dompurify 2.4.2 → 2.4.4

package/README.md

@@ -6,10 +6,12 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.4.2.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.4.4.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 
+**Note that DOMPurify v2.4.4 is the final version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
+
 Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
 
 DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really.

package/dist/purify.cjs.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.2/LICENSE */
+/*! @license DOMPurify 2.4.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.4/LICENSE */
 
 'use strict';
 
@@ -324,7 +324,7 @@ function createDOMPurify() {
    */
 
 
-  DOMPurify.version = '2.4.2';
+  DOMPurify.version = '2.4.4';
   /**
    * Array of elements that DOMPurify removed during sanitation.
    * Empty if nothing was removed.
@@ -454,6 +454,10 @@ function createDOMPurify() {
   /* Decide if unknown protocols are okay */
 
   var ALLOW_UNKNOWN_PROTOCOLS = false;
+  /* Decide if self-closing tags in attributes are allowed.
+   * Usually removed due to a mXSS issue in jQuery 3.0 */
+
+  var ALLOW_SELF_CLOSE_IN_ATTR = true;
   /* Output should be safe for common template engines.
    * This means, DOMPurify removes data attributes, mustaches and ERB
    */
@@ -606,6 +610,8 @@ function createDOMPurify() {
 
     ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
 
+    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
+
     SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
 
     WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -1269,7 +1275,7 @@ function createDOMPurify() {
       /* Work around a security issue in jQuery 3.0 */
 
 
-      if (regExpTest(/\/>/i, value)) {
+      if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
         _removeAttribute(name, currentNode);
 
         continue;
@@ -1550,7 +1556,7 @@ function createDOMPurify() {
         returnNode = body;
       }
 
-      if (ALLOWED_ATTR.shadowroot) {
+      if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
         /*
           AdoptNode() is not used because internal state is not reset
           (e.g. the past names map of a HTMLFormElement), this is safe