@instructure/platform-sanitize 0.3.13 → 0.3.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -228,10 +228,11 @@ const p = /* @__PURE__ */ new Set([
228
228
  "counter-increment",
229
229
  "content",
230
230
  // UI / interaction
231
- // pointer-events is included: RCE uses it legitimately (e.g. non-interactive
232
- // decorative overlays). It is not in the overlay-phishing class because it
233
- // cannot reposition elements — position/z-index remain blocked.
231
+ // pointer-events and z-index are safe: neither can reposition elements
232
+ // outside the container. The overlay-phishing risk comes from position:fixed/sticky,
233
+ // which SAFE_POSITION_VALUES strips.
234
234
  "pointer-events",
235
+ "z-index",
235
236
  "caret-color",
236
237
  "accent-color",
237
238
  "appearance"
@@ -289,7 +290,8 @@ const p = /* @__PURE__ */ new Set([
289
290
  // expressions; `arg` labels sub-expressions referenced by intent.
290
291
  // These are plain string annotations — no URL-loading, no code execution.
291
292
  "intent",
292
- "arg"
293
+ "arg",
294
+ "loading"
293
295
  ],
294
296
  // Rails UJS turns data-method/data-remote/etc. on clickable elements into
295
297
  // state-changing requests carrying the victim's CSRF token. Strip them so
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAubA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
1
+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAybA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@instructure/platform-sanitize",
3
- "version": "0.3.13",
3
+ "version": "0.3.14",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.js",