dompurify 2.5.0 → 2.5.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +47 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +47 -4
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +47 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.es.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.1/LICENSE */
|
|
2
2
|
|
|
3
3
|
function _typeof(obj) {
|
|
4
4
|
"@babel/helpers - typeof";
|
|
@@ -281,7 +281,7 @@ function createDOMPurify() {
|
|
|
281
281
|
* Version label, exposed for easier checks
|
|
282
282
|
* if DOMPurify is up to date or not
|
|
283
283
|
*/
|
|
284
|
-
DOMPurify.version = '2.5.
|
|
284
|
+
DOMPurify.version = '2.5.1';
|
|
285
285
|
|
|
286
286
|
/**
|
|
287
287
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -507,6 +507,9 @@ function createDOMPurify() {
|
|
|
507
507
|
/* Keep a reference to config to pass to hooks */
|
|
508
508
|
var CONFIG = null;
|
|
509
509
|
|
|
510
|
+
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
511
|
+
var MAX_NESTING_DEPTH = 255;
|
|
512
|
+
|
|
510
513
|
/* Ideally, do not touch anything below this line */
|
|
511
514
|
/* ______________________________________________ */
|
|
512
515
|
|
|
@@ -901,7 +904,7 @@ function createDOMPurify() {
|
|
|
901
904
|
* @return {Boolean} true if clobbered, false if safe
|
|
902
905
|
*/
|
|
903
906
|
var _isClobbered = function _isClobbered(elm) {
|
|
904
|
-
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
907
|
+
return elm instanceof HTMLFormElement && (typeof elm.__depth !== 'undefined' && typeof elm.__depth !== 'number' || typeof elm.__removalCount !== 'undefined' && typeof elm.__removalCount !== 'number' || typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
905
908
|
};
|
|
906
909
|
|
|
907
910
|
/**
|
|
@@ -1007,7 +1010,9 @@ function createDOMPurify() {
|
|
|
1007
1010
|
if (childNodes && parentNode) {
|
|
1008
1011
|
var childCount = childNodes.length;
|
|
1009
1012
|
for (var i = childCount - 1; i >= 0; --i) {
|
|
1010
|
-
|
|
1013
|
+
var childClone = cloneNode(childNodes[i], true);
|
|
1014
|
+
childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
|
|
1015
|
+
parentNode.insertBefore(childClone, getNextSibling(currentNode));
|
|
1011
1016
|
}
|
|
1012
1017
|
}
|
|
1013
1018
|
}
|
|
@@ -1238,8 +1243,27 @@ function createDOMPurify() {
|
|
|
1238
1243
|
continue;
|
|
1239
1244
|
}
|
|
1240
1245
|
|
|
1246
|
+
/* Set the nesting depth of an element */
|
|
1247
|
+
if (shadowNode.nodeType === 1) {
|
|
1248
|
+
if (shadowNode.parentNode && shadowNode.parentNode.__depth) {
|
|
1249
|
+
/*
|
|
1250
|
+
We want the depth of the node in the original tree, which can
|
|
1251
|
+
change when it's removed from its parent.
|
|
1252
|
+
*/
|
|
1253
|
+
shadowNode.__depth = (shadowNode.__removalCount || 0) + shadowNode.parentNode.__depth + 1;
|
|
1254
|
+
} else {
|
|
1255
|
+
shadowNode.__depth = 1;
|
|
1256
|
+
}
|
|
1257
|
+
}
|
|
1258
|
+
|
|
1259
|
+
/* Remove an element if nested too deeply to avoid mXSS */
|
|
1260
|
+
if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
|
|
1261
|
+
_forceRemove(shadowNode);
|
|
1262
|
+
}
|
|
1263
|
+
|
|
1241
1264
|
/* Deep shadow DOM detected */
|
|
1242
1265
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1266
|
+
shadowNode.content.__depth = shadowNode.__depth;
|
|
1243
1267
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1244
1268
|
}
|
|
1245
1269
|
|
|
@@ -1370,8 +1394,27 @@ function createDOMPurify() {
|
|
|
1370
1394
|
continue;
|
|
1371
1395
|
}
|
|
1372
1396
|
|
|
1397
|
+
/* Set the nesting depth of an element */
|
|
1398
|
+
if (currentNode.nodeType === 1) {
|
|
1399
|
+
if (currentNode.parentNode && currentNode.parentNode.__depth) {
|
|
1400
|
+
/*
|
|
1401
|
+
We want the depth of the node in the original tree, which can
|
|
1402
|
+
change when it's removed from its parent.
|
|
1403
|
+
*/
|
|
1404
|
+
currentNode.__depth = (currentNode.__removalCount || 0) + currentNode.parentNode.__depth + 1;
|
|
1405
|
+
} else {
|
|
1406
|
+
currentNode.__depth = 1;
|
|
1407
|
+
}
|
|
1408
|
+
}
|
|
1409
|
+
|
|
1410
|
+
/* Remove an element if nested too deeply to avoid mXSS */
|
|
1411
|
+
if (currentNode.__depth >= MAX_NESTING_DEPTH) {
|
|
1412
|
+
_forceRemove(currentNode);
|
|
1413
|
+
}
|
|
1414
|
+
|
|
1373
1415
|
/* Shadow DOM detected, sanitize it */
|
|
1374
1416
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1417
|
+
currentNode.content.__depth = currentNode.__depth;
|
|
1375
1418
|
_sanitizeShadowDOM(currentNode.content);
|
|
1376
1419
|
}
|
|
1377
1420
|
|