@instructure/platform-sanitize 0.3.11 → 0.3.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +18 -17
- package/dist/sanitizeHtml.d.ts +3 -1
- package/dist/sanitizeHtml.d.ts.map +1 -1
- package/package.json +10 -10
package/dist/index.js
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import c from "dompurify";
|
|
2
|
-
const
|
|
2
|
+
const b = /* @__PURE__ */ new Set([
|
|
3
3
|
// layout
|
|
4
4
|
"display",
|
|
5
5
|
"float",
|
|
@@ -225,7 +225,7 @@ const g = /* @__PURE__ */ new Set([
|
|
|
225
225
|
"caret-color",
|
|
226
226
|
"accent-color",
|
|
227
227
|
"appearance"
|
|
228
|
-
]),
|
|
228
|
+
]), m = /* @__PURE__ */ new Set([
|
|
229
229
|
"src",
|
|
230
230
|
"href",
|
|
231
231
|
"action",
|
|
@@ -236,7 +236,7 @@ const g = /* @__PURE__ */ new Set([
|
|
|
236
236
|
"cite",
|
|
237
237
|
"longdesc",
|
|
238
238
|
"xlink:href"
|
|
239
|
-
]), u = /^\s*(\/\/|\\)/,
|
|
239
|
+
]), u = /^\s*(\/\/|\\)/, w = [
|
|
240
240
|
"background",
|
|
241
241
|
"background-image",
|
|
242
242
|
"list-style",
|
|
@@ -245,7 +245,7 @@ const g = /* @__PURE__ */ new Set([
|
|
|
245
245
|
// content: url(...) triggers an HTTP GET even on non-pseudo elements in some
|
|
246
246
|
// browsers; strip it as defense-in-depth against tracking-pixel exfiltration.
|
|
247
247
|
"content"
|
|
248
|
-
],
|
|
248
|
+
], h = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, y = /* @__PURE__ */ new Set([
|
|
249
249
|
"allow-downloads",
|
|
250
250
|
"allow-forms",
|
|
251
251
|
"allow-modals",
|
|
@@ -258,7 +258,7 @@ const g = /* @__PURE__ */ new Set([
|
|
|
258
258
|
"allow-scripts",
|
|
259
259
|
"allow-storage-access-by-user-activation",
|
|
260
260
|
"allow-top-navigation-by-user-activation"
|
|
261
|
-
]),
|
|
261
|
+
]), d = {
|
|
262
262
|
ADD_TAGS: ["iframe"],
|
|
263
263
|
ADD_ATTR: [
|
|
264
264
|
"allowfullscreen",
|
|
@@ -307,7 +307,7 @@ function k() {
|
|
|
307
307
|
const e = t.style, o = [];
|
|
308
308
|
for (let n = 0; n < e.length; n++) {
|
|
309
309
|
const a = e.item(n);
|
|
310
|
-
|
|
310
|
+
b.has(a) || o.push(a);
|
|
311
311
|
}
|
|
312
312
|
for (const n of o) e.removeProperty(n);
|
|
313
313
|
const r = /* @__PURE__ */ new Set([
|
|
@@ -321,13 +321,13 @@ function k() {
|
|
|
321
321
|
"revert-layer"
|
|
322
322
|
]), s = e.getPropertyValue("position").trim().toLowerCase();
|
|
323
323
|
s && !r.has(s) && e.removeProperty("position");
|
|
324
|
-
for (const n of
|
|
324
|
+
for (const n of w) {
|
|
325
325
|
const a = e.getPropertyValue(n);
|
|
326
|
-
a &&
|
|
326
|
+
a && h.test(a) && e.removeProperty(n);
|
|
327
327
|
}
|
|
328
328
|
e.length === 0 && t.removeAttribute("style");
|
|
329
329
|
}), i.addHook("uponSanitizeAttribute", (t, e) => {
|
|
330
|
-
|
|
330
|
+
m.has(e.attrName) && u.test(e.attrValue) && (e.keepAttr = !1);
|
|
331
331
|
}), i.addHook("afterSanitizeAttributes", (t) => {
|
|
332
332
|
if (!(t instanceof Element) || !t.hasAttribute("srcset")) return;
|
|
333
333
|
(t.getAttribute("srcset") ?? "").split(",").map((r) => r.trim().split(/\s+/)[0]).some((r) => u.test(r)) && t.removeAttribute("srcset");
|
|
@@ -338,16 +338,17 @@ function k() {
|
|
|
338
338
|
o.add("noopener"), t.setAttribute("rel", [...o].join(" "));
|
|
339
339
|
}), i.addHook("afterSanitizeAttributes", (t) => {
|
|
340
340
|
if (!(t instanceof Element) || t.tagName !== "IFRAME" || !t.hasAttribute("sandbox")) return;
|
|
341
|
-
const o = (t.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), r = o.filter((s) =>
|
|
341
|
+
const o = (t.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), r = o.filter((s) => y.has(s));
|
|
342
342
|
r.length !== o.length && t.setAttribute("sandbox", r.join(" "));
|
|
343
343
|
}), i);
|
|
344
344
|
}
|
|
345
|
-
function R(t) {
|
|
345
|
+
function R(t, e) {
|
|
346
346
|
if (typeof window > "u")
|
|
347
347
|
throw new Error("sanitizeHtml requires a DOM environment (window is not defined)");
|
|
348
|
-
|
|
348
|
+
const o = e != null && e.allowFormAttributeNames ? { ...d, SANITIZE_DOM: !1 } : d;
|
|
349
|
+
return k().sanitize(t ?? "", o);
|
|
349
350
|
}
|
|
350
|
-
const
|
|
351
|
+
const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), l = "http://platform-sanitize.invalid/", g = /^\s*\/\//, p = (
|
|
351
352
|
// oxlint-disable-next-line no-control-regex -- intentional security guard
|
|
352
353
|
/^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
|
|
353
354
|
), A = {
|
|
@@ -385,14 +386,14 @@ function E(t) {
|
|
|
385
386
|
function S(t) {
|
|
386
387
|
if (!t || !t.trim()) return "about:blank";
|
|
387
388
|
const e = t.replace(/\\/g, "/");
|
|
388
|
-
if (
|
|
389
|
+
if (g.test(e) || p.test(e)) return "about:blank";
|
|
389
390
|
if (/&[#A-Za-z]/.test(e)) {
|
|
390
391
|
const o = E(e);
|
|
391
|
-
if (
|
|
392
|
+
if (g.test(o) || p.test(o))
|
|
392
393
|
return "about:blank";
|
|
393
394
|
try {
|
|
394
395
|
const r = new URL(o, l);
|
|
395
|
-
if (!r.href.startsWith(l) && !
|
|
396
|
+
if (!r.href.startsWith(l) && !f.has(r.protocol))
|
|
396
397
|
return "about:blank";
|
|
397
398
|
} catch {
|
|
398
399
|
return "about:blank";
|
|
@@ -400,7 +401,7 @@ function S(t) {
|
|
|
400
401
|
}
|
|
401
402
|
try {
|
|
402
403
|
const o = new URL(e, l);
|
|
403
|
-
return !
|
|
404
|
+
return !f.has(o.protocol) || (o.protocol === "http:" || o.protocol === "https:") && (o.username || o.password) ? "about:blank" : o.href.startsWith(l) ? t : e.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
|
|
404
405
|
} catch {
|
|
405
406
|
return "about:blank";
|
|
406
407
|
}
|
package/dist/sanitizeHtml.d.ts
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA6aA,wBAAgB,YAAY,
|
|
1
|
+
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA6aA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@instructure/platform-sanitize",
|
|
3
|
-
"version": "0.3.
|
|
3
|
+
"version": "0.3.12",
|
|
4
4
|
"type": "module",
|
|
5
5
|
"main": "./dist/index.js",
|
|
6
6
|
"module": "./dist/index.js",
|
|
@@ -17,14 +17,6 @@
|
|
|
17
17
|
"publishConfig": {
|
|
18
18
|
"access": "public"
|
|
19
19
|
},
|
|
20
|
-
"scripts": {
|
|
21
|
-
"build": "vite build",
|
|
22
|
-
"dev": "vite build --watch",
|
|
23
|
-
"test": "vitest run",
|
|
24
|
-
"test:watch": "vitest",
|
|
25
|
-
"test:coverage": "vitest run --coverage",
|
|
26
|
-
"type-check": "tsc --noEmit"
|
|
27
|
-
},
|
|
28
20
|
"peerDependencies": {
|
|
29
21
|
"dompurify": "^3.4.0"
|
|
30
22
|
},
|
|
@@ -37,5 +29,13 @@
|
|
|
37
29
|
"vite": "^6.0.0",
|
|
38
30
|
"vite-plugin-dts": "^4.0.0",
|
|
39
31
|
"vitest": "^4.0.0"
|
|
32
|
+
},
|
|
33
|
+
"scripts": {
|
|
34
|
+
"build": "vite build",
|
|
35
|
+
"dev": "vite build --watch",
|
|
36
|
+
"test": "vitest run",
|
|
37
|
+
"test:watch": "vitest",
|
|
38
|
+
"test:coverage": "vitest run --coverage",
|
|
39
|
+
"type-check": "tsc --noEmit"
|
|
40
40
|
}
|
|
41
|
-
}
|
|
41
|
+
}
|