dompurify 2.3.10 → 2.3.11
- package/README.md +45 -18
- package/dist/purify.cjs.d.ts +144 -0
- package/dist/purify.cjs.js +35 -3
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.d.ts +144 -0
- package/dist/purify.es.js +35 -3
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +35 -3
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +6 -2
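--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.11 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.11/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -326,7 +326,7 @@
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.11';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -484,9 +484,27 @@
 * case Trusted Types are not supported */
 
 var RETURN_TRUSTED_TYPE = false;
-/* Output should be free from DOM clobbering attacks?
+/* Output should be free from DOM clobbering attacks?
+* This sanitizes markups named with colliding, clobberable built-in DOM APIs.
+*/
 
 var SANITIZE_DOM = true;
+/* Achieve full DOM Clobbering protection by isolating the namespace of named
+* properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
+*
+* HTML/DOM spec rules that enable DOM Clobbering:
+* - Named Access on Window (§7.3.3)
+* - DOM Tree Accessors (§3.1.5)
+* - Form Element Parent-Child Relations (§4.10.3)
+* - Iframe srcdoc / Nested WindowProxies (§4.8.5)
+* - HTMLCollection (§4.2.10.2)
+*
+* Namespace isolation is implemented by prefixing `id` and `name` attributes
+* with a constant string, i.e., `user-content-`
+*/
+
+var SANITIZE_NAMED_PROPS = false;
+var SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
 /* Keep element content when removing element? */
 
 var KEEP_CONTENT = true;
@@ -600,6 +618,8 @@
 
 SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
 
+SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
+
 KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
 
 IN_PLACE = cfg.IN_PLACE || false; // Default false
@@ -1256,6 +1276,18 @@
 if (!_isValidAttribute(lcTag, lcName, value)) {
 continue;
 }
+/* Full DOM Clobbering protection via namespace isolation,
+* Prefix id and name attributes with `user-content-`
+*/
+
+
+if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
+// Remove the attribute with this value
+_removeAttribute(name, currentNode); // Prefix the value and later re-create the attribute with the sanitized value
+
+
+value = SANITIZE_NAMED_PROPS_PREFIX + value;
+}
 /* Handle attributes that require Trusted Types */
 
 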
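Review bot: The prefixing at `if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name'))` rewrites only the `id`/`name` attribute values themselves, so any in-document references to them that pass `_isValidAttribute` (`href="#x"`, `for`, `form`, `list`, `usemap`, `aria-labelledby`) still carry the unprefixed value and stop resolving once the option is on, and form-field `name`s change what is submitted. That is an acceptable trade-off for clobbering protection, but it should be stated where the option is declared, e.g. `* Note: only the id/name attribute values are prefixed; references to them (href="#x", for, form, list, usemap, aria-*) are not rewritten and will no longer resolve.`. Note also that `SANITIZE_NAMED_PROPS_PREFIX` is fixed at `'user-content-'` and is not read from `cfg` in the config hunk, so callers cannot align the prefix with their own anchor handling; if that is intentional it is worth a comment. The enclosing attribute-sanitizing loop starts and ends outside the hunk, so whether the prefixed value is re-added unconditionally cannot be confirmed here.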