dompurify 2.3.7 → 2.3.10
- package/README.md +1 -1
- package/dist/purify.cjs.js +50 -22
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +50 -22
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +50 -22
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
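--- a/package/README.md
+++ b/package/README.md
@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.10.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 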
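--- a/package/dist/purify.cjs.js
+++ b/package/dist/purify.cjs.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.10/LICENSE */
 
 'use strict';
 
@@ -151,7 +151,9 @@ function unconstruct(func) {
 }
 /* Add properties to a lookup table */
 
-function addToSet(set, array) {
+function addToSet(set, array, transformCaseFunc) {
+transformCaseFunc = transformCaseFunc ? transformCaseFunc : stringToLowerCase;
+
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
 // independent of any properties defined on Object.prototype.
@@ -165,7 +167,7 @@ function addToSet(set, array) {
 var element = array[l];
 
 if (typeof element === 'string') {
-var lcElement =
+var lcElement = transformCaseFunc(element);
 
 if (lcElement !== element) {
 // Config presets (e.g. tags.js, attrs.js) are immutable.
@@ -294,6 +296,9 @@ var _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
 return trustedTypes.createPolicy(policyName, {
 createHTML: function createHTML(html) {
 return html;
+},
+createScriptURL: function createScriptURL(scriptUrl) {
+return scriptUrl;
 }
 });
 } catch (_) {
@@ -317,7 +322,7 @@ function createDOMPurify() {
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.10';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -547,15 +552,29 @@ function createDOMPurify() {
 
 
 cfg = clone(cfg);
+PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
+SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
+
+transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
+return x;
+} : stringToLowerCase;
 /* Set configuration parameters */
 
-ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS;
-ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR) : DEFAULT_ALLOWED_ATTR;
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
-
-
-
-
+ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), // eslint-disable-line indent
+cfg.ADD_URI_SAFE_ATTR, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_URI_SAFE_ATTRIBUTES;
+DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), // eslint-disable-line indent
+cfg.ADD_DATA_URI_TAGS, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_DATA_URI_TAGS;
+FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
 USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 
@@ -596,13 +615,6 @@ function createDOMPurify() {
 CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
 }
 
-PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
-SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
-
-transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
-return x;
-} : stringToLowerCase;
-
 if (SAFE_FOR_TEMPLATES) {
 ALLOW_DATA_ATTR = false;
 }
@@ -648,7 +660,7 @@ function createDOMPurify() {
 ALLOWED_TAGS = clone(ALLOWED_TAGS);
 }
 
-addToSet(ALLOWED_TAGS, cfg.ADD_TAGS);
+addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
 }
 
 if (cfg.ADD_ATTR) {
@@ -656,11 +668,11 @@ function createDOMPurify() {
 ALLOWED_ATTR = clone(ALLOWED_ATTR);
 }
 
-addToSet(ALLOWED_ATTR, cfg.ADD_ATTR);
+addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
 }
 
 if (cfg.ADD_URI_SAFE_ATTR) {
-addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
+addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
 }
 
 if (cfg.FORBID_CONTENTS) {
@@ -668,7 +680,7 @@ function createDOMPurify() {
 FORBID_CONTENTS = clone(FORBID_CONTENTS);
 }
 
-addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
+addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
 }
 /* Add #text in case KEEP_CONTENT is set to true */
 
@@ -1240,6 +1252,22 @@ function createDOMPurify() {
 if (!_isValidAttribute(lcTag, lcName, value)) {
 continue;
 }
+/* Handle attributes that require Trusted Types */
+
+
+if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
+if (namespaceURI) ; else {
+switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+case 'TrustedHTML':
+value = trustedTypesPolicy.createHTML(value);
+break;
+
+case 'TrustedScriptURL':
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
+}
+}
 /* Handle invalid data-* attribute set by try-catching it */
 
 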
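Review bot: The new Trusted Types block in the last hunk (`if (namespaceURI) ; else { switch (trustedTypes.getAttributeType(lcTag, lcName)) ... }`) skips every namespaced attribute via an empty statement and handles only `'TrustedHTML'` and `'TrustedScriptURL'` with no `default`, and nothing on the new side says either is deliberate. Since the policy's `createHTML`/`createScriptURL` are pass-throughs (hunk at `_createTrustedTypesPolicy`), the wrapping adds no sanitization of its own; it is safe only because `_isValidAttribute(lcTag, lcName, value)` has already accepted `value` on the line above, so that ordering is load-bearing and should be pinned. A type the switch does not cover (presumably `'TrustedScript'`, which `getAttributeType` reports for event-handler attributes if a caller has allowed one through ADD_ATTR) falls through unwrapped; I infer the `setAttribute` that follows then throws under an enforcing policy and the try/catch noted on the next line drops the attribute, but that should be stated rather than left to the reader. Suggested comment above the `if`: `/* Only HTML-namespace attributes are typed here; the policy is a pass-through, so value must already have passed _isValidAttribute above. Types not listed below (e.g. TrustedScript) stay unwrapped and are rejected by the setAttribute try/catch under an enforcing policy. */`. The enclosing attribute loop starts and ends outside this hunk.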