dompurify 2.4.4 → 2.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +23 -15
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +23 -15
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +23 -15
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.es.js
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.4.
|
|
1
|
+
/*! @license DOMPurify 2.4.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
function _typeof(obj) {
|
|
4
4
|
"@babel/helpers - typeof";
|
|
@@ -151,7 +151,9 @@ function unconstruct(func) {
|
|
|
151
151
|
/* Add properties to a lookup table */
|
|
152
152
|
|
|
153
153
|
function addToSet(set, array, transformCaseFunc) {
|
|
154
|
-
|
|
154
|
+
var _transformCaseFunc;
|
|
155
|
+
|
|
156
|
+
transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
|
|
155
157
|
|
|
156
158
|
if (setPrototypeOf) {
|
|
157
159
|
// Make 'in' and truthy checks like Boolean(set.constructor)
|
|
@@ -322,7 +324,7 @@ function createDOMPurify() {
|
|
|
322
324
|
*/
|
|
323
325
|
|
|
324
326
|
|
|
325
|
-
DOMPurify.version = '2.4.
|
|
327
|
+
DOMPurify.version = '2.4.6';
|
|
326
328
|
/**
|
|
327
329
|
* Array of elements that DOMPurify removed during sanitation.
|
|
328
330
|
* Empty if nothing was removed.
|
|
@@ -388,7 +390,7 @@ function createDOMPurify() {
|
|
|
388
390
|
* Expose whether this browser supports running the full DOMPurify.
|
|
389
391
|
*/
|
|
390
392
|
|
|
391
|
-
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation &&
|
|
393
|
+
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined && documentMode !== 9;
|
|
392
394
|
var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
|
|
393
395
|
ERB_EXPR$1 = ERB_EXPR,
|
|
394
396
|
TMPLIT_EXPR$1 = TMPLIT_EXPR,
|
|
@@ -632,6 +634,7 @@ function createDOMPurify() {
|
|
|
632
634
|
|
|
633
635
|
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
|
|
634
636
|
NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
|
|
637
|
+
CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
|
|
635
638
|
|
|
636
639
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
|
|
637
640
|
CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
|
|
@@ -1121,8 +1124,10 @@ function createDOMPurify() {
|
|
|
1121
1124
|
|
|
1122
1125
|
return true;
|
|
1123
1126
|
}
|
|
1127
|
+
/* Make sure that older browsers don't get fallback-tag mXSS */
|
|
1128
|
+
|
|
1124
1129
|
|
|
1125
|
-
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
|
|
1130
|
+
if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
|
|
1126
1131
|
_forceRemove(currentNode);
|
|
1127
1132
|
|
|
1128
1133
|
return true;
|
|
@@ -1184,9 +1189,9 @@ function createDOMPurify() {
|
|
|
1184
1189
|
}
|
|
1185
1190
|
/* Check value is safe. First, is attr inert? If so, is safe */
|
|
1186
1191
|
|
|
1187
|
-
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (
|
|
1192
|
+
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (value) {
|
|
1188
1193
|
return false;
|
|
1189
|
-
}
|
|
1194
|
+
} else ;
|
|
1190
1195
|
|
|
1191
1196
|
return true;
|
|
1192
1197
|
};
|
|
@@ -1313,12 +1318,16 @@ function createDOMPurify() {
|
|
|
1313
1318
|
if (namespaceURI) ; else {
|
|
1314
1319
|
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
1315
1320
|
case 'TrustedHTML':
|
|
1316
|
-
|
|
1317
|
-
|
|
1321
|
+
{
|
|
1322
|
+
value = trustedTypesPolicy.createHTML(value);
|
|
1323
|
+
break;
|
|
1324
|
+
}
|
|
1318
1325
|
|
|
1319
1326
|
case 'TrustedScriptURL':
|
|
1320
|
-
|
|
1321
|
-
|
|
1327
|
+
{
|
|
1328
|
+
value = trustedTypesPolicy.createScriptURL(value);
|
|
1329
|
+
break;
|
|
1330
|
+
}
|
|
1322
1331
|
}
|
|
1323
1332
|
}
|
|
1324
1333
|
}
|
|
@@ -1412,15 +1421,14 @@ function createDOMPurify() {
|
|
|
1412
1421
|
|
|
1413
1422
|
|
|
1414
1423
|
if (typeof dirty !== 'string' && !_isNode(dirty)) {
|
|
1415
|
-
|
|
1416
|
-
if (typeof dirty.toString !== 'function') {
|
|
1417
|
-
throw typeErrorCreate('toString is not a function');
|
|
1418
|
-
} else {
|
|
1424
|
+
if (typeof dirty.toString === 'function') {
|
|
1419
1425
|
dirty = dirty.toString();
|
|
1420
1426
|
|
|
1421
1427
|
if (typeof dirty !== 'string') {
|
|
1422
1428
|
throw typeErrorCreate('dirty is not a string, aborting');
|
|
1423
1429
|
}
|
|
1430
|
+
} else {
|
|
1431
|
+
throw typeErrorCreate('toString is not a function');
|
|
1424
1432
|
}
|
|
1425
1433
|
}
|
|
1426
1434
|
/* Check we can run. Otherwise fall back or ignore */
|