fix(util): Use `safevalues` to sanitize HTML strings #9070

dlarocque · 2025-05-30T17:11:38Z

Use https://www.npmjs.com/package/safevalues/v/0.3.1 to sanitize HTML strings that are potentially unsafe when attached to the DOM with innerHTML. This should fix JS conformance issues we're seeing when importing to google3.

changeset-bot · 2025-05-30T17:11:42Z

🦋 Changeset detected

Latest commit: 4d9e45f

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 30 packages

Name	Type
@firebase/util	Patch
@firebase/ai	Patch
@firebase/analytics-compat	Patch
@firebase/analytics	Patch
@firebase/app-check-compat	Patch
@firebase/app-check	Patch
@firebase/app-compat	Patch
@firebase/app	Patch
@firebase/auth-compat	Patch
@firebase/auth	Patch
@firebase/component	Patch
@firebase/data-connect	Patch
@firebase/database-compat	Patch
@firebase/database-types	Patch
@firebase/database	Patch
firebase	Patch
@firebase/firestore-compat	Patch
@firebase/firestore	Patch
@firebase/functions-compat	Patch
@firebase/functions	Patch
@firebase/installations-compat	Patch
@firebase/installations	Patch
@firebase/messaging-compat	Patch
@firebase/messaging	Patch
@firebase/performance-compat	Patch
@firebase/performance	Patch
@firebase/remote-config-compat	Patch
@firebase/remote-config	Patch
@firebase/storage-compat	Patch
@firebase/storage	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

github-actions · 2025-05-30T17:11:55Z

Vertex AI Mock Responses Check ⚠️

A newer major version of the mock responses for Vertex AI unit tests is available. update_vertexai_responses.sh should be updated to clone the latest version of the responses: v13.0

google-oss-bot · 2025-05-30T17:37:05Z

Size Analysis Report ¹

Affected Products

@firebase/auth
- connectAuthEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 69.2 kB 80.7 kB +11.5 kB (+16.7%)
- getAuth
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 109 kB 120 kB +11.6 kB (+10.7%)
@firebase/data-connect
- connectDataConnectEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 35.5 kB 47.1 kB +11.5 kB (+32.5%)
@firebase/database
- connectDatabaseEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 145 kB 156 kB +11.6 kB (+8.0%)
- getDatabase
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 152 kB 164 kB +11.5 kB (+7.6%)
@firebase/firestore
- connectFirestoreEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 93.3 kB 105 kB +11.5 kB (+12.4%)
- getFirestore
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 101 kB 112 kB +11.5 kB (+11.4%)
@firebase/functions
- connectFunctionsEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 25.3 kB 36.9 kB +11.5 kB (+45.5%)
- getFunctions
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 33.2 kB 44.7 kB +11.5 kB (+34.7%)
@firebase/storage
- connectStorageEmulator
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 34.8 kB 46.3 kB +11.5 kB (+33.1%)
- getStorage
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size-with-ext-deps 42.7 kB 54.2 kB +11.5 kB (+27.0%)
@firebase/util
- CONSTANTS
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 100 B 142 B +42 B (+42.0%)
- DecodeBase64StringError
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 130 B 172 B +42 B (+32.3%)
- Deferred
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 314 B 356 B +42 B (+13.4%)
- ErrorFactory
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 641 B 683 B +42 B (+6.6%)
- FirebaseError
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 642 B 684 B +42 B (+6.5%)
- MAX_VALUE_MILLIS
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 50 B 92 B +42 B (+84.0%)
- RANDOM_FACTOR
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 38 B 80 B +42 B (+110.5%)
- Sha1
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 2.08 kB 2.13 kB +42 B (+2.0%)
- areCookiesEnabled
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 130 B 172 B +42 B (+32.3%)
- assert
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 245 B 287 B +42 B (+17.1%)
- assertionError
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 211 B 253 B +42 B (+19.9%)
- async
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 121 B 163 B +42 B (+34.7%)
- base64
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.11 kB 3.15 kB +42 B (+1.4%)
- base64Decode
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.23 kB 3.27 kB +42 B (+1.3%)
- base64Encode
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.18 kB 3.22 kB +42 B (+1.3%)
- base64urlEncodeWithoutPadding
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.25 kB 3.29 kB +42 B (+1.3%)
- calculateBackoffMillis
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 203 B 245 B +42 B (+20.7%)
- contains
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 87 B 129 B +42 B (+48.3%)
- createMockUserToken
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.82 kB 3.86 kB +42 B (+1.1%)
- createSubscribe
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 1.85 kB 1.89 kB +42 B (+2.3%)
- decode
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.45 kB 3.49 kB +42 B (+1.2%)
- deepCopy
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 384 B 426 B +42 B (+10.9%)
- deepEqual
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 367 B 409 B +42 B (+11.4%)
- deepExtend
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 350 B 392 B +42 B (+12.0%)
- errorPrefix
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 77 B 119 B +42 B (+54.5%)
- extractQuerystring
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 148 B 190 B +42 B (+28.4%)
- getDefaultAppConfig
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.03 kB 4.07 kB +42 B (+1.0%)
- getDefaultEmulatorHost
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.08 kB 4.12 kB +42 B (+1.0%)
- getDefaultEmulatorHostnameAndPort
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.38 kB 4.42 kB +42 B (+1.0%)
- getDefaults
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.95 kB 3.99 kB +42 B (+1.1%)
- getExperimentalSetting
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.03 kB 4.08 kB +42 B (+1.0%)
- getGlobal
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 221 B 263 B +42 B (+19.0%)
- getModularInstance
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 99 B 141 B +42 B (+42.4%)
- getUA
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 154 B 196 B +42 B (+27.3%)
- isAdmin
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.54 kB 3.58 kB +42 B (+1.2%)
- isBrowser
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 197 B 239 B +42 B (+21.3%)
- isBrowserExtension
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 190 B 232 B +42 B (+22.1%)
- isCloudWorkstation
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 90 B 132 B +42 B (+46.7%)
- isCloudflareWorker
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 127 B 169 B +42 B (+33.1%)
- isElectron
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 207 B 249 B +42 B (+20.3%)
- isEmpty
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 125 B 167 B +42 B (+33.6%)
- isIE
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 233 B 275 B +42 B (+18.0%)
- isIndexedDBAvailable
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 109 B 151 B +42 B (+38.5%)
- isMobileCordova
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 338 B 380 B +42 B (+12.4%)
- isNode
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.19 kB 4.23 kB +42 B (+1.0%)
- isNodeSdk
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 140 B 182 B +42 B (+30.0%)
- isReactNative
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 113 B 155 B +42 B (+37.2%)
- isSafari
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.32 kB 4.36 kB +42 B (+1.0%)
- isSafariOrWebkit
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.37 kB 4.41 kB +42 B (+1.0%)
- isUWP
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 203 B 245 B +42 B (+20.7%)
- isValidFormat
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.56 kB 3.60 kB +42 B (+1.2%)
- isValidTimestamp
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.75 kB 3.80 kB +42 B (+1.1%)
- isWebWorker
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 146 B 188 B +42 B (+28.8%)
- issuedAtTime
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 3.58 kB 3.62 kB +42 B (+1.2%)
- jsonEval
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 57 B 99 B +42 B (+73.7%)
- map
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 144 B 186 B +42 B (+29.2%)
- ordinal
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 243 B 285 B +42 B (+17.3%)
- pingServer
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 103 B 145 B +42 B (+40.8%)
- promiseWithTimeout
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 443 B 485 B +42 B (+9.5%)
- querystring
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 278 B 320 B +42 B (+15.1%)
- querystringDecode
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 200 B 242 B +42 B (+21.0%)
- safeGet
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 118 B 160 B +42 B (+35.6%)
- stringLength
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 199 B 241 B +42 B (+21.1%)
- stringToByteArray
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 716 B 758 B +42 B (+5.9%)
- stringify
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 62 B 104 B +42 B (+67.7%)
- updateEmulatorBanner
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 4.42 kB 4.50 kB +83 B (+1.9%)
  size-with-ext-deps 4.42 kB 15.8 kB +11.4 kB (+257.6%)
  External Dependency
  Module Base (1933324) Merge (33dabb0) Diff
  safevalues
  sanitizeHtml
  + sanitizeHtml
  safevalues/dom
  setElementInnerHtml
  + setElementInnerHtml
- validateArgCount
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 252 B 294 B +42 B (+16.7%)
- validateCallback
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 198 B 240 B +42 B (+21.2%)
- validateContextObject
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 217 B 259 B +42 B (+19.4%)
- validateIndexedDBOpenable
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 404 B 446 B +42 B (+10.4%)
- validateNamespace
  Size
  Type Base (1933324) Merge (33dabb0) Diff
  size 215 B 257 B +42 B (+19.5%)

Test Logs

https://storage.googleapis.com/firebase-sdk-metric-reports/IYVhFQRgTX.html

google-oss-bot · 2025-05-30T18:36:29Z

Size Report ¹

Affected Products

@firebase/util
Type Base (1933324) Merge (ae35123) Diff
browser 29.3 kB 29.4 kB +160 B (+0.5%)
main 35.7 kB 35.9 kB +239 B (+0.7%)
module 29.3 kB 29.4 kB +160 B (+0.5%)

`bundle`

34 size changes

Type	Base (`1933324`)	Merge (`ae35123`)	Diff
auth (GoogleFBTwitterGitHubPopup)	109 kB	121 kB	+11.6 kB (+10.6%)
database (Append to a list of data)	154 kB	166 kB	+11.5 kB (+7.5%)
database (Filtering data)	153 kB	165 kB	+11.5 kB (+7.5%)
database (Listen for child events)	170 kB	181 kB	+11.5 kB (+6.8%)
database (Listen for value events + Detach listeners)	170 kB	181 kB	+11.5 kB (+6.8%)
database (Listen for value events)	170 kB	181 kB	+11.5 kB (+6.8%)
database (Read data once)	169 kB	181 kB	+11.5 kB (+6.8%)
database (Save data as transactions)	172 kB	183 kB	+11.5 kB (+6.7%)
database (Sort data)	155 kB	166 kB	+11.5 kB (+7.4%)
database (Write data)	154 kB	165 kB	+11.5 kB (+7.5%)
firestore (CSI Auto Indexing Disable and Delete)	280 kB	291 kB	+11.5 kB (+4.1%)
firestore (CSI Auto Indexing Enable)	280 kB	291 kB	+11.5 kB (+4.1%)
firestore (Persistence)	311 kB	323 kB	+11.5 kB (+3.7%)
firestore (Query Cursors)	256 kB	268 kB	+11.5 kB (+4.5%)
firestore (Query)	254 kB	265 kB	+11.5 kB (+4.5%)
firestore (Read data once)	242 kB	253 kB	+11.5 kB (+4.8%)
firestore (Read Write w Persistence)	336 kB	347 kB	+11.5 kB (+3.4%)
firestore (Realtime updates)	244 kB	255 kB	+11.5 kB (+4.7%)
firestore (Transaction)	221 kB	233 kB	+11.5 kB (+5.2%)
firestore (Write data)	220 kB	232 kB	+11.5 kB (+5.2%)
firestore-lite (Query Cursors)	109 kB	121 kB	+11.5 kB (+10.6%)
firestore-lite (Query)	105 kB	117 kB	+11.5 kB (+11.0%)
firestore-lite (Read data once)	80.6 kB	92.1 kB	+11.5 kB (+14.3%)
firestore-lite (Transaction)	106 kB	118 kB	+11.5 kB (+10.9%)
firestore-lite (Write data)	90.2 kB	102 kB	+11.5 kB (+12.8%)
functions (call)	39.4 kB	50.9 kB	+11.5 kB (+29.3%)
storage (getBytes)	47.2 kB	58.7 kB	+11.5 kB (+24.4%)
storage (getDownloadURL)	49.2 kB	60.8 kB	+11.5 kB (+23.4%)
storage (getMetadata)	48.7 kB	60.2 kB	+11.5 kB (+23.7%)
storage (list + listAll)	48.1 kB	59.6 kB	+11.5 kB (+24.0%)
storage (updateMetadata)	49.0 kB	60.5 kB	+11.5 kB (+23.6%)
storage (uploadBytes)	53.8 kB	65.3 kB	+11.5 kB (+21.4%)
storage (uploadBytesResumable)	63.8 kB	75.3 kB	+11.5 kB (+18.1%)
storage (uploadString)	54.0 kB	65.5 kB	+11.5 kB (+21.3%)

`firebase`

15 size changes

Type	Base (`1933324`)	Merge (`ae35123`)	Diff
firebase-auth-compat.js	145 kB	156 kB	+10.6 kB (+7.3%)
firebase-auth-cordova.js	142 kB	154 kB	+11.8 kB (+8.3%)
firebase-auth-web-extension.js	125 kB	137 kB	+11.8 kB (+9.4%)
firebase-auth.js	163 kB	175 kB	+11.8 kB (+7.3%)
firebase-compat.js	802 kB	813 kB	+10.7 kB (+1.3%)
firebase-data-connect.js	22.7 kB	34.5 kB	+11.8 kB (+52.0%)
firebase-database-compat.js	168 kB	179 kB	+10.6 kB (+6.3%)
firebase-database.js	192 kB	204 kB	+11.9 kB (+6.2%)
firebase-firestore-compat.js	347 kB	358 kB	+10.6 kB (+3.1%)
firebase-firestore-lite.js	137 kB	149 kB	+11.8 kB (+8.6%)
firebase-firestore.js	449 kB	461 kB	+11.9 kB (+2.6%)
firebase-functions-compat.js	14.7 kB	25.3 kB	+10.6 kB (+72.0%)
firebase-functions.js	19.5 kB	31.3 kB	+11.8 kB (+60.6%)
firebase-storage-compat.js	44.2 kB	54.8 kB	+10.6 kB (+24.0%)
firebase-storage.js	51.1 kB	62.9 kB	+11.8 kB (+23.1%)

Test Logs

https://storage.googleapis.com/firebase-sdk-metric-reports/B1reB3gzII.html

dlarocque force-pushed the dl/safevalues-emu branch from 6d33591 to 5116fde Compare May 30, 2025 18:23

fix(util): Use safevalues to sanitize HTML strings

4d9e45f

dlarocque force-pushed the dl/safevalues-emu branch from 5116fde to 4d9e45f Compare May 30, 2025 18:24

fix(util): Use safevalues to sanitize HTML strings #9070

Are you sure you want to change the base?

fix(util): Use safevalues to sanitize HTML strings #9070

Uh oh!

Conversation

dlarocque commented May 30, 2025

changeset-bot bot commented May 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦋 Changeset detected

github-actions bot commented May 30, 2025

Vertex AI Mock Responses Check ⚠️

google-oss-bot commented May 30, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Size Analysis Report 1

Affected Products

@firebase/auth

connectAuthEmulator

getAuth

@firebase/data-connect

connectDataConnectEmulator

@firebase/database

connectDatabaseEmulator

getDatabase

@firebase/firestore

connectFirestoreEmulator

getFirestore

@firebase/functions

connectFunctionsEmulator

getFunctions

@firebase/storage

connectStorageEmulator

getStorage

@firebase/util

CONSTANTS

DecodeBase64StringError

Deferred

ErrorFactory

FirebaseError

MAX_VALUE_MILLIS

RANDOM_FACTOR

Sha1

areCookiesEnabled

assert

assertionError

async

base64

base64Decode

base64Encode

base64urlEncodeWithoutPadding

calculateBackoffMillis

contains

createMockUserToken

createSubscribe

decode

deepCopy

deepEqual

deepExtend

errorPrefix

extractQuerystring

getDefaultAppConfig

getDefaultEmulatorHost

getDefaultEmulatorHostnameAndPort

getDefaults

getExperimentalSetting

getGlobal

getModularInstance

getUA

isAdmin

isBrowser

isBrowserExtension

isCloudWorkstation

isCloudflareWorker

isElectron

isEmpty

isIE

isIndexedDBAvailable

isMobileCordova

isNode

isNodeSdk

isReactNative

fix(util): Use `safevalues` to sanitize HTML strings #9070

fix(util): Use `safevalues` to sanitize HTML strings #9070

changeset-bot bot commented May 30, 2025 •

edited

Loading

google-oss-bot commented May 30, 2025 •

edited

Loading

Size Analysis Report ¹

`@firebase/auth`

`connectAuthEmulator`

`getAuth`

`@firebase/data-connect`

`connectDataConnectEmulator`

`@firebase/database`

`connectDatabaseEmulator`

`getDatabase`

`@firebase/firestore`

`connectFirestoreEmulator`

`getFirestore`

`@firebase/functions`

`connectFunctionsEmulator`

`getFunctions`

`@firebase/storage`

`connectStorageEmulator`

`getStorage`

`@firebase/util`

`CONSTANTS`

`DecodeBase64StringError`

`Deferred`

`ErrorFactory`

`FirebaseError`

`MAX_VALUE_MILLIS`

`RANDOM_FACTOR`

`Sha1`

`areCookiesEnabled`

`assert`

`assertionError`

`async`

`base64`

`base64Decode`

`base64Encode`

`base64urlEncodeWithoutPadding`

`calculateBackoffMillis`

`contains`

`createMockUserToken`

`createSubscribe`

`decode`

`deepCopy`

`deepEqual`

`deepExtend`

`errorPrefix`

`extractQuerystring`

`getDefaultAppConfig`

`getDefaultEmulatorHost`

`getDefaultEmulatorHostnameAndPort`

`getDefaults`

`getExperimentalSetting`

`getGlobal`

`getModularInstance`

`getUA`

`isAdmin`

`isBrowser`

`isBrowserExtension`

`isCloudWorkstation`

`isCloudflareWorker`

`isElectron`

`isEmpty`

`isIE`

`isIndexedDBAvailable`

`isMobileCordova`

`isNode`

`isNodeSdk`

`isReactNative`

`isSafari`

`isSafariOrWebkit`

`isUWP`

`isValidFormat`

`isValidTimestamp`

`isWebWorker`

`issuedAtTime`

`jsonEval`

`map`

`ordinal`