/**
* Copyright 2013-2014, Facebook, Inc.
* All rights reserved.
*
* This source code is licensed under the BSD-style license found in the
* LICENSE file in the root directory of this source tree. An additional grant
* of patent rights can be found in the PATENTS file in the same directory.
*
* @providesModule dangerousStyleValue
* @typechecks static-only
*/
"use strict";

// Project-local module (resolved by the @providesModule loader, not npm).
var CSSProperty = require('CSSProperty');

// Lookup table keyed by logical (no-hyphen) property name; a truthy entry
// means numeric values for that property are written without a 'px' suffix.
var isUnitlessNumber = CSSProperty.isUnitlessNumber;
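/**
 * Convert a value into the proper CSS writable value. The style name `name`
 * should be logical (no hyphens), as specified
 * in `CSSProperty.isUnitlessNumber`.
 *
 * Rules, applied in order:
 *   - null/undefined, booleans and empty or whitespace-only strings -> ''
 *   - non-numeric values, the number 0, and unitless properties -> String(value)
 *   - anything else (numbers and numeric strings) -> value + 'px'
 *
 * No escaping is performed here; see the note in the body.
 *
 * @param {string} name CSS property name such as `topMargin`.
 * @param {*} value CSS property value such as `10px`.
 * @return {string} Normalized style value with dimensions applied.
 */
function dangerousStyleValue(name, value) {
  // Note that we've removed escapeTextForBrowser() calls here since the
  // whole string will be escaped when the attribute is injected into
  // the markup. If you provide unsafe user data here they can inject
  // arbitrary CSS which may be problematic (I couldn't repro this):
  // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
  // http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/
  // This is not an XSS hole but instead a potential CSS injection issue
  // which has lead to a greater discussion about how we're going to
  // trust URLs moving forward. See #2115901

  // Trim first so that a whitespace-only value is treated as empty below
  // (previously it fell through and produced the invalid value 'px'), and
  // so non-numeric strings do not keep stray surrounding whitespace.
  if (typeof value === 'string') {
    value = value.trim();
  }

  var isEmpty = value == null || typeof value === 'boolean' || value === '';
  if (isEmpty) {
    return '';
  }

  // The coercing global isNaN is intentional: numeric strings such as '10'
  // count as numbers (and receive 'px' below), while 'auto' or '10px' do not.
  var isNonNumeric = isNaN(value);
  // hasOwnProperty is invoked via Object.prototype so the lookup cannot be
  // shadowed by an own property of the table; the table is only consulted
  // when the value is numeric, so the ordering of this condition matters.
  if (isNonNumeric || value === 0 ||
      (Object.prototype.hasOwnProperty.call(isUnitlessNumber, name) &&
       isUnitlessNumber[name])) {
    return '' + value; // cast to string
  }

  return value + 'px';
}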
// The function is the module's only export.
module.exports = dangerousStyleValue;