dompurify 2.4.3 → 3.0.0

package/dist/purify.es.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.3/LICENSE */
+/*! @license DOMPurify 3.0.0 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.0/LICENSE */
 
 function _typeof(obj) {
   "@babel/helpers - typeof";
@@ -49,6 +49,10 @@ function _construct(Parent, args, Class) {
   return _construct.apply(null, arguments);
 }
 
+function _slicedToArray(arr, i) {
+  return _arrayWithHoles(arr) || _iterableToArrayLimit(arr, i) || _unsupportedIterableToArray(arr, i) || _nonIterableRest();
+}
+
 function _toConsumableArray(arr) {
   return _arrayWithoutHoles(arr) || _iterableToArray(arr) || _unsupportedIterableToArray(arr) || _nonIterableSpread();
 }
@@ -57,10 +61,44 @@ function _arrayWithoutHoles(arr) {
   if (Array.isArray(arr)) return _arrayLikeToArray(arr);
 }
 
+function _arrayWithHoles(arr) {
+  if (Array.isArray(arr)) return arr;
+}
+
 function _iterableToArray(iter) {
   if (typeof Symbol !== "undefined" && iter[Symbol.iterator] != null || iter["@@iterator"] != null) return Array.from(iter);
 }
 
+function _iterableToArrayLimit(arr, i) {
+  var _i = arr == null ? null : typeof Symbol !== "undefined" && arr[Symbol.iterator] || arr["@@iterator"];
+
+  if (_i == null) return;
+  var _arr = [];
+  var _n = true;
+  var _d = false;
+
+  var _s, _e;
+
+  try {
+    for (_i = _i.call(arr); !(_n = (_s = _i.next()).done); _n = true) {
+      _arr.push(_s.value);
+
+      if (i && _arr.length === i) break;
+    }
+  } catch (err) {
+    _d = true;
+    _e = err;
+  } finally {
+    try {
+      if (!_n && _i["return"] != null) _i["return"]();
+    } finally {
+      if (_d) throw _e;
+    }
+  }
+
+  return _arr;
+}
+
 function _unsupportedIterableToArray(o, minLen) {
   if (!o) return;
   if (typeof o === "string") return _arrayLikeToArray(o, minLen);
@@ -82,7 +120,68 @@ function _nonIterableSpread() {
   throw new TypeError("Invalid attempt to spread non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
 }
 
-var hasOwnProperty = Object.hasOwnProperty,
+function _nonIterableRest() {
+  throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+}
+
+function _createForOfIteratorHelper(o, allowArrayLike) {
+  var it = typeof Symbol !== "undefined" && o[Symbol.iterator] || o["@@iterator"];
+
+  if (!it) {
+    if (Array.isArray(o) || (it = _unsupportedIterableToArray(o)) || allowArrayLike && o && typeof o.length === "number") {
+      if (it) o = it;
+      var i = 0;
+
+      var F = function () {};
+
+      return {
+        s: F,
+        n: function () {
+          if (i >= o.length) return {
+            done: true
+          };
+          return {
+            done: false,
+            value: o[i++]
+          };
+        },
+        e: function (e) {
+          throw e;
+        },
+        f: F
+      };
+    }
+
+    throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method.");
+  }
+
+  var normalCompletion = true,
+      didErr = false,
+      err;
+  return {
+    s: function () {
+      it = it.call(o);
+    },
+    n: function () {
+      var step = it.next();
+      normalCompletion = step.done;
+      return step;
+    },
+    e: function (e) {
+      didErr = true;
+      err = e;
+    },
+    f: function () {
+      try {
+        if (!normalCompletion && it.return != null) it.return();
+      } finally {
+        if (didErr) throw err;
+      }
+    }
+  };
+}
+
+var entries = Object.entries,
     setPrototypeOf = Object.setPrototypeOf,
     isFrozen = Object.isFrozen,
     getPrototypeOf = Object.getPrototypeOf,
@@ -187,20 +286,28 @@ function addToSet(set, array, transformCaseFunc) {
 
 function clone(object) {
   var newObject = create(null);
-  var property;
 
-  for (property in object) {
-    if (apply(hasOwnProperty, object, [property]) === true) {
-      newObject[property] = object[property];
+  var _iterator = _createForOfIteratorHelper(entries(object)),
+      _step;
+
+  try {
+    for (_iterator.s(); !(_step = _iterator.n()).done;) {
+      var _step$value = _slicedToArray(_step.value, 2),
+          property = _step$value[0],
+          value = _step$value[1];
+
+      newObject[property] = value;
     }
+  } catch (err) {
+    _iterator.e(err);
+  } finally {
+    _iterator.f();
   }
 
   return newObject;
 }
-/* IE10 doesn't support __lookupGetter__ so lets'
- * simulate it. It also automatically checks
- * if the prop is function or getter and behaves
- * accordingly. */
+/* This method automatically checks if the prop is function
+ * or getter and behaves accordingly. */
 
 function lookupGetter(object, prop) {
   while (object !== null) {
@@ -322,7 +429,7 @@ function createDOMPurify() {
    */
 
 
-  DOMPurify.version = '2.4.3';
+  DOMPurify.version = '3.0.0';
   /**
    * Array of elements that DOMPurify removed during sanitation.
    * Empty if nothing was removed.
@@ -377,18 +484,12 @@ function createDOMPurify() {
       createDocumentFragment = _document.createDocumentFragment,
       getElementsByTagName = _document.getElementsByTagName;
   var importNode = originalDocument.importNode;
-  var documentMode = {};
-
-  try {
-    documentMode = clone(document).documentMode ? document.documentMode : {};
-  } catch (_) {}
-
   var hooks = {};
   /**
    * Expose whether this browser supports running the full DOMPurify.
    */
 
-  DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && typeof implementation.createHTMLDocument !== 'undefined' && documentMode !== 9;
+  DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && typeof implementation.createHTMLDocument !== 'undefined';
   var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
       ERB_EXPR$1 = ERB_EXPR,
       TMPLIT_EXPR$1 = TMPLIT_EXPR,
@@ -452,6 +553,10 @@ function createDOMPurify() {
   /* Decide if unknown protocols are okay */
 
   var ALLOW_UNKNOWN_PROTOCOLS = false;
+  /* Decide if self-closing tags in attributes are allowed.
+   * Usually removed due to a mXSS issue in jQuery 3.0 */
+
+  var ALLOW_SELF_CLOSE_IN_ATTR = true;
   /* Output should be safe for common template engines.
    * This means, DOMPurify removes data attributes, mustaches and ERB
    */
@@ -604,6 +709,8 @@ function createDOMPurify() {
 
     ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
 
+    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
+
     SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
 
     WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
@@ -861,11 +968,7 @@ function createDOMPurify() {
       // eslint-disable-next-line unicorn/prefer-dom-node-remove
       node.parentNode.removeChild(node);
     } catch (_) {
-      try {
-        node.outerHTML = emptyHTML;
-      } catch (_) {
-        node.remove();
-      }
+      node.remove();
     }
   };
   /**
@@ -1044,14 +1147,6 @@ function createDOMPurify() {
 
       return true;
     }
-    /* Check if tagname contains Unicode */
-
-
-    if (regExpTest(/[\u0080-\uFFFF]/, currentNode.nodeName)) {
-      _forceRemove(currentNode);
-
-      return true;
-    }
     /* Now let's check the element's type and name */
 
 
@@ -1070,14 +1165,6 @@ function createDOMPurify() {
 
       return true;
     }
-    /* Mitigate a problem with templates inside select */
-
-
-    if (tagName === 'select' && regExpTest(/<template/i, currentNode.innerHTML)) {
-      _forceRemove(currentNode);
-
-      return true;
-    }
     /* Remove element if anything forbids its presence */
 
 
@@ -1115,6 +1202,8 @@ function createDOMPurify() {
 
       return true;
     }
+    /* Make sure that older browsers don't get noscript mXSS */
+
 
     if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
       _forceRemove(currentNode);
@@ -1267,7 +1356,7 @@ function createDOMPurify() {
       /* Work around a security issue in jQuery 3.0 */
 
 
-      if (regExpTest(/\/>/i, value)) {
+      if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
         _removeAttribute(name, currentNode);
 
         continue;
@@ -1391,7 +1480,6 @@ function createDOMPurify() {
     var body;
     var importedNode;
     var currentNode;
-    var oldNode;
     var returnNode;
     /* Make sure we have a string to sanitize.
       DO NOT return early, as this will return the wrong type if
@@ -1417,20 +1505,10 @@ function createDOMPurify() {
         }
       }
     }
-    /* Check we can run. Otherwise fall back or ignore */
+    /* Return dirty HTML if DOMPurify cannot run */
 
 
     if (!DOMPurify.isSupported) {
-      if (_typeof(window.toStaticHTML) === 'object' || typeof window.toStaticHTML === 'function') {
-        if (typeof dirty === 'string') {
-          return window.toStaticHTML(dirty);
-        }
-
-        if (_isNode(dirty)) {
-          return window.toStaticHTML(dirty.outerHTML);
-        }
-      }
-
       return dirty;
     }
     /* Assign config vars */
@@ -1503,13 +1581,7 @@ function createDOMPurify() {
 
 
     while (currentNode = nodeIterator.nextNode()) {
-      /* Fix IE's strange behavior with manipulated textNodes #89 */
-      if (currentNode.nodeType === 3 && currentNode === oldNode) {
-        continue;
-      }
       /* Sanitize tags and elements */
-
-
       if (_sanitizeElements(currentNode)) {
         continue;
       }
@@ -1523,13 +1595,10 @@ function createDOMPurify() {
 
 
       _sanitizeAttributes(currentNode);
-
-      oldNode = currentNode;
     }
-
-    oldNode = null;
     /* If we sanitized `dirty` in-place, return it. */
 
+
     if (IN_PLACE) {
       return dirty;
     }
@@ -1548,7 +1617,7 @@ function createDOMPurify() {
         returnNode = body;
       }
 
-      if (ALLOWED_ATTR.shadowroot) {
+      if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmod) {
         /*
           AdoptNode() is not used because internal state is not reset
           (e.g. the past names map of a HTMLFormElement), this is safe