refactor(core): Add ngDevMode guards and new sanitization error codes

SkyZeroZx · SkyZeroZx · commit 1d143a89a28a · 2025-12-12T00:54:52.000-05:00
Adds new runtime sanitization error codes. Adds `ngDevMode` guards around
error message strings to ensure detailed diagnostics are included only
in development mode. This allows production builds to tree-shake verbose error descriptions, reducing bundle size.
diff --git a/goldens/public-api/core/errors.api.md b/goldens/public-api/core/errors.api.md
@@ -56,6 +56,10 @@ export const enum RuntimeErrorCode {
     // (undocumented)
     HOST_DIRECTIVE_UNRESOLVABLE = 307,
     // (undocumented)
+    HTML_SANITIZATION_CLOBBERED = 921,
+    // (undocumented)
+    HTML_SANITIZATION_UNSTABLE = 920,
+    // (undocumented)
     HYDRATION_MISSING_NODE = -502,
     // (undocumented)
     HYDRATION_MISSING_SIBLINGS = -501,
@@ -170,6 +174,8 @@ export const enum RuntimeErrorCode {
     // (undocumented)
     RUNTIME_DEPS_ORPHAN_COMPONENT = 981,
     // (undocumented)
+    SANITIZATION_BYPASS_TYPE_MISMATCH = 922,
+    // (undocumented)
     SIGNAL_WRITE_FROM_ILLEGAL_CONTEXT = 600,
     // (undocumented)
     TEMPLATE_STRUCTURE_ERROR = 305,
diff --git a/packages/core/src/errors.ts b/packages/core/src/errors.ts
@@ -134,6 +134,9 @@ export const enum RuntimeErrorCode {
   MISSING_DIRECTIVE_DEFINITION = 916,
   NO_COMPONENT_FACTORY_FOUND = 917,
   EXTERNAL_RESOURCE_LOADING_FAILED = 918,
+  HTML_SANITIZATION_UNSTABLE = 920,
+  HTML_SANITIZATION_CLOBBERED = 921,
+  SANITIZATION_BYPASS_TYPE_MISMATCH = 922,
 
   // Signal integration errors
   REQUIRED_INPUT_NO_VALUE = -950,
diff --git a/packages/core/src/sanitization/bypass.ts b/packages/core/src/sanitization/bypass.ts
@@ -7,6 +7,7 @@
  */
 
 import {XSS_SECURITY_URL} from '../error_details_base_url';
+import {RuntimeError, RuntimeErrorCode} from '../errors';
 
 export const enum BypassType {
   Url = 'URL',
@@ -128,7 +129,10 @@ export function allowSanitizationBypassAndThrow(value: any, type: BypassType): b
   if (actualType != null && actualType !== type) {
     // Allow ResourceURLs in URL contexts, they are strictly more trusted.
     if (actualType === BypassType.ResourceUrl && type === BypassType.Url) return true;
-    throw new Error(`Required a safe ${type}, got a ${actualType} (see ${XSS_SECURITY_URL})`);
+    throw new RuntimeError(
+      RuntimeErrorCode.SANITIZATION_BYPASS_TYPE_MISMATCH,
+      ngDevMode && `Required a safe ${type}, got a ${actualType} (see ${XSS_SECURITY_URL})`,
+    );
   }
   return actualType === type;
 }
diff --git a/packages/core/src/sanitization/html_sanitizer.ts b/packages/core/src/sanitization/html_sanitizer.ts
@@ -7,6 +7,7 @@
  */
 
 import {XSS_SECURITY_URL} from '../error_details_base_url';
+import {RuntimeError, RuntimeErrorCode} from '../errors';
 import {TrustedHTML} from '../util/security/trusted_type_defs';
 import {trustedHTMLFromString} from '../util/security/trusted_types';
 
@@ -262,8 +263,10 @@ export function getNodeName(node: Node): string {
 }
 
 function clobberedElementError(node: Node) {
-  return new Error(
-    `Failed to sanitize html because the element is clobbered: ${(node as Element).outerHTML}`,
+  return new RuntimeError(
+    RuntimeErrorCode.HTML_SANITIZATION_CLOBBERED,
+    ngDevMode &&
+      `Failed to sanitize html because the element is clobbered: ${(node as Element).outerHTML}`,
   );
 }
 
@@ -314,7 +317,10 @@ export function _sanitizeHtml(defaultDoc: any, unsafeHtmlInput: string): Trusted
 
     do {
       if (mXSSAttempts === 0) {
-        throw new Error('Failed to sanitize html because the input is unstable');
+        throw new RuntimeError(
+          RuntimeErrorCode.HTML_SANITIZATION_UNSTABLE,
+          ngDevMode && 'Failed to sanitize html because the input is unstable',
+        );
       }
       mXSSAttempts--;
 
