dompurify 2.3.8 → 2.3.9
- package/README.md +1 -1
- package/dist/purify.cjs.js +31 -22
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +31 -22
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +31 -22
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
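--- a/package/README.md
+++ b/package/README.md
@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.9.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 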
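--- a/package/dist/purify.cjs.js
+++ b/package/dist/purify.cjs.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.9/LICENSE */
 
 'use strict';
 
@@ -151,7 +151,9 @@ function unconstruct(func) {
 }
 /* Add properties to a lookup table */
 
-function addToSet(set, array) {
+function addToSet(set, array, transformCaseFunc) {
+transformCaseFunc = transformCaseFunc ? transformCaseFunc : stringToLowerCase;
+
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
 // independent of any properties defined on Object.prototype.
@@ -165,7 +167,7 @@ function addToSet(set, array) {
 var element = array[l];
 
 if (typeof element === 'string') {
-var lcElement =
+var lcElement = transformCaseFunc(element);
 
 if (lcElement !== element) {
 // Config presets (e.g. tags.js, attrs.js) are immutable.
@@ -317,7 +319,7 @@ function createDOMPurify() {
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.9';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -547,15 +549,29 @@ function createDOMPurify() {
 
 
 cfg = clone(cfg);
+PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
+SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
+
+transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
+return x;
+} : stringToLowerCase;
 /* Set configuration parameters */
 
-ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS;
-ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR) : DEFAULT_ALLOWED_ATTR;
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
-
-
-
-
+ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), // eslint-disable-line indent
+cfg.ADD_URI_SAFE_ATTR, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_URI_SAFE_ATTRIBUTES;
+DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), // eslint-disable-line indent
+cfg.ADD_DATA_URI_TAGS, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_DATA_URI_TAGS;
+FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
 USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 
@@ -596,13 +612,6 @@ function createDOMPurify() {
 CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
 }
 
-PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
-SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
-
-transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
-return x;
-} : stringToLowerCase;
-
 if (SAFE_FOR_TEMPLATES) {
 ALLOW_DATA_ATTR = false;
 }
@@ -648,7 +657,7 @@ function createDOMPurify() {
 ALLOWED_TAGS = clone(ALLOWED_TAGS);
 }
 
-addToSet(ALLOWED_TAGS, cfg.ADD_TAGS);
+addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
 }
 
 if (cfg.ADD_ATTR) {
@@ -656,11 +665,11 @@ function createDOMPurify() {
 ALLOWED_ATTR = clone(ALLOWED_ATTR);
 }
 
-addToSet(ALLOWED_ATTR, cfg.ADD_ATTR);
+addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
 }
 
 if (cfg.ADD_URI_SAFE_ATTR) {
-addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
+addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
 }
 
 if (cfg.FORBID_CONTENTS) {
@@ -668,7 +677,7 @@ function createDOMPurify() {
 FORBID_CONTENTS = clone(FORBID_CONTENTS);
 }
 
-addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
+addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
 }
 /* Add #text in case KEEP_CONTENT is set to true */
 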