dompurify 2.5.5 → 2.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +2 -2
  2. package/dist/purify.cjs.js +10 -9
  3. package/dist/purify.cjs.js.map +1 -1
  4. package/dist/purify.es.js +10 -9
  5. package/dist/purify.es.js.map +1 -1
  6. package/dist/purify.js +10 -9
  7. package/dist/purify.js.map +1 -1
  8. package/dist/purify.min.js +2 -2
  9. package/dist/purify.min.js.map +1 -1
  10. package/package.json +1 -1
package/README.md CHANGED
@@ -6,11 +6,11 @@
6
6
 
7
7
  DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
8
8
 
9
- It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.5.
9
+ It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.1.7.
10
10
 
11
11
  DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
12
12
 
13
- **Note that DOMPurify v2.5.5 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
13
+ **Note that DOMPurify v2.5.7 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch.**
14
14
 
15
15
  Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
16
16
 
package/dist/purify.cjs.js CHANGED
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 2.5.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.5/LICENSE */
1
+ /*! @license DOMPurify 2.5.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.7/LICENSE */
2
2
 
3
3
  'use strict';
4
4
 
@@ -283,7 +283,7 @@ function createDOMPurify() {
283
283
  * Version label, exposed for easier checks
284
284
  * if DOMPurify is up to date or not
285
285
  */
286
- DOMPurify.version = '2.5.5';
286
+ DOMPurify.version = '2.5.7';
287
287
 
288
288
  /**
289
289
  * Array of elements that DOMPurify removed during sanitation.
@@ -670,7 +670,7 @@ function createDOMPurify() {
670
670
  CONFIG = cfg;
671
671
  };
672
672
  var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
673
- var HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'annotation-xml']);
673
+ var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
674
674
 
675
675
  // Certain elements are allowed in both SVG and HTML
676
676
  // namespace. We need to specify them explicitly
@@ -1145,6 +1145,7 @@ function createDOMPurify() {
1145
1145
  hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
1146
1146
  _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
1147
1147
  value = hookEvent.attrValue;
1148
+
1148
1149
  /* Did the hooks approve of the attribute? */
1149
1150
  if (hookEvent.forceKeepAttr) {
1150
1151
  continue;
@@ -1164,12 +1165,6 @@ function createDOMPurify() {
1164
1165
  continue;
1165
1166
  }
1166
1167
 
1167
- /* Work around a security issue with comments inside attributes */
1168
- if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
1169
- _removeAttribute(name, currentNode);
1170
- continue;
1171
- }
1172
-
1173
1168
  /* Sanitize attribute content to be template-safe */
1174
1169
  if (SAFE_FOR_TEMPLATES) {
1175
1170
  value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
@@ -1194,6 +1189,12 @@ function createDOMPurify() {
1194
1189
  value = SANITIZE_NAMED_PROPS_PREFIX + value;
1195
1190
  }
1196
1191
 
1192
+ /* Work around a security issue with comments inside attributes */
1193
+ if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
1194
+ _removeAttribute(name, currentNode);
1195
+ continue;
1196
+ }
1197
+
1197
1198
  /* Handle attributes that require Trusted Types */
1198
1199
  if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
1199
1200
  if (namespaceURI) ; else {