dompurify 2.4.5 → 2.4.6
- package/README.md +1 -1
- package/dist/purify.cjs.js +22 -15
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +22 -15
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +22 -15
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
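--- a/package/dist/purify.es.js
+++ b/package/dist/purify.es.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.
+/*! @license DOMPurify 2.4.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.6/LICENSE */
 
 function _typeof(obj) {
 "@babel/helpers - typeof";
@@ -151,7 +151,9 @@ function unconstruct(func) {
 /* Add properties to a lookup table */
 
 function addToSet(set, array, transformCaseFunc) {
-
+var _transformCaseFunc;
+
+transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
 
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
@@ -322,7 +324,7 @@ function createDOMPurify() {
 */
 
 
-DOMPurify.version = '2.4.
+DOMPurify.version = '2.4.6';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -388,7 +390,7 @@ function createDOMPurify() {
 * Expose whether this browser supports running the full DOMPurify.
 */
 
-DOMPurify.isSupported = typeof getParentNode === 'function' && implementation &&
+DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined && documentMode !== 9;
 var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
 ERB_EXPR$1 = ERB_EXPR,
 TMPLIT_EXPR$1 = TMPLIT_EXPR,
@@ -1122,8 +1124,10 @@ function createDOMPurify() {
 
 return true;
 }
+/* Make sure that older browsers don't get fallback-tag mXSS */
+
 
-if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
+if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
 _forceRemove(currentNode);
 
 return true;
@@ -1185,9 +1189,9 @@ function createDOMPurify() {
 }
 /* Check value is safe. First, is attr inert? If so, is safe */
 
-} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (
+} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (value) {
 return false;
-}
+} else ;
 
 return true;
 };
@@ -1314,12 +1318,16 @@ function createDOMPurify() {
 if (namespaceURI) ; else {
 switch (trustedTypes.getAttributeType(lcTag, lcName)) {
 case 'TrustedHTML':
-
-
+{
+value = trustedTypesPolicy.createHTML(value);
+break;
+}
 
 case 'TrustedScriptURL':
-
-
+{
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
 }
 }
 }
@@ -1413,15 +1421,14 @@ function createDOMPurify() {
 
 
 if (typeof dirty !== 'string' && !_isNode(dirty)) {
-
-if (typeof dirty.toString !== 'function') {
-throw typeErrorCreate('toString is not a function');
-} else {
+if (typeof dirty.toString === 'function') {
 dirty = dirty.toString();
 
 if (typeof dirty !== 'string') {
 throw typeErrorCreate('dirty is not a string, aborting');
 }
+} else {
+throw typeErrorCreate('toString is not a function');
 }
 }
 /* Check we can run. Otherwise fall back or ignore */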
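Review bot: In the hunk at `@@ -1122,8 +1124,10 @@` the fallback-tag list is now written out twice, once in the `tagName === 'noscript' || … 'noframes'` chain and once in the `/<\/no(script|embed|frames)/i` alternation, so a tag added to one side later can be missed on the other; deriving both from a single table would keep them in step. The regex is also not tied to the element being inspected (a `</noscript` inside a `noframes` node triggers removal too), which fails closed and looks intentional, but the new comment does not record it; something like `/* Remove any noscript/noembed/noframes node whose serialized content contains a fallback closing tag; matching any of the three is deliberately conservative */` would. The enclosing function starts and ends outside the hunk, and the file list shows the same +22 -15 change in `purify.cjs.js` and `purify.js`, whose sections are not visible here.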