@instructure/platform-sanitize 0.3.17 → 0.4.0

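--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -252,16 +252,7 @@ const m = /* @__PURE__ */ new Set([
  "cite",
  "longdesc",
  "xlink:href"
- ]), h = [
- "background",
- "background-image",
- "list-style",
- "list-style-image",
- "cursor",
- // content: url(...) triggers an HTTP GET even on non-pseudo elements in some
- // browsers; strip it as defense-in-depth against tracking-pixel exfiltration.
- "content"
- ], y = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, k = /* @__PURE__ */ new Set([
+ ]), h = ["content"], y = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, A = /* @__PURE__ */ new Set([
  "allow-downloads",
  "allow-forms",
  "allow-modals",
@@ -320,7 +311,7 @@ const m = /* @__PURE__ */ new Set([
  FORCE_BODY: !0
  };
  let a = null;
- function A() {
+ function k() {
  return a || (a = typeof d == "function" ? d(window) : d, a.addHook("afterSanitizeAttributes", (r) => {
  if (!(r instanceof Element) || !r.hasAttribute("style")) return;
  const t = r.style, e = [];
@@ -374,7 +365,7 @@ function A() {
  e.add("noopener"), r.setAttribute("rel", [...e].join(" "));
  }), a.addHook("afterSanitizeAttributes", (r) => {
  if (!(r instanceof Element) || r.tagName !== "IFRAME" || !r.hasAttribute("sandbox")) return;
- const e = (r.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), o = e.filter((l) => k.has(l));
+ const e = (r.getAttribute("sandbox") ?? "").toLowerCase().split(/\s+/).filter(Boolean), o = e.filter((l) => A.has(l));
  o.length !== e.length && r.setAttribute("sandbox", o.join(" "));
  }), a);
  }
@@ -382,9 +373,9 @@ function v(r, t) {
  if (typeof window > "u")
  throw new Error("sanitizeHtml requires a DOM environment (window is not defined)");
  const e = t != null && t.allowFormAttributeNames ? { ...f, SANITIZE_DOM: !1 } : f;
- return A().sanitize(r ?? "", e);
+ return k().sanitize(r ?? "", e);
  }
- const p = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), c = "http://platform-sanitize.invalid/", g = /^\s*\/\//, b = (
+ const p = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), c = "http://platform-sanitize.invalid/", b = /^\s*\/\//, g = (
  // oxlint-disable-next-line no-control-regex -- intentional security guard
  /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
  ), S = {
@@ -422,10 +413,10 @@ function E(r) {
  function R(r) {
  if (!r || !r.trim()) return "about:blank";
  const t = r.replace(/\\/g, "/");
- if (g.test(t) || b.test(t)) return "about:blank";
+ if (b.test(t) || g.test(t)) return "about:blank";
  if (/&[#A-Za-z]/.test(t)) {
  const e = E(t);
- if (g.test(e) || b.test(e))
+ if (b.test(e) || g.test(e))
  return "about:blank";
  try {
  const o = new URL(e, c);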
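Review bot: The first hunk narrows `h` from six CSS properties to `["content"]` and drops the comment that explained why `content` is stripped, so nothing visible here says what now covers `background`, `background-image`, `list-style`, `list-style-image` and `cursor`. Presumably those declarations are now left to the `y` url() check inside the `afterSanitizeAttributes` style hook, whose body lies outside these hunks; that should be confirmed, keeping in mind that `y` only matches a scheme or `//` after `url(`. In the source I would keep the rationale next to the list, e.g. `// content: url(...) can trigger an HTTP GET even on non-pseudo elements; always strip it`, and add a regression test asserting that a remote `url()` in each of the five removed properties is still removed from the sanitized output. The remaining hunks appear to be minifier renames only (`A`/`k`, `g`/`b`), so consumers upgrading to this release should re-test their own style-attribute expectations against the first hunk specifically.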
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAgeA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
1
+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA6dA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
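--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@instructure/platform-sanitize",
- "version": "0.3.17",
+ "version": "0.4.0",
  "type": "module",
  "main": "./dist/index.js",
  "module": "./dist/index.js",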