dompurify 2.4.7 → 2.4.9

package/README.md

@@ -10,7 +10,7 @@ It's also very simple to use and get started with. DOMPurify was [started in Feb
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
 
-**Note that DOMPurify v2.4.7 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
+**Note that DOMPurify v2.4.9 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
 
 Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
 

package/dist/purify.cjs.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 2.4.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.7/LICENSE */
+/*! @license DOMPurify 2.4.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.4.9/LICENSE */
 
 'use strict';
 
@@ -265,6 +265,7 @@ var IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
 var ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 var DOCTYPE_NAME = seal(/^html$/i);
+var CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
 
 var getGlobal = function getGlobal() {
   return typeof window === 'undefined' ? null : window;
@@ -326,7 +327,7 @@ function createDOMPurify() {
    */
 
 
-  DOMPurify.version = '2.4.7';
+  DOMPurify.version = '2.4.9';
   /**
    * Array of elements that DOMPurify removed during sanitation.
    * Empty if nothing was removed.
@@ -399,7 +400,8 @@ function createDOMPurify() {
       DATA_ATTR$1 = DATA_ATTR,
       ARIA_ATTR$1 = ARIA_ATTR,
       IS_SCRIPT_OR_DATA$1 = IS_SCRIPT_OR_DATA,
-      ATTR_WHITESPACE$1 = ATTR_WHITESPACE;
+      ATTR_WHITESPACE$1 = ATTR_WHITESPACE,
+      CUSTOM_ELEMENT$1 = CUSTOM_ELEMENT;
   var IS_ALLOWED_URI$1 = IS_ALLOWED_URI;
   /**
    * We consider the elements and attributes below to be safe. Ideally
@@ -987,7 +989,7 @@ function createDOMPurify() {
 
   var _createIterator = function _createIterator(root) {
     return createNodeIterator.call(root.ownerDocument || root, root, // eslint-disable-next-line no-bitwise
-    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null, false);
+    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null, false);
   };
   /**
    * _isClobbered
@@ -1089,6 +1091,14 @@ function createDOMPurify() {
 
       return true;
     }
+    /* Remove any ocurrence of processing instructions */
+
+
+    if (currentNode.nodeType === 7) {
+      _forceRemove(currentNode);
+
+      return true;
+    }
     /* Remove element if anything forbids its presence */
 
 
@@ -1206,7 +1216,7 @@ function createDOMPurify() {
 
 
   var _basicCustomElementTest = function _basicCustomElementTest(tagName) {
-    return tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT$1);
   };
   /**
    * _sanitizeAttributes