dompurify 2.4.3 → 2.4.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +10 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +10 -4
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +10 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
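--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.
+/*! @license DOMPurify 2.4.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.4/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -328,7 +328,7 @@
 */
 
 
-DOMPurify.version = '2.4.
+DOMPurify.version = '2.4.4';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -458,6 +458,10 @@
 /* Decide if unknown protocols are okay */
 
 var ALLOW_UNKNOWN_PROTOCOLS = false;
+/* Decide if self-closing tags in attributes are allowed.
+* Usually removed due to a mXSS issue in jQuery 3.0 */
+
+var ALLOW_SELF_CLOSE_IN_ATTR = true;
 /* Output should be safe for common template engines.
 * This means, DOMPurify removes data attributes, mustaches and ERB
 */
@@ -610,6 +614,8 @@
 
 ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
 
+ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
+
 SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
 
 WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -1273,7 +1279,7 @@
 /* Work around a security issue in jQuery 3.0 */
 
 
-if (regExpTest(/\/>/i, value)) {
+if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
 _removeAttribute(name, currentNode);
 
 continue;
@@ -1554,7 +1560,7 @@
 returnNode = body;
 }
 
-if (ALLOWED_ATTR.shadowroot) {
+if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
 /*
 AdoptNode() is not used because internal state is not reset
 (e.g. the past names map of a HTMLFormElement), this is safe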
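Review bot: The new default `ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true` (new line 617) switches the jQuery 3.0 mXSS workaround at line 1282 off unless a caller explicitly passes `false`, so attribute values containing `/>` that 2.4.3 always stripped are now kept by default, while the declaration comment at lines 461–462 still describes removal as the usual behaviour. I would make the trade-off explicit at the declaration: `/* Decide if self-closing tags in attributes are allowed (default true). Set to false to keep stripping attribute values containing '/>', the workaround for an mXSS issue when sanitized output is handed to jQuery 3.0 */`. Integrations that pass DOMPurify output to jQuery 3.0 should pin `ALLOW_SELF_CLOSE_IN_ATTR: false` explicitly when upgrading; the README change in this release is not visible here, so I cannot tell whether it says so.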