@instructure/platform-sanitize 0.3.1 → 0.3.4

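--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -172,41 +172,44 @@ const d = /* @__PURE__ */ new Set([
  RETURN_TRUSTED_TYPE: !0
  };
  let i = null;
- function g() {
+ function u() {
  return i || (i = typeof a == "function" ? a(window) : a, i.addHook("afterSanitizeAttributes", (t) => {
  if (!(t instanceof Element) || !t.hasAttribute("style")) return;
- const e = t.style, o = [];
- for (let r = 0; r < e.length; r++) {
- const n = e.item(r);
- d.has(n) || o.push(n);
+ const e = t.style, r = [];
+ for (let o = 0; o < e.length; o++) {
+ const n = e.item(o);
+ d.has(n) || r.push(n);
  }
- for (const r of o) e.removeProperty(r);
+ for (const o of r) e.removeProperty(o);
  e.length === 0 && t.removeAttribute("style");
  }), i.addHook("uponSanitizeAttribute", (t, e) => {
  c.has(e.attrName) && l.test(e.attrValue) && (e.keepAttr = !1);
  }), i.addHook("afterSanitizeAttributes", (t) => {
  if (!(t instanceof Element) || !t.hasAttribute("srcset")) return;
- (t.getAttribute("srcset") ?? "").split(",").map((r) => r.trim().split(/\s+/)[0]).some((r) => l.test(r)) && t.removeAttribute("srcset");
+ (t.getAttribute("srcset") ?? "").split(",").map((o) => o.trim().split(/\s+/)[0]).some((o) => l.test(o)) && t.removeAttribute("srcset");
  }), i);
  }
- function p(t) {
+ function h(t) {
  if (typeof window > "u")
  throw new Error("sanitizeHtml requires a DOM environment (window is not defined)");
- return g().sanitize(t ?? "", f);
+ return u().sanitize(t ?? "", f);
  }
- const m = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), s = "http://platform-sanitize.invalid/", u = /^\s*\/\//;
- function h(t) {
+ const g = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), s = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
+ // biome-ignore lint/suspicious/noControlCharactersInRegex: intentional security guard
+ /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
+ );
+ function w(t) {
  if (!t || !t.trim()) return "about:blank";
  const e = t.replace(/\\/g, "/");
- if (u.test(e)) return "about:blank";
+ if (p.test(e) || b.test(e)) return "about:blank";
  try {
- const o = new URL(e, s);
- return m.has(o.protocol) ? o.href.startsWith(s) ? t : o.href : "about:blank";
+ const r = new URL(e, s);
+ return !g.has(r.protocol) || (r.protocol === "http:" || r.protocol === "https:") && (r.username || r.password) ? "about:blank" : r.href.startsWith(s) ? t : e.replace(/[\x00-\x1F]/g, "").replace(/%0[ad]/gi, "");
  } catch {
  return "about:blank";
  }
  }
  export {
- p as sanitizeHtml,
- h as sanitizeUrl
+ h as sanitizeHtml,
+ w as sanitizeUrl
  };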
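Review bot: In the new `sanitizeUrl` (`w`), the absolute-URL branch returns `e` after two `replace` calls instead of the parsed `r.href` that 0.3.1 returned, so the protocol allowlist and the username/password check run on one string while a different, never re-parsed string is handed back. The `%0[ad]` removal is a single pass, so deleting one match can leave a new encoded CR/LF assembled from the characters around it; the output is therefore not guaranteed to be free of the sequences the strip is meant to remove. The relative branch still returns the original `t` with backslashes and control characters untouched, which is inconsistent with the cleaning applied to absolute URLs; whether that is intended is not visible here. I would clean to a fixed point first and run the prefix tests and the `new URL` checks on the cleaned string, as sketched below. This file is build output, so the change belongs in `src/sanitizeUrl.ts`.

```javascript
  const e = t.replace(/\\/g, "/");
  // Strip to a fixed point so that removing one match cannot assemble another.
  let c = e, prev;
  do {
    prev = c;
    c = c.replace(/[\x00-\x1F]/g, "").replace(/%0[ad]/gi, "");
  } while (c !== prev);
  if (p.test(c) || b.test(c)) return "about:blank";
  try {
    // Parse and check the exact string that is returned below.
    const r = new URL(c, s);
    if (!g.has(r.protocol)) return "about:blank";
    if ((r.protocol === "http:" || r.protocol === "https:") && (r.username || r.password)) return "about:blank";
    return r.href.startsWith(s) ? t : c;
  // … unchanged: catch returns "about:blank" …
```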
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeUrl.d.ts","sourceRoot":"","sources":["../src/sanitizeUrl.ts"],"names":[],"mappings":"AAwBA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAiBlE"}
1
+ {"version":3,"file":"sanitizeUrl.d.ts","sourceRoot":"","sources":["../src/sanitizeUrl.ts"],"names":[],"mappings":"AA2CA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAiClE"}
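--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@instructure/platform-sanitize",
- "version": "0.3.1",
+ "version": "0.3.4",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",
@@ -18,11 +18,11 @@
  "access": "public"
  },
  "peerDependencies": {
- "dompurify": "^3.0.0"
+ "dompurify": "^3.4.0"
  },
  "devDependencies": {
  "@vitest/coverage-v8": "^4.0.17",
- "dompurify": "^3.0.0",
+ "dompurify": "^3.4.0",
  "jsdom": "^25.0.0",
  "typescript": "^5.3.0",
  "vite": "^6.0.0",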