diff --git a/compiled/facebook-www/REVISION b/compiled/facebook-www/REVISION
index 66772c12329bb..ab4a639da9c77 100644
--- a/compiled/facebook-www/REVISION
+++ b/compiled/facebook-www/REVISION
@@ -1 +1 @@
-6786563f3cbbc9b16d5a8187207b5bd904386e53
+9f8daa6cb5aae476cf54611874ea7522243c6ba6
diff --git a/compiled/facebook-www/ReactDOM-dev.classic.js b/compiled/facebook-www/ReactDOM-dev.classic.js
index f964e2fab7916..6bf70aa183a6b 100644
--- a/compiled/facebook-www/ReactDOM-dev.classic.js
+++ b/compiled/facebook-www/ReactDOM-dev.classic.js
@@ -7324,6 +7324,7 @@ if (__DEV__) {
warnUnknownProperties(type, props, eventRegistry);
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -7333,22 +7334,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
@@ -36319,7 +36315,7 @@ if (__DEV__) {
return root;
}
- var ReactVersion = "19.0.0-www-classic-654adadc";
+ var ReactVersion = "19.0.0-www-classic-45168b08";
function createPortal$1(
children,
diff --git a/compiled/facebook-www/ReactDOM-dev.modern.js b/compiled/facebook-www/ReactDOM-dev.modern.js
index 847ef2ad01a4c..f005ab3fd6e8a 100644
--- a/compiled/facebook-www/ReactDOM-dev.modern.js
+++ b/compiled/facebook-www/ReactDOM-dev.modern.js
@@ -7158,6 +7158,7 @@ if (__DEV__) {
warnUnknownProperties(type, props, eventRegistry);
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -7167,22 +7168,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
@@ -36166,7 +36162,7 @@ if (__DEV__) {
return root;
}
- var ReactVersion = "19.0.0-www-modern-ee9a7879";
+ var ReactVersion = "19.0.0-www-modern-2212f44c";
function createPortal$1(
children,
diff --git a/compiled/facebook-www/ReactDOMServer-dev.classic.js b/compiled/facebook-www/ReactDOMServer-dev.classic.js
index ffb6bb1637076..7422165cc1c9c 100644
--- a/compiled/facebook-www/ReactDOMServer-dev.classic.js
+++ b/compiled/facebook-www/ReactDOMServer-dev.classic.js
@@ -19,7 +19,7 @@ if (__DEV__) {
var React = require("react");
var ReactDOM = require("react-dom");
- var ReactVersion = "19.0.0-www-classic-b55c583a";
+ var ReactVersion = "19.0.0-www-classic-86d66ddc";
// This refers to a WWW module.
var warningWWW = require("warning");
@@ -2317,6 +2317,7 @@ if (__DEV__) {
.replace(msPattern, "-ms-");
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -2326,22 +2327,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
diff --git a/compiled/facebook-www/ReactDOMServer-dev.modern.js b/compiled/facebook-www/ReactDOMServer-dev.modern.js
index 7d00fcba2795c..92f0bbab7986e 100644
--- a/compiled/facebook-www/ReactDOMServer-dev.modern.js
+++ b/compiled/facebook-www/ReactDOMServer-dev.modern.js
@@ -19,7 +19,7 @@ if (__DEV__) {
var React = require("react");
var ReactDOM = require("react-dom");
- var ReactVersion = "19.0.0-www-modern-173398fa";
+ var ReactVersion = "19.0.0-www-modern-194c6b4a";
// This refers to a WWW module.
var warningWWW = require("warning");
@@ -2317,6 +2317,7 @@ if (__DEV__) {
.replace(msPattern, "-ms-");
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -2326,22 +2327,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
diff --git a/compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js b/compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js
index 178523914aa2b..071000956d1f7 100644
--- a/compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js
+++ b/compiled/facebook-www/ReactDOMServerStreaming-dev.modern.js
@@ -2314,6 +2314,7 @@ if (__DEV__) {
.replace(msPattern, "-ms-");
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -2323,22 +2324,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
diff --git a/compiled/facebook-www/ReactDOMTesting-dev.classic.js b/compiled/facebook-www/ReactDOMTesting-dev.classic.js
index 55eb75e48a6dc..e2c0d8c161fa8 100644
--- a/compiled/facebook-www/ReactDOMTesting-dev.classic.js
+++ b/compiled/facebook-www/ReactDOMTesting-dev.classic.js
@@ -7461,6 +7461,7 @@ if (__DEV__) {
warnUnknownProperties(type, props, eventRegistry);
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -7470,22 +7471,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
@@ -36943,7 +36939,7 @@ if (__DEV__) {
return root;
}
- var ReactVersion = "19.0.0-www-classic-de144cc2";
+ var ReactVersion = "19.0.0-www-classic-475fb13a";
function createPortal$1(
children,
diff --git a/compiled/facebook-www/ReactDOMTesting-dev.modern.js b/compiled/facebook-www/ReactDOMTesting-dev.modern.js
index 4acd6b2ff73ca..b77d31d243006 100644
--- a/compiled/facebook-www/ReactDOMTesting-dev.modern.js
+++ b/compiled/facebook-www/ReactDOMTesting-dev.modern.js
@@ -7295,6 +7295,7 @@ if (__DEV__) {
warnUnknownProperties(type, props, eventRegistry);
}
+ // A javascript: URL can contain leading C0 control or \u0020 SPACE,
// and any newline or tab are filtered out as if they're not part of the URL.
// https://url.spec.whatwg.org/#url-parsing
// Tab or newline are defined as \r\n\t:
@@ -7304,22 +7305,17 @@ if (__DEV__) {
// https://infra.spec.whatwg.org/#c0-control-or-space
/* eslint-disable max-len */
-
var isJavaScriptProtocol =
/^[\u0000-\u001F ]*j[\r\n\t]*a[\r\n\t]*v[\r\n\t]*a[\r\n\t]*s[\r\n\t]*c[\r\n\t]*r[\r\n\t]*i[\r\n\t]*p[\r\n\t]*t[\r\n\t]*\:/i;
function sanitizeURL(url) {
// We should never have symbols here because they get filtered out elsewhere.
// eslint-disable-next-line react-internal/safe-string-coercion
- var stringifiedURL = "" + url;
-
- {
- if (isJavaScriptProtocol.test(stringifiedURL)) {
- // Return a different javascript: url that doesn't cause any side-effects and just
- // throws if ever visited.
- // eslint-disable-next-line no-script-url
- return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
- }
+ if (isJavaScriptProtocol.test("" + url)) {
+ // Return a different javascript: url that doesn't cause any side-effects and just
+ // throws if ever visited.
+ // eslint-disable-next-line no-script-url
+ return "javascript:throw new Error('React has blocked a javascript: URL as a security precaution.')";
}
return url;
@@ -36790,7 +36786,7 @@ if (__DEV__) {
return root;
}
- var ReactVersion = "19.0.0-www-modern-4e8b0ce1";
+ var ReactVersion = "19.0.0-www-modern-5757544c";
function createPortal$1(
children,
diff --git a/compiled/facebook-www/__test_utils__/ReactAllWarnings.js b/compiled/facebook-www/__test_utils__/ReactAllWarnings.js
index 8875df1870495..732dfbcd3f7af 100644
--- a/compiled/facebook-www/__test_utils__/ReactAllWarnings.js
+++ b/compiled/facebook-www/__test_utils__/ReactAllWarnings.js
@@ -73,7 +73,6 @@ export default [
"A component suspended inside an `act` scope, but the `act` call was not awaited. When testing React components that depend on asynchronous data, you must await the result:\n\nawait act(() => ...)",
"A component was suspended by an uncached promise. Creating promises inside a Client Component or hook is not yet supported, except via a Suspense-compatible library or framework.",
"A context consumer was rendered with multiple children, or a child that isn't a function. A context consumer expects a single child that is a function. If you did pass a function, make sure there is no trailing or leading whitespace around it.",
- "A future version of React will block javascript: URLs as a security precaution. Use event handlers instead if you can. If you need to generate unsafe HTML try using dangerouslySetInnerHTML instead. React was passed %s.",
"A nested %s was passed to row #%s in . Wrap it in an additional SuspenseList to configure its revealOrder: ... {%s} ... ",
"A pointerId must be passed to \"%s\"",
"A props object containing a \"key\" prop is being spread into JSX:\n let props = %s;\n <%s {...props} />\nReact keys must be passed directly to JSX without using spread:\n let props = %s;\n <%s key={someKey} {...props} />",