{"version":3,"sources":["webpack://jrs-ui/../js-sdk/src/common/util/xssUtil.js"],"names":["htmlTagWhiteList","escapeMap","regexKeys","map","str","arr","k","Object","prototype","hasOwnProperty","call","push","replace","unescapeMap","hardEscapeRegex","RegExp","join","_stringCanonicObfuscator","obfChar","obfuscatedStr","i","length","charAt","canonicExclusionMap","key","obfuscStr","addCanonicObfuscArr","c","addObfuscStr","reverseCanonicExclusionMap","canonicExclusionRegex","reverseCanonicExclusionRegex","_canonicalize","string","test","match","dec","String","fromCharCode","group","parseInt","entityNameDecodingMap","regexpEscapeMap","keys","toLowerCase","_getXssNonce","jrsConfigs","Error","_getNoncePrefix","undefined","noncePrefix","xssNonce","_getHtmlTagWhitelist","configHtmlTagWhitelist","_getConfigHtmlTagWhitelist","whitelistInitialized","startsWith","substr","_getWhitelistLeftRegex","leftTagRegexp","whitelistRegexInsert","_getWhitelistRightRegex","rightTagRegexp","_defaultAttribSoftEscapeMap","_getAttribSoftHtmlEscapeMap","attribSoftEscapeArr","configAttribSoftHtmlEscapeMap","configRegexArr","configReplArr","err","console","warn","softHtmlEscape","options","indexOf","noncePref","substring","jsKeyword","jsKeywordSearchRegExp","split","_removeBreakUpCharacters","whiteList","Array","whitelistRegexStr","rtLeftTagRegexp","rtRightTagRegexp","tmpLeftTagRegexp","tmpRightTagRegexp","lastIndex","escapeTags","tmpTagWhiteList","attribSoftHtmlEscapeMap","regexArr","replArr","regex","replacement","hardEscape","unescape","unescapeRegexp","canonicalize"],"mappings":"iIA6BIA,EAAmB,49BAanBC,EAAY,CACZ,IAAK,QACL,IAAK,QACL,IAAK,OACL,IAAK,OACL,IAAK,SACL,IAAK,SAWLC,EAAY,SAASC,GACrB,IAN2BC,EAMvBC,EAAM,GACV,IAAK,IAAIC,KAAKH,EACNI,OAAOC,UAAUC,eAAeC,KAAKP,EAAKG,IAC1CD,EAAIM,KARE,OADaP,EASME,GARZ,GAAKF,EAAIQ,QAAQ,yBAA0B,SAUhE,OAAOP,GAIPQ,EAAe,WACf,IAQOP,EARHH,EAAM,CACF,SAAU,IACV,SAAU,IACV,SAAU,IACV,SAAU,IACV,QAAS,IACT,SAAU,IACV,QAAS,KAEjB,IAAKG,KAAKL,EACFM,OAAOC,UAAUC,eAAeC,KAAKT,EAAWK,KAChDH,EAAIF,EAAUK,IAAMA,GAG5B,OAAOH,EAfQ,GAmBfW,EAAkBC,OAAO,MAAQb,EAAUD,GAAWe,KAAK,KAAO,IAAK,KAqBvEC,EAA2B,SAAUb,EAAKc,GAE1C,IADA,IAAIC,EAAgBD,EACXE,EAAI,EAAGA,EAAIhB,EAAIiB,SAAUD,EAC9BD,GAAiBf,EAAIkB,OAAOF,GAC5BD,GAAiBD,EAGrB,OAAOC,GAQPI,EAAuB,WACvB,IAAcC,EAAVrB,EAAM,GAEV,IAAKqB,KAAOvB,EACR,GAAIM,OAAOC,UAAUC,eAAeC,KAAKT,EAAWuB,GAAM,CACtD,IAAIC,EAAYxB,EAAUuB,GAC1BrB,EAAIsB,GAAaR,EAAyBQ,EAAW,KAM7D,IADA,IAAIC,EAAsB,CAAC,YAAa,eAC/BC,EAAI,EAAGA,EAAID,EAAoBL,SAAUM,EAAG,CACjD,IAAIC,EAAeF,EAAoBC,GACvCxB,EAAIyB,GAAgBX,EAAyBW,EAAc,KAG/D,OAAOzB,EAjBgB,GAoBvB0B,EAA8B,WAC9B,IAAcL,EAAVrB,EAAM,GACV,IAAKqB,KAAOD,EACJhB,OAAOC,UAAUC,eAAeC,KAAKa,EAAqBC,KAC1DrB,EAAIoB,EAAoBC,IAAQA,GAIxC,OAAOrB,EARuB,GAW9B2B,EAAwBf,OAAO,MAAQb,EAAUqB,GAAqBP,KAAK,KAAO,IAAK,KACvFe,EAA+BhB,OAAO,MAAQb,EAAU2B,GAA4Bb,KAAK,KAAO,IAAK,KAWzG,SAASgB,EAAcC,GACnBA,EAAmB,MAAVA,EAAiB,GAAKA,EAsB/BA,GAJAA,GAfAA,EAASH,EAAsBI,KAAKD,GAAUA,EAAOrB,QAAQkB,GAAuB,SAASK,GAAS,OAAOZ,EAAoBY,MAAaF,GAe9HrB,QAAQ,cAAe,SAACuB,EAAOC,GAAR,OAAgBC,OAAOC,aAAaF,OAI3DxB,QAAQ,sBAAuB,SAACuB,EAAOI,GAAR,OAAkBF,OAAOC,aAAaE,SAASD,EAAO,QAGrG,IAAME,EAAwB,CAC1B,QAAS,KACT,YAAa,KACb,QAAS,IACT,UAAW,IACX,WAAY,IAEZ,OAAQ,KACR,WAAY,KACZ,OAAQ,IACR,SAAU,IACV,UAAW,KAETC,EAAkB3B,OAAO,MAAQR,OAAOoC,KAAKF,GAAuBzB,KAAK,KAAO,IAAK,MAM3F,OALAiB,EAASA,EAAOrB,QAAQ8B,GAAiB,SAACP,GAAD,OAAWM,EAAsBN,EAAMS,kBAGhFX,EAASF,EAA6BG,KAAKD,GAAUA,EAAOrB,QAAQmB,GAA8B,SAASI,GAAS,OAAON,EAA2BM,MAAaF,EA6BvK,SAASY,IACL,IAAKC,aACD,MAAM,IAAIC,MAAM,+DAGpB,OAAOD,aAUX,SAASE,IACL,QAAoCC,IAAhCD,EAAgBE,YAA2B,CAC3C,IAAIC,EAAWN,IACf,IAAKM,EACD,OAAO,KACXH,EAAgBE,YAAc,WAAUC,EAAW,UAGvD,OAAOH,EAAgBE,YA6B3B,SAASE,IACL,IAAIC,EAnBR,WACI,IAAIA,EAAyBP,wBAI7B,OAFAO,EAA4D,iBAA3BA,EAAsCA,EAAyB,IAChDzC,QAAQ,MAAM,IAejC0C,GAU7B,OANID,EAAuBhC,OAAS,IAAM+B,EAAqBG,uBAC3DvD,EACKqD,EAAuBG,WAAW,KAAOxD,EAAmB,IAAMqD,EAAuBI,OAAO,GAAKJ,EAC1GD,EAAqBG,sBAAuB,GAGzCvD,EASX,SAAS0D,IACL,QAA6CT,IAAzCS,EAAuBC,cACvB,OAAOD,EAAuBC,cAElC,IACIC,EADYR,IACqBxC,QAAQ,KAAK,QAGlD,OAFA8C,EAAuBC,cAAiB5C,OAAO,SAAW6C,EAAuB,WAAY,MAEtFF,EAAuBC,cASlC,SAASE,IACL,QAA+CZ,IAA3CY,EAAwBC,eACxB,OAAOD,EAAwBC,eAEnC,IACIF,EADYR,IACqBxC,QAAQ,KAAK,QAGlD,OAFAiD,EAAwBC,eAAiB/C,OAAO,QAAU6C,EAAuB,OAAQ,MAElFC,EAAwBC,eAQnC,IAAIC,EAA8B,CAC9B,MAAS,CACL,kBACA,mBACA,kBAEJ,YAAe,CACX,GACA,kBACA,0BAQR,SAASC,IACL,QAAwDf,IAApDe,EAA4BC,oBAC5B,OAAOD,EAA4BC,oBAEvC,IAAIC,EAPGpB,+BAQP,IAAKoB,EAED,OADAF,EAA4BC,oBAAsBF,EAC3CC,EAA4BC,oBAGvC,IACI,IAAIE,EAAiB,GACjBC,EAAgB,GACpB,IAAK,IAAI9D,KAAK4D,EACNA,EAA8BzD,eAAeH,KAC7C6D,EAAexD,KAAKI,OAAQT,EAAG,OAC/B8D,EAAczD,KAAKuD,EAA8B5D,KASzD,OALA0D,EAA4BC,oBAAsB,CAC9C,MAASE,EACT,YAAeC,GAGZJ,EAA4BC,oBAEvC,MAAOI,GAEH,OADAC,QAAQC,KAAK,wFACNP,EAA4BC,qBAwJ3C,SACIO,eAxHqB,SAASvC,EAAQwC,GAItC,GAFAA,EAAUA,GAAW,KAzUC,iBADIrE,EAyU1B6B,EAAmB,MAAVA,EAAiB,GAAKA,IAxUG7B,aAAeiC,SAI7CjC,EAAIsE,QAAQ,KAAO,GAAKtE,EAAIsE,QAAQ,KAAO,EAwU3C,OAAOzC,EA7UK,IAAU7B,EAoVtBuE,EAAY3B,IAChB,GAAI2B,GAA2C,IAA9B1C,EAAOyC,QAAQC,GAC5B,OAAO1C,EAAO2C,UAAUD,EAAUtD,QAGtC,IAAI8B,EAAWN,IACf,GAAIM,GAAYlB,EAAOyC,QAAQvB,IAAa,EACxC,OAAOlB,EAOX,GAHAA,EAhOJ,SAAmCA,GAI/B,IAAM4C,EAAY,cACZC,EAAwB/D,OAAO8D,EAAUE,MAAM,IAAI/D,KAAK,aAAc,MAC5E,OAAOiB,EAAOrB,QAAQkE,EAAuBD,GA0NpCG,CAFT/C,EAASD,EAAcC,IAKnBwC,EAAQQ,WAAaR,EAAQQ,qBAAqBC,OAAST,EAAQQ,UAAU5D,OAAS,EAAG,CAEzF,IAAI8D,EAAoBV,EAAQQ,UAAUjE,KAAK,QAC3CoE,EAAkBrE,OAAO,SAAWoE,EAAoB,WAAY,MACxElD,EAASmD,EAAgBlD,KAAKD,GAAUA,EAAOrB,QAAQwE,EAAiB,QAAUnD,EAGlF,IAAIoD,EAAmBtE,OAAO,QAAUoE,EAAoB,OAAQ,MAGpElD,EAAS0C,GAFT1C,EAASoD,EAAiBnD,KAAKD,GAAUA,EAAOrB,QAAQyE,EAAkB,SAAWpD,OAIpF,CACD,IAAIqD,EAAmB5B,IAA0B6B,EAAoB1B,IAIrE,GAHAyB,EAAiBE,UAAY,EAC7BD,EAAkBC,UAAY,EAE1Bf,EAAQgB,YAAchB,EAAQgB,sBAAsBP,MAAO,CAE3D,IADA,IAAIQ,EAAkBtC,IACbhC,EAAI,EAAGA,EAAIqD,EAAQgB,WAAWpE,SAAUD,EAC7CsE,EAAkBA,EAAgB9E,QAAQ6D,EAAQgB,WAAWrE,GAAK,IAAK,IAG3EkE,EAAmBvE,OAAO,SAAW2E,EAAgB9E,QAAQ,KAAM,QAAU,WAAY,MACzF2E,EAAoBxE,OAAO,QAAU2E,EAAgB9E,QAAQ,KAAM,QAAU,OAAQ,MAIzFqB,EAASqD,EAAiBpD,KAAKD,GAAUA,EAAOrB,QAAQ0E,EAAkB,QAAUrD,EAGpFA,EAASsD,EAAkBrD,KAAKD,GAAUA,EAAOrB,QAAQ2E,EAAmB,SAAWtD,EAO3F,IAJA,IAAI0D,EAA0B3B,IAC1B4B,EAAWD,EAAuB,MAClCE,EAAUF,EAAuB,YAE5BrF,EAAE,EAAGA,EAAEsF,EAASvE,SAAUf,EAAG,CAClC,IAAIwF,EAAQF,EAAStF,GACrBwF,EAAMN,UAAY,EAElB,IAAIO,EAAcF,EAAQvF,GAC1B2B,EAAS6D,EAAM5D,KAAKD,GAAUA,EAAOrB,QAAQkF,EAAOC,GAAe9D,EAGvE,OAAOA,GAiDP+D,WA1CiB,SAAS/D,GAG1B,KAAyB,iBAFzBA,EAAmB,MAAVA,EAAiB,GAAKA,IAEMA,aAAkBI,QACnD,OAAOJ,EAIX,IAAI0C,EAAY3B,IAMhB,OALI2B,GAA2C,IAA9B1C,EAAOyC,QAAQC,KAC5B1C,EAASA,EAAO2C,UAAUD,EAAUtD,SAExCP,EAAgB0E,UAAY,EAC5BvD,EAASnB,EAAgBoB,KAAKD,GAAUA,EAAOrB,QAAQE,GAAiB,SAASqB,GAAS,OAAOlC,EAAUkC,MAAaF,GA8BxHgE,SAzBe,SAAShE,GAGxB,KAAyB,iBAFzBA,EAAmB,MAAVA,EAAiB,GAAKA,IAEMA,aAAkBI,QACnD,OAAOJ,EAKX,IAAI0C,EAAY3B,IACZ2B,GAA2C,IAA9B1C,EAAOyC,QAAQC,KAC5B1C,EAASA,EAAO2C,UAAUD,EAAUtD,SAGxC,IAAI8B,EAAWN,IACf,GAAIM,GAAYlB,EAAOyC,QAAQvB,IAAa,EACxC,OAAOlB,EAEX,IAAIiE,EAAiBnF,OAAO,MAAQb,EAAUW,GAAaG,KAAK,KAAO,IAAK,MAC5E,OAAOkF,EAAehE,KAAKD,GAAUA,EAAOrB,QAAQsF,GAAgB,SAAS/D,GAAS,OAAOtB,EAAYsB,MAAaF,GAOtHkE,aAAcnE","file":"_chunks/chunk.4612.js","sourcesContent":["/*\n * Copyright (C) 2005 - 2022 TIBCO Software Inc. All rights reserved.\n * http://www.jaspersoft.com.\n *\n * Unless you have purchased a commercial license agreement from Jaspersoft,\n * the following license terms apply:\n *\n * This program is free software: you can redistribute it and/or modify\n * it under the terms of the GNU Affero General Public License as\n * published by the Free Software Foundation, either version 3 of the\n * License, or (at your option) any later version.\n *\n * This program is distributed in the hope that it will be useful,\n * but WITHOUT ANY WARRANTY; without even the implied warranty of\n * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n * GNU Affero General Public License for more details.\n *\n * You should have received a copy of the GNU Affero General Public License\n * along with this program. If not, see <http://www.gnu.org/licenses/>.\n */\n\n/**\n * This is a standalone module.  jQuery,prototype, etc. - depend on this\n * @author: Borys Kolesnykov\n *\n */\n\nimport jrsConfigs from '../../jrs.configs';\n\nvar htmlTagWhiteList = 'a,abbr,acronym,address,animate,animateMotion,animateTransform,area,article,aside,b,bdi,bdo,big,blockquote,body,br,button,' +\n    'canvas,caption,center,circle,cite,clipPath,code,col,colgroup,color-profile,dd,defs,desc,details,dfn,discard,div,dl,dt,ellipse,em,' +\n    'feBlend,feColorMatrix,feComponentTransfer,feComposite,feConvolveMatrix,feDiffuseLighting,feDisplacementMap,feDistantLight,feFlood,feFuncA,feFuncB,feFuncG,feFuncR,feGaussianBlur,feImage,feMerge,feMergeNode,feMorphology,feOffset,fePointLight,feSpecularLighting,feSpotLight,feTile,feTurbulence,' +\n    'fieldset,filter,font,footer,form,h1,h2,h3,h4,h5,h6,head,' +\n    'header,hr,html,i,g,image,img,input,js-templateNonce,label,legend,li,line,linearGradient,main,map,mark,marker,mask,menu,menuitem,meta,metadata,mpath,nav,ol,option,p,path,pattern,polygon,polyline,' +\n    'pre,radialGradient,rect,section,select,set,small,span,stop,strike,strong,style,sub,summary,sup,svg,switch,symbol,table,tbody,td,text,textPath,textarea,tfoot,th,thead,title,tr,tspan,u,ul,use,view';\n\n// None of the chars in the values of the map should appear as the map key to\n// avoid multiple escaping in a case like xssUtil.hardEscape(xssUtil.hardEscape(str))\n// Also, the escapeMap keys should NOT contain any initial values of unescapeMap.map.\n// The canonicalization would be broken.  Eg. if escapeMap has a key 'c',\n// 'javas&#99;ript' won't be canonicalized to 'javascript', because canonicExclusionMap\n// would have {'&#99;': '*&*#*9*9*;*'}. '&#99;' would be excluded from canonic.\nvar escapeMap = {\n    '(': '&#40;',\n    ')': '&#41;',\n    '<': '&lt;',\n    '>': '&gt;',\n    '\"': '&quot;',\n    \"'\": '&#39;'\n};\n\n// here, we are escaping all the characters in str that are special in regex's.\n// The str returned here is used to further construct a regex as follows: (?: str ).\n// Eg. str = \"a{}\" results in \"a\\{\\}\" after replace().\nvar makeStringRegex = function(str){\n    return str == null ? '' : str.replace(/[-\\/\\\\^$*+?.()|[\\]{}]/g, '\\\\$&')\n};\n\n// Need to escape chars like ) and ( in order to construct correct regex later /(?: \\)|\\( )/g\nvar regexKeys = function(map) {\n    var arr = [];\n    for (var k in map) {\n        if (Object.prototype.hasOwnProperty.call(map, k))\n            arr.push(makeStringRegex(k));\n    }\n    return arr;\n};\n\n// unescapeMap is made from reverse of escapeMap + extra chars.\nvar unescapeMap = (function() {\n    var map = {\n            '&#111;': 'o',\n            '&#110;': 'n',\n            '&#115;': 's',\n            '&#114;': 'r',\n            '&#99;': 'c',\n            '&#100;': 'd',\n            '&amp;': '&'\n        }, k;\n    for (k in escapeMap) {\n        if (Object.prototype.hasOwnProperty.call(escapeMap, k))\n            map[escapeMap[k]] = k;\n    }\n\n    return map;\n})();\n\n//'hard' escape regex\nvar hardEscapeRegex = RegExp('(?:' + regexKeys(escapeMap).join('|') + ')', 'g');\n\n/*\n    'str' func argument should not be escaped (func returns false) if:\n    - str is not a String\n    - str is not an HTML; does not contain < and >\n */\nvar _isHTMLString = function (str) {\n    if (!(typeof(str) === 'string' || str instanceof String))\n        return false;\n\n    // not an HTML string\n    if (str.indexOf('<') < 0 && str.indexOf('>') < 0)\n        return false;\n\n    return true;\n};\n\n// This func. takes a string on input and retuns the string obfuscated it with an input char (obfChar).\n// It intersperses the obfuscation char around all the input string chars.\n// E.g.  &#40; is converted to *&*#*4*0*;* value\nvar _stringCanonicObfuscator = function (str, obfChar) {\n    var obfuscatedStr = obfChar;\n    for (var i = 0; i < str.length; ++i) {\n        obfuscatedStr += str.charAt(i);\n        obfuscatedStr += obfChar;\n    }\n\n    return obfuscatedStr;\n};\n\n// The keys of canonicExclusionMap are the html encoded characters that are not canonicalized during soft\n// escape (They are the values from escapeMap used in hardEscape func).  The values of the canonicExclusionMap\n// are its modified keys such that canonicalization does not decode the map keys found in the string.\n// It should be unlikely that these mutant values would be found in the application data stream.\n// If the values are found in the string by accident, they would be replaced by the map keys (danger)\nvar canonicExclusionMap = (function() {\n    var map = {}, key;\n\n    for (key in escapeMap) {\n        if (Object.prototype.hasOwnProperty.call(escapeMap, key)) {\n            var obfuscStr = escapeMap[key];\n            map[obfuscStr] = _stringCanonicObfuscator(obfuscStr, '*');\n        }\n    }\n\n    //textarea needs to be obfuscated because we are inserting into <textarea> elem. to canonicalize.  Firefox breaks in this case.\n    var addCanonicObfuscArr = ['<textarea', '</textarea>'];\n    for (var c = 0; c < addCanonicObfuscArr.length; ++c) {\n        var addObfuscStr = addCanonicObfuscArr[c];\n        map[addObfuscStr] = _stringCanonicObfuscator(addObfuscStr, '*');\n    }\n\n    return map;\n})();\n\nvar reverseCanonicExclusionMap = (function () {\n    var map = {}, key;\n    for (key in canonicExclusionMap) {\n        if (Object.prototype.hasOwnProperty.call(canonicExclusionMap, key)) {\n            map[canonicExclusionMap[key]] = key;\n        }\n    }\n\n    return map;\n})();\n\nvar canonicExclusionRegex = RegExp('(?:' + regexKeys(canonicExclusionMap).join('|') + ')', 'g');\nvar reverseCanonicExclusionRegex = RegExp('(?:' + regexKeys(reverseCanonicExclusionMap).join('|') + ')', 'g');\n\n/**\n * Canonicalize/decode characters of interest from the HTML encoding (DEC, HEX and Entity name) to ASCII characters.\n * Hard escaped characters listed as keys in escapeMap are not canonicalized to prevent soft\n * escape from reversing the hard escape as in xssUtil.softHtmlEscape(xssUtil.hardEscape(str))\n *\n * @param string\n * @returns canonicalized {string}\n * @private\n */\nfunction _canonicalize(string) {\n    string = string == null ? '' : string;\n\n    // exclude potentially hard escaped chars from escapeMap values\n    string = canonicExclusionRegex.test(string) ? string.replace(canonicExclusionRegex, function(match) { return canonicExclusionMap[match]; }) : string;\n\n    // In this block, we need to decode characters in the string '/:=javascriptond' from their encoded variants.\n    // This string of characters is based on next strings:\n    //     'javascript:' -- used to define javascript action taken by tags\n    //     'on=' -- used to define actions taken by tags\n    //     'srcdoc' -- used to define srcdoc attribute of the iframe\n    // Other encoded symbols are not important to our XSS protection because any XSS threat depend on these characters.\n    // For the reference on encodings you may take a look here:\n    // https://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references#Character_entity_references_in_HTML\n    // It seems like there are just 3 encodings (DEC, HEX and Entity name) which are supported across browsers\n    // as of 2022.\n\n    // translating DEC encoded symbols into characters. It's like '&#47' or '&#47;' into '/'\n    // yes, this approach translates all DEC-encodings, which is OK with us\n    string = string.replace(/&#(\\d+);?/g, ((match, dec) => String.fromCharCode(dec) ));\n\n    // translating HEX encoded symbols into characters. It's like '&#x2F' or '&#x2F;' into '/'\n    // yes, again, this approach translates all HEX-encodings, which is OK with us\n    string = string.replace(/&#x([a-f0-9]+);?/ig, ((match, group) => String.fromCharCode(parseInt(group, 16)) ));\n\n    // translating Entity-name encoded symbols into characters. It's like '&sol;' into '/'\n    const entityNameDecodingMap = {\n        '&tab;': '\\t',\n        '&newline;': '\\n',\n        '&sol;': '/',\n        '&colon;': ':',\n        '&equals;': '=',\n\n        '&tab': '\\t',\n        '&newline': '\\n',\n        '&sol': '/',\n        '&colon': ':',\n        '&equals': '='\n    };\n    const regexpEscapeMap = RegExp('(?:' + Object.keys(entityNameDecodingMap).join('|') + ')', 'ig');\n    string = string.replace(regexpEscapeMap, (match) => entityNameDecodingMap[match.toLowerCase()] );\n\n    // revert the chars excluded above to their original values\n    string = reverseCanonicExclusionRegex.test(string) ? string.replace(reverseCanonicExclusionRegex, function(match) { return reverseCanonicExclusionMap[match]; }) : string;\n\n    return string;\n}\n\n/**\n * Removes tabulation, new line and \"carriage return\" characters from the string \"javascript:\"\n *\n * @param string\n * @returns string\n * @private\n */\nfunction _removeBreakUpCharacters (string) {\n    // We are removing \"tab\", \"new line\" and \"carriage return\" characters inserted into \"javascript:\" string, so from\n    // \"ja\\tva\\r\\nscript:\" we are getting \"javascript:\"\n\n    const jsKeyword = 'javascript:';\n    const jsKeywordSearchRegExp = RegExp(jsKeyword.split('').join('[\\t\\r\\n]*'), 'ig');\n    return string.replace(jsKeywordSearchRegExp, jsKeyword);\n}\n\n/**\n * In visualize, jquery & xssUtil dependency are loaded before 'settings';\n * hence, it's possible for jrsConfigs.xssNonce to be undefined till jrsConfigs is\n * populated from 'settings'.\n *\n * @returns xssNonce\n * @private\n */\nfunction _getXssNonce() {\n    if (!jrsConfigs.xssNonce) {\n        throw new Error('xssNonce is not set. No render is allowed without xssNonce.');\n    }\n\n    return jrsConfigs.xssNonce;\n}\n\n/**\n * noncePrefix is used to prefix the result of xssUtil.softHtmlEscape(str, {whitelist: ['img']}), so that\n * the result is not overwritten during the subsequent call for html output -> xssUtil.softHtmlEscape(str)\n *\n * @returns nonce prefix\n * @private\n */\nfunction _getNoncePrefix() {\n    if (_getNoncePrefix.noncePrefix === undefined) {\n        var xssNonce = _getXssNonce();\n        if (!xssNonce)\n            return null;\n        _getNoncePrefix.noncePrefix = '<!--@' + xssNonce + '@-->'\n    }\n\n    return _getNoncePrefix.noncePrefix;\n}\n\n/**\n * In visualize, jquery & xssUtil dependency are loaded before 'settings';\n * hence, it's possible for jrsConfigs.xssHtmlTagWhiteList to be undefined till jrsConfigs is\n * populated from 'settings'.\n *\n * @returns configured htmlTagWhiteList (on the server)\n * @private\n */\nfunction _getConfigHtmlTagWhitelist() {\n    var configHtmlTagWhitelist = jrsConfigs.xssHtmlTagWhiteList;\n\n    configHtmlTagWhitelist = (typeof configHtmlTagWhitelist === 'string' ? configHtmlTagWhitelist : \"\");\n    configHtmlTagWhitelist = configHtmlTagWhitelist.replace(/\\s/g,'');   //remove the spaces from xss.soft.html.escape.tag.whitelist in security-config.properties\n    return configHtmlTagWhitelist;\n}\n\n/**\n * If htmlTagWhiteList is configured on the server, replace/modify htmlTagWhiteList with the server value.\n * if the 'configured htmlTagWhiteList' starts with +, the tags in config are added to the hard-coded htmlTagWhiteList;\n * otherwise, 'configured htmlTagWhiteList' replaces htmlTagWhiteList\n *\n * If there is no configuration on the server, return the default hard-coded htmlTagWhiteList.\n *\n * @returns htmlTagWhiteList\n * @private\n */\nfunction _getHtmlTagWhitelist() {\n    var configHtmlTagWhitelist = _getConfigHtmlTagWhitelist();\n\n    // if jrsConfigs.xssHtmlTagWhiteList starts with +, the tags are added to the htmlTagWhiteList;\n    // o/w, jrsConfigs.xssHtmlTagWhiteList replaces htmlTagWhiteList\n    if (configHtmlTagWhitelist.length > 0 && !_getHtmlTagWhitelist.whitelistInitialized) {\n        htmlTagWhiteList =\n            (configHtmlTagWhitelist.startsWith(\"+\") ? htmlTagWhiteList + ',' + configHtmlTagWhitelist.substr(1) : configHtmlTagWhitelist);\n        _getHtmlTagWhitelist.whitelistInitialized = true;\n    }\n\n    return htmlTagWhiteList;\n}\n\n/**\n * Construct left HTML tag regext from htmlTagWhiteList.\n *\n * @return {RegExp}\n * @private\n */\nfunction _getWhitelistLeftRegex() {\n    if (_getWhitelistLeftRegex.leftTagRegexp !== undefined)\n        return _getWhitelistLeftRegex.leftTagRegexp;\n\n    var whitelist = _getHtmlTagWhitelist();\n    var whitelistRegexInsert = whitelist.replace(/,/g,'\\\\b|');\n    _getWhitelistLeftRegex.leftTagRegexp =  RegExp('<(?!/|' + whitelistRegexInsert + '\\\\b|!--)', 'ig');\n\n    return _getWhitelistLeftRegex.leftTagRegexp;\n}\n\n/**\n * Construct right HTML tag regext from htmlTagWhiteList.\n *\n * @return {RegExp}\n * @private\n */\nfunction _getWhitelistRightRegex() {\n    if (_getWhitelistRightRegex.rightTagRegexp !== undefined)\n        return _getWhitelistRightRegex.rightTagRegexp;\n\n    var whitelist = _getHtmlTagWhitelist();\n    var whitelistRegexInsert = whitelist.replace(/,/g,'\\\\b|');\n    _getWhitelistRightRegex.rightTagRegexp = RegExp('</(?!' + whitelistRegexInsert + '\\\\b)', 'ig');\n\n    return _getWhitelistRightRegex.rightTagRegexp;\n}\n\n// Regex map used to escape HTML tag attributes which produce javascript context.\n// During 'soft' html escape, the map keys are converted into Regexp(\\b<key>\\b, 'gi')\n// and replaced with the corresponding map values.\n// Important: the code of _canonicalize() method is based on characters used in regexs defined here.\n// So if you going to add some new symbols into any regex pattern, please, consider checking code of _canonicalize().\nvar _defaultAttribSoftEscapeMap = {\n    'regex': [\n        /\\bjavascript:/ig,\n        /\\bon(\\w+?)\\s*=/ig,\n        /\\bsrcdoc\\s*=/ig\n    ],\n    'replacement': [\n        '',\n        '&#111;&#110;$1=',\n        '&#115;&#114;&#99;doc='\n    ]\n};\n\nfunction _getConfigAttribSoftHtmlEscapeMap() {\n    return jrsConfigs.xssAttribSoftHtmlEscapeMap;\n}\n\nfunction _getAttribSoftHtmlEscapeMap() {\n    if (_getAttribSoftHtmlEscapeMap.attribSoftEscapeArr !== undefined)\n        return _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr;\n\n    var configAttribSoftHtmlEscapeMap = _getConfigAttribSoftHtmlEscapeMap();\n    if (!configAttribSoftHtmlEscapeMap) {\n        _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr = _defaultAttribSoftEscapeMap;\n        return _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr;\n    }\n\n    try {\n        var configRegexArr = [];\n        var configReplArr = [];\n        for (var k in configAttribSoftHtmlEscapeMap) {\n            if (configAttribSoftHtmlEscapeMap.hasOwnProperty(k)) {\n                configRegexArr.push(RegExp( k, 'ig'));\n                configReplArr.push(configAttribSoftHtmlEscapeMap[k]);\n            }\n        }\n\n        _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr = {\n            'regex': configRegexArr,\n            'replacement': configReplArr\n        };\n\n        return _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr\n    }\n    catch (err) {\n        console.warn(\"Unable to parse xss.soft.html.escape.attrib.map.  Using _defaultAttribSoftEscapeMap.\"); // eslint-disable-line no-console\n        return _getAttribSoftHtmlEscapeMap.attribSoftEscapeArr;\n    }\n}\n\n/*\n        _xssSoftHtmlEscape performs 'soft HTML escape': an escape of html such that no Javascript is executed in the browser.\n        _xssSoftHtmlEscape escapes parenthesis and <.  < is escaped only if it's not followed by a valid html tag as defined by\n        htmlTagWhiteList or options.whitelist.  _xssSoftHtmlEscape also escapes some HTML attributes switching the HTML context\n        to Javascript.\n\n        If the 'string' input is not an HTML or contains a session nonce, soft HTML escape is not applied.\n        Session nonce marks the HTML as safe; that HTML does not require escaping against XSS.  This lets us\n        mark our html templates as safe (allows to include javascript and gives a performance boost).\n\n        Note: it's important that applying this function more than once does not escape the string multiple times.\n        Multiple escapes will break UI.\n        E.g. < is replaced with &lt;.  None of the chars & l t or ; should be escaped. If, say, & were replaced with\n        &amp;, < would become &amp;lt; after two escapes instead of staying &lt;.\n\n        Note2: The regular expressions are defined outside the function to improve performance.  The regex's\n        persist on the page; they have an internal state parameter lastIndex (last match loc.).  It's important\n        to reset lastIndex=0 before using each regex, so that the regex exec. results are correct.  Alternatively,\n        one can recreate the regex on each function call.\n\n        Parameters:\n        string - string to be purged of XSS via 'soft' HTML escape.\n        options.whitelist - [array] if defined, substitutes htmlTagWhiteList tags.  Tags in whitelist won't be escaped.\n                            This option is useful when we want to prevent the text input rendered as HTML.\n                            E.g. options.whitelist=['a'].  <a> won't be escaped. <img> will be escaped as &lt;img>.\n        options.escapeTags - [array] the tags excluded from htmlTagWhiteList; those tags would be escaped.\n                            E.g. options.escapeTags = ['iframe'].  <iframe > would become &lt;iframe >.\n                            This option is available only when whitelist is not specified.\n     */\nvar _xssSoftHtmlEscape = function(string, options) {\n    string = string == null ? '' : string;\n    options = options || { };\n\n    if (!_isHTMLString(string))\n        return string;\n\n    // The case in which options.whitelist escape was applied first; string starts with nonce.\n    // Avoid the subsequent escape during html output on the page.\n    // E.g. jquery.html(xssUtil.softHtmlEscape(str, {whitelist:['img']})).  If not for the following statement,\n    // subsequent call to xssUtil.softHtmlEscape inside jquery.html would use the default htmlTagWhiteList\n    // and would write over options.whitelist escape.  noncePrefix is an html comment to avoid showing it on the page.\n    var noncePref = _getNoncePrefix();\n    if (noncePref && string.indexOf(noncePref) === 0)\n        return string.substring(noncePref.length);\n\n    // If the string contains nonce (not noncePrefix in the 1st pos-n), it comes from JRS; it's safe to exec javascript.\n    var xssNonce = _getXssNonce();\n    if (xssNonce && string.indexOf(xssNonce) >= 0)\n        return string;\n\n    string = _canonicalize(string);\n\n    string = _removeBreakUpCharacters(string);\n\n    //avoid escaping < or > in <TAG> or </TAG>, where TAG is white-listed\n    if (options.whiteList && options.whiteList instanceof Array && options.whiteList.length > 0) {\n        //escape <TAG>\n        var whitelistRegexStr = options.whiteList.join('\\\\b|');\n        var rtLeftTagRegexp = RegExp('<(?!/|' + whitelistRegexStr + '\\\\b|!--)', 'ig');\n        string = rtLeftTagRegexp.test(string) ? string.replace(rtLeftTagRegexp, '&lt;') : string;\n\n        //escape </TAG>\n        var rtRightTagRegexp = RegExp('</(?!' + whitelistRegexStr + '\\\\b)', 'ig');\n        string = rtRightTagRegexp.test(string) ? string.replace(rtRightTagRegexp, '&lt;/') : string;\n\n        string = noncePref + string;\n    }\n    else {\n        var tmpLeftTagRegexp = _getWhitelistLeftRegex(), tmpRightTagRegexp = _getWhitelistRightRegex();\n        tmpLeftTagRegexp.lastIndex = 0;\n        tmpRightTagRegexp.lastIndex = 0;\n\n        if (options.escapeTags && options.escapeTags instanceof Array) {\n            var tmpTagWhiteList = _getHtmlTagWhitelist();\n            for (var i = 0; i < options.escapeTags.length; ++i) {\n                tmpTagWhiteList = tmpTagWhiteList.replace(options.escapeTags[i] + ',', '')\n            }\n\n            tmpLeftTagRegexp = RegExp('<(?!/|' + tmpTagWhiteList.replace(/,/g, '\\\\b|') + '\\\\b|!--)', 'ig');\n            tmpRightTagRegexp = RegExp('</(?!' + tmpTagWhiteList.replace(/,/g, '\\\\b|') + '\\\\b)', 'ig');\n        }\n\n        //escape <TAG>\n        string = tmpLeftTagRegexp.test(string) ? string.replace(tmpLeftTagRegexp, '&lt;') : string;\n\n        //escape </TAG>\n        string = tmpRightTagRegexp.test(string) ? string.replace(tmpRightTagRegexp, '&lt;/') : string;\n    }\n\n    var attribSoftHtmlEscapeMap = _getAttribSoftHtmlEscapeMap();\n    var regexArr = attribSoftHtmlEscapeMap['regex'];\n    var replArr = attribSoftHtmlEscapeMap['replacement'];\n\n    for (var k=0; k<regexArr.length; ++k) {\n        var regex = regexArr[k];\n        regex.lastIndex = 0;\n\n        var replacement = replArr[k];\n        string = regex.test(string) ? string.replace(regex, replacement) : string;\n    }\n\n    return string;\n};\n\n/*\n     Unlike 'soft' HTML escape (_xssSoftHtmlEscape), this function simply escapes based on escapeMap key-value pairs.\n     It will break all html and javasctipt.\n */\nvar _xssHardEscape = function(string) {\n    string = string == null ? '' : string;\n\n    if (!(typeof(string) === 'string' || string instanceof String))\n        return string;\n\n    // The case in which soft html escape with options.whitelist was applied first; string starts with nonce.\n    // Remove nonce prefix.  Hard escape happens anyways.\n    var noncePref = _getNoncePrefix();\n    if (noncePref && string.indexOf(noncePref) === 0)\n        string = string.substring(noncePref.length);\n\n    hardEscapeRegex.lastIndex = 0;\n    string = hardEscapeRegex.test(string) ? string.replace(hardEscapeRegex, function(match) { return escapeMap[match]; }) : string;\n    return string;\n};\n\n//Unescape function\nvar _xssUnescape = function(string) {\n    string = string == null ? '' : string;\n\n    if (!(typeof(string) === 'string' || string instanceof String)) {\n        return string;\n    }\n\n    // after soft escape with options.whitelist, the string will have a nonce prefix.\n    // Remove it to unescape the string in xssUtil.unescape(xssUtil.softHtmlEscape(string, {whitelist: ['a','div']})).\n    var noncePref = _getNoncePrefix();\n    if (noncePref && string.indexOf(noncePref) === 0)\n        string = string.substring(noncePref.length);\n\n    // If the string contains nonce, it comes from JRS: was not escaped\n    var xssNonce = _getXssNonce();\n    if (xssNonce && string.indexOf(xssNonce) >= 0)\n        return string;\n\n    var unescapeRegexp = RegExp('(?:' + regexKeys(unescapeMap).join('|') + ')', 'ig');\n    return unescapeRegexp.test(string) ? string.replace(unescapeRegexp, function(match) { return unescapeMap[match]; }) : string;\n};\n\nexport default {\n    softHtmlEscape: _xssSoftHtmlEscape,\n    hardEscape: _xssHardEscape,\n    unescape: _xssUnescape,\n    canonicalize: _canonicalize\n};\n"],"sourceRoot":""}