dompurify 2.3.7 → 2.3.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/dist/purify.cjs.js +50 -22
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +50 -22
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +50 -22
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
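--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.10/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -155,7 +155,9 @@
 }
 /* Add properties to a lookup table */
 
-function addToSet(set, array) {
+function addToSet(set, array, transformCaseFunc) {
+transformCaseFunc = transformCaseFunc ? transformCaseFunc : stringToLowerCase;
+
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
 // independent of any properties defined on Object.prototype.
@@ -169,7 +171,7 @@
 var element = array[l];
 
 if (typeof element === 'string') {
-var lcElement =
+var lcElement = transformCaseFunc(element);
 
 if (lcElement !== element) {
 // Config presets (e.g. tags.js, attrs.js) are immutable.
@@ -298,6 +300,9 @@
 return trustedTypes.createPolicy(policyName, {
 createHTML: function createHTML(html) {
 return html;
+},
+createScriptURL: function createScriptURL(scriptUrl) {
+return scriptUrl;
 }
 });
 } catch (_) {
@@ -321,7 +326,7 @@
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.10';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -551,15 +556,29 @@
 
 
 cfg = clone(cfg);
+PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
+SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
+
+transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
+return x;
+} : stringToLowerCase;
 /* Set configuration parameters */
 
-ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS;
-ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR) : DEFAULT_ALLOWED_ATTR;
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
-
-
-
-
+ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), // eslint-disable-line indent
+cfg.ADD_URI_SAFE_ATTR, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_URI_SAFE_ATTRIBUTES;
+DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), // eslint-disable-line indent
+cfg.ADD_DATA_URI_TAGS, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_DATA_URI_TAGS;
+FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
 USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 
@@ -600,13 +619,6 @@
 CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
 }
 
-PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
-SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
-
-transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
-return x;
-} : stringToLowerCase;
-
 if (SAFE_FOR_TEMPLATES) {
 ALLOW_DATA_ATTR = false;
 }
@@ -652,7 +664,7 @@
 ALLOWED_TAGS = clone(ALLOWED_TAGS);
 }
 
-addToSet(ALLOWED_TAGS, cfg.ADD_TAGS);
+addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
 }
 
 if (cfg.ADD_ATTR) {
@@ -660,11 +672,11 @@
 ALLOWED_ATTR = clone(ALLOWED_ATTR);
 }
 
-addToSet(ALLOWED_ATTR, cfg.ADD_ATTR);
+addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
 }
 
 if (cfg.ADD_URI_SAFE_ATTR) {
-addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
+addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
 }
 
 if (cfg.FORBID_CONTENTS) {
@@ -672,7 +684,7 @@
 FORBID_CONTENTS = clone(FORBID_CONTENTS);
 }
 
-addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
+addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
 }
 /* Add #text in case KEEP_CONTENT is set to true */
 
@@ -1244,6 +1256,22 @@
 if (!_isValidAttribute(lcTag, lcName, value)) {
 continue;
 }
+/* Handle attributes that require Trusted Types */
+
+
+if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
+if (namespaceURI) ; else {
+switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+case 'TrustedHTML':
+value = trustedTypesPolicy.createHTML(value);
+break;
+
+case 'TrustedScriptURL':
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
+}
+}
 /* Handle invalid data-* attribute set by try-catching it */
 
 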
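Review bot: The Trusted Types branch added at new lines 1262–1274 performs no validation of its own, because the `createScriptURL` registered in the `createPolicy` hunk (new lines 303–305) returns `scriptUrl` unchanged, so the only thing standing between an attribute value and a `TrustedScriptURL` object is the `_isValidAttribute(lcTag, lcName, value)` check directly above it; that ordering deserves a comment such as `/* Identity policy: value has already passed _isValidAttribute above, so this block must stay after that check */`. The `if (namespaceURI) ; else {` on new line 1263 is an empty-statement guard that reads like a typo; `if (!namespaceURI) {` expresses the same condition. Where `namespaceURI` is bound and how `value` is consumed once it is a TrustedHTML/TrustedScriptURL object rather than a string are outside the hunk, so whether later code expects a string there cannot be confirmed from this view. The enclosing attribute loop starts and ends outside the hunk.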