dompurify 2.4.3 → 3.0.0

package/LICENSE

@@ -1,5 +1,5 @@
 DOMPurify
-Copyright 2015 Mario Heiderich
+Copyright 2023 Dr.-Ing. Mario Heiderich, Cure53
 
 DOMPurify is free software; you can redistribute it and/or modify it under the
 terms of either:

package/README.md

@@ -6,13 +6,13 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.4.3.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.0.0.
 
-DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
+DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 
-**Note that DOMPurify v2.4.3 is the final version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
+**Note that [DOMPurify v2.4.4](https://github.com/cure53/DOMPurify/releases/tag/2.4.4) is the final version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
 
-Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
+Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
 
 DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really.
 
@@ -145,13 +145,9 @@ DOMPurify.sanitize('<UL><li><A HREF=//google.com>click</UL>'); // becomes <ul><l
 
 DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` API without any known problems.
 
-## What about older browsers like MSIE8?
+## What about legacy browsers like Internet Explorer?
 
-DOMPurify offers a fall-back behavior for older MSIE browsers. It uses the MSIE-only `toStaticHTML` feature to sanitize. Note however that in this fall-back mode, pretty much none of the configuration flags shown below have any effect. You need to handle that yourself.
-
-If not even `toStaticHTML` is supported, DOMPurify does nothing at all. It simply returns exactly the string that you fed it.
-
-DOMPurify also exposes a property called `isSupported`, which tells you whether DOMPurify will be able to do its job.
+DOMPurify does nothing at all. It simply returns exactly the string that you fed it. DOMPurify exposes a property called `isSupported`, which tells you whether it will be able to do its job, so you can come up with your own backup plan.
 
 ## What about DOMPurify and Trusted Types?
 

package/dist/purify.cjs.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.3/LICENSE */
+/*! @license DOMPurify 3.0.0 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.0/LICENSE */
 
 'use strict';
 
@@ -51,6 +51,10 @@ function _construct(Parent, args, Class) {
   return _construct.apply(null, arguments);
 }
 
+function _slicedToArray(arr, i) {
+  return _arrayWithHoles(arr) || _iterableToArrayLimit(arr, i) || _unsupportedIterableToArray(arr, i) || _nonIterableRest();
+}
+
 function _toConsumableArray(arr) {
   return _arrayWithoutHoles(arr) || _iterableToArray(arr) || _unsupportedIterableToArray(arr) || _nonIterableSpread();
 }
@@ -59,10 +63,44 @@ function _arrayWithoutHoles(arr) {
   if (Array.isArray(arr)) return _arrayLikeToArray(arr);
 }
 
+function _arrayWithHoles(arr) {
+  if (Array.isArray(arr)) return arr;
+}
+
 function _iterableToArray(iter) {
   if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
 }
 
+function _iterableToArrayLimit(arr, i) {
+  var _i = arr == null ? null : typeof Symbol !== "undefined" && arr[Symbol.iterator] || arr["@@iterator"];
+
+  if (_i == null) return;
+  var _arr = [];
+  var _n = true;
+  var _d = false;
+
+  var _s, _e;
+
+  try {
+    for (_i = _i.call(arr); !(_n = (_s = _i.next()).done); _n = true) {
+      _arr.push(_s.value);
+
+      if (i && _arr.length === i) break;
+    }
+  } catch (err) {
+    _d = true;
+    _e = err;
+  } finally {
+    try {
+      if (!_n && _i["return"] != null) _i["return"]();
+    } finally {
+      if (_d) throw _e;
+    }
+  }
+
+  return _arr;
+}
+
 function _unsupportedIterableToArray(o, minLen) {
   if (!o) return;
   if (typeof o === "string") return _arrayLikeToArray(o, minLen);
@@ -84,7 +122,68 @@ function _nonIterableSpread() {
   throw new TypeError("Invalid attempt to spread non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
 
-var hasOwnProperty = Object.hasOwnProperty,
+function _nonIterableRest() {
+  throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+
+function _createForOfIteratorHelper(o, allowArrayLike) {
+  var it = typeof Symbol !== "undefined" && o[Symbol.iterator] || o["@@iterator"];
+
+  if (!it) {
+    if (Array.isArray(o) || (it = _unsupportedIterableToArray(o)) || allowArrayLike && o && typeof o.length === "number") {
+      if (it) o = it;
+      var i = 0;
+
+      var F = function () {};
+
+      return {
+        s: F,
+        n: function () {
+          if (i >= o.length) return {
+            done: true
+          };
+          return {
+            done: false,
+            value: o[i++]
+          };
+        },
+        e: function (e) {
+          throw e;
+        },
+        f: F
+      };
+    }
+
+    throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+  }
+
+  var normalCompletion = true,
+      didErr = false,
+      err;
+  return {
+    s: function () {
+      it = it.call(o);
+    },
+    n: function () {
+      var step = it.next();
+      normalCompletion = step.done;
+      return step;
+    },
+    e: function (e) {
+      didErr = true;
+      err = e;
+    },
+    f: function () {
+      try {
+        if (!normalCompletion && it.return != null) it.return();
+      } finally {
+        if (didErr) throw err;
+      }
+    }
+  };
+}
+
+var entries = Object.entries,
     setPrototypeOf = Object.setPrototypeOf,
     isFrozen = Object.isFrozen,
     getPrototypeOf = Object.getPrototypeOf,
@@ -189,20 +288,28 @@ function addToSet(set, array, transformCaseFunc) {
 
 function clone(object) {
   var newObject = create(null);
-  var property;
 
-  for (property in object) {
-    if (apply(hasOwnProperty, object, [property]) === true) {
-      newObject[property] = object[property];
+  var _iterator = _createForOfIteratorHelper(entries(object)),
+      _step;
+
+  try {
+    for (_iterator.s(); !(_step = _iterator.n()).done;) {
+      var _step$value = _slicedToArray(_step.value, 2),
+          property = _step$value[0],
+          value = _step$value[1];
+
+      newObject[property] = value;
     }
+  } catch (err) {
+    _iterator.e(err);
+  } finally {
+    _iterator.f();
   }
 
   return newObject;
 }
-/* IE10 doesn't support __lookupGetter__ so lets'
- * simulate it. It also automatically checks
- * if the prop is function or getter and behaves
- * accordingly. */
+/* This method automatically checks if the prop is function
+ * or getter and behaves accordingly. */
 
 function lookupGetter(object, prop) {
   while (object !== null) {
@@ -324,7 +431,7 @@ function createDOMPurify() {
    */
 
 
-  DOMPurify.version = '2.4.3';
+  DOMPurify.version = '3.0.0';
   /**
    * Array of elements that DOMPurify removed during sanitation.
    * Empty if nothing was removed.
@@ -379,18 +486,12 @@ function createDOMPurify() {
       createDocumentFragment = _document.createDocumentFragment,
       getElementsByTagName = _document.getElementsByTagName;
   var importNode = originalDocument.importNode;
-  var documentMode = {};
-
-  try {
-    documentMode = clone(document).documentMode ? document.documentMode : {};
-  } catch (_) {}
-
   var hooks = {};
   /**
    * Expose whether this browser supports running the full DOMPurify.
    */
 
-  DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && typeof implementation.createHTMLDocument !== 'undefined' && documentMode !== 9;
+  DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && typeof implementation.createHTMLDocument !== 'undefined';
   var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
       ERB_EXPR$1 = ERB_EXPR,
       TMPLIT_EXPR$1 = TMPLIT_EXPR,
@@ -454,6 +555,10 @@ function createDOMPurify() {
   /* Decide if unknown protocols are okay */
 
   var ALLOW_UNKNOWN_PROTOCOLS = false;
+  /* Decide if self-closing tags in attributes are allowed.
+   * Usually removed due to a mXSS issue in jQuery 3.0 */
+
+  var ALLOW_SELF_CLOSE_IN_ATTR = true;
   /* Output should be safe for common template engines.
    * This means, DOMPurify removes data attributes, mustaches and ERB
    */
@@ -606,6 +711,8 @@ function createDOMPurify() {
 
     ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
 
+    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
+
     SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
 
     WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -863,11 +970,7 @@ function createDOMPurify() {
       // eslint-disable-next-line unicorn/prefer-dom-node-remove
       node.parentNode.removeChild(node);
     } catch (_) {
-      try {
-        node.outerHTML = emptyHTML;
-      } catch (_) {
-        node.remove();
-      }
+      node.remove();
     }
   };
   /**
@@ -1046,14 +1149,6 @@ function createDOMPurify() {
 
       return true;
     }
-    /* Check if tagname contains Unicode */
-
-
-    if (regExpTest(/[\u0080-\uFFFF]/, currentNode.nodeName)) {
-      _forceRemove(currentNode);
-
-      return true;
-    }
     /* Now let's check the element's type and name */
 
 
@@ -1072,14 +1167,6 @@ function createDOMPurify() {
 
       return true;
     }
-    /* Mitigate a problem with templates inside select */
-
-
-    if (tagName === 'select' && regExpTest(/<template/i, currentNode.innerHTML)) {
-      _forceRemove(currentNode);
-
-      return true;
-    }
     /* Remove element if anything forbids its presence */
 
 
@@ -1117,6 +1204,8 @@ function createDOMPurify() {
 
       return true;
     }
+    /* Make sure that older browsers don't get noscript mXSS */
+
 
     if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
       _forceRemove(currentNode);
@@ -1269,7 +1358,7 @@ function createDOMPurify() {
       /* Work around a security issue in jQuery 3.0 */
 
 
-      if (regExpTest(/\/>/i, value)) {
+      if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
         _removeAttribute(name, currentNode);
 
         continue;
@@ -1393,7 +1482,6 @@ function createDOMPurify() {
     var body;
     var importedNode;
     var currentNode;
-    var oldNode;
     var returnNode;
     /* Make sure we have a string to sanitize.
       DO NOT return early, as this will return the wrong type if
@@ -1419,20 +1507,10 @@ function createDOMPurify() {
         }
       }
     }
-    /* Check we can run. Otherwise fall back or ignore */
+    /* Return dirty HTML if DOMPurify cannot run */
 
 
     if (!DOMPurify.isSupported) {
-      if (_typeof(window.toStaticHTML) === 'object' || typeof window.toStaticHTML === 'function') {
-        if (typeof dirty === 'string') {
-          return window.toStaticHTML(dirty);
-        }
-
-        if (_isNode(dirty)) {
-          return window.toStaticHTML(dirty.outerHTML);
-        }
-      }
-
       return dirty;
     }
     /* Assign config vars */
@@ -1505,13 +1583,7 @@ function createDOMPurify() {
 
 
     while (currentNode = nodeIterator.nextNode()) {
-      /* Fix IE's strange behavior with manipulated textNodes #89 */
-      if (currentNode.nodeType === 3 && currentNode === oldNode) {
-        continue;
-      }
       /* Sanitize tags and elements */
-
-
       if (_sanitizeElements(currentNode)) {
         continue;
       }
@@ -1525,13 +1597,10 @@ function createDOMPurify() {
 
 
       _sanitizeAttributes(currentNode);
-
-      oldNode = currentNode;
     }
-
-    oldNode = null;
     /* If we sanitized `dirty` in-place, return it. */
 
+
     if (IN_PLACE) {
       return dirty;
     }
@@ -1550,7 +1619,7 @@ function createDOMPurify() {
         returnNode = body;
       }
 
-      if (ALLOWED_ATTR.shadowroot) {
+      if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
         /*
           AdoptNode() is not used because internal state is not reset
           (e.g. the past names map of a HTMLFormElement), this is safe