dompurify 2.3.7 → 2.3.10

package/dist/purify.es.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 2.3.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.7/LICENSE */
1
+ /*! @license DOMPurify 2.3.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.10/LICENSE */
2
2
 
3
3
  function _typeof(obj) {
4
4
  "@babel/helpers - typeof";
@@ -149,7 +149,9 @@ function unconstruct(func) {
149
149
  }
150
150
  /* Add properties to a lookup table */
151
151
 
152
- function addToSet(set, array) {
152
+ function addToSet(set, array, transformCaseFunc) {
153
+ transformCaseFunc = transformCaseFunc ? transformCaseFunc : stringToLowerCase;
154
+
153
155
  if (setPrototypeOf) {
154
156
  // Make 'in' and truthy checks like Boolean(set.constructor)
155
157
  // independent of any properties defined on Object.prototype.
@@ -163,7 +165,7 @@ function addToSet(set, array) {
163
165
  var element = array[l];
164
166
 
165
167
  if (typeof element === 'string') {
166
- var lcElement = stringToLowerCase(element);
168
+ var lcElement = transformCaseFunc(element);
167
169
 
168
170
  if (lcElement !== element) {
169
171
  // Config presets (e.g. tags.js, attrs.js) are immutable.
@@ -292,6 +294,9 @@ var _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
292
294
  return trustedTypes.createPolicy(policyName, {
293
295
  createHTML: function createHTML(html) {
294
296
  return html;
297
+ },
298
+ createScriptURL: function createScriptURL(scriptUrl) {
299
+ return scriptUrl;
295
300
  }
296
301
  });
297
302
  } catch (_) {
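Review bot: The new `createScriptURL` factory at the bottom of this hunk, like the existing `createHTML` beside it, returns its argument unchanged, so the policy itself validates nothing; it only converts strings DOMPurify has already accepted into Trusted Types objects, and nothing in the code says so, which invites a later reader to treat the policy as a sanitization step. Suggest a comment above `createHTML`: `// Identity factories: callers are expected to pass only values DOMPurify has already accepted; the policy performs no sanitization of its own.` The call sites visible later on this page sit after the `_isValidAttribute` gate, which is consistent with that contract, but other uses of `createHTML` are not visible here. The enclosing `_createTrustedTypesPolicy` starts outside the hunk, so the policy name and the surrounding try/catch are not shown.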
@@ -315,7 +320,7 @@ function createDOMPurify() {
315
320
  */
316
321
 
317
322
 
318
- DOMPurify.version = '2.3.7';
323
+ DOMPurify.version = '2.3.10';
319
324
  /**
320
325
  * Array of elements that DOMPurify removed during sanitation.
321
326
  * Empty if nothing was removed.
@@ -545,15 +550,29 @@ function createDOMPurify() {
545
550
 
546
551
 
547
552
  cfg = clone(cfg);
553
+ PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
554
+ SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
555
+
556
+ transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
557
+ return x;
558
+ } : stringToLowerCase;
548
559
  /* Set configuration parameters */
549
560
 
550
- ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS;
551
- ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR) : DEFAULT_ALLOWED_ATTR;
552
- URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR) : DEFAULT_URI_SAFE_ATTRIBUTES;
553
- DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS) : DEFAULT_DATA_URI_TAGS;
554
- FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS) : DEFAULT_FORBID_CONTENTS;
555
- FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS) : {};
556
- FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR) : {};
561
+ ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
562
+ ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
563
+ URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), // eslint-disable-line indent
564
+ cfg.ADD_URI_SAFE_ATTR, // eslint-disable-line indent
565
+ transformCaseFunc // eslint-disable-line indent
566
+ ) // eslint-disable-line indent
567
+ : DEFAULT_URI_SAFE_ATTRIBUTES;
568
+ DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), // eslint-disable-line indent
569
+ cfg.ADD_DATA_URI_TAGS, // eslint-disable-line indent
570
+ transformCaseFunc // eslint-disable-line indent
571
+ ) // eslint-disable-line indent
572
+ : DEFAULT_DATA_URI_TAGS;
573
+ FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
574
+ FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
575
+ FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
557
576
  USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
558
577
  ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
559
578
 
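Review bot: The `PARSER_MEDIA_TYPE`/`transformCaseFunc` block moved to the top of this hunk carries no comment explaining why it must now precede the allowlist assignments; because `transformCaseFunc` is assigned here without a declaration, moving it back below them (the position the next hunk removes) would hand each `addToSet(..., transformCaseFunc)` call either `undefined`, which `addToSet` silently maps to `stringToLowerCase`, or presumably the value left over from an earlier configuration. Suggest adding above the `PARSER_MEDIA_TYPE =` line: `// Must be computed before the addToSet calls below, which receive transformCaseFunc as their case-normalizer.` The nested assignments inside the ternary (`? PARSER_MEDIA_TYPE = ... : PARSER_MEDIA_TYPE = ...`) are pre-existing transpiler output and not raised here. The enclosing function continues outside the hunk.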
@@ -594,13 +613,6 @@ function createDOMPurify() {
594
613
  CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
595
614
  }
596
615
 
597
- PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
598
- SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
599
-
600
- transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
601
- return x;
602
- } : stringToLowerCase;
603
-
604
616
  if (SAFE_FOR_TEMPLATES) {
605
617
  ALLOW_DATA_ATTR = false;
606
618
  }
@@ -646,7 +658,7 @@ function createDOMPurify() {
646
658
  ALLOWED_TAGS = clone(ALLOWED_TAGS);
647
659
  }
648
660
 
649
- addToSet(ALLOWED_TAGS, cfg.ADD_TAGS);
661
+ addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
650
662
  }
651
663
 
652
664
  if (cfg.ADD_ATTR) {
@@ -654,11 +666,11 @@ function createDOMPurify() {
654
666
  ALLOWED_ATTR = clone(ALLOWED_ATTR);
655
667
  }
656
668
 
657
- addToSet(ALLOWED_ATTR, cfg.ADD_ATTR);
669
+ addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
658
670
  }
659
671
 
660
672
  if (cfg.ADD_URI_SAFE_ATTR) {
661
- addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
673
+ addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
662
674
  }
663
675
 
664
676
  if (cfg.FORBID_CONTENTS) {
@@ -666,7 +678,7 @@ function createDOMPurify() {
666
678
  FORBID_CONTENTS = clone(FORBID_CONTENTS);
667
679
  }
668
680
 
669
- addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
681
+ addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
670
682
  }
671
683
  /* Add #text in case KEEP_CONTENT is set to true */
672
684
 
@@ -1238,6 +1250,22 @@ function createDOMPurify() {
1238
1250
  if (!_isValidAttribute(lcTag, lcName, value)) {
1239
1251
  continue;
1240
1252
  }
1253
+ /* Handle attributes that require Trusted Types */
1254
+
1255
+
1256
+ if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
1257
+ if (namespaceURI) ; else {
1258
+ switch (trustedTypes.getAttributeType(lcTag, lcName)) {
1259
+ case 'TrustedHTML':
1260
+ value = trustedTypesPolicy.createHTML(value);
1261
+ break;
1262
+
1263
+ case 'TrustedScriptURL':
1264
+ value = trustedTypesPolicy.createScriptURL(value);
1265
+ break;
1266
+ }
1267
+ }
1268
+ }
1241
1269
  /* Handle invalid data-* attribute set by try-catching it */
1242
1270
 
1243
1271