dompurify 2.2.7 → 2.2.8
- package/README.md +4 -1
- package/dist/purify.cjs.js +26 -21
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +26 -21
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +26 -21
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +1 -1
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
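--- a/package/README.md
+++ b/package/README.md
@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.2.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.2.8.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 
@@ -170,6 +170,9 @@ var clean = DOMPurify.sanitize(dirty, {USE_PROFILES: {svg: true, svgFilters: tru
 // allow all safe MathML elements and SVG, but no SVG Filters
 var clean = DOMPurify.sanitize(dirty, {USE_PROFILES: {mathMl: true, svg: true}});
 
+// change the default namespace from HTML to something different
+var clean = DOMPurify.sanitize(dirty, {NAMESPACE: 'http://www.w3.org/2000/svg'});
+
 // leave all safe HTML as it is and add <style> elements to block-list
 var clean = DOMPurify.sanitize(dirty, {FORBID_TAGS: ['style']});
 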
package/dist/purify.cjs.js
CHANGED
|
@@ -168,7 +168,7 @@ var mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv
|
|
|
168
168
|
|
|
169
169
|
var text = freeze(['#text']);
|
|
170
170
|
|
|
171
|
-
var html$1 = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']);
|
|
171
|
+
var html$1 = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns', 'slot']);
|
|
172
172
|
|
|
173
173
|
var svg$1 = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 
'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);
|
|
174
174
|
|
|
@@ -245,7 +245,7 @@ function createDOMPurify() {
|
|
|
245
245
|
* Version label, exposed for easier checks
|
|
246
246
|
* if DOMPurify is up to date or not
|
|
247
247
|
*/
|
|
248
|
-
DOMPurify.version = '2.2.
|
|
248
|
+
DOMPurify.version = '2.2.8';
|
|
249
249
|
|
|
250
250
|
/**
|
|
251
251
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -303,7 +303,6 @@ function createDOMPurify() {
|
|
|
303
303
|
var _document = document,
|
|
304
304
|
implementation = _document.implementation,
|
|
305
305
|
createNodeIterator = _document.createNodeIterator,
|
|
306
|
-
getElementsByTagName = _document.getElementsByTagName,
|
|
307
306
|
createDocumentFragment = _document.createDocumentFragment;
|
|
308
307
|
var importNode = originalDocument.importNode;
|
|
309
308
|
|
|
@@ -421,6 +420,12 @@ function createDOMPurify() {
|
|
|
421
420
|
var URI_SAFE_ATTRIBUTES = null;
|
|
422
421
|
var DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'summary', 'title', 'value', 'style', 'xmlns']);
|
|
423
422
|
|
|
423
|
+
var MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
|
|
424
|
+
var SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
|
|
425
|
+
var HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
|
|
426
|
+
/* Document namespace */
|
|
427
|
+
var NAMESPACE = HTML_NAMESPACE;
|
|
428
|
+
|
|
424
429
|
/* Keep a reference to config to pass to hooks */
|
|
425
430
|
var CONFIG = null;
|
|
426
431
|
|
|
@@ -470,6 +475,7 @@ function createDOMPurify() {
|
|
|
470
475
|
KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
|
|
471
476
|
IN_PLACE = cfg.IN_PLACE || false; // Default false
|
|
472
477
|
IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1;
|
|
478
|
+
NAMESPACE = cfg.NAMESPACE || NAMESPACE;
|
|
473
479
|
if (SAFE_FOR_TEMPLATES) {
|
|
474
480
|
ALLOW_DATA_ATTR = false;
|
|
475
481
|
}
|
|
@@ -566,10 +572,6 @@ function createDOMPurify() {
|
|
|
566
572
|
var ALL_MATHML_TAGS = addToSet({}, mathMl);
|
|
567
573
|
addToSet(ALL_MATHML_TAGS, mathMlDisallowed);
|
|
568
574
|
|
|
569
|
-
var MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
|
|
570
|
-
var SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
|
|
571
|
-
var HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
|
|
572
|
-
|
|
573
575
|
/**
|
|
574
576
|
*
|
|
575
577
|
*
|
|
@@ -734,27 +736,30 @@ function createDOMPurify() {
|
|
|
734
736
|
}
|
|
735
737
|
|
|
736
738
|
var dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
|
|
737
|
-
/*
|
|
738
|
-
|
|
739
|
-
|
|
740
|
-
|
|
739
|
+
/*
|
|
740
|
+
* Use the DOMParser API by default, fallback later if needs be
|
|
741
|
+
* DOMParser not work for svg when has multiple root element.
|
|
742
|
+
*/
|
|
743
|
+
if (NAMESPACE === HTML_NAMESPACE) {
|
|
744
|
+
try {
|
|
745
|
+
doc = new DOMParser().parseFromString(dirtyPayload, 'text/html');
|
|
746
|
+
} catch (_) {}
|
|
747
|
+
}
|
|
741
748
|
|
|
742
749
|
/* Use createHTMLDocument in case DOMParser is not available */
|
|
743
750
|
if (!doc || !doc.documentElement) {
|
|
744
|
-
doc = implementation.
|
|
745
|
-
|
|
746
|
-
body = _doc.body;
|
|
747
|
-
|
|
748
|
-
body.parentNode.removeChild(body.parentNode.firstElementChild);
|
|
749
|
-
body.outerHTML = dirtyPayload;
|
|
751
|
+
doc = implementation.createDocument(NAMESPACE, 'template', null);
|
|
752
|
+
doc.documentElement.innerHTML = dirtyPayload;
|
|
750
753
|
}
|
|
751
754
|
|
|
755
|
+
var body = doc.body || doc.documentElement;
|
|
756
|
+
|
|
752
757
|
if (dirty && leadingWhitespace) {
|
|
753
|
-
|
|
758
|
+
body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);
|
|
754
759
|
}
|
|
755
760
|
|
|
756
761
|
/* Work on whole document or just its body */
|
|
757
|
-
return
|
|
762
|
+
return WHOLE_DOCUMENT ? doc.documentElement : body;
|
|
758
763
|
};
|
|
759
764
|
|
|
760
765
|
/**
|
|
@@ -862,8 +867,8 @@ function createDOMPurify() {
|
|
|
862
867
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
863
868
|
/* Keep content except for bad-listed elements */
|
|
864
869
|
if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
|
|
865
|
-
var parentNode = getParentNode(currentNode);
|
|
866
|
-
var childNodes = getChildNodes(currentNode);
|
|
870
|
+
var parentNode = getParentNode(currentNode) || currentNode.parentNode;
|
|
871
|
+
var childNodes = getChildNodes(currentNode) || currentNode.childNodes;
|
|
867
872
|
|
|
868
873
|
if (childNodes && parentNode) {
|
|
869
874
|
var childCount = childNodes.length;
|