dompurify 2.4.3 → 2.4.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +2 -2
  2. package/dist/purify.cjs.js +11 -4
  3. package/dist/purify.cjs.js.map +1 -1
  4. package/dist/purify.es.js +11 -4
  5. package/dist/purify.es.js.map +1 -1
  6. package/dist/purify.js +11 -4
  7. package/dist/purify.js.map +1 -1
  8. package/dist/purify.min.js +2 -2
  9. package/dist/purify.min.js.map +1 -1
  10. package/package.json +1 -1
package/dist/purify.es.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 2.4.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.3/LICENSE */
1
+ /*! @license DOMPurify 2.4.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.5/LICENSE */
2
2
 
3
3
  function _typeof(obj) {
4
4
  "@babel/helpers - typeof";
@@ -322,7 +322,7 @@ function createDOMPurify() {
322
322
  */
323
323
 
324
324
 
325
- DOMPurify.version = '2.4.3';
325
+ DOMPurify.version = '2.4.5';
326
326
  /**
327
327
  * Array of elements that DOMPurify removed during sanitation.
328
328
  * Empty if nothing was removed.
@@ -452,6 +452,10 @@ function createDOMPurify() {
452
452
  /* Decide if unknown protocols are okay */
453
453
 
454
454
  var ALLOW_UNKNOWN_PROTOCOLS = false;
455
+ /* Decide if self-closing tags in attributes are allowed.
456
+ * Usually removed due to a mXSS issue in jQuery 3.0 */
457
+
458
+ var ALLOW_SELF_CLOSE_IN_ATTR = true;
455
459
  /* Output should be safe for common template engines.
456
460
  * This means, DOMPurify removes data attributes, mustaches and ERB
457
461
  */
@@ -604,6 +608,8 @@ function createDOMPurify() {
604
608
 
605
609
  ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
606
610
 
611
+ ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
612
+
607
613
  SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
608
614
 
609
615
  WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -626,6 +632,7 @@ function createDOMPurify() {
626
632
 
627
633
  IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
628
634
  NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
635
+ CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
629
636
 
630
637
  if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
631
638
  CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
@@ -1267,7 +1274,7 @@ function createDOMPurify() {
1267
1274
  /* Work around a security issue in jQuery 3.0 */
1268
1275
 
1269
1276
 
1270
- if (regExpTest(/\/>/i, value)) {
1277
+ if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
1271
1278
  _removeAttribute(name, currentNode);
1272
1279
 
1273
1280
  continue;
@@ -1548,7 +1555,7 @@ function createDOMPurify() {
1548
1555
  returnNode = body;
1549
1556
  }
1550
1557
 
1551
- if (ALLOWED_ATTR.shadowroot) {
1558
+ if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
1552
1559
  /*
1553
1560
  AdoptNode() is not used because internal state is not reset
1554
1561
  (e.g. the past names map of a HTMLFormElement), this is safe