dompurify 2.3.9 → 2.3.12

@@ -0,0 +1,144 @@
1
+ export { purify as default };
2
+ declare function purify(root: any): {
3
+ (root: any): any;
4
+ /**
5
+ * Version label, exposed for easier checks
6
+ * if DOMPurify is up to date or not
7
+ */
8
+ version: string;
9
+ /**
10
+ * Array of elements that DOMPurify removed during sanitation.
11
+ * Empty if nothing was removed.
12
+ */
13
+ removed: any[];
14
+ isSupported: boolean;
15
+ /**
16
+ * Sanitize
17
+ * Public method providing core sanitation functionality
18
+ *
19
+ * @param {String|Node} dirty string or DOM node
20
+ * @param {Object} configuration object
21
+ */
22
+ sanitize(dirty: string | Node, ...args: any[]): any;
23
+ /**
24
+ * Public method to set the configuration once
25
+ * setConfig
26
+ *
27
+ * @param {Object} cfg configuration object
28
+ */
29
+ setConfig(cfg: any): void;
30
+ /**
31
+ * Public method to remove the configuration
32
+ * clearConfig
33
+ *
34
+ */
35
+ clearConfig(): void;
36
+ /**
37
+ * Public method to check if an attribute value is valid.
38
+ * Uses last set config, if any. Otherwise, uses config defaults.
39
+ * isValidAttribute
40
+ *
41
+ * @param {string} tag Tag name of containing element.
42
+ * @param {string} attr Attribute name.
43
+ * @param {string} value Attribute value.
44
+ * @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
45
+ */
46
+ isValidAttribute(tag: string, attr: string, value: string): boolean;
47
+ /**
48
+ * AddHook
49
+ * Public method to add DOMPurify hooks
50
+ *
51
+ * @param {String} entryPoint entry point for the hook to add
52
+ * @param {Function} hookFunction function to execute
53
+ */
54
+ addHook(entryPoint: string, hookFunction: Function): void;
55
+ /**
56
+ * RemoveHook
57
+ * Public method to remove a DOMPurify hook at a given entryPoint
58
+ * (pops it from the stack of hooks if more are present)
59
+ *
60
+ * @param {String} entryPoint entry point for the hook to remove
61
+ * @return {Function} removed(popped) hook
62
+ */
63
+ removeHook(entryPoint: string): Function;
64
+ /**
65
+ * RemoveHooks
66
+ * Public method to remove all DOMPurify hooks at a given entryPoint
67
+ *
68
+ * @param {String} entryPoint entry point for the hooks to remove
69
+ */
70
+ removeHooks(entryPoint: string): void;
71
+ /**
72
+ * RemoveAllHooks
73
+ * Public method to remove all DOMPurify hooks
74
+ *
75
+ */
76
+ removeAllHooks(): void;
77
+ };
78
+ declare namespace purify {
79
+ const version: string;
80
+ const removed: any[];
81
+ const isSupported: boolean;
82
+ /**
83
+ * Sanitize
84
+ * Public method providing core sanitation functionality
85
+ *
86
+ * @param {String|Node} dirty string or DOM node
87
+ * @param {Object} configuration object
88
+ */
89
+ function sanitize(dirty: string | Node, ...args: any[]): any;
90
+ /**
91
+ * Public method to set the configuration once
92
+ * setConfig
93
+ *
94
+ * @param {Object} cfg configuration object
95
+ */
96
+ function setConfig(cfg: any): void;
97
+ /**
98
+ * Public method to remove the configuration
99
+ * clearConfig
100
+ *
101
+ */
102
+ function clearConfig(): void;
103
+ /**
104
+ * Public method to check if an attribute value is valid.
105
+ * Uses last set config, if any. Otherwise, uses config defaults.
106
+ * isValidAttribute
107
+ *
108
+ * @param {string} tag Tag name of containing element.
109
+ * @param {string} attr Attribute name.
110
+ * @param {string} value Attribute value.
111
+ * @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
112
+ */
113
+ function isValidAttribute(tag: string, attr: string, value: string): boolean;
114
+ /**
115
+ * AddHook
116
+ * Public method to add DOMPurify hooks
117
+ *
118
+ * @param {String} entryPoint entry point for the hook to add
119
+ * @param {Function} hookFunction function to execute
120
+ */
121
+ function addHook(entryPoint: string, hookFunction: Function): void;
122
+ /**
123
+ * RemoveHook
124
+ * Public method to remove a DOMPurify hook at a given entryPoint
125
+ * (pops it from the stack of hooks if more are present)
126
+ *
127
+ * @param {String} entryPoint entry point for the hook to remove
128
+ * @return {Function} removed(popped) hook
129
+ */
130
+ function removeHook(entryPoint: string): Function;
131
+ /**
132
+ * RemoveHooks
133
+ * Public method to remove all DOMPurify hooks at a given entryPoint
134
+ *
135
+ * @param {String} entryPoint entry point for the hooks to remove
136
+ */
137
+ function removeHooks(entryPoint: string): void;
138
+ /**
139
+ * RemoveAllHooks
140
+ * Public method to remove all DOMPurify hooks
141
+ *
142
+ */
143
+ function removeAllHooks(): void;
144
+ }
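Review bot: Every configuration object in these declarations is typed `any` — `setConfig(cfg: any)` and the `...args: any[]` rest parameter on `sanitize` — so a misspelled option such as `SANITIZE_NAMED_PROP` or `KEEP_CONTENTS` compiles and is silently ignored at runtime, leaving the caller with DOMPurify's defaults instead of the stricter policy they intended. If this file is hand-maintained rather than emitted from the JSDoc, declare an interface for the documented keys (the ones visible in this diff are `SANITIZE_DOM`, `SANITIZE_NAMED_PROPS`, `KEEP_CONTENT`, `IN_PLACE` and `RETURN_TRUSTED_TYPE`) and use it in both places: `sanitize(dirty: string | Node, cfg?: Config): any;` and `setConfig(cfg: Config): void;`. The `any` return type on `sanitize` likewise hides that the result is presumably a Trusted Types object rather than a plain string when `RETURN_TRUSTED_TYPE` is set, which a caller that string-concatenates the result would not notice at compile time. The bare `Function` type on `addHook`/`removeHook` should be a concrete callback signature for the same reason.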
package/dist/purify.es.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 2.3.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.9/LICENSE */
1
+ /*! @license DOMPurify 2.3.12 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.12/LICENSE */
2
2
 
3
3
  function _typeof(obj) {
4
4
  "@babel/helpers - typeof";
@@ -294,6 +294,9 @@ var _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
294
294
  return trustedTypes.createPolicy(policyName, {
295
295
  createHTML: function createHTML(html) {
296
296
  return html;
297
+ },
298
+ createScriptURL: function createScriptURL(scriptUrl) {
299
+ return scriptUrl;
297
300
  }
298
301
  });
299
302
  } catch (_) {
@@ -317,7 +320,7 @@ function createDOMPurify() {
317
320
  */
318
321
 
319
322
 
320
- DOMPurify.version = '2.3.9';
323
+ DOMPurify.version = '2.3.12';
321
324
  /**
322
325
  * Array of elements that DOMPurify removed during sanitation.
323
326
  * Empty if nothing was removed.
@@ -475,9 +478,27 @@ function createDOMPurify() {
475
478
  * case Trusted Types are not supported */
476
479
 
477
480
  var RETURN_TRUSTED_TYPE = false;
478
- /* Output should be free from DOM clobbering attacks? */
481
+ /* Output should be free from DOM clobbering attacks?
482
+ * This sanitizes markups named with colliding, clobberable built-in DOM APIs.
483
+ */
479
484
 
480
485
  var SANITIZE_DOM = true;
486
+ /* Achieve full DOM Clobbering protection by isolating the namespace of named
487
+ * properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
488
+ *
489
+ * HTML/DOM spec rules that enable DOM Clobbering:
490
+ * - Named Access on Window (§7.3.3)
491
+ * - DOM Tree Accessors (§3.1.5)
492
+ * - Form Element Parent-Child Relations (§4.10.3)
493
+ * - Iframe srcdoc / Nested WindowProxies (§4.8.5)
494
+ * - HTMLCollection (§4.2.10.2)
495
+ *
496
+ * Namespace isolation is implemented by prefixing `id` and `name` attributes
497
+ * with a constant string, i.e., `user-content-`
498
+ */
499
+
500
+ var SANITIZE_NAMED_PROPS = false;
501
+ var SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
481
502
  /* Keep element content when removing element? */
482
503
 
483
504
  var KEEP_CONTENT = true;
@@ -591,6 +612,8 @@ function createDOMPurify() {
591
612
 
592
613
  SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
593
614
 
615
+ SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
616
+
594
617
  KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
595
618
 
596
619
  IN_PLACE = cfg.IN_PLACE || false; // Default false
@@ -1247,6 +1270,34 @@ function createDOMPurify() {
1247
1270
  if (!_isValidAttribute(lcTag, lcName, value)) {
1248
1271
  continue;
1249
1272
  }
1273
+ /* Full DOM Clobbering protection via namespace isolation,
1274
+ * Prefix id and name attributes with `user-content-`
1275
+ */
1276
+
1277
+
1278
+ if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
1279
+ // Remove the attribute with this value
1280
+ _removeAttribute(name, currentNode); // Prefix the value and later re-create the attribute with the sanitized value
1281
+
1282
+
1283
+ value = SANITIZE_NAMED_PROPS_PREFIX + value;
1284
+ }
1285
+ /* Handle attributes that require Trusted Types */
1286
+
1287
+
1288
+ if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
1289
+ if (namespaceURI) ; else {
1290
+ switch (trustedTypes.getAttributeType(lcTag, lcName)) {
1291
+ case 'TrustedHTML':
1292
+ value = trustedTypesPolicy.createHTML(value);
1293
+ break;
1294
+
1295
+ case 'TrustedScriptURL':
1296
+ value = trustedTypesPolicy.createScriptURL(value);
1297
+ break;
1298
+ }
1299
+ }
1300
+ }
1250
1301
  /* Handle invalid data-* attribute set by try-catching it */
1251
1302
 
1252
1303
 
@@ -1317,7 +1368,8 @@ function createDOMPurify() {
1317
1368
  // eslint-disable-next-line complexity
1318
1369
 
1319
1370
 
1320
- DOMPurify.sanitize = function (dirty, cfg) {
1371
+ DOMPurify.sanitize = function (dirty) {
1372
+ var cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
1321
1373
  var body;
1322
1374
  var importedNode;
1323
1375
  var currentNode;
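Review bot: The empty `if (namespaceURI) ;` in the Trusted Types branch of the attribute loop means a namespaced attribute is never wrapped as `TrustedHTML`/`TrustedScriptURL`, and nothing in the hunk says whether that is deliberate. The Trusted Types `getAttributeType` accepts the element and attribute namespaces as optional third and fourth arguments, so one call covers both cases: `switch (trustedTypes.getAttributeType(lcTag, lcName, currentNode.namespaceURI, namespaceURI)) {` with the empty branch removed. If skipping them is intended — presumably an enforcing policy then rejects the later attribute write and the surrounding try/catch drops the attribute — record that with `// Namespaced attributes are left unwrapped; under an enforcing TT policy the write below fails and the attribute is dropped`. The `value = SANITIZE_NAMED_PROPS_PREFIX + value` line also deserves a note that `_isValidAttribute` already accepted the unprefixed value, so the prefixed string is never itself validated. The enclosing attribute loop starts and ends outside the hunk.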