@instructure/platform-sanitize 0.5.1 → 0.5.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -1,5 +1,5 @@
1
- import f from "dompurify";
2
- const m = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
1
+ import m from "dompurify";
2
+ const f = /* @__PURE__ */ new Set(["http:", "https:", "mailto:", "tel:"]), u = "http://platform-sanitize.invalid/", p = /^\s*\/\//, b = (
3
3
  // oxlint-disable-next-line no-control-regex -- intentional security guard
4
4
  /^[\u0000-\u0020\u007F-\u00A0\u2000-\u200F\u2028\u2029\u202F\u205F\u2060\u3000\uFEFF]*(?:javascript|data|vbscript|file):/i
5
5
  ), h = {
@@ -44,7 +44,7 @@ function A(s) {
44
44
  return "about:blank";
45
45
  try {
46
46
  const r = new URL(e, u);
47
- if (!r.href.startsWith(u) && !m.has(r.protocol))
47
+ if (!r.href.startsWith(u) && !f.has(r.protocol))
48
48
  return "about:blank";
49
49
  } catch {
50
50
  return "about:blank";
@@ -52,7 +52,7 @@ function A(s) {
52
52
  }
53
53
  try {
54
54
  const e = new URL(t, u);
55
- return !m.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
55
+ return !f.has(e.protocol) || (e.protocol === "http:" || e.protocol === "https:") && (e.username || e.password) ? "about:blank" : e.href.startsWith(u) ? s : t.replace(/[\x00-\x1F\u2028\u2029]/g, "").replace(/%250[9ad]/gi, "").replace(/%0[9ad]/gi, "");
56
56
  } catch {
57
57
  return "about:blank";
58
58
  }
@@ -116,6 +116,11 @@ const y = /* @__PURE__ */ new Set([
116
116
  "text-decoration",
117
117
  "text-indent",
118
118
  "white-space",
119
+ // Chrome's CSSOM expands `white-space` to these longhands when iterating
120
+ // element.style — the shorthand never appears in the iterator, so the hook
121
+ // would strip them unless listed explicitly (same as border-radius below).
122
+ "white-space-collapse",
123
+ "text-wrap-mode",
119
124
  "vertical-align",
120
125
  "text-transform",
121
126
  "letter-spacing",
@@ -299,7 +304,7 @@ const y = /* @__PURE__ */ new Set([
299
304
  "caret-color",
300
305
  "accent-color",
301
306
  "appearance"
302
- ]), S = /* @__PURE__ */ new Set([
307
+ ]), k = /* @__PURE__ */ new Set([
303
308
  "src",
304
309
  "href",
305
310
  "action",
@@ -310,7 +315,7 @@ const y = /* @__PURE__ */ new Set([
310
315
  "cite",
311
316
  "longdesc",
312
317
  "xlink:href"
313
- ]), k = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
318
+ ]), S = ["content"], E = /url\s*\(\s*['"]?(?:[a-z][a-z0-9+\-.]*:|\/\/)/i, v = /* @__PURE__ */ new Set([
314
319
  "allow-downloads",
315
320
  "allow-forms",
316
321
  "allow-modals",
@@ -364,7 +369,33 @@ const y = /* @__PURE__ */ new Set([
364
369
  // files from a separate sandboxed origin. object/embed also have no usable
365
370
  // sandbox attribute, so the sandbox-token hook cannot constrain them — again,
366
371
  // parity with an unsandboxed iframe, which is already permitted.
367
- ADD_TAGS: ["iframe", "semantics", "annotation", "annotation-xml", "object", "embed", "param"],
372
+ //
373
+ // maction…none are the remaining MathML presentation/layout containers from
374
+ // DOMPurify's mathMlDisallowed set (RCX-5259). They are re-added as tags only:
375
+ // unlike annotation-xml they are NOT HTML integration points, so they carry no
376
+ // namespace-confusion (mXSS) risk and need no guarding hook. Because they go in
377
+ // ADD_TAGS and not ADD_ATTR, DOMPurify keeps filtering their attributes — an
378
+ // event handler like onclick on <maction> is still stripped.
379
+ ADD_TAGS: [
380
+ "iframe",
381
+ "semantics",
382
+ "annotation",
383
+ "annotation-xml",
384
+ "object",
385
+ "embed",
386
+ "param",
387
+ "maction",
388
+ "maligngroup",
389
+ "malignmark",
390
+ "mlongdiv",
391
+ "mscarries",
392
+ "mscarry",
393
+ "msgroup",
394
+ "mstack",
395
+ "msline",
396
+ "msrow",
397
+ "none"
398
+ ],
368
399
  ADD_ATTR: [
369
400
  "allowfullscreen",
370
401
  "allow",
@@ -413,7 +444,7 @@ const y = /* @__PURE__ */ new Set([
413
444
  let a = null;
414
445
  function R() {
415
446
  if (a) return a;
416
- a = typeof f == "function" ? f(window) : f, a.addHook("afterSanitizeAttributes", (t) => {
447
+ a = typeof m == "function" ? m(window) : m, a.addHook("afterSanitizeAttributes", (t) => {
417
448
  if (!(t instanceof Element) || !t.hasAttribute("style")) return;
418
449
  const e = t.style, r = [];
419
450
  for (let i = 0; i < e.length; i++) {
@@ -434,13 +465,13 @@ function R() {
434
465
  c && !n.has(c) && e.removeProperty("position");
435
466
  const d = /* @__PURE__ */ new Set(["initial", "inherit", "unset", "revert", "revert-layer"]), o = e.getPropertyValue("opacity").trim().toLowerCase();
436
467
  o && !d.has(o) && (o.endsWith("%") ? parseFloat(o) / 100 : parseFloat(o)) < 0.05 && e.removeProperty("opacity");
437
- for (const i of k) {
468
+ for (const i of S) {
438
469
  const l = e.getPropertyValue(i);
439
470
  l && E.test(l) && e.removeProperty(i);
440
471
  }
441
472
  e.length === 0 && t.removeAttribute("style");
442
473
  }), a.addHook("uponSanitizeAttribute", (t, e) => {
443
- if (!S.has(e.attrName)) return;
474
+ if (!k.has(e.attrName)) return;
444
475
  const r = e.attrValue;
445
476
  /^\s*\/\//.test(r) ? (e.attrValue = r.trimStart().replace(/^\/\//, "https://"), e.keepAttr = !0) : /^\s*\\/.test(r) && (e.keepAttr = !1);
446
477
  }), a.addHook("uponSanitizeAttribute", (t, e) => {
@@ -1 +1 @@
1
- {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA+kBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
1
+ {"version":3,"file":"sanitizeHtml.d.ts","sourceRoot":"","sources":["../src/sanitizeHtml.ts"],"names":[],"mappings":"AA8mBA,wBAAgB,YAAY,CAC1B,IAAI,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EAC/B,OAAO,CAAC,EAAE;IAAE,uBAAuB,CAAC,EAAE,OAAO,CAAA;CAAE,GAC9C,MAAM,CASR"}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@instructure/platform-sanitize",
3
- "version": "0.5.1",
3
+ "version": "0.5.3",
4
4
  "type": "module",
5
5
  "main": "./dist/index.js",
6
6
  "module": "./dist/index.js",