@instructure/platform-sanitize 0.5.1 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1,5 +1,5 @@
1
- import f from "dompurify";
2
- const m = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
1
+ import m from "dompurify";
2
+ const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
3
3
  // oxlint-disable-next-line no-control-regex -- intentional security guard
4
4
  /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
5
5
  ), h = {
@@ -44,7 +44,7 @@ function A(s) {
44
44
  return "about:blank";
45
45
  try {
46
46
  const r = new URL(e, u);
47
- if (!r.href.startsWith(u) && !m.has(r.protocol))
47
+ if (!r.href.startsWith(u) && !f.has(r.protocol))
48
48
  return "about:blank";
49
49
  } catch {
50
50
  return "about:blank";
@@ -52,7 +52,7 @@ function A(s) {
52
52
  }
53
53
  try {
54
54
  const e = new URL(t, u);
55
- return !m.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
55
+ return !f.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
56
56
  } catch {
57
57
  return "about:blank";
58
58
  }
@@ -299,7 +299,7 @@ const y = /* @__PURE__ */ new Set([
299
299
  "caret-color",
300
300
  "accent-color",
301
301
  "appearance"
302
- ]), S = /* @__PURE__ */ new Set([
302
+ ]), k = /* @__PURE__ */ new Set([
303
303
  "src",
304
304
  "href",
305
305
  "action",
@@ -310,7 +310,7 @@ const y = /* @__PURE__ */ new Set([
310
310
  "cite",
311
311
  "longdesc",
312
312
  "xlink:href"
313
- ]), k = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
313
+ ]), S = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
314
314
  "allow-downloads",
315
315
  "allow-forms",
316
316
  "allow-modals",
@@ -364,7 +364,33 @@ const y = /* @__PURE__ */ new Set([
364
364
  // files from a separate sandboxed origin. object/embed also have no usable
365
365
  // sandbox attribute, so the sandbox-token hook cannot constrain them — again,
366
366
  // parity with an unsandboxed iframe, which is already permitted.
367
- ADD_TAGS: ["iframe", "semantics", "annotation", "annotation-xml", "object", "embed", "param"],
367
+ //
368
+ // maction…none are the remaining MathML presentation/layout containers from
369
+ // DOMPurify's mathMlDisallowed set (RCX-5259). They are re-added as tags only:
370
+ // unlike annotation-xml they are NOT HTML integration points, so they carry no
371
+ // namespace-confusion (mXSS) risk and need no guarding hook. Because they go in
372
+ // ADD_TAGS and not ADD_ATTR, DOMPurify keeps filtering their attributes — an
373
+ // event handler like onclick on <maction> is still stripped.
374
+ ADD_TAGS: [
375
+ "iframe",
376
+ "semantics",
377
+ "annotation",
378
+ "annotation-xml",
379
+ "object",
380
+ "embed",
381
+ "param",
382
+ "maction",
383
+ "maligngroup",
384
+ "malignmark",
385
+ "mlongdiv",
386
+ "mscarries",
387
+ "mscarry",
388
+ "msgroup",
389
+ "mstack",
390
+ "msline",
391
+ "msrow",
392
+ "none"
393
+ ],
368
394
  ADD_ATTR: [
369
395
  "allowfullscreen",
370
396
  "allow",
@@ -413,7 +439,7 @@ const y = /* @__PURE__ */ new Set([
413
439
  let a = null;
414
440
  function R() {
415
441
  if (a) return a;
416
- a = typeof f == "function" ? f(window) : f, a.addHook("afterSanitizeAttributes", (t) => {
442
+ a = typeof m == "function" ? m(window) : m, a.addHook("afterSanitizeAttributes", (t) => {
417
443
  if (!(t instanceof Element) || !t.hasAttribute("style")) return;
418
444
  const e = t.style, r = [];
419
445
  for (let i = 0; i < e.length; i++) {
@@ -434,13 +460,13 @@ function R() {
434
460
  c && !n.has(c) && e.removeProperty("position");
435
461
  const d = /* @__PURE__ */ new Set(["initial", "inherit", "unset", "revert", "revert-layer"]), o = e.getPropertyValue("opacity").trim().toLowerCase();
436
462
  o && !d.has(o) && (o.endsWith("%") ? parseFloat(o) / 100 : parseFloat(o)) < 0.05 && e.removeProperty("opacity");
437
- for (const i of k) {
463
+ for (const i of S) {
438
464
  const l = e.getPropertyValue(i);
439
465
  l && E.test(l) && e.removeProperty(i);
440
466
  }
441
467
  e.length === 0 && t.removeAttribute("style");
442
468
  }), a.addHook("uponSanitizeAttribute", (t, e) => {
443
- if (!S.has(e.attrName)) return;
469
+ if (!k.has(e.attrName)) return;
444
470
  const r = e.attrValue;
445
471
  /^\s*\/\//.test(r) ? (e.attrValue = r.trimStart().replace(/^\/\//, "https://"), e.keepAttr = !0) : /^\s*\\/.test(r) && (e.keepAttr = !1);
446
472
  }), a.addHook("uponSanitizeAttribute", (t, e) => {
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA+kBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
1
+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AAymBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@instructure/platform-sanitize",
3
- "version": "0.5.1",
3
+ "version": "0.5.2",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.js",