dompurify 2.4.2 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +3 -1
- package/dist/purify.cjs.js +10 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +10 -4
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +10 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.es.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.4.
|
|
1
|
+
/*! @license DOMPurify 2.4.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.4/LICENSE */
|
|
2
2
|
|
|
3
3
|
function _typeof(obj) {
|
|
4
4
|
"@babel/helpers - typeof";
|
|
@@ -322,7 +322,7 @@ function createDOMPurify() {
|
|
|
322
322
|
*/
|
|
323
323
|
|
|
324
324
|
|
|
325
|
-
DOMPurify.version = '2.4.
|
|
325
|
+
DOMPurify.version = '2.4.4';
|
|
326
326
|
/**
|
|
327
327
|
* Array of elements that DOMPurify removed during sanitation.
|
|
328
328
|
* Empty if nothing was removed.
|
|
@@ -452,6 +452,10 @@ function createDOMPurify() {
|
|
|
452
452
|
/* Decide if unknown protocols are okay */
|
|
453
453
|
|
|
454
454
|
var ALLOW_UNKNOWN_PROTOCOLS = false;
|
|
455
|
+
/* Decide if self-closing tags in attributes are allowed.
|
|
456
|
+
* Usually removed due to a mXSS issue in jQuery 3.0 */
|
|
457
|
+
|
|
458
|
+
var ALLOW_SELF_CLOSE_IN_ATTR = true;
|
|
455
459
|
/* Output should be safe for common template engines.
|
|
456
460
|
* This means, DOMPurify removes data attributes, mustaches and ERB
|
|
457
461
|
*/
|
|
@@ -604,6 +608,8 @@ function createDOMPurify() {
|
|
|
604
608
|
|
|
605
609
|
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
|
|
606
610
|
|
|
611
|
+
ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
|
|
612
|
+
|
|
607
613
|
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
|
|
608
614
|
|
|
609
615
|
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
|
|
@@ -1267,7 +1273,7 @@ function createDOMPurify() {
|
|
|
1267
1273
|
/* Work around a security issue in jQuery 3.0 */
|
|
1268
1274
|
|
|
1269
1275
|
|
|
1270
|
-
if (regExpTest(/\/>/i, value)) {
|
|
1276
|
+
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
|
|
1271
1277
|
_removeAttribute(name, currentNode);
|
|
1272
1278
|
|
|
1273
1279
|
continue;
|
|
@@ -1548,7 +1554,7 @@ function createDOMPurify() {
|
|
|
1548
1554
|
returnNode = body;
|
|
1549
1555
|
}
|
|
1550
1556
|
|
|
1551
|
-
if (ALLOWED_ATTR.shadowroot) {
|
|
1557
|
+
if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
|
|
1552
1558
|
/*
|
|
1553
1559
|
AdoptNode() is not used because internal state is not reset
|
|
1554
1560
|
(e.g. the past names map of a HTMLFormElement), this is safe
|