dompurify 2.5.4 → 2.5.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +11 -63
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +11 -63
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +11 -63
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
|
|
@@ -116,10 +116,6 @@
|
|
|
116
116
|
var stringTrim = unapply(String.prototype.trim);
|
|
117
117
|
var regExpTest = unapply(RegExp.prototype.test);
|
|
118
118
|
var typeErrorCreate = unconstruct(TypeError);
|
|
119
|
-
function numberIsNaN(x) {
|
|
120
|
-
// eslint-disable-next-line unicorn/prefer-number-properties
|
|
121
|
-
return typeof x === 'number' && isNaN(x);
|
|
122
|
-
}
|
|
123
119
|
function unapply(func) {
|
|
124
120
|
return function (thisArg) {
|
|
125
121
|
for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
|
|
@@ -291,7 +287,7 @@
|
|
|
291
287
|
* Version label, exposed for easier checks
|
|
292
288
|
* if DOMPurify is up to date or not
|
|
293
289
|
*/
|
|
294
|
-
DOMPurify.version = '2.5.
|
|
290
|
+
DOMPurify.version = '2.5.6';
|
|
295
291
|
|
|
296
292
|
/**
|
|
297
293
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -517,9 +513,6 @@
|
|
|
517
513
|
/* Keep a reference to config to pass to hooks */
|
|
518
514
|
var CONFIG = null;
|
|
519
515
|
|
|
520
|
-
/* Specify the maximum element nesting depth to prevent mXSS */
|
|
521
|
-
var MAX_NESTING_DEPTH = 255;
|
|
522
|
-
|
|
523
516
|
/* Ideally, do not touch anything below this line */
|
|
524
517
|
/* ______________________________________________ */
|
|
525
518
|
|
|
@@ -914,7 +907,7 @@
|
|
|
914
907
|
* @return {Boolean} true if clobbered, false if safe
|
|
915
908
|
*/
|
|
916
909
|
var _isClobbered = function _isClobbered(elm) {
|
|
917
|
-
return elm instanceof HTMLFormElement && (typeof elm.
|
|
910
|
+
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
|
|
918
911
|
};
|
|
919
912
|
|
|
920
913
|
/**
|
|
@@ -1073,7 +1066,7 @@
|
|
|
1073
1066
|
// eslint-disable-next-line complexity
|
|
1074
1067
|
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
1075
1068
|
/* Make sure attribute cannot clobber */
|
|
1076
|
-
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement
|
|
1069
|
+
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
1077
1070
|
return false;
|
|
1078
1071
|
}
|
|
1079
1072
|
|
|
@@ -1156,6 +1149,13 @@
|
|
|
1156
1149
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1157
1150
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1158
1151
|
value = hookEvent.attrValue;
|
|
1152
|
+
|
|
1153
|
+
/* Work around a security issue with comments inside attributes */
|
|
1154
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1155
|
+
_removeAttribute(name, currentNode);
|
|
1156
|
+
continue;
|
|
1157
|
+
}
|
|
1158
|
+
|
|
1159
1159
|
/* Did the hooks approve of the attribute? */
|
|
1160
1160
|
if (hookEvent.forceKeepAttr) {
|
|
1161
1161
|
continue;
|
|
@@ -1175,12 +1175,6 @@
|
|
|
1175
1175
|
continue;
|
|
1176
1176
|
}
|
|
1177
1177
|
|
|
1178
|
-
/* Work around a security issue with comments inside attributes */
|
|
1179
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1180
|
-
_removeAttribute(name, currentNode);
|
|
1181
|
-
continue;
|
|
1182
|
-
}
|
|
1183
|
-
|
|
1184
1178
|
/* Sanitize attribute content to be template-safe */
|
|
1185
1179
|
if (SAFE_FOR_TEMPLATES) {
|
|
1186
1180
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1262,32 +1256,9 @@
|
|
|
1262
1256
|
if (_sanitizeElements(shadowNode)) {
|
|
1263
1257
|
continue;
|
|
1264
1258
|
}
|
|
1265
|
-
var parentNode = getParentNode(shadowNode);
|
|
1266
|
-
|
|
1267
|
-
/* Set the nesting depth of an element */
|
|
1268
|
-
if (shadowNode.nodeType === 1) {
|
|
1269
|
-
if (parentNode && parentNode.__depth) {
|
|
1270
|
-
/*
|
|
1271
|
-
We want the depth of the node in the original tree, which can
|
|
1272
|
-
change when it's removed from its parent.
|
|
1273
|
-
*/
|
|
1274
|
-
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1275
|
-
} else {
|
|
1276
|
-
shadowNode.__depth = 1;
|
|
1277
|
-
}
|
|
1278
|
-
}
|
|
1279
|
-
|
|
1280
|
-
/*
|
|
1281
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1282
|
-
* or if the __depth might have been tampered with
|
|
1283
|
-
*/
|
|
1284
|
-
if (shadowNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(shadowNode.__depth)) {
|
|
1285
|
-
_forceRemove(shadowNode);
|
|
1286
|
-
}
|
|
1287
1259
|
|
|
1288
1260
|
/* Deep shadow DOM detected */
|
|
1289
1261
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1290
|
-
shadowNode.content.__depth = shadowNode.__depth;
|
|
1291
1262
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1292
1263
|
}
|
|
1293
1264
|
|
|
@@ -1417,32 +1388,9 @@
|
|
|
1417
1388
|
if (_sanitizeElements(currentNode)) {
|
|
1418
1389
|
continue;
|
|
1419
1390
|
}
|
|
1420
|
-
var parentNode = getParentNode(currentNode);
|
|
1421
|
-
|
|
1422
|
-
/* Set the nesting depth of an element */
|
|
1423
|
-
if (currentNode.nodeType === 1) {
|
|
1424
|
-
if (parentNode && parentNode.__depth) {
|
|
1425
|
-
/*
|
|
1426
|
-
We want the depth of the node in the original tree, which can
|
|
1427
|
-
change when it's removed from its parent.
|
|
1428
|
-
*/
|
|
1429
|
-
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
|
|
1430
|
-
} else {
|
|
1431
|
-
currentNode.__depth = 1;
|
|
1432
|
-
}
|
|
1433
|
-
}
|
|
1434
|
-
|
|
1435
|
-
/*
|
|
1436
|
-
* Remove an element if nested too deeply to avoid mXSS
|
|
1437
|
-
* or if the __depth might have been tampered with
|
|
1438
|
-
*/
|
|
1439
|
-
if (currentNode.__depth >= MAX_NESTING_DEPTH || numberIsNaN(currentNode.__depth)) {
|
|
1440
|
-
_forceRemove(currentNode);
|
|
1441
|
-
}
|
|
1442
1391
|
|
|
1443
1392
|
/* Shadow DOM detected, sanitize it */
|
|
1444
1393
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1445
|
-
currentNode.content.__depth = currentNode.__depth;
|
|
1446
1394
|
_sanitizeShadowDOM(currentNode.content);
|
|
1447
1395
|
}
|
|
1448
1396
|
|