dompurify 2.0.4 → 2.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +26 -21
- package/dist/purify.cjs.js +151 -116
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +151 -116
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +151 -116
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +1 -1
- package/dist/purify.min.js.map +1 -1
- package/package.json +4 -4
package/README.md
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.0.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.0.8.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
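Review bot: Hard-coding the exact release ("has reached version 2.0.8") in the README introduction means this sentence goes stale on every publish and will keep generating one-line README churn like this hunk; suggest keeping the prose at "version 2.0" (or "2.x") and leaving the precise version to package.json and the release notes.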
@@ -48,27 +48,30 @@ If you're using an [AMD](https://github.com/amdjs/amdjs-api/wiki/AMD) module loa
|
|
|
48
48
|
|
|
49
49
|
```javascript
|
|
50
50
|
require(['dompurify'], function(DOMPurify) {
|
|
51
|
-
|
|
51
|
+
var clean = DOMPurify.sanitize(dirty);
|
|
52
52
|
});
|
|
53
53
|
```
|
|
54
54
|
|
|
55
|
-
DOMPurify also works server-side with node.js as well as client-side via [Browserify](http://browserify.org/) or similar translators.
|
|
55
|
+
DOMPurify also works server-side with node.js as well as client-side via [Browserify](http://browserify.org/) or similar translators. Node.js 0.x is not supported; either [io.js](https://iojs.org) or Node.js 4.x or newer is required.
|
|
56
56
|
|
|
57
57
|
```bash
|
|
58
58
|
npm install dompurify
|
|
59
59
|
```
|
|
60
|
+
|
|
60
61
|
For JSDOM v10 or newer
|
|
62
|
+
|
|
61
63
|
```javascript
|
|
62
64
|
const createDOMPurify = require('dompurify');
|
|
63
65
|
const { JSDOM } = require('jsdom');
|
|
64
66
|
|
|
65
|
-
const window =
|
|
67
|
+
const window = new JSDOM('').window;
|
|
66
68
|
const DOMPurify = createDOMPurify(window);
|
|
67
69
|
|
|
68
70
|
const clean = DOMPurify.sanitize(dirty);
|
|
69
71
|
```
|
|
70
72
|
|
|
71
73
|
For JSDOM versions older than v10
|
|
74
|
+
|
|
72
75
|
```javascript
|
|
73
76
|
const createDOMPurify = require('dompurify');
|
|
74
77
|
const jsdom = require('jsdom').jsdom;
|
|
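Review bot: The added Node.js support sentence points readers at io.js ("either io.js or Node.js 4.x or newer is required"), a project that merged back into Node.js and is no longer a separate runtime; suggest stating a single minimum, e.g. "Node.js 4.x or newer is required (0.x is not supported)". The completed `const window = new JSDOM('').window;` line is correct for JSDOM v10+ and fixes the previously truncated example.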
@@ -83,9 +86,11 @@ const clean = DOMPurify.sanitize(dirty);
|
|
|
83
86
|
|
|
84
87
|
Of course there is a demo! [Play with DOMPurify](https://cure53.de/purify)
|
|
85
88
|
|
|
86
|
-
## What if I find a
|
|
89
|
+
## What if I find a _security_ bug?
|
|
90
|
+
|
|
91
|
+
First of all, please immediately contact us via [email](mailto:mario@cure53.de) so we can work on a fix. [PGP key](https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xC26C858090F70ADA)
|
|
87
92
|
|
|
88
|
-
|
|
93
|
+
Also, you probably qualify for a bug bounty! The fine folks over at [FastMail](https://www.fastmail.com/) use DOMPurify for their services and added our library to their bug bounty scope. So, if you find a way to bypass or weaken DOMPurify, please also have a look at their website and the [bug bounty info](https://www.fastmail.com/about/bugbounty.html).
|
|
89
94
|
|
|
90
95
|
## Some purification samples please?
|
|
91
96
|
|
|
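Review bot: The new security-reporting section links a key by its 64-bit key ID (`0xC26C858090F70ADA`) on a public keyserver, which does not by itself let a reporter confirm they have the right key; suggest printing the full fingerprint inline next to the link, and also pointing to a SECURITY.md (or the same text there) so GitHub surfaces the reporting route on the repository's Security tab. The bare "[PGP key](...)" fragment after the first sentence would also read better as a sentence, e.g. "Our PGP key is available here."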
@@ -94,7 +99,7 @@ How does purified markup look like? Well, [the demo](https://cure53.de/purify) s
|
|
|
94
99
|
```javascript
|
|
95
100
|
DOMPurify.sanitize('<img src=x onerror=alert(1)//>'); // becomes <img src="x">
|
|
96
101
|
DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); // becomes <svg><g></g></svg>
|
|
97
|
-
DOMPurify.sanitize('<p>abc<iframe
|
|
102
|
+
DOMPurify.sanitize('<p>abc<iframe//src=jAva	script:alert(3)>def'); // becomes <p>abcdef</p>
|
|
98
103
|
DOMPurify.sanitize('<math><mi//xlink:href="data:x,<script>alert(4)</script>">'); // becomes <math><mi></mi></math>
|
|
99
104
|
DOMPurify.sanitize('<TABLE><tr><td>HELLO</tr></TABL>'); // becomes <table><tbody><tr><td>HELLO</td></tr></tbody></table>
|
|
100
105
|
DOMPurify.sanitize('<UL><li><A HREF=//google.com>click</UL>'); // becomes <ul><li><a href="//google.com">click</a></li></ul>
|
|
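Review bot: The sample `'<p>abc<iframe//src=jAva	script:alert(3)>def'` relies on a literal tab character inside `jAva	script`, which is invisible in the rendered README and is easily normalized to spaces by editors, formatters or copy-paste, so readers will not see why the scheme is split; suggest writing it with an explicit escape (`'jAva\tscript:alert(3)'`) or adding a trailing comment that a tab sits inside the scheme name.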
@@ -112,7 +117,7 @@ If not even `toStaticHTML` is supported, DOMPurify does nothing at all. It simpl
|
|
|
112
117
|
|
|
113
118
|
## What about DOMPurify and Trusted Types?
|
|
114
119
|
|
|
115
|
-
In version 1.0.9, support for [Trusted Types API](https://github.com/WICG/trusted-types) was added to DOMPurify.
|
|
120
|
+
In version 1.0.9, support for [Trusted Types API](https://github.com/WICG/trusted-types) was added to DOMPurify.
|
|
116
121
|
In version 2.0.0, a config flag was added to control DOMPurify's behavior regarding this.
|
|
117
122
|
|
|
118
123
|
When `DOMPurify.sanitize` is used in an environment where the Trusted Types API is available and `RETURN_TRUSTED_TYPE` is set to `true`, it tries to return a `TrustedHTML` value instead of a string (the behavior for `RETURN_DOM`, `RETURN_DOM_FRAGMENT`, and `RETURN_DOM_IMPORT` config options does not change).
|
|
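Review bot: The `-`/`+` pair for the "In version 1.0.9, support for Trusted Types API was added" line shows identical visible text, so this is a whitespace-only change (most likely trailing whitespace); suggest either confirming it is intentional or dropping it so the README diff only contains substantive edits.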
@@ -203,6 +208,7 @@ var dirty = document.createElement('a');
|
|
|
203
208
|
dirty.setAttribute('href', 'javascript:alert(1)');
|
|
204
209
|
var clean = DOMPurify.sanitize(dirty, {IN_PLACE: true}); // see https://github.com/cure53/DOMPurify/issues/288 for more info
|
|
205
210
|
```
|
|
211
|
+
|
|
206
212
|
There is even [more examples here](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this), showing how you can run, customize and configure DOMPurify to fit your needs.
|
|
207
213
|
|
|
208
214
|
## Persistent Configuration
|
|
@@ -214,7 +220,7 @@ Instead of repeatedly passing the same configuration to `DOMPurify.sanitize`, yo
|
|
|
214
220
|
DOMPurify allows you to augment its functionality by attaching one or more functions with the `DOMPurify.addHook` method to one of the following hooks:
|
|
215
221
|
|
|
216
222
|
- `beforeSanitizeElements`
|
|
217
|
-
- `uponSanitizeElement`
|
|
223
|
+
- `uponSanitizeElement` (No 's' - called for every element)
|
|
218
224
|
- `afterSanitizeElements`
|
|
219
225
|
- `beforeSanitizeAttributes`
|
|
220
226
|
- `uponSanitizeAttribute`
|
|
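Review bot: The clarification "(No 's' - called for every element)" is added only to `uponSanitizeElement`, but `uponSanitizeAttribute` in the same list follows the identical singular naming pattern and is equally easy to misspell; suggest adding the matching note there ("called for every attribute") so the convention is explained consistently.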
@@ -228,9 +234,14 @@ It passes the currently processed DOM node, when needed a literal with verified
|
|
|
228
234
|
_Example_:
|
|
229
235
|
|
|
230
236
|
```javascript
|
|
231
|
-
DOMPurify.addHook('beforeSanitizeElements', function(
|
|
232
|
-
|
|
233
|
-
|
|
237
|
+
DOMPurify.addHook('beforeSanitizeElements', function(
|
|
238
|
+
currentNode,
|
|
239
|
+
hookEvent,
|
|
240
|
+
config
|
|
241
|
+
) {
|
|
242
|
+
// Do something with the current node and return it
|
|
243
|
+
// You can also mutate hookEvent (i.e. set hookEvent.forceKeepAttr = true)
|
|
244
|
+
return currentNode;
|
|
234
245
|
});
|
|
235
246
|
```
|
|
236
247
|
|
|
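Review bot: The new comment "You can also mutate hookEvent (i.e. set hookEvent.forceKeepAttr = true)" sits in a `beforeSanitizeElements` hook, where no attribute is being processed; `forceKeepAttr` is an attribute-level flag that belongs to the `uponSanitizeAttribute` hook event, so a reader copying this example will set a property that has no effect here. Suggest moving the comment to an `uponSanitizeAttribute` example (or saying "in uponSanitizeAttribute you can set hookEvent.forceKeepAttr = true"), and changing "i.e." to "e.g." since it is one example of a mutation, not the definition of one.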
@@ -278,14 +289,8 @@ Feature releases will not be announced to this list.
|
|
|
278
289
|
|
|
279
290
|
## Who contributed?
|
|
280
291
|
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
[@garethheyes](https://twitter.com/garethheyes) and [@filedescriptor](https://twitter.com/filedescriptor) for invaluable help, [@shafigullin](https://twitter.com/shafigullin) for breaking the library multiple times and thereby strengthening it in the early days, [@mmrupp](https://twitter.com/mmrupp) and [@irsdl](https://twitter.com/irsdl) for doing the same. And lastly, thanks to @ShikariSenpai and @ansjdnakjdnajkd for spotting a [massive Safari 10.1 bug](https://github.com/cure53/DOMPurify/releases/tag/0.8.6) early on and reporting it.
|
|
284
|
-
|
|
285
|
-
Big thanks also go to [@ydaniv](https://github.com/ydaniv), [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and [@fhemberger](https://twitter.com/fhemberger)! Further, we would like to thank @masatokinugawa for his continuous and extremely valuable help in the past and present.
|
|
286
|
-
|
|
287
|
-
Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their early code reviews and countless small optimizations, fixes and beautifications. Thanks also go out to [@kkotowicz](https://twitter.com/kkotowicz) for his Trusted Types implementation and the connected section on our README page.
|
|
292
|
+
Many people helped and help DOMPurify become what it is and need to be acknowledged here!
|
|
288
293
|
|
|
289
|
-
|
|
294
|
+
[oreoshake 💸](https://github.com/oreoshake), [dcramer 💸](https://github.com/dcramer),[tdeekens](https://github.com/tdeekens), [neilj](https://github.com/neilj), [fhemberger](https://github.com/fhemberger), [Joris-van-der-Wel](https://github.com/Joris-van-der-Wel), [ydaniv](https://github.com/ydaniv), [filedescriptor](https://github.com/filedescriptor), [ConradIrwin](https://github.com/ConradIrwin), [gibson042](https://github.com/gibson042), [choumx](https://github.com/choumx), [0xSobky](https://github.com/0xSobky), [styfle](https://github.com/styfle), [koto](https://github.com/koto), [tlau88](https://github.com/tlau88), [strugee](https://github.com/strugee), [oparoz](https://github.com/oparoz), [mathiasbynens](https://github.com/mathiasbynens), [edg2s](https://github.com/edg2s), [dnkolegov](https://github.com/dnkolegov), [dhardtke](https://github.com/dhardtke), [wirehead](https://github.com/wirehead), [thorn0](https://github.com/thorn0), [styu](https://github.com/styu), [mozfreddyb](https://github.com/mozfreddyb), [mikesamuel](https://github.com/mikesamuel), [jorangreef](https://github.com/jorangreef), [jimmyhchan](https://github.com/jimmyhchan), [jameydeorio](https://github.com/jameydeorio), [jameskraus](https://github.com/jameskraus), [hyderali](https://github.com/hyderali), [hansottowirtz](https://github.com/hansottowirtz), [hackvertor](https://github.com/hackvertor), [freddyb](https://github.com/freddyb), [flavorjones](https://github.com/flavorjones), [djfarrelly](https://github.com/djfarrelly), [devd](https://github.com/devd), [camerondunford](https://github.com/camerondunford), [buu700](https://github.com/buu700), [buildog](https://github.com/buildog), [alabiaga](https://github.com/alabiaga), [Vector919](https://github.com/Vector919), [Robbert](https://github.com/Robbert), [GreLI](https://github.com/GreLI), [FuzzySockets](https://github.com/FuzzySockets), [ArtemBernatskyy](https://github.com/ArtemBernatskyy), [@garethheyes](https://twitter.com/garethheyes), 
[@filedescriptor](https://twitter.com/filedescriptor), [@shafigullin](https://twitter.com/shafigullin), [@mmrupp](https://twitter.com/mmrupp), [@irsdl](https://twitter.com/irsdl),[ShikariSenpai](https://github.com/ShikariSenpai), [ansjdnakjdnajkd](https://github.com/ansjdnakjdnajkd), [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and especially [@masatokinugawa](https://twitter.com/masatokinugawa)
|
|
290
295
|
|
|
291
|
-
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.
|
|
296
|
+
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.
|
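Review bot: Two list entries are missing the space after the comma (`[dcramer 💸](...),[tdeekens]` and `[@irsdl](...),[ShikariSenpai]`), and the lead sentence "Many people helped and help DOMPurify become what it is" reads awkwardly; suggest "Many people have helped, and continue to help, DOMPurify become what it is". The `-`/`+` pair for the BrowserStack sentence is visibly identical, so that is a whitespace-only change that could be dropped from the hunk.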