@seed-ship/mcp-ui-solid 5.3.0 → 5.3.1
- package/CHANGELOG.md +7 -0
- package/dist/components/UIResourceRenderer.cjs +1 -1
- package/dist/components/UIResourceRenderer.js +1 -1
- package/dist/node_modules/.pnpm/{dompurify@3.3.3 → dompurify@3.4.1}/node_modules/dompurify/dist/purify.es.cjs +114 -53
- package/dist/node_modules/.pnpm/dompurify@3.4.1/node_modules/dompurify/dist/purify.es.cjs.map +1 -0
- package/dist/node_modules/.pnpm/{dompurify@3.3.3 → dompurify@3.4.1}/node_modules/dompurify/dist/purify.es.js +114 -53
- package/dist/node_modules/.pnpm/dompurify@3.4.1/node_modules/dompurify/dist/purify.es.js.map +1 -0
- package/package.json +2 -2
- package/tsconfig.tsbuildinfo +1 -1
- package/dist/node_modules/.pnpm/dompurify@3.3.3/node_modules/dompurify/dist/purify.es.cjs.map +0 -1
- package/dist/node_modules/.pnpm/dompurify@3.3.3/node_modules/dompurify/dist/purify.es.js.map +0 -1
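--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -5,6 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.3.1] - 2026-04-25
+
+### Security
+
+- Bump `dompurify` from `^3.3.3` → `^3.4.1` to resolve 4 open Dependabot advisories : SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode, FORBID_TAGS bypass via function-form ADD_TAGS, prototype-pollution → XSS via CUSTOM_ELEMENT_HANDLING fallback, and ADD_TAGS short-circuit FORBID_TAGS bypass. All fixed in 3.4.0.
+- No API surface change. 484/484 tests pass.
+
 ## [5.3.0] - 2026-04-22
 
 ### Added — A. `<ElicitationForm>` schema-driven renderer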
@@ -1,7 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
Object.defineProperty(exports, Symbol.toStringTag, { value: "Module" });
|
|
3
3
|
const web = require("solid-js/web");
|
|
4
|
-
const purify_es = require("../node_modules/.pnpm/dompurify@3.
|
|
4
|
+
const purify_es = require("../node_modules/.pnpm/dompurify@3.4.1/node_modules/dompurify/dist/purify.es.cjs");
|
|
5
5
|
const solidJs = require("solid-js");
|
|
6
6
|
const validation = require("../services/validation.cjs");
|
|
7
7
|
const GenerativeUIErrorBoundary = require("./GenerativeUIErrorBoundary.cjs");
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
import { delegateEvents, createComponent, getNextElement, template, getNextMarker, insert, effect, style, className, setProperty, setAttribute, runHydrationEvents, memo, isServer, use, addEventListener, classList, setStyleProperty } from "solid-js/web";
|
|
2
|
-
import purify from "../node_modules/.pnpm/dompurify@3.
|
|
2
|
+
import purify from "../node_modules/.pnpm/dompurify@3.4.1/node_modules/dompurify/dist/purify.es.js";
|
|
3
3
|
import { createMemo, For, Show, createSignal, createEffect } from "solid-js";
|
|
4
4
|
import { validateComponent, getIframeSandbox, DEFAULT_RESOURCE_LIMITS } from "../services/validation.js";
|
|
5
5
|
import { GenerativeUIErrorBoundary } from "./GenerativeUIErrorBoundary.js";
|
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
"use strict";
|
|
2
|
-
/*! @license DOMPurify 3.
|
|
2
|
+
/*! @license DOMPurify 3.4.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.4.1/LICENSE */
|
|
3
3
|
const {
|
|
4
4
|
entries,
|
|
5
5
|
setPrototypeOf,
|
|
@@ -47,13 +47,19 @@ const arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);
|
|
|
47
47
|
const arrayPop = unapply(Array.prototype.pop);
|
|
48
48
|
const arrayPush = unapply(Array.prototype.push);
|
|
49
49
|
const arraySplice = unapply(Array.prototype.splice);
|
|
50
|
+
const arrayIsArray = Array.isArray;
|
|
50
51
|
const stringToLowerCase = unapply(String.prototype.toLowerCase);
|
|
51
52
|
const stringToString = unapply(String.prototype.toString);
|
|
52
53
|
const stringMatch = unapply(String.prototype.match);
|
|
53
54
|
const stringReplace = unapply(String.prototype.replace);
|
|
54
55
|
const stringIndexOf = unapply(String.prototype.indexOf);
|
|
55
56
|
const stringTrim = unapply(String.prototype.trim);
|
|
57
|
+
const numberToString = unapply(Number.prototype.toString);
|
|
58
|
+
const booleanToString = unapply(Boolean.prototype.toString);
|
|
59
|
+
const bigintToString = typeof BigInt === "undefined" ? null : unapply(BigInt.prototype.toString);
|
|
60
|
+
const symbolToString = typeof Symbol === "undefined" ? null : unapply(Symbol.prototype.toString);
|
|
56
61
|
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
|
|
62
|
+
const objectToString = unapply(Object.prototype.toString);
|
|
57
63
|
const regExpTest = unapply(RegExp.prototype.test);
|
|
58
64
|
const typeErrorCreate = unconstruct(TypeError);
|
|
59
65
|
function unapply(func) {
|
|
@@ -80,6 +86,9 @@ function addToSet(set, array) {
|
|
|
80
86
|
if (setPrototypeOf) {
|
|
81
87
|
setPrototypeOf(set, null);
|
|
82
88
|
}
|
|
89
|
+
if (!arrayIsArray(array)) {
|
|
90
|
+
return set;
|
|
91
|
+
}
|
|
83
92
|
let l = array.length;
|
|
84
93
|
while (l--) {
|
|
85
94
|
let element = array[l];
|
|
@@ -110,7 +119,7 @@ function clone(object) {
|
|
|
110
119
|
for (const [property, value] of entries(object)) {
|
|
111
120
|
const isPropertyExist = objectHasOwnProperty(object, property);
|
|
112
121
|
if (isPropertyExist) {
|
|
113
|
-
if (
|
|
122
|
+
if (arrayIsArray(value)) {
|
|
114
123
|
newObject[property] = cleanArray(value);
|
|
115
124
|
} else if (value && typeof value === "object" && value.constructor === Object) {
|
|
116
125
|
newObject[property] = clone(value);
|
|
@@ -121,6 +130,44 @@ function clone(object) {
|
|
|
121
130
|
}
|
|
122
131
|
return newObject;
|
|
123
132
|
}
|
|
133
|
+
function stringifyValue(value) {
|
|
134
|
+
switch (typeof value) {
|
|
135
|
+
case "string": {
|
|
136
|
+
return value;
|
|
137
|
+
}
|
|
138
|
+
case "number": {
|
|
139
|
+
return numberToString(value);
|
|
140
|
+
}
|
|
141
|
+
case "boolean": {
|
|
142
|
+
return booleanToString(value);
|
|
143
|
+
}
|
|
144
|
+
case "bigint": {
|
|
145
|
+
return bigintToString ? bigintToString(value) : "0";
|
|
146
|
+
}
|
|
147
|
+
case "symbol": {
|
|
148
|
+
return symbolToString ? symbolToString(value) : "Symbol()";
|
|
149
|
+
}
|
|
150
|
+
case "undefined": {
|
|
151
|
+
return objectToString(value);
|
|
152
|
+
}
|
|
153
|
+
case "function":
|
|
154
|
+
case "object": {
|
|
155
|
+
if (value === null) {
|
|
156
|
+
return objectToString(value);
|
|
157
|
+
}
|
|
158
|
+
const valueAsRecord = value;
|
|
159
|
+
const valueToString = lookupGetter(valueAsRecord, "toString");
|
|
160
|
+
if (typeof valueToString === "function") {
|
|
161
|
+
const stringified = valueToString(valueAsRecord);
|
|
162
|
+
return typeof stringified === "string" ? stringified : objectToString(stringified);
|
|
163
|
+
}
|
|
164
|
+
return objectToString(value);
|
|
165
|
+
}
|
|
166
|
+
default: {
|
|
167
|
+
return objectToString(value);
|
|
168
|
+
}
|
|
169
|
+
}
|
|
170
|
+
}
|
|
124
171
|
function lookupGetter(object, prop) {
|
|
125
172
|
while (object !== null) {
|
|
126
173
|
const desc = getOwnPropertyDescriptor(object, prop);
|
|
@@ -139,6 +186,14 @@ function lookupGetter(object, prop) {
|
|
|
139
186
|
}
|
|
140
187
|
return fallbackValue;
|
|
141
188
|
}
|
|
189
|
+
function isRegex(value) {
|
|
190
|
+
try {
|
|
191
|
+
regExpTest(value, "");
|
|
192
|
+
return true;
|
|
193
|
+
} catch (_unused) {
|
|
194
|
+
return false;
|
|
195
|
+
}
|
|
196
|
+
}
|
|
142
197
|
const html$1 = freeze(["a", "abbr", "acronym", "address", "area", "article", "aside", "audio", "b", "bdi", "bdo", "big", "blink", "blockquote", "body", "br", "button", "canvas", "caption", "center", "cite", "code", "col", "colgroup", "content", "data", "datalist", "dd", "decorator", "del", "details", "dfn", "dialog", "dir", "div", "dl", "dt", "element", "em", "fieldset", "figcaption", "figure", "font", "footer", "form", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "img", "input", "ins", "kbd", "label", "legend", "li", "main", "map", "mark", "marquee", "menu", "menuitem", "meter", "nav", "nobr", "ol", "optgroup", "option", "output", "p", "picture", "pre", "progress", "q", "rp", "rt", "ruby", "s", "samp", "search", "section", "select", "shadow", "slot", "small", "source", "spacer", "span", "strike", "strong", "style", "sub", "summary", "sup", "table", "tbody", "td", "template", "textarea", "tfoot", "th", "thead", "time", "tr", "track", "tt", "u", "ul", "var", "video", "wbr"]);
|
|
143
198
|
const svg$1 = freeze(["svg", "a", "altglyph", "altglyphdef", "altglyphitem", "animatecolor", "animatemotion", "animatetransform", "circle", "clippath", "defs", "desc", "ellipse", "enterkeyhint", "exportparts", "filter", "font", "g", "glyph", "glyphref", "hkern", "image", "inputmode", "line", "lineargradient", "marker", "mask", "metadata", "mpath", "part", "path", "pattern", "polygon", "polyline", "radialgradient", "rect", "stop", "style", "switch", "symbol", "text", "textpath", "title", "tref", "tspan", "view", "vkern"]);
|
|
144
199
|
const svgFilters = freeze(["feBlend", "feColorMatrix", "feComponentTransfer", "feComposite", "feConvolveMatrix", "feDiffuseLighting", "feDisplacementMap", "feDistantLight", "feDropShadow", "feFlood", "feFuncA", "feFuncB", "feFuncG", "feFuncR", "feGaussianBlur", "feImage", "feMerge", "feMergeNode", "feMorphology", "feOffset", "fePointLight", "feSpecularLighting", "feSpotLight", "feTile", "feTurbulence"]);
|
|
@@ -146,9 +201,9 @@ const svgDisallowed = freeze(["animate", "color-profile", "cursor", "discard", "
|
|
|
146
201
|
const mathMl$1 = freeze(["math", "menclose", "merror", "mfenced", "mfrac", "mglyph", "mi", "mlabeledtr", "mmultiscripts", "mn", "mo", "mover", "mpadded", "mphantom", "mroot", "mrow", "ms", "mspace", "msqrt", "mstyle", "msub", "msup", "msubsup", "mtable", "mtd", "mtext", "mtr", "munder", "munderover", "mprescripts"]);
|
|
147
202
|
const mathMlDisallowed = freeze(["maction", "maligngroup", "malignmark", "mlongdiv", "mscarries", "mscarry", "msgroup", "mstack", "msline", "msrow", "semantics", "annotation", "annotation-xml", "mprescripts", "none"]);
|
|
148
203
|
const text = freeze(["#text"]);
|
|
149
|
-
const html = freeze(["accept", "action", "align", "alt", "autocapitalize", "autocomplete", "autopictureinpicture", "autoplay", "background", "bgcolor", "border", "capture", "cellpadding", "cellspacing", "checked", "cite", "class", "clear", "color", "cols", "colspan", "controls", "controlslist", "coords", "crossorigin", "datetime", "decoding", "default", "dir", "disabled", "disablepictureinpicture", "disableremoteplayback", "download", "draggable", "enctype", "enterkeyhint", "exportparts", "face", "for", "headers", "height", "hidden", "high", "href", "hreflang", "id", "inert", "inputmode", "integrity", "ismap", "kind", "label", "lang", "list", "loading", "loop", "low", "max", "maxlength", "media", "method", "min", "minlength", "multiple", "muted", "name", "nonce", "noshade", "novalidate", "nowrap", "open", "optimum", "part", "pattern", "placeholder", "playsinline", "popover", "popovertarget", "popovertargetaction", "poster", "preload", "pubdate", "radiogroup", "readonly", "rel", "required", "rev", "reversed", "role", "rows", "rowspan", "spellcheck", "scope", "selected", "shape", "size", "sizes", "slot", "span", "srclang", "start", "src", "srcset", "step", "style", "summary", "tabindex", "title", "translate", "type", "usemap", "valign", "value", "width", "wrap", "xmlns"
|
|
204
|
+
const html = freeze(["accept", "action", "align", "alt", "autocapitalize", "autocomplete", "autopictureinpicture", "autoplay", "background", "bgcolor", "border", "capture", "cellpadding", "cellspacing", "checked", "cite", "class", "clear", "color", "cols", "colspan", "controls", "controlslist", "coords", "crossorigin", "datetime", "decoding", "default", "dir", "disabled", "disablepictureinpicture", "disableremoteplayback", "download", "draggable", "enctype", "enterkeyhint", "exportparts", "face", "for", "headers", "height", "hidden", "high", "href", "hreflang", "id", "inert", "inputmode", "integrity", "ismap", "kind", "label", "lang", "list", "loading", "loop", "low", "max", "maxlength", "media", "method", "min", "minlength", "multiple", "muted", "name", "nonce", "noshade", "novalidate", "nowrap", "open", "optimum", "part", "pattern", "placeholder", "playsinline", "popover", "popovertarget", "popovertargetaction", "poster", "preload", "pubdate", "radiogroup", "readonly", "rel", "required", "rev", "reversed", "role", "rows", "rowspan", "spellcheck", "scope", "selected", "shape", "size", "sizes", "slot", "span", "srclang", "start", "src", "srcset", "step", "style", "summary", "tabindex", "title", "translate", "type", "usemap", "valign", "value", "width", "wrap", "xmlns"]);
|
|
150
205
|
const svg = freeze(["accent-height", "accumulate", "additive", "alignment-baseline", "amplitude", "ascent", "attributename", "attributetype", "azimuth", "basefrequency", "baseline-shift", "begin", "bias", "by", "class", "clip", "clippathunits", "clip-path", "clip-rule", "color", "color-interpolation", "color-interpolation-filters", "color-profile", "color-rendering", "cx", "cy", "d", "dx", "dy", "diffuseconstant", "direction", "display", "divisor", "dur", "edgemode", "elevation", "end", "exponent", "fill", "fill-opacity", "fill-rule", "filter", "filterunits", "flood-color", "flood-opacity", "font-family", "font-size", "font-size-adjust", "font-stretch", "font-style", "font-variant", "font-weight", "fx", "fy", "g1", "g2", "glyph-name", "glyphref", "gradientunits", "gradienttransform", "height", "href", "id", "image-rendering", "in", "in2", "intercept", "k", "k1", "k2", "k3", "k4", "kerning", "keypoints", "keysplines", "keytimes", "lang", "lengthadjust", "letter-spacing", "kernelmatrix", "kernelunitlength", "lighting-color", "local", "marker-end", "marker-mid", "marker-start", "markerheight", "markerunits", "markerwidth", "maskcontentunits", "maskunits", "max", "mask", "mask-type", "media", "method", "mode", "min", "name", "numoctaves", "offset", "operator", "opacity", "order", "orient", "orientation", "origin", "overflow", "paint-order", "path", "pathlength", "patterncontentunits", "patterntransform", "patternunits", "points", "preservealpha", "preserveaspectratio", "primitiveunits", "r", "rx", "ry", "radius", "refx", "refy", "repeatcount", "repeatdur", "restart", "result", "rotate", "scale", "seed", "shape-rendering", "slope", "specularconstant", "specularexponent", "spreadmethod", "startoffset", "stddeviation", "stitchtiles", "stop-color", "stop-opacity", "stroke-dasharray", "stroke-dashoffset", "stroke-linecap", "stroke-linejoin", "stroke-miterlimit", "stroke-opacity", "stroke", "stroke-width", "style", "surfacescale", "systemlanguage", "tabindex", "tablevalues", 
"targetx", "targety", "transform", "transform-origin", "text-anchor", "text-decoration", "text-rendering", "textlength", "type", "u1", "u2", "unicode", "values", "viewbox", "visibility", "version", "vert-adv-y", "vert-origin-x", "vert-origin-y", "width", "word-spacing", "wrap", "writing-mode", "xchannelselector", "ychannelselector", "x", "x1", "x2", "xmlns", "y", "y1", "y2", "z", "zoomandpan"]);
|
|
151
|
-
const mathMl = freeze(["accent", "accentunder", "align", "bevelled", "close", "
|
|
206
|
+
const mathMl = freeze(["accent", "accentunder", "align", "bevelled", "close", "columnalign", "columnlines", "columnspacing", "columnspan", "denomalign", "depth", "dir", "display", "displaystyle", "encoding", "fence", "frame", "height", "href", "id", "largeop", "length", "linethickness", "lquote", "lspace", "mathbackground", "mathcolor", "mathsize", "mathvariant", "maxsize", "minsize", "movablelimits", "notation", "numalign", "open", "rowalign", "rowlines", "rowspacing", "rowspan", "rspace", "rquote", "scriptlevel", "scriptminsize", "scriptsizemultiplier", "selection", "separator", "separators", "stretchy", "subscriptshift", "supscriptshift", "symmetric", "voffset", "width", "xmlns"]);
|
|
152
207
|
const xml = freeze(["xlink:href", "xml:id", "xlink:title", "xml:space", "xmlns:xlink"]);
|
|
153
208
|
const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm);
|
|
154
209
|
const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
@@ -230,7 +285,7 @@ const _createHooksMap = function _createHooksMap2() {
|
|
|
230
285
|
function createDOMPurify() {
|
|
231
286
|
let window2 = arguments.length > 0 && arguments[0] !== void 0 ? arguments[0] : getGlobal();
|
|
232
287
|
const DOMPurify = (root) => createDOMPurify(root);
|
|
233
|
-
DOMPurify.version = "3.
|
|
288
|
+
DOMPurify.version = "3.4.1";
|
|
234
289
|
DOMPurify.removed = [];
|
|
235
290
|
if (!window2 || !window2.document || window2.document.nodeType !== NODE_TYPE.document || !window2.Element) {
|
|
236
291
|
DOMPurify.isSupported = false;
|
|
@@ -385,15 +440,15 @@ function createDOMPurify() {
|
|
|
385
440
|
PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
|
|
386
441
|
SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;
|
|
387
442
|
transformCaseFunc = PARSER_MEDIA_TYPE === "application/xhtml+xml" ? stringToString : stringToLowerCase;
|
|
388
|
-
ALLOWED_TAGS = objectHasOwnProperty(cfg, "ALLOWED_TAGS") ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
|
|
389
|
-
ALLOWED_ATTR = objectHasOwnProperty(cfg, "ALLOWED_ATTR") ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
|
|
390
|
-
ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, "ALLOWED_NAMESPACES") ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
|
|
391
|
-
URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, "ADD_URI_SAFE_ATTR") ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;
|
|
392
|
-
DATA_URI_TAGS = objectHasOwnProperty(cfg, "ADD_DATA_URI_TAGS") ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;
|
|
393
|
-
FORBID_CONTENTS = objectHasOwnProperty(cfg, "FORBID_CONTENTS") ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
|
|
394
|
-
FORBID_TAGS = objectHasOwnProperty(cfg, "FORBID_TAGS") ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : clone({});
|
|
395
|
-
FORBID_ATTR = objectHasOwnProperty(cfg, "FORBID_ATTR") ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : clone({});
|
|
396
|
-
USE_PROFILES = objectHasOwnProperty(cfg, "USE_PROFILES") ? cfg.USE_PROFILES : false;
|
|
443
|
+
ALLOWED_TAGS = objectHasOwnProperty(cfg, "ALLOWED_TAGS") && arrayIsArray(cfg.ALLOWED_TAGS) ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
|
|
444
|
+
ALLOWED_ATTR = objectHasOwnProperty(cfg, "ALLOWED_ATTR") && arrayIsArray(cfg.ALLOWED_ATTR) ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
|
|
445
|
+
ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, "ALLOWED_NAMESPACES") && arrayIsArray(cfg.ALLOWED_NAMESPACES) ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
|
|
446
|
+
URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, "ADD_URI_SAFE_ATTR") && arrayIsArray(cfg.ADD_URI_SAFE_ATTR) ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;
|
|
447
|
+
DATA_URI_TAGS = objectHasOwnProperty(cfg, "ADD_DATA_URI_TAGS") && arrayIsArray(cfg.ADD_DATA_URI_TAGS) ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;
|
|
448
|
+
FORBID_CONTENTS = objectHasOwnProperty(cfg, "FORBID_CONTENTS") && arrayIsArray(cfg.FORBID_CONTENTS) ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
|
|
449
|
+
FORBID_TAGS = objectHasOwnProperty(cfg, "FORBID_TAGS") && arrayIsArray(cfg.FORBID_TAGS) ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : clone({});
|
|
450
|
+
FORBID_ATTR = objectHasOwnProperty(cfg, "FORBID_ATTR") && arrayIsArray(cfg.FORBID_ATTR) ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : clone({});
|
|
451
|
+
USE_PROFILES = objectHasOwnProperty(cfg, "USE_PROFILES") ? cfg.USE_PROFILES && typeof cfg.USE_PROFILES === "object" ? clone(cfg.USE_PROFILES) : cfg.USE_PROFILES : false;
|
|
397
452
|
ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false;
|
|
398
453
|
ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false;
|
|
399
454
|
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false;
|
|
@@ -409,19 +464,20 @@ function createDOMPurify() {
|
|
|
409
464
|
SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false;
|
|
410
465
|
KEEP_CONTENT = cfg.KEEP_CONTENT !== false;
|
|
411
466
|
IN_PLACE = cfg.IN_PLACE || false;
|
|
412
|
-
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP
|
|
413
|
-
NAMESPACE = cfg.NAMESPACE
|
|
414
|
-
MATHML_TEXT_INTEGRATION_POINTS = cfg.MATHML_TEXT_INTEGRATION_POINTS
|
|
415
|
-
HTML_INTEGRATION_POINTS = cfg.HTML_INTEGRATION_POINTS
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
467
|
+
IS_ALLOWED_URI$1 = isRegex(cfg.ALLOWED_URI_REGEXP) ? cfg.ALLOWED_URI_REGEXP : IS_ALLOWED_URI;
|
|
468
|
+
NAMESPACE = typeof cfg.NAMESPACE === "string" ? cfg.NAMESPACE : HTML_NAMESPACE;
|
|
469
|
+
MATHML_TEXT_INTEGRATION_POINTS = objectHasOwnProperty(cfg, "MATHML_TEXT_INTEGRATION_POINTS") && cfg.MATHML_TEXT_INTEGRATION_POINTS && typeof cfg.MATHML_TEXT_INTEGRATION_POINTS === "object" ? clone(cfg.MATHML_TEXT_INTEGRATION_POINTS) : addToSet({}, ["mi", "mo", "mn", "ms", "mtext"]);
|
|
470
|
+
HTML_INTEGRATION_POINTS = objectHasOwnProperty(cfg, "HTML_INTEGRATION_POINTS") && cfg.HTML_INTEGRATION_POINTS && typeof cfg.HTML_INTEGRATION_POINTS === "object" ? clone(cfg.HTML_INTEGRATION_POINTS) : addToSet({}, ["annotation-xml"]);
|
|
471
|
+
const customElementHandling = objectHasOwnProperty(cfg, "CUSTOM_ELEMENT_HANDLING") && cfg.CUSTOM_ELEMENT_HANDLING && typeof cfg.CUSTOM_ELEMENT_HANDLING === "object" ? clone(cfg.CUSTOM_ELEMENT_HANDLING) : create(null);
|
|
472
|
+
CUSTOM_ELEMENT_HANDLING = create(null);
|
|
473
|
+
if (objectHasOwnProperty(customElementHandling, "tagNameCheck") && isRegexOrFunction(customElementHandling.tagNameCheck)) {
|
|
474
|
+
CUSTOM_ELEMENT_HANDLING.tagNameCheck = customElementHandling.tagNameCheck;
|
|
419
475
|
}
|
|
420
|
-
if (
|
|
421
|
-
CUSTOM_ELEMENT_HANDLING.attributeNameCheck =
|
|
476
|
+
if (objectHasOwnProperty(customElementHandling, "attributeNameCheck") && isRegexOrFunction(customElementHandling.attributeNameCheck)) {
|
|
477
|
+
CUSTOM_ELEMENT_HANDLING.attributeNameCheck = customElementHandling.attributeNameCheck;
|
|
422
478
|
}
|
|
423
|
-
if (
|
|
424
|
-
CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements =
|
|
479
|
+
if (objectHasOwnProperty(customElementHandling, "allowCustomizedBuiltInElements") && typeof customElementHandling.allowCustomizedBuiltInElements === "boolean") {
|
|
480
|
+
CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = customElementHandling.allowCustomizedBuiltInElements;
|
|
425
481
|
}
|
|
426
482
|
if (SAFE_FOR_TEMPLATES) {
|
|
427
483
|
ALLOW_DATA_ATTR = false;
|
|
@@ -452,42 +508,38 @@ function createDOMPurify() {
|
|
|
452
508
|
addToSet(ALLOWED_ATTR, xml);
|
|
453
509
|
}
|
|
454
510
|
}
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
if (!objectHasOwnProperty(cfg, "ADD_ATTR")) {
|
|
459
|
-
EXTRA_ELEMENT_HANDLING.attributeCheck = null;
|
|
460
|
-
}
|
|
461
|
-
if (cfg.ADD_TAGS) {
|
|
511
|
+
EXTRA_ELEMENT_HANDLING.tagCheck = null;
|
|
512
|
+
EXTRA_ELEMENT_HANDLING.attributeCheck = null;
|
|
513
|
+
if (objectHasOwnProperty(cfg, "ADD_TAGS")) {
|
|
462
514
|
if (typeof cfg.ADD_TAGS === "function") {
|
|
463
515
|
EXTRA_ELEMENT_HANDLING.tagCheck = cfg.ADD_TAGS;
|
|
464
|
-
} else {
|
|
516
|
+
} else if (arrayIsArray(cfg.ADD_TAGS)) {
|
|
465
517
|
if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
|
|
466
518
|
ALLOWED_TAGS = clone(ALLOWED_TAGS);
|
|
467
519
|
}
|
|
468
520
|
addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
|
|
469
521
|
}
|
|
470
522
|
}
|
|
471
|
-
if (cfg
|
|
523
|
+
if (objectHasOwnProperty(cfg, "ADD_ATTR")) {
|
|
472
524
|
if (typeof cfg.ADD_ATTR === "function") {
|
|
473
525
|
EXTRA_ELEMENT_HANDLING.attributeCheck = cfg.ADD_ATTR;
|
|
474
|
-
} else {
|
|
526
|
+
} else if (arrayIsArray(cfg.ADD_ATTR)) {
|
|
475
527
|
if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
|
|
476
528
|
ALLOWED_ATTR = clone(ALLOWED_ATTR);
|
|
477
529
|
}
|
|
478
530
|
addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
|
|
479
531
|
}
|
|
480
532
|
}
|
|
481
|
-
if (cfg.ADD_URI_SAFE_ATTR) {
|
|
533
|
+
if (objectHasOwnProperty(cfg, "ADD_URI_SAFE_ATTR") && arrayIsArray(cfg.ADD_URI_SAFE_ATTR)) {
|
|
482
534
|
addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
|
|
483
535
|
}
|
|
484
|
-
if (cfg.FORBID_CONTENTS) {
|
|
536
|
+
if (objectHasOwnProperty(cfg, "FORBID_CONTENTS") && arrayIsArray(cfg.FORBID_CONTENTS)) {
|
|
485
537
|
if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
|
|
486
538
|
FORBID_CONTENTS = clone(FORBID_CONTENTS);
|
|
487
539
|
}
|
|
488
540
|
addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
|
|
489
541
|
}
|
|
490
|
-
if (cfg.ADD_FORBID_CONTENTS) {
|
|
542
|
+
if (objectHasOwnProperty(cfg, "ADD_FORBID_CONTENTS") && arrayIsArray(cfg.ADD_FORBID_CONTENTS)) {
|
|
491
543
|
if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
|
|
492
544
|
FORBID_CONTENTS = clone(FORBID_CONTENTS);
|
|
493
545
|
}
|
|
@@ -680,6 +732,10 @@ function createDOMPurify() {
|
|
|
680
732
|
_forceRemove(currentNode);
|
|
681
733
|
return true;
|
|
682
734
|
}
|
|
735
|
+
if (SAFE_FOR_XML && currentNode.namespaceURI === HTML_NAMESPACE && tagName === "style" && _isNode(currentNode.firstElementChild)) {
|
|
736
|
+
_forceRemove(currentNode);
|
|
737
|
+
return true;
|
|
738
|
+
}
|
|
683
739
|
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
|
|
684
740
|
_forceRemove(currentNode);
|
|
685
741
|
return true;
|
|
@@ -688,7 +744,7 @@ function createDOMPurify() {
|
|
|
688
744
|
_forceRemove(currentNode);
|
|
689
745
|
return true;
|
|
690
746
|
}
|
|
691
|
-
if (!(EXTRA_ELEMENT_HANDLING.tagCheck instanceof Function && EXTRA_ELEMENT_HANDLING.tagCheck(tagName)) &&
|
|
747
|
+
if (FORBID_TAGS[tagName] || !(EXTRA_ELEMENT_HANDLING.tagCheck instanceof Function && EXTRA_ELEMENT_HANDLING.tagCheck(tagName)) && !ALLOWED_TAGS[tagName]) {
|
|
692
748
|
if (!FORBID_TAGS[tagName] && _isBasicCustomElement(tagName)) {
|
|
693
749
|
if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName)) {
|
|
694
750
|
return false;
|
|
@@ -704,7 +760,6 @@ function createDOMPurify() {
|
|
|
704
760
|
const childCount = childNodes.length;
|
|
705
761
|
for (let i = childCount - 1; i >= 0; --i) {
|
|
706
762
|
const childClone = cloneNode(childNodes[i], true);
|
|
707
|
-
childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
|
|
708
763
|
parentNode.insertBefore(childClone, getNextSibling(currentNode));
|
|
709
764
|
}
|
|
710
765
|
}
|
|
@@ -766,8 +821,9 @@ function createDOMPurify() {
|
|
|
766
821
|
} else ;
|
|
767
822
|
return true;
|
|
768
823
|
};
|
|
824
|
+
const RESERVED_CUSTOM_ELEMENT_NAMES = addToSet({}, ["annotation-xml", "color-profile", "font-face", "font-face-format", "font-face-name", "font-face-src", "font-face-uri", "missing-glyph"]);
|
|
769
825
|
const _isBasicCustomElement = function _isBasicCustomElement2(tagName) {
|
|
770
|
-
return tagName
|
|
826
|
+
return !RESERVED_CUSTOM_ELEMENT_NAMES[stringToLowerCase(tagName)] && regExpTest(CUSTOM_ELEMENT2, tagName);
|
|
771
827
|
};
|
|
772
828
|
const _sanitizeAttributes = function _sanitizeAttributes2(currentNode) {
|
|
773
829
|
_executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);
|
|
@@ -801,7 +857,7 @@ function createDOMPurify() {
|
|
|
801
857
|
hookEvent.forceKeepAttr = void 0;
|
|
802
858
|
_executeHooks(hooks.uponSanitizeAttribute, currentNode, hookEvent);
|
|
803
859
|
value = hookEvent.attrValue;
|
|
804
|
-
if (SANITIZE_NAMED_PROPS && (lcName === "id" || lcName === "name")) {
|
|
860
|
+
if (SANITIZE_NAMED_PROPS && (lcName === "id" || lcName === "name") && stringIndexOf(value, SANITIZE_NAMED_PROPS_PREFIX) !== 0) {
|
|
805
861
|
_removeAttribute(name, currentNode);
|
|
806
862
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
807
863
|
}
|
|
@@ -868,7 +924,7 @@ function createDOMPurify() {
|
|
|
868
924
|
}
|
|
869
925
|
_executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
|
|
870
926
|
};
|
|
871
|
-
const
|
|
927
|
+
const _sanitizeShadowDOM2 = function _sanitizeShadowDOM(fragment) {
|
|
872
928
|
let shadowNode = null;
|
|
873
929
|
const shadowIterator = _createNodeIterator(fragment);
|
|
874
930
|
_executeHooks(hooks.beforeSanitizeShadowDOM, fragment, null);
|
|
@@ -893,13 +949,9 @@ function createDOMPurify() {
|
|
|
893
949
|
dirty = "<!-->";
|
|
894
950
|
}
|
|
895
951
|
if (typeof dirty !== "string" && !_isNode(dirty)) {
|
|
896
|
-
|
|
897
|
-
|
|
898
|
-
|
|
899
|
-
throw typeErrorCreate("dirty is not a string, aborting");
|
|
900
|
-
}
|
|
901
|
-
} else {
|
|
902
|
-
throw typeErrorCreate("toString is not a function");
|
|
952
|
+
dirty = stringifyValue(dirty);
|
|
953
|
+
if (typeof dirty !== "string") {
|
|
954
|
+
throw typeErrorCreate("dirty is not a string, aborting");
|
|
903
955
|
}
|
|
904
956
|
}
|
|
905
957
|
if (!DOMPurify.isSupported) {
|
|
@@ -913,8 +965,9 @@ function createDOMPurify() {
|
|
|
913
965
|
IN_PLACE = false;
|
|
914
966
|
}
|
|
915
967
|
if (IN_PLACE) {
|
|
916
|
-
|
|
917
|
-
|
|
968
|
+
const nn = dirty.nodeName;
|
|
969
|
+
if (typeof nn === "string") {
|
|
970
|
+
const tagName = transformCaseFunc(nn);
|
|
918
971
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
919
972
|
throw typeErrorCreate("root node is forbidden and cannot be sanitized in-place");
|
|
920
973
|
}
|
|
@@ -947,13 +1000,21 @@ function createDOMPurify() {
|
|
|
947
1000
|
_sanitizeElements(currentNode);
|
|
948
1001
|
_sanitizeAttributes(currentNode);
|
|
949
1002
|
if (currentNode.content instanceof DocumentFragment) {
|
|
950
|
-
|
|
1003
|
+
_sanitizeShadowDOM2(currentNode.content);
|
|
951
1004
|
}
|
|
952
1005
|
}
|
|
953
1006
|
if (IN_PLACE) {
|
|
954
1007
|
return dirty;
|
|
955
1008
|
}
|
|
956
1009
|
if (RETURN_DOM) {
|
|
1010
|
+
if (SAFE_FOR_TEMPLATES) {
|
|
1011
|
+
body.normalize();
|
|
1012
|
+
let html2 = body.innerHTML;
|
|
1013
|
+
arrayForEach([MUSTACHE_EXPR2, ERB_EXPR2, TMPLIT_EXPR2], (expr) => {
|
|
1014
|
+
html2 = stringReplace(html2, expr, " ");
|
|
1015
|
+
});
|
|
1016
|
+
body.innerHTML = html2;
|
|
1017
|
+
}
|
|
957
1018
|
if (RETURN_DOM_FRAGMENT) {
|
|
958
1019
|
returnNode = createDocumentFragment.call(body.ownerDocument);
|
|
959
1020
|
while (body.firstChild) {
|