dompurify 2.3.4 → 2.3.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +28 -25
- package/dist/purify.cjs.js +445 -269
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +446 -270
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +447 -271
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +21 -31
package/README.md
CHANGED
|
@@ -1,16 +1,16 @@
|
|
|
1
1
|
# DOMPurify
|
|
2
2
|
|
|
3
|
-
[](http://badge.fury.io/js/dompurify)
|
|
3
|
+
[](http://badge.fury.io/js/dompurify)  [](https://www.npmjs.com/package/dompurify) [](https://cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js) [](https://packagephobia.now.sh/result?p=dompurify) [](https://github.com/cure53/DOMPurify/network/dependents)
|
|
4
4
|
|
|
5
5
|
[](https://nodei.co/npm/dompurify/)
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.7.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.15.1, v15.4.0, v16.13.0, v17.0.0, running DOMPurify on [jsdom](https://github.com/
|
|
13
|
+
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.15.1, v15.4.0, v16.13.0, v17.0.0, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node.js versions are known to work as well.
|
|
14
14
|
|
|
15
15
|
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really.
|
|
16
16
|
|
|
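Review bot: the new line 9 hard-codes the patch version ("has reached version 2.3.7") in README prose, which goes stale the moment the next patch ships and is exactly the kind of line that gets missed in a release (the previous text said 2.3, and this bump had to be done by hand); either keep it at the minor version or generate it from package.json at build time. On the new line 13, "Older Node.js versions are known to work as well" is an untested claim placed right after the list of versions CI actually runs (v14.15.1, v15.4.0, v16.13.0, v17.0.0); state what is tested and stop there, or name the older versions and how they were verified.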
@@ -37,14 +37,14 @@ It's easy. Just include DOMPurify on your website.
|
|
|
37
37
|
Afterwards you can sanitize strings by executing the following code:
|
|
38
38
|
|
|
39
39
|
```js
|
|
40
|
-
let clean = DOMPurify.sanitize(
|
|
40
|
+
let clean = DOMPurify.sanitize(dirty);
|
|
41
41
|
```
|
|
42
42
|
|
|
43
43
|
The resulting HTML can be written into a DOM element using `innerHTML` or the DOM using `document.write()`. That is fully up to you.
|
|
44
44
|
Note that by default, we permit HTML, SVG **and** MathML. If you only need HTML, which might be a very common use-case, you can easily set that up as well:
|
|
45
45
|
|
|
46
46
|
```js
|
|
47
|
-
let clean = DOMPurify.sanitize(
|
|
47
|
+
let clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });
|
|
48
48
|
```
|
|
49
49
|
|
|
50
50
|
### Is there any foot-gun potential?
|
|
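Review bot: the two completed snippets both declare `let clean` (new lines 40 and 47), so a reader who pastes them into one scope gets a redeclaration SyntaxError; use `const` and a different name in the second, or drop the binding there. The context line 43 then recommends writing the result via `innerHTML` or `document.write()`, while line 136 further down says the return value is only a `TrustedHTML` when `RETURN_TRUSTED_TYPE` is set; the quick-start should at least cross-reference that flag so readers running under a Trusted Types policy know why the plain-string result is not accepted by those sinks.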
@@ -55,7 +55,7 @@ Well, please note, if you _first_ sanitize HTML and then modify it _afterwards_,
|
|
|
55
55
|
|
|
56
56
|
After sanitizing your markup, you can also have a look at the property `DOMPurify.removed` and find out, what elements and attributes were thrown out. Please **do not use** this property for making any security critical decisions. This is just a little helper for curious minds.
|
|
57
57
|
|
|
58
|
-
If you're using an [AMD](https://github.com/amdjs/amdjs-api/
|
|
58
|
+
If you're using an [AMD](https://github.com/amdjs/amdjs-api/blob/master/AMD.md) module loader like [Require.js](http://requirejs.org/), you can load this script asynchronously as well:
|
|
59
59
|
|
|
60
60
|
```js
|
|
61
61
|
import DOMPurify from 'dompurify';
|
|
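Review bot: the completed sentence on line 58 promises an asynchronous load through an AMD loader such as Require.js, but the code block that follows it (line 61, `import DOMPurify from 'dompurify';`) is an ES module import, not an AMD `require([...], callback)` call; either show the AMD form the sentence describes or reword the sentence to cover the ES module/bundler case the example actually shows.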
@@ -101,7 +101,7 @@ Of course there is a demo! [Play with DOMPurify](https://cure53.de/purify)
|
|
|
101
101
|
|
|
102
102
|
First of all, please immediately contact us via [email](mailto:mario@cure53.de) so we can work on a fix. [PGP key](https://keyserver.ubuntu.com/pks/lookup?op=vindex&search=0xC26C858090F70ADA)
|
|
103
103
|
|
|
104
|
-
Also, you probably qualify for a bug bounty! The fine folks over at [Fastmail](https://www.fastmail.com/) use DOMPurify for their services and added our library to their bug bounty scope. So, if you find a way to bypass or weaken DOMPurify, please also have a look at their website and the [bug bounty info](https://www.fastmail.com/about/bugbounty
|
|
104
|
+
Also, you probably qualify for a bug bounty! The fine folks over at [Fastmail](https://www.fastmail.com/) use DOMPurify for their services and added our library to their bug bounty scope. So, if you find a way to bypass or weaken DOMPurify, please also have a look at their website and the [bug bounty info](https://www.fastmail.com/about/bugbounty/).
|
|
105
105
|
|
|
106
106
|
## Some purification samples please?
|
|
107
107
|
|
|
@@ -130,7 +130,7 @@ DOMPurify also exposes a property called `isSupported`, which tells you whether
|
|
|
130
130
|
|
|
131
131
|
## What about DOMPurify and Trusted Types?
|
|
132
132
|
|
|
133
|
-
In version 1.0.9, support for [Trusted Types API](https://github.com/
|
|
133
|
+
In version 1.0.9, support for [Trusted Types API](https://github.com/w3c/webappsec-trusted-types) was added to DOMPurify.
|
|
134
134
|
In version 2.0.0, a config flag was added to control DOMPurify's behavior regarding this.
|
|
135
135
|
|
|
136
136
|
When `DOMPurify.sanitize` is used in an environment where the Trusted Types API is available and `RETURN_TRUSTED_TYPE` is set to `true`, it tries to return a `TrustedHTML` value instead of a string (the behavior for `RETURN_DOM` and `RETURN_DOM_FRAGMENT` config options does not change).
|
|
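Review bot: new line 133 completes the link, but the behaviour it introduces is still described on line 136 as "tries to return a `TrustedHTML` value", which leaves the caller guessing what the return type is when the Trusted Types API is missing or a policy cannot be created; document the fallback explicitly (plain string, or an exception), because code that assigns the result to an `innerHTML` sink under a Trusted Types policy behaves differently in each case and a silent downgrade to a string is the case that surprises people in production.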
@@ -185,14 +185,17 @@ var clean = DOMPurify.sanitize(dirty, {ADD_TAGS: ['my-tag']});
|
|
|
185
185
|
// extend the existing array of allowed attributes and add my-attr to allow-list
|
|
186
186
|
var clean = DOMPurify.sanitize(dirty, {ADD_ATTR: ['my-attr']});
|
|
187
187
|
|
|
188
|
+
// prohibit ARIA attributes, leave other safe HTML as is (default is true)
|
|
189
|
+
var clean = DOMPurify.sanitize(dirty, {ALLOW_ARIA_ATTR: false});
|
|
190
|
+
|
|
188
191
|
// prohibit HTML5 data attributes, leave other safe HTML as is (default is true)
|
|
189
192
|
var clean = DOMPurify.sanitize(dirty, {ALLOW_DATA_ATTR: false});
|
|
190
193
|
|
|
191
194
|
/**
|
|
192
195
|
* Control behavior relating to Custom Elements
|
|
193
196
|
*/
|
|
194
|
-
|
|
195
|
-
// DOMPurify allows to define rules for Custom Elements. When using the CUSTOM_ELEMENT_HANDLING
|
|
197
|
+
|
|
198
|
+
// DOMPurify allows to define rules for Custom Elements. When using the CUSTOM_ELEMENT_HANDLING
|
|
196
199
|
// literal, it is possible to define exactly what elements you wish to allow (by default, none are allowed).
|
|
197
200
|
//
|
|
198
201
|
// The same goes for their attributes. By default, the built-in or configured allow.list is used.
|
|
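Review bot: the new `ALLOW_ARIA_ATTR: false` example (lines 188-189) copies the data-attribute comment word for word, so it tells the reader how to turn ARIA attributes off but not when that is warranted given they are on by default; one clause on the trade-off (keeping accessibility markup versus shrinking the accepted attribute surface) would make the flag usable, and the same applies to the `ALLOW_DATA_ATTR` comment it was cloned from.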
@@ -211,7 +214,7 @@ var clean = DOMPurify.sanitize(
|
|
|
211
214
|
},
|
|
212
215
|
}
|
|
213
216
|
); // <div is=""></div>
|
|
214
|
-
|
|
217
|
+
|
|
215
218
|
var clean = DOMPurify.sanitize(
|
|
216
219
|
'<foo-bar baz="foobar" forbidden="true"></foo-bar><div is="foo-baz"></div>',
|
|
217
220
|
{
|
|
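Review bot: this hunk, the preceding one (lines 194-195 removed and re-added unchanged as 197-198) and the next one at `@@ -222,7 +225,7 @@` each remove and re-add lines with no visible content change (here a single blank line, 214/217), i.e. whitespace-only churn, presumably trailing whitespace or line endings; land that kind of cleanup in its own commit or mention it in the commit message so the README diff between 2.3.4 and 2.3.7 only shows real changes.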
@@ -222,7 +225,7 @@ var clean = DOMPurify.sanitize(
|
|
|
222
225
|
},
|
|
223
226
|
}
|
|
224
227
|
); // <foo-bar baz="foobar"></foo-bar><div is=""></div>
|
|
225
|
-
|
|
228
|
+
|
|
226
229
|
var clean = DOMPurify.sanitize(
|
|
227
230
|
'<foo-bar baz="foobar" forbidden="true"></foo-bar><div is="foo-baz"></div>',
|
|
228
231
|
{
|
|
@@ -319,15 +322,14 @@ It passes the currently processed DOM node, when needed a literal with verified
|
|
|
319
322
|
_Example_:
|
|
320
323
|
|
|
321
324
|
```js
|
|
322
|
-
DOMPurify.addHook(
|
|
323
|
-
|
|
324
|
-
hookEvent,
|
|
325
|
-
|
|
326
|
-
)
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
});
|
|
325
|
+
DOMPurify.addHook(
|
|
326
|
+
'beforeSanitizeElements',
|
|
327
|
+
function (currentNode, hookEvent, config) {
|
|
328
|
+
// Do something with the current node and return it
|
|
329
|
+
// You can also mutate hookEvent (i.e. set hookEvent.forceKeepAttr = true)
|
|
330
|
+
return currentNode;
|
|
331
|
+
}
|
|
332
|
+
);
|
|
331
333
|
```
|
|
332
334
|
|
|
333
335
|
## Continuous Integration
|
|
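Review bot: the new example registers a `beforeSanitizeElements` hook (line 326) but its comment on line 329 tells the reader to "set hookEvent.forceKeepAttr = true", and the context line above the example says the `hookEvent` literal is passed only "when needed"; the comment should name the hook(s) whose event object actually carries `forceKeepAttr` rather than implying every hook, this element-level one included, receives it. Since `forceKeepAttr` by its name makes the sanitizer keep an attribute it would otherwise strip, the comment should also say that setting it bypasses the allow-list and is only safe after the hook has validated the value itself. Minor: "i.e." should be "e.g.", and `config` on line 327 is accepted but never used, so either use it or drop it from the signature shown.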
@@ -340,9 +342,9 @@ All relevant commits will be signed with the key `0x24BB6BF4` for additional sec
|
|
|
340
342
|
|
|
341
343
|
### Development and contributing
|
|
342
344
|
|
|
343
|
-
#### Installation (`
|
|
345
|
+
#### Installation (`npm i`)
|
|
344
346
|
|
|
345
|
-
We support
|
|
347
|
+
We support `npm` officially. GitHub Actions workflow is configured to install dependencies using `npm`. When using deprecated version of `npm` we can not fully ensure the versions of installed dependencies which might lead to unanticipated problems.
|
|
346
348
|
|
|
347
349
|
#### Scripts
|
|
348
350
|
|
|
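Review bot: the new line 347 is vague where it needs to be precise: "deprecated version of `npm`" does not tell a contributor which npm version is required, and "can not fully ensure the versions of installed dependencies" describes a lockfile problem without naming the fix; state the minimum npm version, and have both the instructions and the GitHub Actions workflow use `npm ci`, which installs exactly what package-lock.json pins and fails if the lockfile and package.json disagree, instead of `npm i` (heading, line 345), which may rewrite the lockfile. Grammar: "a deprecated version", "cannot".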
@@ -360,7 +362,7 @@ These are our npm scripts:
|
|
|
360
362
|
- `npm run build:umd` to only build an unminified UMD module
|
|
361
363
|
- `npm run build:umd:min` to only build a minified UMD module
|
|
362
364
|
|
|
363
|
-
Note: all run scripts triggered via `npm run <script
|
|
365
|
+
Note: all run scripts triggered via `npm run <script>`.
|
|
364
366
|
|
|
365
367
|
There are more npm scripts but they are mainly to integrate with CI or are meant to be "private" for instance to amend build distribution files with every commit.
|
|
366
368
|
|
|
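Review bot: the completed line 365 is not a sentence ("Note: all run scripts triggered via `npm run <script>`."); it needs a verb, e.g. "Note: all scripts are run via `npm run <script>`."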
@@ -376,9 +378,10 @@ Feature releases will not be announced to this list.
|
|
|
376
378
|
|
|
377
379
|
Many people helped and help DOMPurify become what it is and need to be acknowledged here!
|
|
378
380
|
|
|
379
|
-
[
|
|
381
|
+
[JGraph 💸](https://github.com/jgraph), [Sentry 💸](https://github.com/getsentry), [jarrodldavis 💸](https://github.com/jarrodldavis), [GrantGryczan](https://github.com/GrantGryczan), [Lowdefy 💸](https://twitter.com/lowdefy), [granlem ](https://twitter.com/MaximeVeit), [oreoshake ](https://github.com/oreoshake), [dcramer 💸](https://github.com/dcramer),[tdeekens ❤️](https://github.com/tdeekens), [peernohell ❤️](https://github.com/peernohell), [is2ei](https://github.com/is2ei), [franktopel](https://github.com/franktopel), [NateScarlet](https://github.com/NateScarlet), [neilj](https://github.com/neilj), [fhemberger](https://github.com/fhemberger), [Joris-van-der-Wel](https://github.com/Joris-van-der-Wel), [ydaniv](https://github.com/ydaniv), [terjanq](https://twitter.com/terjanq), [filedescriptor](https://github.com/filedescriptor), [ConradIrwin](https://github.com/ConradIrwin), [gibson042](https://github.com/gibson042), [choumx](https://github.com/choumx), [0xSobky](https://github.com/0xSobky), [styfle](https://github.com/styfle), [koto](https://github.com/koto), [tlau88](https://github.com/tlau88), [strugee](https://github.com/strugee), [oparoz](https://github.com/oparoz), [mathiasbynens](https://github.com/mathiasbynens), [edg2s](https://github.com/edg2s), [dnkolegov](https://github.com/dnkolegov), [dhardtke](https://github.com/dhardtke), [wirehead](https://github.com/wirehead), [thorn0](https://github.com/thorn0), [styu](https://github.com/styu), [mozfreddyb](https://github.com/mozfreddyb), [mikesamuel](https://github.com/mikesamuel), [jorangreef](https://github.com/jorangreef), [jimmyhchan](https://github.com/jimmyhchan), [jameydeorio](https://github.com/jameydeorio), [jameskraus](https://github.com/jameskraus), [hyderali](https://github.com/hyderali), [hansottowirtz](https://github.com/hansottowirtz), [hackvertor](https://github.com/hackvertor), [freddyb](https://github.com/freddyb), [flavorjones](https://github.com/flavorjones), 
[djfarrelly](https://github.com/djfarrelly), [devd](https://github.com/devd), [camerondunford](https://github.com/camerondunford), [buu700](https://github.com/buu700), [buildog](https://github.com/buildog), [alabiaga](https://github.com/alabiaga), [Vector919](https://github.com/Vector919), [Robbert](https://github.com/Robbert), [GreLI](https://github.com/GreLI), [FuzzySockets](https://github.com/FuzzySockets), [ArtemBernatskyy](https://github.com/ArtemBernatskyy), [@garethheyes](https://twitter.com/garethheyes), [@shafigullin](https://twitter.com/shafigullin), [@mmrupp](https://twitter.com/mmrupp), [@irsdl](https://twitter.com/irsdl),[ShikariSenpai](https://github.com/ShikariSenpai), [ansjdnakjdnajkd](https://github.com/ansjdnakjdnajkd), [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro), [@CmdEngineer\_](https://twitter.com/CmdEngineer_), [@avr4mit](https://twitter.com/avr4mit) and especially [@securitymb ❤️](https://twitter.com/securitymb) & [@masatokinugawa ❤️](https://twitter.com/masatokinugawa)
|
|
380
382
|
|
|
381
383
|
## Testing powered by
|
|
384
|
+
|
|
382
385
|
<a target="_blank" href="https://www.browserstack.com/"><img width="200" src="https://www.browserstack.com/images/layout/browserstack-logo-600x315.png"></a><br>
|
|
383
386
|
|
|
384
387
|
And last but not least, thanks to [BrowserStack Open-Source Program](https://www.browserstack.com/open-source) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.
|
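Review bot: minor spacing in the rebuilt acknowledgements line 381: ",[tdeekens" and ",[ShikariSenpai" lack the space after the comma that every other entry has, and "[granlem ]" and "[oreoshake ]" carry a stray trailing space inside the link text.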