@instructure/platform-sanitize 0.3.11 → 0.3.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
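--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,5 +1,5 @@
 import c from "dompurify";
-const g = /* @__PURE__ */ new Set([
+const b = /* @__PURE__ */ new Set([
 // layout
 "display",
 "float",
@@ -225,7 +225,7 @@ const g = /* @__PURE__ */ new Set([
 "caret-color",
 "accent-color",
 "appearance"
-]), b = /* @__PURE__ */ new Set([
+]), m = /* @__PURE__ */ new Set([
 "src",
 "href",
 "action",
@@ -236,7 +236,7 @@ const g = /* @__PURE__ */ new Set([
 "cite",
 "longdesc",
 "xlink:href"
-]), u = /^\s*(\/\/|\\)/, m = [
+]), u = /^\s*(\/\/|\\)/, w = [
 "background",
 "background-image",
 "list-style",
@@ -245,7 +245,7 @@ const g = /* @__PURE__ */ new Set([
 // content: url(...) triggers an HTTP GET even on non-pseudo elements in some
 // browsers; strip it as defense-in-depth against tracking-pixel exfiltration.
 "content"
-], w = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, h = /* @__PURE__ */ new Set([
+], h = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, y = /* @__PURE__ */ new Set([
 "allow-downloads",
 "allow-forms",
 "allow-modals",
@@ -258,7 +258,7 @@ const g = /* @__PURE__ */ new Set([
 "allow-scripts",
 "allow-storage-access-by-user-activation",
 "allow-top-navigation-by-user-activation"
-]), y = {
+]), d = {
 ADD_TAGS: ["iframe"],
 ADD_ATTR: [
 "allowfullscreen",
@@ -307,7 +307,7 @@ function k() {
 const e = t.style, o = [];
 for (let n = 0; n < e.length; n++) {
 const a = e.item(n);
-g.has(a) || o.push(a);
+b.has(a) || o.push(a);
 }
 for (const n of o) e.removeProperty(n);
 const r = /* @__PURE__ */ new Set([
@@ -321,13 +321,13 @@ function k() {
 "revert-layer"
 ]), s = e.getPropertyValue("position").trim().toLowerCase();
 s && !r.has(s) && e.removeProperty("position");
-for (const n of m) {
+for (const n of w) {
 const a = e.getPropertyValue(n);
-a && w.test(a) && e.removeProperty(n);
+a && h.test(a) && e.removeProperty(n);
 }
 e.length === 0 && t.removeAttribute("style");
 }), i.addHook("uponSanitizeAttribute", (t, e) => {
-b.has(e.attrName) && u.test(e.attrValue) && (e.keepAttr = !1);
+m.has(e.attrName) && u.test(e.attrValue) && (e.keepAttr = !1);
 }), i.addHook("afterSanitizeAttributes", (t) => {
 if (!(t instanceof Element) || !t.hasAttribute("srcset")) return;
 (t.getAttribute("srcset") ?? "").split(",").map((r) => r.trim().split(/\s+/)[0]).some((r) => u.test(r)) && t.removeAttribute("srcset");
@@ -338,16 +338,17 @@ function k() {
 o.add("noopener"), t.setAttribute("rel", [...o].join(" "));
 }), i.addHook("afterSanitizeAttributes", (t) => {
 if (!(t instanceof Element) || t.tagName !== "IFRAME" || !t.hasAttribute("sandbox")) return;
-const o = (t.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), r = o.filter((s) => h.has(s));
+const o = (t.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), r = o.filter((s) => y.has(s));
 r.length !== o.length && t.setAttribute("sandbox", r.join(" "));
 }), i);
 }
-function R(t) {
+function R(t, e) {
 if (typeof window > "u")
 throw new Error("sanitizeHtml requires a DOM environment (window is not defined)");
-return k().sanitize(t ?? "", y);
+const o = e != null && e.allowFormAttributeNames ? { ...d, SANITIZE_DOM: !1 } : d;
+return k().sanitize(t ?? "", o);
 }
-const d = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), l = "http://platform-sanitize.invalid/", f = /^\s*\/\//, p = (
+const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), l = "http://platform-sanitize.invalid/", g = /^\s*\/\//, p = (
 // oxlint-disable-next-line no-control-regex -- intentional security guard
 /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
 ), A = {
@@ -385,14 +386,14 @@ function E(t) {
 function S(t) {
 if (!t || !t.trim()) return "about:blank";
 const e = t.replace(/\\/g, "/");
-if (f.test(e) || p.test(e)) return "about:blank";
+if (g.test(e) || p.test(e)) return "about:blank";
 if (/&[#A-Za-z]/.test(e)) {
 const o = E(e);
-if (f.test(o) || p.test(o))
+if (g.test(o) || p.test(o))
 return "about:blank";
 try {
 const r = new URL(o, l);
-if (!r.href.startsWith(l) && !d.has(r.protocol))
+if (!r.href.startsWith(l) && !f.has(r.protocol))
 return "about:blank";
 } catch {
 return "about:blank";
@@ -400,7 +401,7 @@ function S(t)
 }
 try {
 const o = new URL(e, l);
-return !d.has(o.protocol) || (o.protocol === "http:" || o.protocol === "https:") && (o.username || o.password) ? "about:blank" : o.href.startsWith(l) ? t : e.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
+return !f.has(o.protocol) || (o.protocol === "http:" || o.protocol === "https:") && (o.username || o.password) ? "about:blank" : o.href.startsWith(l) ? t : e.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
 } catch {
 return "about:blank";
 }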
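Review bot: The new `allowFormAttributeNames` branch in R (`const o = e != null && e.allowFormAttributeNames ? { ...d, SANITIZE_DOM: !1 } : d;` in the `@@ -338,16 +338,17 @@` hunk) switches off DOMPurify's `SANITIZE_DOM` for the whole document, which is the option that removes `id`/`name` values colliding with `document` and form properties; the option name suggests a narrower effect than that. Nothing in the hunk limits the relaxation to form controls, so output produced with this flag can carry `id`/`name` collisions the host page must be prepared for, and callers have no way to tell from the signature. A why-comment on that line would make the trade-off visible: `// SANITIZE_DOM=false drops DOMPurify's DOM-clobbering guard for id/name collisions document-wide, not just on form fields; only opt in where the host page never resolves document/form properties by name.` If the intent really is only to keep `name` on form fields, a scoped `uponSanitizeAttribute` hook in k() may be a narrower alternative, though that is an inference from the hooks already registered there. The same caveat belongs in TSDoc on the `allowFormAttributeNames` option in the sanitizeHtml.d.ts declaration (the `@@ -1,2 +1,4 @@` hunk below), which currently has none.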
@@ -1,2 +1,4 @@
1
- export declare function sanitizeHtml(html: string | null | undefined): string;
1
+ export declare function sanitizeHtml(html: string | null | undefined, options?: {
2
+ allowFormAttributeNames?: boolean;
3
+ }): string;
2
4
  //# sourceMappingURL=sanitizeHtml.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA6aA,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,MAAM,CAKpE"}
1
+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA6aA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
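--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@instructure/platform-sanitize",
-"version": "0.3.11",
+"version": "0.3.12",
 "type": "module",
 "main": "./dist/index.js",
 "module": "./dist/index.js",
@@ -17,14 +17,6 @@
 "publishConfig": {
 "access": "public"
 },
-"scripts": {
-"build": "vite build",
-"dev": "vite build --watch",
-"test": "vitest run",
-"test:watch": "vitest",
-"test:coverage": "vitest run --coverage",
-"type-check": "tsc --noEmit"
-},
 "peerDependencies": {
 "dompurify": "^3.4.0"
 },
@@ -37,5 +29,13 @@
 "vite": "^6.0.0",
 "vite-plugin-dts": "^4.0.0",
 "vitest": "^4.0.0"
+},
+"scripts": {
+"build": "vite build",
+"dev": "vite build --watch",
+"test": "vitest run",
+"test:watch": "vitest",
+"test:coverage": "vitest run --coverage",
+"type-check": "tsc --noEmit"
 }
-}
+}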