Merge remote-tracking branch 'origin/master' into new-geo-projections

Author: archmoj

.circleci/config.yml

@@ -204,6 +204,9 @@ jobs:
             echo https://$CIRCLE_BUILD_NUM-$PROJECT_NUM-gh.circle-artifacts.com/0/dist/plotly.js
             echo https://$CIRCLE_BUILD_NUM-$PROJECT_NUM-gh.circle-artifacts.com/0/dist/plotly.min.js
             echo https://$CIRCLE_BUILD_NUM-$PROJECT_NUM-gh.circle-artifacts.com/0/dist/plot-schema.json
+      - run:
+          name: Test plot-schema.json diff - If failed, after (npm start) you could run (npm run schema && git add test/plot-schema.json && git commit -m "update plot-schema diff")
+          command: diff --unified --color dist/plot-schema.json test/plot-schema.json
       - run:
           name: Test plotly.min.js import using requirejs
           command: npm run test-requirejs

.circleci/env_image.sh

@@ -1,6 +1,8 @@
 #!/bin/sh
+# install required fonts
 sudo apt-get install fonts-liberation2 fonts-open-sans fonts-noto-cjk fonts-noto-color-emoji && \
 sudo python3 .circleci/download_google_fonts.py && \
 sudo cp -r .circleci/fonts/ /usr/share/ && \
 sudo fc-cache -f && \
+# install kaleido & plotly
 sudo python3 -m pip install kaleido==0.2.1 plotly==5.1.0 --progress-bar off

.github/PULL_REQUEST_TEMPLATE.md

@@ -9,11 +9,14 @@ Thanks for your interest in plotly.js!
 ### Features, Bug fixes, and others:
 
 Before opening a pull request, developer should:
+1. make sure they are not on the `master` branch of their fork as using `master` for a pull request would make it difficult to fetch `upstream` changes.
+2. fetch latest changes from `upstream/master` into your fork i.e. `origin/master` then pull `origin/master` from you local `master`.
+3. then `git rebase master` their local dev branch off the latest `master` which should be sync with `upstream/master` at this time.
+4. make sure to **not** `git add` the `dist/` folder (the `dist/` is updated only on version bumps).
+5. make sure to commit changes to the `package-lock.json` file (if any new dependency required).
+6. provide a title and write an overview of what the PR attempts to do with a link to the issue they are trying to address.
+7. select the _Allow edits from maintainers_ option (see this [article](https://help.github.com/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork/) for more details).
 
-- `git rebase` their local branch off the latest `master`,
-- make sure to **not** `git add` the `dist/` folder (the `dist/` is updated only on version bumps),
-- make sure to commit changes to the `package-lock.json` file (if any new dependency required),
-- write an overview of what the PR attempts to do,
-- select the _Allow edits from maintainers_ option (see this [article](https://help.github.com/articles/allowing-changes-to-a-pull-request-branch-created-from-a-fork/) for more details).
-
-Note that it is forbidden to force push (i.e. `git push -f`) to remote branches associated with opened pull requests. Force pushes make it hard for maintainers to keep track of updates. Therefore, if required, please `git merge master` into your PR branch instead of `git rebase master`.
+After opening a pull request, developer:
+ - should create a new small markdown log file using the PR number e.g. `1010_fix.md` or `1010_add.md` inside `draftlogs` folder as described in this [README](https://github.com/plotly/plotly.js/blob/master/draftlogs/README.md), commit it and push.
+ - should **not** force push (i.e. `git push -f`) to remote branches associated with opened pull requests. Force pushes make it hard for maintainers to keep track of updates. Therefore, if required, please fetch `upstream/master` and "merge" with master instead of "rebase".

CHANGELOG.md

@@ -9,6 +9,18 @@ To see all merged commits on the master branch that will be part of the next plo
 
 where X.Y.Z is the semver of most recent plotly.js release.
 
+## [2.2.1] -- 2021-07-06
+
+### Fixed
+ - Fix to improve sanitizing href inputs for SVG and HTML text elements [[#5803](https://github.com/plotly/plotly.js/pull/5803)]
+
+
+## [1.58.5] -- 2021-07-06
+
+### Fixed
+ - Fix to improve sanitizing href inputs for SVG and HTML text elements [[#5803](https://github.com/plotly/plotly.js/pull/5803)]
+
+
 ## [2.2.0] -- 2021-06-28
 
 ### Added

CONTRIBUTING.md

@@ -138,14 +138,19 @@ Three additional helpers exist that are refreshed every second:
 There is also a search bar in the top right of the dashboard. This fuzzy-searches
 image mocks based on their file name and trace type.
 
-#### Alternative to test dashboard
+#### Step 5: Regenerate plot-schema in "test" folder then review & commit potential changes
 
-Use the [`plotly-mock-viewer`](https://github.com/rreusser/plotly-mock-viewer)
-which has live-reloading and a bunch of other cool features.
-An online version of `plotly-mock-viewer` is available at <https://rreusser.github.io/plotly-mock-viewer/>
-which uses <https://cdn.plot.ly/plotly-latest.min.js>
+```bash
+npm run schema
+```
+
+#### Step 6: Review & commit potential changes made to test/plot-schema.json
 
-#### Other npm scripts
+> If you are editing attribute descriptions or implementing a new feature this file located in the test folder records the proposed changes to the API. Note that there is another plot-schema.json file located in the dist folder, which should only be updated by the maintainers at release time.
+
+**IMPORTANT:** please do not change and commit any files in the "dist" folder
+
+#### Other npm scripts that may be of interest in development
 
 - `npm run preprocess`: pre-processes the css and svg source file in js. This
   script must be run manually when updating the css and svg source files.
@@ -207,17 +212,40 @@ npm run test-jasmine -- --help
 npm run test-jasmine -- --info
 ```
 
-### Draft new baseline
-Install fonts and tools
+### Draft new baselines
+#### With docker:
+> If you prefer using docker each time you need to
+```sh
+docker run -it -v "$(pwd)":/plotly.js circleci/python:3.8.9 bash
+# then inside the docker
+cd plotly.js
+sudo bash .circleci/env_image.sh
+```
+
+#### Without docker:
+> Otherwise you may need to install `python 3.8`
+Then upgrade `pip` if needed
 ```sh
-# install required fonts (if missing) on ubuntu
-sudo cp -r .circleci/fonts/ /usr/share/ && sudo fc-cache -f
-# upgrade pip (if needed)
 python3 -m pip install --upgrade pip
-# install kaleido
-python3 -m pip install kaleido
-# install plotly
-python3 -m pip install plotly
+```
+
+To install required fonts and tools see this [shell script](https://github.com/plotly/plotly.js/blob/master/.circleci/env_image.sh).
+
+#### Scripts to generate/update new baselines with/without docker:
+```sh
+python3 test/image/make_baseline.py = mock_1 mock_2
+```
+
+> Alternatively using npm & node.js (which are not available in the python docker by default)
+
+```sh
+npm run baseline mock_1 mock_2
+```
+
+Or
+
+```sh
+npm run baseline mock_*
 ```
 
 **IMPORTANT:** the `baseline`, `test-image` and `test-export` scripts do **not** bundle the source files before

README.md

@@ -55,7 +55,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 
 ```html
 <head>
-    <script src="https://cdn.plot.ly/plotly-2.2.0.min.js"></script>
+    <script src="https://cdn.plot.ly/plotly-2.2.1.min.js"></script>
 </head>
 <body>
     <div id="gd"></div>
@@ -72,7 +72,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 Alternatively you may consider using [native ES6 import](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules) in the script tag.
 ```html
 <script type="module">
-    import "https://cdn.plot.ly/plotly-2.2.0.min.js"
+    import "https://cdn.plot.ly/plotly-2.2.1.min.js"
     Plotly.newPlot("gd", [{ y: [1, 2, 3] }])
 </script>
 ```
@@ -82,10 +82,10 @@ Fastly supports Plotly.js with free CDN service. Read more at <https://www.fastl
 ### Un-minified versions are also available on CDN
 While non-minified source files may contain characters outside UTF-8, it is recommended that you specify the `charset` when loading those bundles.
 ```html
-<script src="https://cdn.plot.ly/plotly-2.2.0.js" charset="utf-8"></script>
+<script src="https://cdn.plot.ly/plotly-2.2.1.js" charset="utf-8"></script>
 ```
 
-> Please note that as of v2 the "plotly-latest" outputs (e.g. https://cdn.plot.ly/plotly-latest.min.js) will no longer be updated on the CDN, and will stay at the last v1 patch v1.58.4. Therefore, to use the CDN with plotly.js v2 and higher, you must specify an exact plotly.js version.
+> Please note that as of v2 the "plotly-latest" outputs (e.g. https://cdn.plot.ly/plotly-latest.min.js) will no longer be updated on the CDN, and will stay at the last v1 patch v1.58.5. Therefore, to use the CDN with plotly.js v2 and higher, you must specify an exact plotly.js version.
 
 To support MathJax, you need to load version two of MathJax e.g. `v2.7.5` files from CDN or npm.
 ```html

dist/README.md

@@ -46,9 +46,9 @@ The main plotly.js bundles weight in at:
 | 8 MB | 3.4 MB | 1019.6 kB | 8.3 MB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-2.2.0.js
+> https://cdn.plot.ly/plotly-2.2.1.js
 
-> https://cdn.plot.ly/plotly-2.2.0.min.js
+> https://cdn.plot.ly/plotly-2.2.1.min.js
 
 
 #### npm packages
@@ -94,9 +94,9 @@ The `basic` partial bundle contains trace modules `bar`, `pie` and `scatter`.
 | 2.7 MB | 1007.3 kB | 327.3 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-basic-2.2.0.js
+> https://cdn.plot.ly/plotly-basic-2.2.1.js
 
-> https://cdn.plot.ly/plotly-basic-2.2.0.min.js
+> https://cdn.plot.ly/plotly-basic-2.2.1.min.js
 
 
 #### npm packages
@@ -114,12 +114,12 @@ The `cartesian` partial bundle contains trace modules `bar`, `box`, `contour`, `
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3.3 MB | 1.2 MB | 398.7 kB |
+| 3.3 MB | 1.2 MB | 398.8 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-cartesian-2.2.0.js
+> https://cdn.plot.ly/plotly-cartesian-2.2.1.js
 
-> https://cdn.plot.ly/plotly-cartesian-2.2.0.min.js
+> https://cdn.plot.ly/plotly-cartesian-2.2.1.min.js
 
 
 #### npm packages
@@ -137,12 +137,12 @@ The `geo` partial bundle contains trace modules `choropleth`, `scatter` and `sca
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 2.9 MB | 1 MB | 337.3 kB |
+| 2.9 MB | 1 MB | 337.4 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-geo-2.2.0.js
+> https://cdn.plot.ly/plotly-geo-2.2.1.js
 
-> https://cdn.plot.ly/plotly-geo-2.2.0.min.js
+> https://cdn.plot.ly/plotly-geo-2.2.1.min.js
 
 
 #### npm packages
@@ -163,9 +163,9 @@ The `gl3d` partial bundle contains trace modules `cone`, `isosurface`, `mesh3d`,
 | 3.8 MB | 1.5 MB | 482.7 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl3d-2.2.0.js
+> https://cdn.plot.ly/plotly-gl3d-2.2.1.js
 
-> https://cdn.plot.ly/plotly-gl3d-2.2.0.min.js
+> https://cdn.plot.ly/plotly-gl3d-2.2.1.min.js
 
 
 #### npm packages
@@ -183,12 +183,12 @@ The `gl2d` partial bundle contains trace modules `heatmapgl`, `parcoords`, `poin
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3.8 MB | 1.5 MB | 503.1 kB |
+| 3.8 MB | 1.5 MB | 503.2 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl2d-2.2.0.js
+> https://cdn.plot.ly/plotly-gl2d-2.2.1.js
 
-> https://cdn.plot.ly/plotly-gl2d-2.2.0.min.js
+> https://cdn.plot.ly/plotly-gl2d-2.2.1.min.js
 
 
 #### npm packages
@@ -209,9 +209,9 @@ The `mapbox` partial bundle contains trace modules `choroplethmapbox`, `densitym
 | 4.4 MB | 1.8 MB | 525 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-mapbox-2.2.0.js
+> https://cdn.plot.ly/plotly-mapbox-2.2.1.js
 
-> https://cdn.plot.ly/plotly-mapbox-2.2.0.min.js
+> https://cdn.plot.ly/plotly-mapbox-2.2.1.min.js
 
 
 #### npm packages
@@ -229,12 +229,12 @@ The `finance` partial bundle contains trace modules `bar`, `candlestick`, `funne
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3 MB | 1.1 MB | 353.5 kB |
+| 3 MB | 1.1 MB | 353.6 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-finance-2.2.0.js
+> https://cdn.plot.ly/plotly-finance-2.2.1.js
 
-> https://cdn.plot.ly/plotly-finance-2.2.0.min.js
+> https://cdn.plot.ly/plotly-finance-2.2.1.min.js
 
 
 #### npm packages
@@ -252,12 +252,12 @@ The `strict` partial bundle contains trace modules `bar`, `barpolar`, `box`, `ca
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 6.7 MB | 2.8 MB | 840.4 kB |
+| 6.7 MB | 2.8 MB | 840.5 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-strict-2.2.0.js
+> https://cdn.plot.ly/plotly-strict-2.2.1.js
 
-> https://cdn.plot.ly/plotly-strict-2.2.0.min.js
+> https://cdn.plot.ly/plotly-strict-2.2.1.min.js
 
 
 #### npm packages

dist/plotly-basic.js

@@ -1,5 +1,5 @@
 /**
-* plotly.js (basic) v2.2.0
+* plotly.js (basic) v2.2.1
 * Copyright 2012-2021, Plotly, Inc.
 * All rights reserved.
 * Licensed under the MIT license
@@ -49233,14 +49233,9 @@ function buildSVGText(containerNode, str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        // check safe protocols
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            // Decode href to allow both already encoded and not encoded
-                            // URIs. Without decoding prior encoding, an already encoded
-                            // URI would be encoded twice producing a semantically different URI.
-                            nodeSpec.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeSpec.href = safeHref;
                             nodeSpec.target = getQuotedMatch(extra, TARGETMATCH) || '_blank';
                             nodeSpec.popup = getQuotedMatch(extra, POPUPMATCH);
                         }
@@ -49255,6 +49250,27 @@ function buildSVGText(containerNode, str) {
     return hasLink;
 }
 
+function sanitizeHref(href) {
+    var decodedHref = encodeURI(decodeURI(href));
+    var dummyAnchor1 = document.createElement('a');
+    var dummyAnchor2 = document.createElement('a');
+    dummyAnchor1.href = href;
+    dummyAnchor2.href = decodedHref;
+
+    var p1 = dummyAnchor1.protocol;
+    var p2 = dummyAnchor2.protocol;
+
+    // check safe protocols
+    if(
+        PROTOCOLS.indexOf(p1) !== -1 &&
+        PROTOCOLS.indexOf(p2) !== -1
+    ) {
+        return decodedHref;
+    } else {
+        return '';
+    }
+}
+
 /*
  * sanitizeHTML: port of buildSVGText aimed at providing a clean subset of HTML
  * @param {string} str: the html string to clean
@@ -49289,10 +49305,9 @@ exports.sanitizeHTML = function sanitizeHTML(str) {
                     var href = getQuotedMatch(extra, HREFMATCH);
 
                     if(href) {
-                        var dummyAnchor = document.createElement('a');
-                        dummyAnchor.href = href;
-                        if(PROTOCOLS.indexOf(dummyAnchor.protocol) !== -1) {
-                            nodeAttrs.href = encodeURI(decodeURI(href));
+                        var safeHref = sanitizeHref(href);
+                        if(safeHref) {
+                            nodeAttrs.href = safeHref;
                             var target = getQuotedMatch(extra, TARGETMATCH);
                             if(target) {
                                 nodeAttrs.target = target;
@@ -84237,7 +84252,7 @@ function getSortFunc(opts, d2c) {
 'use strict';
 
 // package version injected by `npm run preprocess`
-exports.version = '2.2.0';
+exports.version = '2.2.1';
 
 },{}]},{},[8])(8)
 });