dompurify 2.5.4 → 2.5.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +11 -63
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +11 -63
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +11 -63
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.6.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.6 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -112,10 +112,6 @@ var stringIndexOf = unapply(String.prototype.indexOf);
|
|
|
112
112
|
var stringTrim = unapply(String.prototype.trim);
|
|
113
113
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
114
114
|
var typeErrorCreate = unconstruct(TypeError);
|
|
115
|
-
function numberIsNaN(x) {
|
|
116
|
-
// eslint-disable-next-line unicorn/prefer-number-properties
|
|
117
|
-
return typeof x === 'number' && isNaN(x);
|
|
118
|
-
}
|
|
119
115
|
function unapply(func) {
|
|
120
116
|
return function (thisArg) {
|
|
121
117
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -287,7 +283,7 @@ function createDOMPurify() {
|
|
|
287
283
|
* Version label, exposed for easier checks
|
|
288
284
|
* if DOMPurify is up to date or not
|
|
289
285
|
*/
|
|
290
|
-
DOMPurify.version = '2.5.
|
|
286
|
+
DOMPurify.version = '2.5.6';
|
|
291
287
|
|
|
292
288
|
/**
|
|
293
289
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -513,9 +509,6 @@ function createDOMPurify() {
|
|
|
513
509
|
/* Keep a reference to config to pass to hooks */
|
|
514
510
|
var CONFIG = null;
|
|
515
511
|
|
|
516
|
-
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
517
|
-
var MAX_NESTING_DEPTH = 255;
|
|
518
|
-
|
|
519
512
|
/* Ideally, do not touch anything below this line */
|
|
520
513
|
/* ______________________________________________ */
|
|
521
514
|
|
|
@@ -910,7 +903,7 @@ function createDOMPurify() {
|
|
|
910
903
|
* @return {Boolean} true if clobbered, false if safe
|
|
911
904
|
*/
|
|
912
905
|
var _isClobbered = function _isClobbered(elm) {
|
|
913
|
-
return elm instanceof HTMLFormElement && (typeof elm.
|
|
906
|
+
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
914
907
|
};
|
|
915
908
|
|
|
916
909
|
/**
|
|
@@ -1069,7 +1062,7 @@ function createDOMPurify() {
|
|
|
1069
1062
|
// eslint-disable-next-line complexity
|
|
1070
1063
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1071
1064
|
/* Make sure attribute cannot clobber */
|
|
1072
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement
|
|
1065
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1073
1066
|
return false;
|
|
1074
1067
|
}
|
|
1075
1068
|
|
|
@@ -1152,6 +1145,13 @@ function createDOMPurify() {
|
|
|
1152
1145
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1153
1146
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1154
1147
|
value = hookEvent.attrValue;
|
|
1148
|
+
|
|
1149
|
+
/* Work around a security issue with comments inside attributes */
|
|
1150
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1151
|
+
_removeAttribute(name, currentNode);
|
|
1152
|
+
continue;
|
|
1153
|
+
}
|
|
1154
|
+
|
|
1155
1155
|
/* Did the hooks approve of the attribute? */
|
|
1156
1156
|
if (hookEvent.forceKeepAttr) {
|
|
1157
1157
|
continue;
|
|
@@ -1171,12 +1171,6 @@ function createDOMPurify() {
|
|
|
1171
1171
|
continue;
|
|
1172
1172
|
}
|
|
1173
1173
|
|
|
1174
|
-
/* Work around a security issue with comments inside attributes */
|
|
1175
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1176
|
-
_removeAttribute(name, currentNode);
|
|
1177
|
-
continue;
|
|
1178
|
-
}
|
|
1179
|
-
|
|
1180
1174
|
/* Sanitize attribute content to be template-safe */
|
|
1181
1175
|
if (SAFE_FOR_TEMPLATES) {
|
|
1182
1176
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1258,32 +1252,9 @@ function createDOMPurify() {
|
|
|
1258
1252
|
if (_sanitizeElements(shadowNode)) {
|
|
1259
1253
|
continue;
|
|
1260
1254
|
}
|
|
1261
|
-
var parentNode = getParentNode(shadowNode);
|
|
1262
|
-
|
|
1263
|
-
/* Set the nesting depth of an element */
|
|
1264
|
-
if (shadowNode.nodeType === 1) {
|
|
1265
|
-
if (parentNode && parentNode.__depth) {
|
|
1266
|
-
/*
|
|
1267
|
-
We want the depth of the node in the original tree, which can
|
|
1268
|
-
change when it's removed from its parent.
|
|
1269
|
-
*/
|
|
1270
|
-
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1271
|
-
} else {
|
|
1272
|
-
shadowNode.__depth = 1;
|
|
1273
|
-
}
|
|
1274
|
-
}
|
|
1275
|
-
|
|
1276
|
-
/*
|
|
1277
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1278
|
-
* or if the __depth might have been tampered with
|
|
1279
|
-
*/
|
|
1280
|
-
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1281
|
-
_forceRemove(shadowNode);
|
|
1282
|
-
}
|
|
1283
1255
|
|
|
1284
1256
|
/* Deep shadow DOM detected */
|
|
1285
1257
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1286
|
-
shadowNode.content.__depth = shadowNode.__depth;
|
|
1287
1258
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1288
1259
|
}
|
|
1289
1260
|
|
|
@@ -1413,32 +1384,9 @@ function createDOMPurify() {
|
|
|
1413
1384
|
if (_sanitizeElements(currentNode)) {
|
|
1414
1385
|
continue;
|
|
1415
1386
|
}
|
|
1416
|
-
var parentNode = getParentNode(currentNode);
|
|
1417
|
-
|
|
1418
|
-
/* Set the nesting depth of an element */
|
|
1419
|
-
if (currentNode.nodeType === 1) {
|
|
1420
|
-
if (parentNode && parentNode.__depth) {
|
|
1421
|
-
/*
|
|
1422
|
-
We want the depth of the node in the original tree, which can
|
|
1423
|
-
change when it's removed from its parent.
|
|
1424
|
-
*/
|
|
1425
|
-
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1426
|
-
} else {
|
|
1427
|
-
currentNode.__depth = 1;
|
|
1428
|
-
}
|
|
1429
|
-
}
|
|
1430
|
-
|
|
1431
|
-
/*
|
|
1432
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1433
|
-
* or if the __depth might have been tampered with
|
|
1434
|
-
*/
|
|
1435
|
-
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1436
|
-
_forceRemove(currentNode);
|
|
1437
|
-
}
|
|
1438
1387
|
|
|
1439
1388
|
/* Shadow DOM detected, sanitize it */
|
|
1440
1389
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1441
|
-
currentNode.content.__depth = currentNode.__depth;
|
|
1442
1390
|
_sanitizeShadowDOM(currentNode.content);
|
|
1443
1391
|
}
|
|
1444
1392
|
|