dompurify 2.4.4 → 2.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +23 -15
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +23 -15
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +23 -15
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.0.0.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.4.
|
|
13
|
+
**Note that DOMPurify v2.4.6 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.4.
|
|
1
|
+
/*! @license DOMPurify 2.4.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -153,7 +153,9 @@ function unconstruct(func) {
|
|
|
153
153
|
/* Add properties to a lookup table */
|
|
154
154
|
|
|
155
155
|
function addToSet(set, array, transformCaseFunc) {
|
|
156
|
-
|
|
156
|
+
var _transformCaseFunc;
|
|
157
|
+
|
|
158
|
+
transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
|
|
157
159
|
|
|
158
160
|
if (setPrototypeOf) {
|
|
159
161
|
// Make 'in' and truthy checks like Boolean(set.constructor)
|
|
@@ -324,7 +326,7 @@ function createDOMPurify() {
|
|
|
324
326
|
*/
|
|
325
327
|
|
|
326
328
|
|
|
327
|
-
DOMPurify.version = '2.4.
|
|
329
|
+
DOMPurify.version = '2.4.6';
|
|
328
330
|
/**
|
|
329
331
|
* Array of elements that DOMPurify removed during sanitation.
|
|
330
332
|
* Empty if nothing was removed.
|
|
@@ -390,7 +392,7 @@ function createDOMPurify() {
|
|
|
390
392
|
* Expose whether this browser supports running the full DOMPurify.
|
|
391
393
|
*/
|
|
392
394
|
|
|
393
|
-
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation &&
|
|
395
|
+
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined && documentMode !== 9;
|
|
394
396
|
var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
|
|
395
397
|
ERB_EXPR$1 = ERB_EXPR,
|
|
396
398
|
TMPLIT_EXPR$1 = TMPLIT_EXPR,
|
|
@@ -634,6 +636,7 @@ function createDOMPurify() {
|
|
|
634
636
|
|
|
635
637
|
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
|
|
636
638
|
NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
|
|
639
|
+
CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
|
|
637
640
|
|
|
638
641
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
|
|
639
642
|
CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
|
|
@@ -1123,8 +1126,10 @@ function createDOMPurify() {
|
|
|
1123
1126
|
|
|
1124
1127
|
return true;
|
|
1125
1128
|
}
|
|
1129
|
+
/* Make sure that older browsers don't get fallback-tag mXSS */
|
|
1130
|
+
|
|
1126
1131
|
|
|
1127
|
-
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
|
|
1132
|
+
if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
|
|
1128
1133
|
_forceRemove(currentNode);
|
|
1129
1134
|
|
|
1130
1135
|
return true;
|
|
@@ -1186,9 +1191,9 @@ function createDOMPurify() {
|
|
|
1186
1191
|
}
|
|
1187
1192
|
/* Check value is safe. First, is attr inert? If so, is safe */
|
|
1188
1193
|
|
|
1189
|
-
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (
|
|
1194
|
+
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (value) {
|
|
1190
1195
|
return false;
|
|
1191
|
-
}
|
|
1196
|
+
} else ;
|
|
1192
1197
|
|
|
1193
1198
|
return true;
|
|
1194
1199
|
};
|
|
@@ -1315,12 +1320,16 @@ function createDOMPurify() {
|
|
|
1315
1320
|
if (namespaceURI) ; else {
|
|
1316
1321
|
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
1317
1322
|
case 'TrustedHTML':
|
|
1318
|
-
|
|
1319
|
-
|
|
1323
|
+
{
|
|
1324
|
+
value = trustedTypesPolicy.createHTML(value);
|
|
1325
|
+
break;
|
|
1326
|
+
}
|
|
1320
1327
|
|
|
1321
1328
|
case 'TrustedScriptURL':
|
|
1322
|
-
|
|
1323
|
-
|
|
1329
|
+
{
|
|
1330
|
+
value = trustedTypesPolicy.createScriptURL(value);
|
|
1331
|
+
break;
|
|
1332
|
+
}
|
|
1324
1333
|
}
|
|
1325
1334
|
}
|
|
1326
1335
|
}
|
|
@@ -1414,15 +1423,14 @@ function createDOMPurify() {
|
|
|
1414
1423
|
|
|
1415
1424
|
|
|
1416
1425
|
if (typeof dirty !== 'string' && !_isNode(dirty)) {
|
|
1417
|
-
|
|
1418
|
-
if (typeof dirty.toString !== 'function') {
|
|
1419
|
-
throw typeErrorCreate('toString is not a function');
|
|
1420
|
-
} else {
|
|
1426
|
+
if (typeof dirty.toString === 'function') {
|
|
1421
1427
|
dirty = dirty.toString();
|
|
1422
1428
|
|
|
1423
1429
|
if (typeof dirty !== 'string') {
|
|
1424
1430
|
throw typeErrorCreate('dirty is not a string, aborting');
|
|
1425
1431
|
}
|
|
1432
|
+
} else {
|
|
1433
|
+
throw typeErrorCreate('toString is not a function');
|
|
1426
1434
|
}
|
|
1427
1435
|
}
|
|
1428
1436
|
/* Check we can run. Otherwise fall back or ignore */
|