@instructure/platform-sanitize 0.5.1 → 0.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.js +41 -10
- package/dist/sanitizeHtml.d.ts.map +1 -1
- package/package.json +1 -1
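--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,5 +1,5 @@
-import
-const
+import m from "dompurify";
+const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
 // oxlint-disable-next-line no-control-regex -- intentional security guard
 /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
 ), h = {
@@ -44,7 +44,7 @@ function A(s) {
 return "about:blank";
 try {
 const r = new URL(e, u);
-if (!r.href.startsWith(u) && !
+if (!r.href.startsWith(u) && !f.has(r.protocol))
 return "about:blank";
 } catch {
 return "about:blank";
@@ -52,7 +52,7 @@ function A(s) {
 }
 try {
 const e = new URL(t, u);
-return !
+return !f.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
 } catch {
 return "about:blank";
 }
@@ -116,6 +116,11 @@ const y = /* @__PURE__ */ new Set([
 "text-decoration",
 "text-indent",
 "white-space",
+// Chrome's CSSOM expands `white-space` to these longhands when iterating
+// element.style — the shorthand never appears in the iterator, so the hook
+// would strip them unless listed explicitly (same as border-radius below).
+"white-space-collapse",
+"text-wrap-mode",
 "vertical-align",
 "text-transform",
 "letter-spacing",
@@ -299,7 +304,7 @@ const y = /* @__PURE__ */ new Set([
 "caret-color",
 "accent-color",
 "appearance"
-]),
+]), k = /* @__PURE__ */ new Set([
 "src",
 "href",
 "action",
@@ -310,7 +315,7 @@ const y = /* @__PURE__ */ new Set([
 "cite",
 "longdesc",
 "xlink:href"
-]),
+]), S = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
 "allow-downloads",
 "allow-forms",
 "allow-modals",
@@ -364,7 +369,33 @@ const y = /* @__PURE__ */ new Set([
 // files from a separate sandboxed origin. object/embed also have no usable
 // sandbox attribute, so the sandbox-token hook cannot constrain them — again,
 // parity with an unsandboxed iframe, which is already permitted.
-
+//
+// maction…none are the remaining MathML presentation/layout containers from
+// DOMPurify's mathMlDisallowed set (RCX-5259). They are re-added as tags only:
+// unlike annotation-xml they are NOT HTML integration points, so they carry no
+// namespace-confusion (mXSS) risk and need no guarding hook. Because they go in
+// ADD_TAGS and not ADD_ATTR, DOMPurify keeps filtering their attributes — an
+// event handler like onclick on <maction> is still stripped.
+ADD_TAGS: [
+"iframe",
+"semantics",
+"annotation",
+"annotation-xml",
+"object",
+"embed",
+"param",
+"maction",
+"maligngroup",
+"malignmark",
+"mlongdiv",
+"mscarries",
+"mscarry",
+"msgroup",
+"mstack",
+"msline",
+"msrow",
+"none"
+],
 ADD_ATTR: [
 "allowfullscreen",
 "allow",
@@ -413,7 +444,7 @@ const y = /* @__PURE__ */ new Set([
 let a = null;
 function R() {
 if (a) return a;
-a = typeof
+a = typeof m == "function" ? m(window) : m, a.addHook("afterSanitizeAttributes", (t) => {
 if (!(t instanceof Element) || !t.hasAttribute("style")) return;
 const e = t.style, r = [];
 for (let i = 0; i < e.length; i++) {
@@ -434,13 +465,13 @@ function R() {
 c && !n.has(c) && e.removeProperty("position");
 const d = /* @__PURE__ */ new Set(["initial", "inherit", "unset", "revert", "revert-layer"]), o = e.getPropertyValue("opacity").trim().toLowerCase();
 o && !d.has(o) && (o.endsWith("%") ? parseFloat(o) / 100 : parseFloat(o)) < 0.05 && e.removeProperty("opacity");
-for (const i of
+for (const i of S) {
 const l = e.getPropertyValue(i);
 l && E.test(l) && e.removeProperty(i);
 }
 e.length === 0 && t.removeAttribute("style");
 }), a.addHook("uponSanitizeAttribute", (t, e) => {
-if (!
+if (!k.has(e.attrName)) return;
 const r = e.attrValue;
 /^\s*\/\//.test(r) ? (e.attrValue = r.trimStart().replace(/^\/\//, "https://"), e.keepAttr = !0) : /^\s*\\/.test(r) && (e.keepAttr = !1);
 }), a.addHook("uponSanitizeAttribute", (t, e) => {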
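Review bot: In the new `E` regex on the `]), S = ["content"], E = /url\s*\(...` line, the optional quote must be followed immediately by a scheme or `//`, so a quoted `content` URL whose string starts with whitespace is not matched and stays in the style, although the resolver presumably trims leading whitespace before fetching; allowing it explicitly closes that gap: `E = /url\s*\(\s*['"]?\s*(?:[a-z][a-z0-9+\-.]*:|\/\/)/i`. The strip loop only consults `S = ["content"]` and only the `url(` notation, so any other `url()`-taking property or `<image>` notation that `y` permits is not covered — most of `y` lies outside these hunks, so this needs confirming against the full allow-list. A one-line comment above `E` stating its intent would help future readers, e.g. `// external (scheme or scheme-relative) url() in content is stripped; relative refs are kept`. The `afterSanitizeAttributes` hook that applies `E` starts and ends outside the hunk.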
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA8mBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
|