dompurify 2.5.3 → 2.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +4 -54
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +4 -54
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +4 -54
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.5.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.5 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.5/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -112,7 +112,6 @@ var stringIndexOf = unapply(String.prototype.indexOf);
|
|
|
112
112
|
var stringTrim = unapply(String.prototype.trim);
|
|
113
113
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
114
114
|
var typeErrorCreate = unconstruct(TypeError);
|
|
115
|
-
var numberIsNaN = unapply(Number.isNaN);
|
|
116
115
|
function unapply(func) {
|
|
117
116
|
return function (thisArg) {
|
|
118
117
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -284,7 +283,7 @@ function createDOMPurify() {
|
|
|
284
283
|
* Version label, exposed for easier checks
|
|
285
284
|
* if DOMPurify is up to date or not
|
|
286
285
|
*/
|
|
287
|
-
DOMPurify.version = '2.5.
|
|
286
|
+
DOMPurify.version = '2.5.5';
|
|
288
287
|
|
|
289
288
|
/**
|
|
290
289
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -510,9 +509,6 @@ function createDOMPurify() {
|
|
|
510
509
|
/* Keep a reference to config to pass to hooks */
|
|
511
510
|
var CONFIG = null;
|
|
512
511
|
|
|
513
|
-
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
514
|
-
var MAX_NESTING_DEPTH = 255;
|
|
515
|
-
|
|
516
512
|
/* Ideally, do not touch anything below this line */
|
|
517
513
|
/* ______________________________________________ */
|
|
518
514
|
|
|
@@ -907,7 +903,7 @@ function createDOMPurify() {
|
|
|
907
903
|
* @return {Boolean} true if clobbered, false if safe
|
|
908
904
|
*/
|
|
909
905
|
var _isClobbered = function _isClobbered(elm) {
|
|
910
|
-
return elm instanceof HTMLFormElement && (typeof elm.
|
|
906
|
+
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
911
907
|
};
|
|
912
908
|
|
|
913
909
|
/**
|
|
@@ -1066,7 +1062,7 @@ function createDOMPurify() {
|
|
|
1066
1062
|
// eslint-disable-next-line complexity
|
|
1067
1063
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1068
1064
|
/* Make sure attribute cannot clobber */
|
|
1069
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement
|
|
1065
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1070
1066
|
return false;
|
|
1071
1067
|
}
|
|
1072
1068
|
|
|
@@ -1255,32 +1251,9 @@ function createDOMPurify() {
|
|
|
1255
1251
|
if (_sanitizeElements(shadowNode)) {
|
|
1256
1252
|
continue;
|
|
1257
1253
|
}
|
|
1258
|
-
var parentNode = getParentNode(shadowNode);
|
|
1259
|
-
|
|
1260
|
-
/* Set the nesting depth of an element */
|
|
1261
|
-
if (shadowNode.nodeType === 1) {
|
|
1262
|
-
if (parentNode && parentNode.__depth) {
|
|
1263
|
-
/*
|
|
1264
|
-
We want the depth of the node in the original tree, which can
|
|
1265
|
-
change when it's removed from its parent.
|
|
1266
|
-
*/
|
|
1267
|
-
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1268
|
-
} else {
|
|
1269
|
-
shadowNode.__depth = 1;
|
|
1270
|
-
}
|
|
1271
|
-
}
|
|
1272
|
-
|
|
1273
|
-
/*
|
|
1274
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1275
|
-
* or if the __depth might have been tampered with
|
|
1276
|
-
*/
|
|
1277
|
-
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1278
|
-
_forceRemove(shadowNode);
|
|
1279
|
-
}
|
|
1280
1254
|
|
|
1281
1255
|
/* Deep shadow DOM detected */
|
|
1282
1256
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1283
|
-
shadowNode.content.__depth = shadowNode.__depth;
|
|
1284
1257
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1285
1258
|
}
|
|
1286
1259
|
|
|
@@ -1410,32 +1383,9 @@ function createDOMPurify() {
|
|
|
1410
1383
|
if (_sanitizeElements(currentNode)) {
|
|
1411
1384
|
continue;
|
|
1412
1385
|
}
|
|
1413
|
-
var parentNode = getParentNode(currentNode);
|
|
1414
|
-
|
|
1415
|
-
/* Set the nesting depth of an element */
|
|
1416
|
-
if (currentNode.nodeType === 1) {
|
|
1417
|
-
if (parentNode && parentNode.__depth) {
|
|
1418
|
-
/*
|
|
1419
|
-
We want the depth of the node in the original tree, which can
|
|
1420
|
-
change when it's removed from its parent.
|
|
1421
|
-
*/
|
|
1422
|
-
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1423
|
-
} else {
|
|
1424
|
-
currentNode.__depth = 1;
|
|
1425
|
-
}
|
|
1426
|
-
}
|
|
1427
|
-
|
|
1428
|
-
/*
|
|
1429
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1430
|
-
* or if the __depth might have been tampered with
|
|
1431
|
-
*/
|
|
1432
|
-
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1433
|
-
_forceRemove(currentNode);
|
|
1434
|
-
}
|
|
1435
1386
|
|
|
1436
1387
|
/* Shadow DOM detected, sanitize it */
|
|
1437
1388
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1438
|
-
currentNode.content.__depth = currentNode.__depth;
|
|
1439
1389
|
_sanitizeShadowDOM(currentNode.content);
|
|
1440
1390
|
}
|
|
1441
1391
|
|