dompurify 2.4.3 → 2.4.5

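--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.3/LICENSE */
+/*! @license DOMPurify 2.4.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.5/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -328,7 +328,7 @@
 */
 
 
-DOMPurify.version = '2.4.3';
+DOMPurify.version = '2.4.5';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -458,6 +458,10 @@
 /* Decide if unknown protocols are okay */
 
 var ALLOW_UNKNOWN_PROTOCOLS = false;
+/* Decide if self-closing tags in attributes are allowed.
+* Usually removed due to a mXSS issue in jQuery 3.0 */
+
+var ALLOW_SELF_CLOSE_IN_ATTR = true;
 /* Output should be safe for common template engines.
 * This means, DOMPurify removes data attributes, mustaches and ERB
 */
@@ -610,6 +614,8 @@
 
 ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
 
+ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
+
 SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
 
 WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -632,6 +638,7 @@
 
 IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
 NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
+CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
 
 if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
 CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
@@ -1273,7 +1280,7 @@
 /* Work around a security issue in jQuery 3.0 */
 
 
-if (regExpTest(/\/>/i, value)) {
+if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
 _removeAttribute(name, currentNode);
 
 continue;
@@ -1554,7 +1561,7 @@
 returnNode = body;
 }
 
-if (ALLOWED_ATTR.shadowroot) {
+if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
 /*
 AdoptNode() is not used because internal state is not reset
 (e.g. the past names map of a HTMLFormElement), this is safe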
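Review bot: The new key `ALLOWED_ATTR.shadowrootmod` in the last hunk looks like a truncated spelling of the declarative-shadow-DOM attribute, which the HTML spec names `shadowrootmode`; since `ALLOWED_ATTR` appears to be keyed by attribute name (see the existing `shadowroot` check), a caller who allows `shadowrootmode` would never satisfy this condition and the node-import branch guarded here would be skipped for exactly the configuration it seems meant to cover. If the intent is the spec attribute, the line should read `if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmode) {`; if `shadowrootmod` is a deliberate legacy spelling, a comment naming its origin would spare the next reader the same question. The enclosing function continues outside the hunk. Separately, the reset in the `CUSTOM_ELEMENT_HANDLING` hunk now aliases the caller-supplied object directly, so the guarded `tagNameCheck` copy two lines below becomes a self-assignment and a value that fails `isRegexOrFunction` is retained rather than dropped; resetting to a fresh object (`CUSTOM_ELEMENT_HANDLING = {};`) and letting the existing guarded copies populate it would keep that validation meaningful, assuming the consumers depend on it.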