dompurify 2.5.2 → 2.5.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +25 -8
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +25 -8
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +25 -8
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.3.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.3 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.3/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -112,6 +112,7 @@ var stringIndexOf = unapply(String.prototype.indexOf);
|
|
|
112
112
|
var stringTrim = unapply(String.prototype.trim);
|
|
113
113
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
114
114
|
var typeErrorCreate = unconstruct(TypeError);
|
|
115
|
+
var numberIsNaN = unapply(Number.isNaN);
|
|
115
116
|
function unapply(func) {
|
|
116
117
|
return function (thisArg) {
|
|
117
118
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -283,7 +284,7 @@ function createDOMPurify() {
|
|
|
283
284
|
* Version label, exposed for easier checks
|
|
284
285
|
* if DOMPurify is up to date or not
|
|
285
286
|
*/
|
|
286
|
-
DOMPurify.version = '2.5.
|
|
287
|
+
DOMPurify.version = '2.5.3';
|
|
287
288
|
|
|
288
289
|
/**
|
|
289
290
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -1065,7 +1066,7 @@ function createDOMPurify() {
|
|
|
1065
1066
|
// eslint-disable-next-line complexity
|
|
1066
1067
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1067
1068
|
/* Make sure attribute cannot clobber */
|
|
1068
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1069
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement || value === '__depth' || value === '__removalCount')) {
|
|
1069
1070
|
return false;
|
|
1070
1071
|
}
|
|
1071
1072
|
|
|
@@ -1167,6 +1168,12 @@ function createDOMPurify() {
|
|
|
1167
1168
|
continue;
|
|
1168
1169
|
}
|
|
1169
1170
|
|
|
1171
|
+
/* Work around a security issue with comments inside attributes */
|
|
1172
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1173
|
+
_removeAttribute(name, currentNode);
|
|
1174
|
+
continue;
|
|
1175
|
+
}
|
|
1176
|
+
|
|
1170
1177
|
/* Sanitize attribute content to be template-safe */
|
|
1171
1178
|
if (SAFE_FOR_TEMPLATES) {
|
|
1172
1179
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1217,7 +1224,11 @@ function createDOMPurify() {
|
|
|
1217
1224
|
/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
|
|
1218
1225
|
currentNode.setAttribute(name, value);
|
|
1219
1226
|
}
|
|
1220
|
-
|
|
1227
|
+
if (_isClobbered(currentNode)) {
|
|
1228
|
+
_forceRemove(currentNode);
|
|
1229
|
+
} else {
|
|
1230
|
+
arrayPop(DOMPurify.removed);
|
|
1231
|
+
}
|
|
1221
1232
|
} catch (_) {}
|
|
1222
1233
|
}
|
|
1223
1234
|
|
|
@@ -1259,8 +1270,11 @@ function createDOMPurify() {
|
|
|
1259
1270
|
}
|
|
1260
1271
|
}
|
|
1261
1272
|
|
|
1262
|
-
/*
|
|
1263
|
-
|
|
1273
|
+
/*
|
|
1274
|
+
* Remove an element if nested too deeply to avoid mXSS
|
|
1275
|
+
* or if the __depth might have been tampered with
|
|
1276
|
+
*/
|
|
1277
|
+
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1264
1278
|
_forceRemove(shadowNode);
|
|
1265
1279
|
}
|
|
1266
1280
|
|
|
@@ -1411,8 +1425,11 @@ function createDOMPurify() {
|
|
|
1411
1425
|
}
|
|
1412
1426
|
}
|
|
1413
1427
|
|
|
1414
|
-
/*
|
|
1415
|
-
|
|
1428
|
+
/*
|
|
1429
|
+
* Remove an element if nested too deeply to avoid mXSS
|
|
1430
|
+
* or if the __depth might have been tampered with
|
|
1431
|
+
*/
|
|
1432
|
+
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1416
1433
|
_forceRemove(currentNode);
|
|
1417
1434
|
}
|
|
1418
1435
|
|