dompurify 2.4.5 → 2.4.7
- package/LICENSE +202 -12
- package/README.md +1 -1
- package/dist/purify.cjs.js +22 -15
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +22 -15
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +22 -15
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
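--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.
+/*! @license DOMPurify 2.4.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.7/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -157,7 +157,9 @@
 /* Add properties to a lookup table */
 
 function addToSet(set, array, transformCaseFunc) {
-
+var _transformCaseFunc;
+
+transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
 
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
@@ -328,7 +330,7 @@
 */
 
 
-DOMPurify.version = '2.4.
+DOMPurify.version = '2.4.7';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -394,7 +396,7 @@
 * Expose whether this browser supports running the full DOMPurify.
 */
 
-DOMPurify.isSupported = typeof getParentNode === 'function' && implementation &&
+DOMPurify.isSupported = typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined && documentMode !== 9;
 var MUSTACHE_EXPR$1 = MUSTACHE_EXPR,
 ERB_EXPR$1 = ERB_EXPR,
 TMPLIT_EXPR$1 = TMPLIT_EXPR,
@@ -1128,8 +1130,10 @@
 
 return true;
 }
+/* Make sure that older browsers don't get fallback-tag mXSS */
+
 
-if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) {
+if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
 _forceRemove(currentNode);
 
 return true;
@@ -1191,9 +1195,9 @@
 }
 /* Check value is safe. First, is attr inert? If so, is safe */
 
-} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (
+} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$1, stringReplace(value, ATTR_WHITESPACE$1, ''))) ; else if (value) {
 return false;
-}
+} else ;
 
 return true;
 };
@@ -1320,12 +1324,16 @@
 if (namespaceURI) ; else {
 switch (trustedTypes.getAttributeType(lcTag, lcName)) {
 case 'TrustedHTML':
-
-
+{
+value = trustedTypesPolicy.createHTML(value);
+break;
+}
 
 case 'TrustedScriptURL':
-
-
+{
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
 }
 }
 }
@@ -1419,15 +1427,14 @@
 
 
 if (typeof dirty !== 'string' && !_isNode(dirty)) {
-
-if (typeof dirty.toString !== 'function') {
-throw typeErrorCreate('toString is not a function');
-} else {
+if (typeof dirty.toString === 'function') {
 dirty = dirty.toString();
 
 if (typeof dirty !== 'string') {
 throw typeErrorCreate('dirty is not a string, aborting');
 }
+} else {
+throw typeErrorCreate('toString is not a function');
 }
 }
 /* Check we can run. Otherwise fall back or ignore */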
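Review bot: In the `@@ -1128,8 +1130,10 @@` hunk the set of fallback tags is spelled out twice, once in the `tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes'` chain and once in the `/<\/no(script|embed|frames)/i` alternation, and nothing on the new side says the two must stay in step. If a later change extends only one of them, the new tag is either never checked or is checked without its own closing sequence. The added comment could say so, for example `/* Remove noscript/noembed/noframes whose innerHTML contains a closing fallback tag; keep the tagName list and the regex alternation identical */`. The enclosing function starts and ends outside the hunk, and because this file looks like the built bundle, the comment presumably belongs in the source it is generated from.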