From b15f8523f3e4003b38fce8c2376e83634a60fd77 Mon Sep 17 00:00:00 2001 From: Justin Goping Date: Fri, 25 Feb 2022 15:36:42 +0000 Subject: [PATCH] Fix various tsec violations without use of policy --- packages/next/client/dev/fouc.ts | 5 ++++- packages/next/lib/recursive-delete.ts | 4 ++-- .../components/Overlay/maintain--tab-focus.ts | 15 +++++++++++---- tsec-exemptions.json | 9 ++------- 4 files changed, 19 insertions(+), 14 deletions(-) diff --git a/packages/next/client/dev/fouc.ts b/packages/next/client/dev/fouc.ts index 07e09f2c4bc1..bca480e22719 100644 --- a/packages/next/client/dev/fouc.ts +++ b/packages/next/client/dev/fouc.ts @@ -1,9 +1,12 @@ +// This wrapper function is used to avoid raising a Trusted Types violation. +const safeSetTimeout = (callback: () => void) => setTimeout(callback) + // This function is used to remove Next.js' no-FOUC styles workaround for using // `style-loader` in development. It must be called before hydration, or else // rendering won't have the correct computed values in effects. export function displayContent(): Promise { return new Promise((resolve) => { - ;(window.requestAnimationFrame || setTimeout)(function () { + ;(window.requestAnimationFrame || safeSetTimeout)(function () { for ( var x = document.querySelectorAll('[data-next-hide-fouc]'), i = x.length; diff --git a/packages/next/lib/recursive-delete.ts b/packages/next/lib/recursive-delete.ts index 76ed97712fb3..ccd443c4c2fa 100644 --- a/packages/next/lib/recursive-delete.ts +++ b/packages/next/lib/recursive-delete.ts @@ -1,9 +1,9 @@ import { Dirent, promises } from 'fs' import { join, isAbsolute, dirname } from 'path' -import { promisify } from 'util' import isError from './is-error' -const sleep = promisify(setTimeout) +const sleep = (timeout: number) => + new Promise((resolve) => setTimeout(resolve, timeout)) const unlinkPath = async (p: string, isDir = false, t = 1): Promise => { try { diff --git a/packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts b/packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts index 879db0409401..a9ef31097ce6 100644 --- a/packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts +++ b/packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts @@ -804,11 +804,18 @@ var focusSummary = { } function makeFocusableForeignObject() { - var fragment = document.createElement('div') - fragment.innerHTML = - '\n \n ' + // Constructs + // without raising a Trusted Types violation + var foreignObject = document.createElementNS( + 'http://www.w3.org/2000/svg', + 'foreignObject' + ) + foreignObject.width.baseVal.value = 30 + foreignObject.height.baseVal.value = 30 + foreignObject.appendChild(document.createElement('input')) + foreignObject.lastChild.type = 'text' - return fragment.firstChild.firstChild + return foreignObject } function focusSvgForeignObjectHack(element) { diff --git a/tsec-exemptions.json b/tsec-exemptions.json index acbcecdaa91c..ed01f28e893e 100644 --- a/tsec-exemptions.json +++ b/tsec-exemptions.json @@ -1,8 +1,7 @@ { "ban-element-innerhtml-assignments": [ "packages/next/client/head-manager.ts", - "packages/next/client/script.tsx", - "packages/react-dev-overlay/src/internal/components/Overlay/maintain--tab-focus.ts" + "packages/next/client/script.tsx" ], "ban-element-setattribute": [ "packages/next/client/head-manager.ts", @@ -10,9 +9,5 @@ ], "ban-script-content-assignments": ["packages/next/client/script.tsx"], "ban-script-src-assignments": ["packages/next/client/script.tsx"], - "ban-trustedtypes-createpolicy": ["packages/next/client/trusted-types.ts"], - "ban-window-stringfunctiondef": [ - "packages/next/lib/recursive-delete.ts", - "packages/next/client/dev/fouc.ts" - ] + "ban-trustedtypes-createpolicy": ["packages/next/client/trusted-types.ts"] }