dompurify 2.5.4 → 2.5.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +4 -57
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +4 -57
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +4 -57
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.5.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.5 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.5/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -112,10 +112,6 @@ var stringIndexOf = unapply(String.prototype.indexOf);
|
|
|
112
112
|
var stringTrim = unapply(String.prototype.trim);
|
|
113
113
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
114
114
|
var typeErrorCreate = unconstruct(TypeError);
|
|
115
|
-
function numberIsNaN(x) {
|
|
116
|
-
// eslint-disable-next-line unicorn/prefer-number-properties
|
|
117
|
-
return typeof x === 'number' && isNaN(x);
|
|
118
|
-
}
|
|
119
115
|
function unapply(func) {
|
|
120
116
|
return function (thisArg) {
|
|
121
117
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -287,7 +283,7 @@ function createDOMPurify() {
|
|
|
287
283
|
* Version label, exposed for easier checks
|
|
288
284
|
* if DOMPurify is up to date or not
|
|
289
285
|
*/
|
|
290
|
-
DOMPurify.version = '2.5.
|
|
286
|
+
DOMPurify.version = '2.5.5';
|
|
291
287
|
|
|
292
288
|
/**
|
|
293
289
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -513,9 +509,6 @@ function createDOMPurify() {
|
|
|
513
509
|
/* Keep a reference to config to pass to hooks */
|
|
514
510
|
var CONFIG = null;
|
|
515
511
|
|
|
516
|
-
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
517
|
-
var MAX_NESTING_DEPTH = 255;
|
|
518
|
-
|
|
519
512
|
/* Ideally, do not touch anything below this line */
|
|
520
513
|
/* ______________________________________________ */
|
|
521
514
|
|
|
@@ -910,7 +903,7 @@ function createDOMPurify() {
|
|
|
910
903
|
* @return {Boolean} true if clobbered, false if safe
|
|
911
904
|
*/
|
|
912
905
|
var _isClobbered = function _isClobbered(elm) {
|
|
913
|
-
return elm instanceof HTMLFormElement && (typeof elm.
|
|
906
|
+
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
914
907
|
};
|
|
915
908
|
|
|
916
909
|
/**
|
|
@@ -1069,7 +1062,7 @@ function createDOMPurify() {
|
|
|
1069
1062
|
// eslint-disable-next-line complexity
|
|
1070
1063
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1071
1064
|
/* Make sure attribute cannot clobber */
|
|
1072
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement
|
|
1065
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1073
1066
|
return false;
|
|
1074
1067
|
}
|
|
1075
1068
|
|
|
@@ -1258,32 +1251,9 @@ function createDOMPurify() {
|
|
|
1258
1251
|
if (_sanitizeElements(shadowNode)) {
|
|
1259
1252
|
continue;
|
|
1260
1253
|
}
|
|
1261
|
-
var parentNode = getParentNode(shadowNode);
|
|
1262
|
-
|
|
1263
|
-
/* Set the nesting depth of an element */
|
|
1264
|
-
if (shadowNode.nodeType === 1) {
|
|
1265
|
-
if (parentNode && parentNode.__depth) {
|
|
1266
|
-
/*
|
|
1267
|
-
We want the depth of the node in the original tree, which can
|
|
1268
|
-
change when it's removed from its parent.
|
|
1269
|
-
*/
|
|
1270
|
-
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1271
|
-
} else {
|
|
1272
|
-
shadowNode.__depth = 1;
|
|
1273
|
-
}
|
|
1274
|
-
}
|
|
1275
|
-
|
|
1276
|
-
/*
|
|
1277
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1278
|
-
* or if the __depth might have been tampered with
|
|
1279
|
-
*/
|
|
1280
|
-
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1281
|
-
_forceRemove(shadowNode);
|
|
1282
|
-
}
|
|
1283
1254
|
|
|
1284
1255
|
/* Deep shadow DOM detected */
|
|
1285
1256
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1286
|
-
shadowNode.content.__depth = shadowNode.__depth;
|
|
1287
1257
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1288
1258
|
}
|
|
1289
1259
|
|
|
@@ -1413,32 +1383,9 @@ function createDOMPurify() {
|
|
|
1413
1383
|
if (_sanitizeElements(currentNode)) {
|
|
1414
1384
|
continue;
|
|
1415
1385
|
}
|
|
1416
|
-
var parentNode = getParentNode(currentNode);
|
|
1417
|
-
|
|
1418
|
-
/* Set the nesting depth of an element */
|
|
1419
|
-
if (currentNode.nodeType === 1) {
|
|
1420
|
-
if (parentNode && parentNode.__depth) {
|
|
1421
|
-
/*
|
|
1422
|
-
We want the depth of the node in the original tree, which can
|
|
1423
|
-
change when it's removed from its parent.
|
|
1424
|
-
*/
|
|
1425
|
-
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1426
|
-
} else {
|
|
1427
|
-
currentNode.__depth = 1;
|
|
1428
|
-
}
|
|
1429
|
-
}
|
|
1430
|
-
|
|
1431
|
-
/*
|
|
1432
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1433
|
-
* or if the __depth might have been tampered with
|
|
1434
|
-
*/
|
|
1435
|
-
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1436
|
-
_forceRemove(currentNode);
|
|
1437
|
-
}
|
|
1438
1386
|
|
|
1439
1387
|
/* Shadow DOM detected, sanitize it */
|
|
1440
1388
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1441
|
-
currentNode.content.__depth = currentNode.__depth;
|
|
1442
1389
|
_sanitizeShadowDOM(currentNode.content);
|
|
1443
1390
|
}
|
|
1444
1391
|
|