dompurify 2.5.0 → 2.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +50 -5
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +50 -5
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +50 -5
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.2.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.2 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.2/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -283,7 +283,7 @@ function createDOMPurify() {
|
|
|
283
283
|
* Version label, exposed for easier checks
|
|
284
284
|
* if DOMPurify is up to date or not
|
|
285
285
|
*/
|
|
286
|
-
DOMPurify.version = '2.5.
|
|
286
|
+
DOMPurify.version = '2.5.2';
|
|
287
287
|
|
|
288
288
|
/**
|
|
289
289
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -509,6 +509,9 @@ function createDOMPurify() {
|
|
|
509
509
|
/* Keep a reference to config to pass to hooks */
|
|
510
510
|
var CONFIG = null;
|
|
511
511
|
|
|
512
|
+
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
513
|
+
var MAX_NESTING_DEPTH = 255;
|
|
514
|
+
|
|
512
515
|
/* Ideally, do not touch anything below this line */
|
|
513
516
|
/* ______________________________________________ */
|
|
514
517
|
|
|
@@ -670,7 +673,7 @@ function createDOMPurify() {
|
|
|
670
673
|
CONFIG = cfg;
|
|
671
674
|
};
|
|
672
675
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
673
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', '
|
|
676
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'annotation-xml']);
|
|
674
677
|
|
|
675
678
|
// Certain elements are allowed in both SVG and HTML
|
|
676
679
|
// namespace. We need to specify them explicitly
|
|
@@ -903,7 +906,7 @@ function createDOMPurify() {
|
|
|
903
906
|
* @return {Boolean} true if clobbered, false if safe
|
|
904
907
|
*/
|
|
905
908
|
var _isClobbered = function _isClobbered(elm) {
|
|
906
|
-
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
909
|
+
return elm instanceof HTMLFormElement && (typeof elm.__depth !== 'undefined' && typeof elm.__depth !== 'number' || typeof elm.__removalCount !== 'undefined' && typeof elm.__removalCount !== 'number' || typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
907
910
|
};
|
|
908
911
|
|
|
909
912
|
/**
|
|
@@ -1009,7 +1012,9 @@ function createDOMPurify() {
|
|
|
1009
1012
|
if (childNodes && parentNode) {
|
|
1010
1013
|
var childCount = childNodes.length;
|
|
1011
1014
|
for (var i = childCount - 1; i >= 0; --i) {
|
|
1012
|
-
|
|
1015
|
+
var childClone = cloneNode(childNodes[i], true);
|
|
1016
|
+
childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
|
|
1017
|
+
parentNode.insertBefore(childClone, getNextSibling(currentNode));
|
|
1013
1018
|
}
|
|
1014
1019
|
}
|
|
1015
1020
|
}
|
|
@@ -1239,9 +1244,29 @@ function createDOMPurify() {
|
|
|
1239
1244
|
if (_sanitizeElements(shadowNode)) {
|
|
1240
1245
|
continue;
|
|
1241
1246
|
}
|
|
1247
|
+
var parentNode = getParentNode(shadowNode);
|
|
1248
|
+
|
|
1249
|
+
/* Set the nesting depth of an element */
|
|
1250
|
+
if (shadowNode.nodeType === 1) {
|
|
1251
|
+
if (parentNode && parentNode.__depth) {
|
|
1252
|
+
/*
|
|
1253
|
+
We want the depth of the node in the original tree, which can
|
|
1254
|
+
change when it's removed from its parent.
|
|
1255
|
+
*/
|
|
1256
|
+
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1257
|
+
} else {
|
|
1258
|
+
shadowNode.__depth = 1;
|
|
1259
|
+
}
|
|
1260
|
+
}
|
|
1261
|
+
|
|
1262
|
+
/* Remove an element if nested too deeply to avoid mXSS */
|
|
1263
|
+
if (shadowNode.__depth >= MAX_NESTING_DEPTH) {
|
|
1264
|
+
_forceRemove(shadowNode);
|
|
1265
|
+
}
|
|
1242
1266
|
|
|
1243
1267
|
/* Deep shadow DOM detected */
|
|
1244
1268
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1269
|
+
shadowNode.content.__depth = shadowNode.__depth;
|
|
1245
1270
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1246
1271
|
}
|
|
1247
1272
|
|
|
@@ -1371,9 +1396,29 @@ function createDOMPurify() {
|
|
|
1371
1396
|
if (_sanitizeElements(currentNode)) {
|
|
1372
1397
|
continue;
|
|
1373
1398
|
}
|
|
1399
|
+
var parentNode = getParentNode(currentNode);
|
|
1400
|
+
|
|
1401
|
+
/* Set the nesting depth of an element */
|
|
1402
|
+
if (currentNode.nodeType === 1) {
|
|
1403
|
+
if (parentNode && parentNode.__depth) {
|
|
1404
|
+
/*
|
|
1405
|
+
We want the depth of the node in the original tree, which can
|
|
1406
|
+
change when it's removed from its parent.
|
|
1407
|
+
*/
|
|
1408
|
+
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1409
|
+
} else {
|
|
1410
|
+
currentNode.__depth = 1;
|
|
1411
|
+
}
|
|
1412
|
+
}
|
|
1413
|
+
|
|
1414
|
+
/* Remove an element if nested too deeply to avoid mXSS */
|
|
1415
|
+
if (currentNode.__depth >= MAX_NESTING_DEPTH) {
|
|
1416
|
+
_forceRemove(currentNode);
|
|
1417
|
+
}
|
|
1374
1418
|
|
|
1375
1419
|
/* Shadow DOM detected, sanitize it */
|
|
1376
1420
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1421
|
+
currentNode.content.__depth = currentNode.__depth;
|
|
1377
1422
|
_sanitizeShadowDOM(currentNode.content);
|
|
1378
1423
|
}
|
|
1379
1424
|
|