@instructure/platform-sanitize 0.3.13 → 0.3.14
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +6 -4
- package/dist/sanitizeHtml.d.ts.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -228,10 +228,11 @@ const p = /* @__PURE__ */ new Set([
|
|
|
228
228
|
"counter-increment",
|
|
229
229
|
"content",
|
|
230
230
|
// UI / interaction
|
|
231
|
-
// pointer-events
|
|
232
|
-
//
|
|
233
|
-
//
|
|
231
|
+
// pointer-events and z-index are safe: neither can reposition elements
|
|
232
|
+
// outside the container. The overlay-phishing risk comes from position:fixed/sticky,
|
|
233
|
+
// which SAFE_POSITION_VALUES strips.
|
|
234
234
|
"pointer-events",
|
|
235
|
+
"z-index",
|
|
235
236
|
"caret-color",
|
|
236
237
|
"accent-color",
|
|
237
238
|
"appearance"
|
|
@@ -289,7 +290,8 @@ const p = /* @__PURE__ */ new Set([
|
|
|
289
290
|
// expressions; `arg` labels sub-expressions referenced by intent.
|
|
290
291
|
// These are plain string annotations — no URL-loading, no code execution.
|
|
291
292
|
"intent",
|
|
292
|
-
"arg"
|
|
293
|
+
"arg",
|
|
294
|
+
"loading"
|
|
293
295
|
],
|
|
294
296
|
// Rails UJS turns data-method/data-remote/etc. on clickable elements into
|
|
295
297
|
// state-changing requests carrying the victim's CSRF token. Strip them so
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAybA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
|