dompurify 2.3.8 → 2.3.9
- package/README.md +1 -1
- package/dist/purify.cjs.js +31 -22
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +31 -22
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +31 -22
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
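--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.9/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -155,7 +155,9 @@
 }
 /* Add properties to a lookup table */
 
-function addToSet(set, array) {
+function addToSet(set, array, transformCaseFunc) {
+transformCaseFunc = transformCaseFunc ? transformCaseFunc : stringToLowerCase;
+
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
 // independent of any properties defined on Object.prototype.
@@ -169,7 +171,7 @@
 var element = array[l];
 
 if (typeof element === 'string') {
-var lcElement =
+var lcElement = transformCaseFunc(element);
 
 if (lcElement !== element) {
 // Config presets (e.g. tags.js, attrs.js) are immutable.
@@ -321,7 +323,7 @@
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.9';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -551,15 +553,29 @@
 
 
 cfg = clone(cfg);
+PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
+SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
+
+transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
+return x;
+} : stringToLowerCase;
 /* Set configuration parameters */
 
-ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS;
-ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR) : DEFAULT_ALLOWED_ATTR;
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
-
-
-
-
+ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), // eslint-disable-line indent
+cfg.ADD_URI_SAFE_ATTR, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_URI_SAFE_ATTRIBUTES;
+DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS), // eslint-disable-line indent
+cfg.ADD_DATA_URI_TAGS, // eslint-disable-line indent
+transformCaseFunc // eslint-disable-line indent
+) // eslint-disable-line indent
+: DEFAULT_DATA_URI_TAGS;
+FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
 USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 
@@ -600,13 +616,6 @@
 CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
 }
 
-PARSER_MEDIA_TYPE = // eslint-disable-next-line unicorn/prefer-includes
-SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE : PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE; // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
-
-transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? function (x) {
-return x;
-} : stringToLowerCase;
-
 if (SAFE_FOR_TEMPLATES) {
 ALLOW_DATA_ATTR = false;
 }
@@ -652,7 +661,7 @@
 ALLOWED_TAGS = clone(ALLOWED_TAGS);
 }
 
-addToSet(ALLOWED_TAGS, cfg.ADD_TAGS);
+addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
 }
 
 if (cfg.ADD_ATTR) {
@@ -660,11 +669,11 @@
 ALLOWED_ATTR = clone(ALLOWED_ATTR);
 }
 
-addToSet(ALLOWED_ATTR, cfg.ADD_ATTR);
+addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
 }
 
 if (cfg.ADD_URI_SAFE_ATTR) {
-addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
+addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
 }
 
 if (cfg.FORBID_CONTENTS) {
@@ -672,7 +681,7 @@
 FORBID_CONTENTS = clone(FORBID_CONTENTS);
 }
 
-addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
+addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
 }
 /* Add #text in case KEEP_CONTENT is set to true */
 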
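Review bot: In the hunk at `@@ -551,15 +553,29 @@`, `FORBID_TAGS`, `FORBID_ATTR` and `FORBID_CONTENTS` are now built with `transformCaseFunc`, which is the identity function when `PARSER_MEDIA_TYPE` is `'application/xhtml+xml'`, so deny-list entries a caller wrote in upper or mixed case are no longer folded to lowercase in that mode. If element and attribute names are looked up with the same transform (that code is outside these hunks), an entry such as `'SCRIPT'` would stop matching a lowercase `script` element and the list would fail open with no warning. The configuration function's body starts and ends outside the hunk, so this is inferred from the visible lines only. I would at least state the contract next to the assignment, e.g. `// XHTML mode: FORBID_* / ALLOWED_* entries are matched case-sensitively; callers must supply the exact case.`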