fix(youtube-player): use safevalues

andrewseguin · andrewseguin · commit d3d4362e67c0 · 2025-04-10T10:47:05.000-06:00
diff --git a/package.json b/package.json
@@ -68,7 +68,8 @@
     "rxjs": "^6.6.7",
     "rxjs-tslint-rules": "^4.34.8",
     "tslib": "^2.3.1",
-    "zone.js": "~0.15.0"
+    "zone.js": "~0.15.0",
+    "safevalues": "^1.2.0"
   },
   "devDependencies": {
     "@angular-devkit/build-angular": "^20.0.0-next.4",
diff --git a/pkg-externals.bzl b/pkg-externals.bzl
@@ -49,6 +49,8 @@ PKG_EXTERNALS = [
     "rxjs",
     "rxjs/operators",
     "selenium-webdriver",
+    "safevalues",
+    "safevalues/dom",
 ]
 
 # Creates externals for a given package and its entry-points.
diff --git a/src/youtube-player/BUILD.bazel b/src/youtube-player/BUILD.bazel
@@ -38,6 +38,7 @@ ng_project(
         "//:node_modules/@angular/core",
         "//:node_modules/@types/youtube",
         "//:node_modules/rxjs",
+        "//:node_modules/safevalues",
         "//src:dev_mode_types",
     ],
 )
diff --git a/src/youtube-player/package.json b/src/youtube-player/package.json
@@ -18,7 +18,8 @@
   "homepage": "https://github.com/angular/components/tree/main/src/youtube-player#readme",
   "dependencies": {
     "@types/youtube": "^0.1.0",
-    "tslib": "^2.3.0"
+    "tslib": "^2.3.0",
+    "safevalues": "^1.2.0"
   },
   "peerDependencies": {
     "@angular/core": "0.0.0-NG",
diff --git a/src/youtube-player/youtube-player.ts b/src/youtube-player/youtube-player.ts
@@ -32,6 +32,8 @@ import {
   EventEmitter,
 } from '@angular/core';
 import {isPlatformBrowser} from '@angular/common';
+import {trustedResourceUrl} from 'safevalues';
+import {setScriptSrc} from 'safevalues/dom';
 import {Observable, of as observableOf, Subject, BehaviorSubject, fromEventPattern} from 'rxjs';
 import {takeUntil, switchMap} from 'rxjs/operators';
 import {PlaceholderImageQuality, YouTubePlayerPlaceholder} from './youtube-player-placeholder';
@@ -743,7 +745,7 @@ function loadApi(nonce: string | null): void {
   }
 
   // We can use `document` directly here, because this logic doesn't run outside the browser.
-  const url = 'https://www.youtube.com/iframe_api';
+  const url = trustedResourceUrl`https://www.youtube.com/iframe_api`;
   const script = document.createElement('script');
   const callback = (event: Event) => {
     script.removeEventListener('load', callback);
@@ -759,7 +761,7 @@ function loadApi(nonce: string | null): void {
   };
   script.addEventListener('load', callback);
   script.addEventListener('error', callback);
-  (script as any).src = url;
+  setScriptSrc(script, url);
   script.async = true;
 
   if (nonce) {
diff --git a/yarn.lock b/yarn.lock
@@ -12152,6 +12152,11 @@ safe-stable-stringify@^2.3.1:
   resolved "https://registry.yarnpkg.com/safer-buffer/-/safer-buffer-2.1.2.tgz#44fa161b0187b9549dd84bb91802f9bd8385cd6a"
   integrity sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==
 
+safevalues@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/safevalues/-/safevalues-1.2.0.tgz#f9e646d6ebf31788004ef192d2a7d646c9896bb2"
+  integrity sha512-zIsuhjYvJCjfsfjoim2ab6gLKFYAnTiDSJGh0cC3T44L/4kNLL90hBG2BzrXPrHA3f8Ms8FSJ1mljKH5dVR1cw==
+
 sass-loader@16.0.5:
   version "16.0.5"
   resolved "https://registry.yarnpkg.com/sass-loader/-/sass-loader-16.0.5.tgz#257bc90119ade066851cafe7f2c3f3504c7cda98"

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,8 @@ PKG_EXTERNALS = [`
`49`	`49`	`"rxjs",`
`50`	`50`	`"rxjs/operators",`
`51`	`51`	`"selenium-webdriver",`
	`52`	`+ "safevalues",`
	`53`	`+ "safevalues/dom",`
`52`	`54`	`]`
`53`	`55`
`54`	`56`	`# Creates externals for a given package and its entry-points.`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@ ng_project(`
`38`	`38`	`"//:node_modules/@angular/core",`
`39`	`39`	`"//:node_modules/@types/youtube",`
`40`	`40`	`"//:node_modules/rxjs",`
	`41`	`+ "//:node_modules/safevalues",`
`41`	`42`	`"//src:dev_mode_types",`
`42`	`43`	`],`
`43`	`44`	`)`