dompurify 2.4.4 → 2.4.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +23 -15
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +23 -15
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +23 -15
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.4.
|
|
1
|
+
/*! @license DOMPurify 2.4.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
|
|
@@ -157,7 +157,9 @@
|
|
|
157
157
|
/* Add properties to a lookup table */
|
|
158
158
|
|
|
159
159
|
function addToSet(set, array, transformCaseFunc) {
|
|
160
|
-
|
|
160
|
+
var _transformCaseFunc;
|
|
161
|
+
|
|
162
|
+
transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
|
|
161
163
|
|
|
162
164
|
if (setPrototypeOf) {
|
|
163
165
|
// Make 'in' and truthy checks like Boolean(set.constructor)
|
|
@@ -328,7 +330,7 @@
|
|
|
328
330
|
*/
|
|
329
331
|
|
|
330
332
|
|
|
331
|
-
DOMPurify.version = '2.4.
|
|
333
|
+
DOMPurify.version = '2.4.6';
|
|
332
334
|
/**
|
|
333
335
|
* Array of elements that DOMPurify removed during sanitation.
|
|
334
336
|
* Empty if nothing was removed.
|
|
@@ -394,7 +396,7 @@
|
|
|
394
396
|
* Expose whether this browser supports running the full DOMPurify.
|
|
395
397
|
*/
|
|
396
398
|
|
|
397
|
-
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation &&
|
|
399
|
+
DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined && documentMode !== 9;
|
|
398
400
|
var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
|
|
399
401
|
ERB_EXPR$1 = ERB_EXPR,
|
|
400
402
|
TMPLIT_EXPR$1 = TMPLIT_EXPR,
|
|
@@ -638,6 +640,7 @@
|
|
|
638
640
|
|
|
639
641
|
IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$1;
|
|
640
642
|
NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
|
|
643
|
+
CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
|
|
641
644
|
|
|
642
645
|
if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
|
|
643
646
|
CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
|
|
@@ -1127,8 +1130,10 @@
|
|
|
1127
1130
|
|
|
1128
1131
|
return true;
|
|
1129
1132
|
}
|
|
1133
|
+
/* Make sure that older browsers don't get fallback-tag mXSS */
|
|
1134
|
+
|
|
1130
1135
|
|
|
1131
|
-
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
|
|
1136
|
+
if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
|
|
1132
1137
|
_forceRemove(currentNode);
|
|
1133
1138
|
|
|
1134
1139
|
return true;
|
|
@@ -1190,9 +1195,9 @@
|
|
|
1190
1195
|
}
|
|
1191
1196
|
/* Check value is safe. First, is attr inert? If so, is safe */
|
|
1192
1197
|
|
|
1193
|
-
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (
|
|
1198
|
+
} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (value) {
|
|
1194
1199
|
return false;
|
|
1195
|
-
}
|
|
1200
|
+
} else ;
|
|
1196
1201
|
|
|
1197
1202
|
return true;
|
|
1198
1203
|
};
|
|
@@ -1319,12 +1324,16 @@
|
|
|
1319
1324
|
if (namespaceURI) ; else {
|
|
1320
1325
|
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
1321
1326
|
case 'TrustedHTML':
|
|
1322
|
-
|
|
1323
|
-
|
|
1327
|
+
{
|
|
1328
|
+
value = trustedTypesPolicy.createHTML(value);
|
|
1329
|
+
break;
|
|
1330
|
+
}
|
|
1324
1331
|
|
|
1325
1332
|
case 'TrustedScriptURL':
|
|
1326
|
-
|
|
1327
|
-
|
|
1333
|
+
{
|
|
1334
|
+
value = trustedTypesPolicy.createScriptURL(value);
|
|
1335
|
+
break;
|
|
1336
|
+
}
|
|
1328
1337
|
}
|
|
1329
1338
|
}
|
|
1330
1339
|
}
|
|
@@ -1418,15 +1427,14 @@
|
|
|
1418
1427
|
|
|
1419
1428
|
|
|
1420
1429
|
if (typeof dirty !== 'string' && !_isNode(dirty)) {
|
|
1421
|
-
|
|
1422
|
-
if (typeof dirty.toString !== 'function') {
|
|
1423
|
-
throw typeErrorCreate('toString is not a function');
|
|
1424
|
-
} else {
|
|
1430
|
+
if (typeof dirty.toString === 'function') {
|
|
1425
1431
|
dirty = dirty.toString();
|
|
1426
1432
|
|
|
1427
1433
|
if (typeof dirty !== 'string') {
|
|
1428
1434
|
throw typeErrorCreate('dirty is not a string, aborting');
|
|
1429
1435
|
}
|
|
1436
|
+
} else {
|
|
1437
|
+
throw typeErrorCreate('toString is not a function');
|
|
1430
1438
|
}
|
|
1431
1439
|
}
|
|
1432
1440
|
/* Check we can run. Otherwise fall back or ignore */
|