dompurify 2.5.4 → 2.5.6

package/dist/purify.es.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 2.5.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.4/LICENSE */
1
+ /*! @license DOMPurify 2.5.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.6/LICENSE */
2
2
 
3
3
  function _typeof(obj) {
4
4
  "@babel/helpers - typeof";
@@ -110,10 +110,6 @@ var stringIndexOf = unapply(String.prototype.indexOf);
110
110
  var stringTrim = unapply(String.prototype.trim);
111
111
  var regExpTest = unapply(RegExp.prototype.test);
112
112
  var typeErrorCreate = unconstruct(TypeError);
113
- function numberIsNaN(x) {
114
- // eslint-disable-next-line unicorn/prefer-number-properties
115
- return typeof x === 'number' && isNaN(x);
116
- }
117
113
  function unapply(func) {
118
114
  return function (thisArg) {
119
115
  for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
@@ -285,7 +281,7 @@ function createDOMPurify() {
285
281
  * Version label, exposed for easier checks
286
282
  * if DOMPurify is up to date or not
287
283
  */
288
- DOMPurify.version = '2.5.4';
284
+ DOMPurify.version = '2.5.6';
289
285
 
290
286
  /**
291
287
  * Array of elements that DOMPurify removed during sanitation.
@@ -511,9 +507,6 @@ function createDOMPurify() {
511
507
  /* Keep a reference to config to pass to hooks */
512
508
  var CONFIG = null;
513
509
 
514
- /* Specify the maximum element nesting depth to prevent mXSS */
515
- var MAX_NESTING_DEPTH = 255;
516
-
517
510
  /* Ideally, do not touch anything below this line */
518
511
  /* ______________________________________________ */
519
512
 
@@ -908,7 +901,7 @@ function createDOMPurify() {
908
901
  * @return {Boolean} true if clobbered, false if safe
909
902
  */
910
903
  var _isClobbered = function _isClobbered(elm) {
911
- return elm instanceof HTMLFormElement && (typeof elm.__depth !== 'undefined' && typeof elm.__depth !== 'number' || typeof elm.__removalCount !== 'undefined' && typeof elm.__removalCount !== 'number' || typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
904
+ return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
912
905
  };
913
906
 
914
907
  /**
@@ -1067,7 +1060,7 @@ function createDOMPurify() {
1067
1060
  // eslint-disable-next-line complexity
1068
1061
  var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
1069
1062
  /* Make sure attribute cannot clobber */
1070
- if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement || value === '__depth' || value === '__removalCount')) {
1063
+ if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
1071
1064
  return false;
1072
1065
  }
1073
1066
 
@@ -1150,6 +1143,13 @@ function createDOMPurify() {
1150
1143
  hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
1151
1144
  _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
1152
1145
  value = hookEvent.attrValue;
1146
+
1147
+ /* Work around a security issue with comments inside attributes */
1148
+ if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
1149
+ _removeAttribute(name, currentNode);
1150
+ continue;
1151
+ }
1152
+
1153
1153
  /* Did the hooks approve of the attribute? */
1154
1154
  if (hookEvent.forceKeepAttr) {
1155
1155
  continue;
@@ -1169,12 +1169,6 @@ function createDOMPurify() {
1169
1169
  continue;
1170
1170
  }
1171
1171
 
1172
- /* Work around a security issue with comments inside attributes */
1173
- if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
1174
- _removeAttribute(name, currentNode);
1175
- continue;
1176
- }
1177
-
1178
1172
  /* Sanitize attribute content to be template-safe */
1179
1173
  if (SAFE_FOR_TEMPLATES) {
1180
1174
  value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
@@ -1256,32 +1250,9 @@ function createDOMPurify() {
1256
1250
  if (_sanitizeElements(shadowNode)) {
1257
1251
  continue;
1258
1252
  }
1259
- var parentNode = getParentNode(shadowNode);
1260
-
1261
- /* Set the nesting depth of an element */
1262
- if (shadowNode.nodeType === 1) {
1263
- if (parentNode && parentNode.__depth) {
1264
- /*
1265
- We want the depth of the node in the original tree, which can
1266
- change when it's removed from its parent.
1267
- */
1268
- shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
1269
- } else {
1270
- shadowNode.__depth = 1;
1271
- }
1272
- }
1273
-
1274
- /*
1275
- * Remove an element if nested too deeply to avoid mXSS
1276
- * or if the __depth might have been tampered with
1277
- */
1278
- if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
1279
- _forceRemove(shadowNode);
1280
- }
1281
1253
 
1282
1254
  /* Deep shadow DOM detected */
1283
1255
  if (shadowNode.content instanceof DocumentFragment) {
1284
- shadowNode.content.__depth = shadowNode.__depth;
1285
1256
  _sanitizeShadowDOM(shadowNode.content);
1286
1257
  }
1287
1258
 
@@ -1411,32 +1382,9 @@ function createDOMPurify() {
1411
1382
  if (_sanitizeElements(currentNode)) {
1412
1383
  continue;
1413
1384
  }
1414
- var parentNode = getParentNode(currentNode);
1415
-
1416
- /* Set the nesting depth of an element */
1417
- if (currentNode.nodeType === 1) {
1418
- if (parentNode && parentNode.__depth) {
1419
- /*
1420
- We want the depth of the node in the original tree, which can
1421
- change when it's removed from its parent.
1422
- */
1423
- currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
1424
- } else {
1425
- currentNode.__depth = 1;
1426
- }
1427
- }
1428
-
1429
- /*
1430
- * Remove an element if nested too deeply to avoid mXSS
1431
- * or if the __depth might have been tampered with
1432
- */
1433
- if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
1434
- _forceRemove(currentNode);
1435
- }
1436
1385
 
1437
1386
  /* Shadow DOM detected, sanitize it */
1438
1387
  if (currentNode.content instanceof DocumentFragment) {
1439
- currentNode.content.__depth = currentNode.__depth;
1440
1388
  _sanitizeShadowDOM(currentNode.content);
1441
1389
  }
1442
1390