dompurify 2.3.9 → 2.3.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +45 -18
- package/dist/purify.cjs.d.ts +144 -0
- package/dist/purify.cjs.js +56 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.d.ts +144 -0
- package/dist/purify.es.js +56 -4
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +56 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +6 -2
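--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.3.
+/*! @license DOMPurify 2.3.12 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.3.12/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -300,6 +300,9 @@
 return trustedTypes.createPolicy(policyName, {
 createHTML: function createHTML(html) {
 return html;
+},
+createScriptURL: function createScriptURL(scriptUrl) {
+return scriptUrl;
 }
 });
 } catch (_) {
@@ -323,7 +326,7 @@
 */
 
 
-DOMPurify.version = '2.3.
+DOMPurify.version = '2.3.12';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -481,9 +484,27 @@
 * case Trusted Types are not supported */
 
 var RETURN_TRUSTED_TYPE = false;
-/* Output should be free from DOM clobbering attacks?
+/* Output should be free from DOM clobbering attacks?
+* This sanitizes markups named with colliding, clobberable built-in DOM APIs.
+*/
 
 var SANITIZE_DOM = true;
+/* Achieve full DOM Clobbering protection by isolating the namespace of named
+* properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
+*
+* HTML/DOM spec rules that enable DOM Clobbering:
+* - Named Access on Window (§7.3.3)
+* - DOM Tree Accessors (§3.1.5)
+* - Form Element Parent-Child Relations (§4.10.3)
+* - Iframe srcdoc / Nested WindowProxies (§4.8.5)
+* - HTMLCollection (§4.2.10.2)
+*
+* Namespace isolation is implemented by prefixing `id` and `name` attributes
+* with a constant string, i.e., `user-content-`
+*/
+
+var SANITIZE_NAMED_PROPS = false;
+var SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
 /* Keep element content when removing element? */
 
 var KEEP_CONTENT = true;
@@ -597,6 +618,8 @@
 
 SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
 
+SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
+
 KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
 
 IN_PLACE = cfg.IN_PLACE || false; // Default false
@@ -1253,6 +1276,34 @@
 if (!_isValidAttribute(lcTag, lcName, value)) {
 continue;
 }
+/* Full DOM Clobbering protection via namespace isolation,
+* Prefix id and name attributes with `user-content-`
+*/
+
+
+if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
+// Remove the attribute with this value
+_removeAttribute(name, currentNode); // Prefix the value and later re-create the attribute with the sanitized value
+
+
+value = SANITIZE_NAMED_PROPS_PREFIX + value;
+}
+/* Handle attributes that require Trusted Types */
+
+
+if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
+if (namespaceURI) ; else {
+switch (trustedTypes.getAttributeType(lcTag, lcName)) {
+case 'TrustedHTML':
+value = trustedTypesPolicy.createHTML(value);
+break;
+
+case 'TrustedScriptURL':
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
+}
+}
 /* Handle invalid data-* attribute set by try-catching it */
 
 
@@ -1323,7 +1374,8 @@
 // eslint-disable-next-line complexity
 
 
-DOMPurify.sanitize = function (dirty
+DOMPurify.sanitize = function (dirty) {
+var cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
 var body;
 var importedNode;
 var currentNode;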
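Review bot: The new `createScriptURL` callback (new lines 304-305) returns `scriptUrl` unchanged, and the new block at 1294-1306 then routes any attribute value that `trustedTypes.getAttributeType` classifies as TrustedHTML or TrustedScriptURL through that identity policy, so the only validation standing behind the trusted type is the `_isValidAttribute` check a few lines above. With the default allowlist that path is presumably unreachable for script-bearing elements, but any configuration that widens the allowed tags or attributes also widens what this policy blesses, and nothing in the diff says so. I would add `// Identity policy: trust comes from _isValidAttribute and the tag/attr allowlist, not from this callback; widening the allowlist widens what becomes a trusted type` above `createScriptURL`, and note at the `createPolicy` call that the configured `policyName` has to be permitted by the page's `trusted-types` CSP directive or `createPolicy` throws into the `catch (_)` below. The function enclosing the 1276-1309 hunk starts and ends outside it, so where the prefixed `value` is written back to `currentNode` is not visible here.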