dompurify 2.5.1 → 2.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +32 -13
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +32 -13
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +32 -13
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.3.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.3 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.3/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -112,6 +112,7 @@ var stringIndexOf = unapply(String.prototype.indexOf);
|
|
|
112
112
|
var stringTrim = unapply(String.prototype.trim);
|
|
113
113
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
114
114
|
var typeErrorCreate = unconstruct(TypeError);
|
|
115
|
+
var numberIsNaN = unapply(Number.isNaN);
|
|
115
116
|
function unapply(func) {
|
|
116
117
|
return function (thisArg) {
|
|
117
118
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -283,7 +284,7 @@ function createDOMPurify() {
|
|
|
283
284
|
* Version label, exposed for easier checks
|
|
284
285
|
* if DOMPurify is up to date or not
|
|
285
286
|
*/
|
|
286
|
-
DOMPurify.version = '2.5.
|
|
287
|
+
DOMPurify.version = '2.5.3';
|
|
287
288
|
|
|
288
289
|
/**
|
|
289
290
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -673,7 +674,7 @@ function createDOMPurify() {
|
|
|
673
674
|
CONFIG = cfg;
|
|
674
675
|
};
|
|
675
676
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
676
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', '
|
|
677
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'annotation-xml']);
|
|
677
678
|
|
|
678
679
|
// Certain elements are allowed in both SVG and HTML
|
|
679
680
|
// namespace. We need to specify them explicitly
|
|
@@ -1065,7 +1066,7 @@ function createDOMPurify() {
|
|
|
1065
1066
|
// eslint-disable-next-line complexity
|
|
1066
1067
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1067
1068
|
/* Make sure attribute cannot clobber */
|
|
1068
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1069
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement || value === '__depth' || value === '__removalCount')) {
|
|
1069
1070
|
return false;
|
|
1070
1071
|
}
|
|
1071
1072
|
|
|
@@ -1167,6 +1168,12 @@ function createDOMPurify() {
|
|
|
1167
1168
|
continue;
|
|
1168
1169
|
}
|
|
1169
1170
|
|
|
1171
|
+
/* Work around a security issue with comments inside attributes */
|
|
1172
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1173
|
+
_removeAttribute(name, currentNode);
|
|
1174
|
+
continue;
|
|
1175
|
+
}
|
|
1176
|
+
|
|
1170
1177
|
/* Sanitize attribute content to be template-safe */
|
|
1171
1178
|
if (SAFE_FOR_TEMPLATES) {
|
|
1172
1179
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1217,7 +1224,11 @@ function createDOMPurify() {
|
|
|
1217
1224
|
/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
|
|
1218
1225
|
currentNode.setAttribute(name, value);
|
|
1219
1226
|
}
|
|
1220
|
-
|
|
1227
|
+
if (_isClobbered(currentNode)) {
|
|
1228
|
+
_forceRemove(currentNode);
|
|
1229
|
+
} else {
|
|
1230
|
+
arrayPop(DOMPurify.removed);
|
|
1231
|
+
}
|
|
1221
1232
|
} catch (_) {}
|
|
1222
1233
|
}
|
|
1223
1234
|
|
|
@@ -1244,22 +1255,26 @@ function createDOMPurify() {
|
|
|
1244
1255
|
if (_sanitizeElements(shadowNode)) {
|
|
1245
1256
|
continue;
|
|
1246
1257
|
}
|
|
1258
|
+
var parentNode = getParentNode(shadowNode);
|
|
1247
1259
|
|
|
1248
1260
|
/* Set the nesting depth of an element */
|
|
1249
1261
|
if (shadowNode.nodeType === 1) {
|
|
1250
|
-
if (
|
|
1262
|
+
if (parentNode && parentNode.__depth) {
|
|
1251
1263
|
/*
|
|
1252
1264
|
We want the depth of the node in the original tree, which can
|
|
1253
1265
|
change when it's removed from its parent.
|
|
1254
1266
|
*/
|
|
1255
|
-
shadowNode.__depth = (shadowNode.__removalCount || 0) +
|
|
1267
|
+
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1256
1268
|
} else {
|
|
1257
1269
|
shadowNode.__depth = 1;
|
|
1258
1270
|
}
|
|
1259
1271
|
}
|
|
1260
1272
|
|
|
1261
|
-
/*
|
|
1262
|
-
|
|
1273
|
+
/*
|
|
1274
|
+
* Remove an element if nested too deeply to avoid mXSS
|
|
1275
|
+
* or if the __depth might have been tampered with
|
|
1276
|
+
*/
|
|
1277
|
+
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1263
1278
|
_forceRemove(shadowNode);
|
|
1264
1279
|
}
|
|
1265
1280
|
|
|
@@ -1395,22 +1410,26 @@ function createDOMPurify() {
|
|
|
1395
1410
|
if (_sanitizeElements(currentNode)) {
|
|
1396
1411
|
continue;
|
|
1397
1412
|
}
|
|
1413
|
+
var parentNode = getParentNode(currentNode);
|
|
1398
1414
|
|
|
1399
1415
|
/* Set the nesting depth of an element */
|
|
1400
1416
|
if (currentNode.nodeType === 1) {
|
|
1401
|
-
if (
|
|
1417
|
+
if (parentNode && parentNode.__depth) {
|
|
1402
1418
|
/*
|
|
1403
1419
|
We want the depth of the node in the original tree, which can
|
|
1404
1420
|
change when it's removed from its parent.
|
|
1405
1421
|
*/
|
|
1406
|
-
currentNode.__depth = (currentNode.__removalCount || 0) +
|
|
1422
|
+
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1407
1423
|
} else {
|
|
1408
1424
|
currentNode.__depth = 1;
|
|
1409
1425
|
}
|
|
1410
1426
|
}
|
|
1411
1427
|
|
|
1412
|
-
/*
|
|
1413
|
-
|
|
1428
|
+
/*
|
|
1429
|
+
* Remove an element if nested too deeply to avoid mXSS
|
|
1430
|
+
* or if the __depth might have been tampered with
|
|
1431
|
+
*/
|
|
1432
|
+
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1414
1433
|
_forceRemove(currentNode);
|
|
1415
1434
|
}
|
|
1416
1435
|
|