domains, one might add '' to allow all domains (not recommended for privacy/data integrity of your user's content!), `window.location.origin` for allowing the same origin (should be safe if you trust all apps on your domain), 'null' to allow `file://` URL usage
* @property {string[]} [allowedOrigins=[]] Used by `ext-xdomain-messaging.js` to indicate which origins are permitted for cross-domain messaging (e.g., between the embedded editor and main editor code). Besides explicit domains, one might add '*' to allow all domains (not recommended for privacy/data integrity of your user's content!), `window.location.origin` for allowing the same origin (should be safe if you trust all apps on your domain), 'null' to allow `file:///` URL usage
* @property {null|PlainObject} [colorPickerCSS=null] Object of CSS properties mapped to values (for jQuery) to apply to the color picker. See {@link http://api.jquery.com/css/#css-properties}. A `null` value (the default) will cause the CSS to default to `left` with a position equal to that of the `fill_color` or `stroke_color` element minus 140, and a `bottom` equal to 40
* @property {string} [paramurl] This was available via URL only. Allowed an un-encoded URL within the query string (use "url" or "source" with a data: URI instead)
* @property {Float} [canvas_expansion=3] The minimum area visible outside the canvas, as a multiple of the image dimensions. The larger the number, the more one can scroll outside the canvas.
@@ -25161,17 +25174,17 @@
extensions: [],
stylesheets: [],
/**
* Can use window.location.origin to indicate the current
* Can use `location.origin` to indicate the current
* origin. Can contain a '*' to allow all domains or 'null' (as
* a string) to support all file:// URLs. Cannot be set by
* a string) to support all `file:///` URLs. Cannot be set by
* URL for security reasons (not safe, at least for
* privacy or data integrity of SVG content).
* Might have been fairly safe to allow
* `new URL(window.location.href).origin` by default but
* `new URL(location.href).origin` by default but
* avoiding it ensures some more security that even third
* party apps on the same domain also cannot communicate
* with this app by default.
* For use with ext-xdomain-messaging.js
* For use with `ext-xdomain-messaging.js`
* @todo We might instead make as a user-facing preference.
*/
allowedOrigins: []

