@instructure/platform-sanitize 0.5.1 → 0.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +36 -10
- package/dist/sanitizeHtml.d.ts.map +1 -1
- package/package.json +1 -1
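--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,5 +1,5 @@
-import
-const
+import m from "dompurify";
+const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
 // oxlint-disable-next-line no-control-regex -- intentional security guard
 /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
 ), h = {
@@ -44,7 +44,7 @@ function A(s) {
 return "about:blank";
 try {
 const r = new URL(e, u);
-if (!r.href.startsWith(u) && !
+if (!r.href.startsWith(u) && !f.has(r.protocol))
 return "about:blank";
 } catch {
 return "about:blank";
@@ -52,7 +52,7 @@ function A(s) {
 }
 try {
 const e = new URL(t, u);
-return !
+return !f.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
 } catch {
 return "about:blank";
 }
@@ -299,7 +299,7 @@ const y = /* @__PURE__ */ new Set([
 "caret-color",
 "accent-color",
 "appearance"
-]),
+]), k = /* @__PURE__ */ new Set([
 "src",
 "href",
 "action",
@@ -310,7 +310,7 @@ const y = /* @__PURE__ */ new Set([
 "cite",
 "longdesc",
 "xlink:href"
-]),
+]), S = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
 "allow-downloads",
 "allow-forms",
 "allow-modals",
@@ -364,7 +364,33 @@ const y = /* @__PURE__ */ new Set([
 // files from a separate sandboxed origin. object/embed also have no usable
 // sandbox attribute, so the sandbox-token hook cannot constrain them — again,
 // parity with an unsandboxed iframe, which is already permitted.
-
+//
+// maction…none are the remaining MathML presentation/layout containers from
+// DOMPurify's mathMlDisallowed set (RCX-5259). They are re-added as tags only:
+// unlike annotation-xml they are NOT HTML integration points, so they carry no
+// namespace-confusion (mXSS) risk and need no guarding hook. Because they go in
+// ADD_TAGS and not ADD_ATTR, DOMPurify keeps filtering their attributes — an
+// event handler like onclick on <maction> is still stripped.
+ADD_TAGS: [
+"iframe",
+"semantics",
+"annotation",
+"annotation-xml",
+"object",
+"embed",
+"param",
+"maction",
+"maligngroup",
+"malignmark",
+"mlongdiv",
+"mscarries",
+"mscarry",
+"msgroup",
+"mstack",
+"msline",
+"msrow",
+"none"
+],
 ADD_ATTR: [
 "allowfullscreen",
 "allow",
@@ -413,7 +439,7 @@ const y = /* @__PURE__ */ new Set([
 let a = null;
 function R() {
 if (a) return a;
-a = typeof
+a = typeof m == "function" ? m(window) : m, a.addHook("afterSanitizeAttributes", (t) => {
 if (!(t instanceof Element) || !t.hasAttribute("style")) return;
 const e = t.style, r = [];
 for (let i = 0; i < e.length; i++) {
@@ -434,13 +460,13 @@ function R() {
 c && !n.has(c) && e.removeProperty("position");
 const d = /* @__PURE__ */ new Set(["initial", "inherit", "unset", "revert", "revert-layer"]), o = e.getPropertyValue("opacity").trim().toLowerCase();
 o && !d.has(o) && (o.endsWith("%") ? parseFloat(o) / 100 : parseFloat(o)) < 0.05 && e.removeProperty("opacity");
-for (const i of
+for (const i of S) {
 const l = e.getPropertyValue(i);
 l && E.test(l) && e.removeProperty(i);
 }
 e.length === 0 && t.removeAttribute("style");
 }), a.addHook("uponSanitizeAttribute", (t, e) => {
-if (!
+if (!k.has(e.attrName)) return;
 const r = e.attrValue;
 /^\s*\/\//.test(r) ? (e.attrValue = r.trimStart().replace(/^\/\//, "https://"), e.keepAttr = !0) : /^\s*\\/.test(r) && (e.keepAttr = !1);
 }), a.addHook("uponSanitizeAttribute", (t, e) => {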
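Review bot: The style-URL screen in the `afterSanitizeAttributes` hook (new line 463, `for (const i of S)`) only inspects the properties listed in `S = ["content"]` (new line 313), so any other property that the allow-list `y` admits and that accepts `url()` — `background-image`, `list-style-image`, `cursor`, `border-image` and similar — would keep a remote `url()` value untouched; whether `y` admits any of them is not visible in this diff. If the restriction to `content` is deliberate, add a comment beside `S` stating that `content` is the only url()-accepting property `y` permits and why, e.g. `// only content can carry url() among the properties y allows; extend S if y grows`; otherwise extend `S` with every url()-accepting property that `y` allows. Separately, new line 471 re-spells the protocol-relative pattern `/^\s*\/\//` although `p` on line 2 holds the identical literal, so `p.test(r)` there would keep the two checks in step. The body of `R()` continues past the hunk.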
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAymBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
|