dompurify 2.4.3 → 2.4.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +11 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +11 -4
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +11 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.0.0.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.4.
|
|
13
|
+
**Note that DOMPurify v2.4.5 is the final version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.4.
|
|
1
|
+
/*! @license DOMPurify 2.4.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.5/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -324,7 +324,7 @@ function createDOMPurify() {
|
|
|
324
324
|
*/
|
|
325
325
|
|
|
326
326
|
|
|
327
|
-
DOMPurify.version = '2.4.
|
|
327
|
+
DOMPurify.version = '2.4.5';
|
|
328
328
|
/**
|
|
329
329
|
* Array of elements that DOMPurify removed during sanitation.
|
|
330
330
|
* Empty if nothing was removed.
|
|
@@ -454,6 +454,10 @@ function createDOMPurify() {
|
|
|
454
454
|
/* Decide if unknown protocols are okay */
|
|
455
455
|
|
|
456
456
|
var ALLOW_UNKNOWN_PROTOCOLS = false;
|
|
457
|
+
/* Decide if self-closing tags in attributes are allowed.
|
|
458
|
+
* Usually removed due to a mXSS issue in jQuery 3.0 */
|
|
459
|
+
|
|
460
|
+
var ALLOW_SELF_CLOSE_IN_ATTR = true;
|
|
457
461
|
/* Output should be safe for common template engines.
|
|
458
462
|
* This means, DOMPurify removes data attributes, mustaches and ERB
|
|
459
463
|
*/
|
|
@@ -606,6 +610,8 @@ function createDOMPurify() {
|
|
|
606
610
|
|
|
607
611
|
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
|
|
608
612
|
|
|
613
|
+
ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
|
|
614
|
+
|
|
609
615
|
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
|
|
610
616
|
|
|
611
617
|
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
|
|
@@ -628,6 +634,7 @@ function createDOMPurify() {
|
|
|
628
634
|
|
|
629
635
|
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
|
|
630
636
|
NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
|
|
637
|
+
CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
|
|
631
638
|
|
|
632
639
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
|
|
633
640
|
CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
|
|
@@ -1269,7 +1276,7 @@ function createDOMPurify() {
|
|
|
1269
1276
|
/* Work around a security issue in jQuery 3.0 */
|
|
1270
1277
|
|
|
1271
1278
|
|
|
1272
|
-
if (regExpTest(/\/>/i, value)) {
|
|
1279
|
+
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
|
|
1273
1280
|
_removeAttribute(name, currentNode);
|
|
1274
1281
|
|
|
1275
1282
|
continue;
|
|
@@ -1550,7 +1557,7 @@ function createDOMPurify() {
|
|
|
1550
1557
|
returnNode = body;
|
|
1551
1558
|
}
|
|
1552
1559
|
|
|
1553
|
-
if (ALLOWED_ATTR.shadowroot) {
|
|
1560
|
+
if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
|
|
1554
1561
|
/*
|
|
1555
1562
|
AdoptNode() is not used because internal state is not reset
|
|
1556
1563
|
(e.g. the past names map of a HTMLFormElement), this is safe
|