dompurify 2.3.9 → 2.3.10
- package/README.md +1 -1
- package/dist/purify.cjs.js +21 -2
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +21 -2
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +21 -2
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
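--- a/package/README.md
+++ b/package/README.md
@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.3.10.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 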
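--- a/package/dist/purify.cjs.js
+++ b/package/dist/purify.cjs.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.10/LICENSE */
 
 'use strict';
 
@@ -296,6 +296,9 @@ var _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
 return trustedTypes.createPolicy(policyName, {
 createHTML: function createHTML(html) {
 return html;
+},
+createScriptURL: function createScriptURL(scriptUrl) {
+return scriptUrl;
 }
 });
 } catch (_) {
@@ -319,7 +322,7 @@ function createDOMPurify() {
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.10';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -1249,6 +1252,22 @@ function createDOMPurify() {
 if (!_isValidAttribute(lcTag, lcName, value)) {
 continue;
 }
+/* Handle attributes that require Trusted Types */
+
+
+if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
+if (namespaceURI) ; else {
+switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+case 'TrustedHTML':
+value = trustedTypesPolicy.createHTML(value);
+break;
+
+case 'TrustedScriptURL':
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
+}
+}
 /* Handle invalid data-* attribute set by try-catching it */
 
 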
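Review bot: The new `createScriptURL` callback in `_createTrustedTypesPolicy` returns its argument unchanged, as `createHTML` already does, so the `switch` added in the attribute loop turns any value that passed `_isValidAttribute` into a `TrustedScriptURL` or `TrustedHTML` with no check specific to that sink. That leaves the preceding `_isValidAttribute` call as the only gate in front of a Trusted Types sink, and nothing in the hunk records that ordering dependency. I would add a comment above the `switch`, for example `/* value has already passed _isValidAttribute; the policy callbacks are pass-through and do no validation of their own */`. The empty branch in `if (namespaceURI) ; else {` should also say why namespaced attributes are skipped; this file looks like build output, so both comments probably belong in the source module. The enclosing attribute loop starts and ends outside the hunk.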