dompurify 2.5.5 → 2.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +10 -9
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +10 -9
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +10 -9
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.es.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.7/LICENSE */
|
|
2
2
|
|
|
3
3
|
function _typeof(obj) {
|
|
4
4
|
"@babel/helpers - typeof";
|
|
@@ -281,7 +281,7 @@ function createDOMPurify() {
|
|
|
281
281
|
* Version label, exposed for easier checks
|
|
282
282
|
* if DOMPurify is up to date or not
|
|
283
283
|
*/
|
|
284
|
-
DOMPurify.version = '2.5.
|
|
284
|
+
DOMPurify.version = '2.5.7';
|
|
285
285
|
|
|
286
286
|
/**
|
|
287
287
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -668,7 +668,7 @@ function createDOMPurify() {
|
|
|
668
668
|
CONFIG = cfg;
|
|
669
669
|
};
|
|
670
670
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
671
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['
|
|
671
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
672
672
|
|
|
673
673
|
// Certain elements are allowed in both SVG and HTML
|
|
674
674
|
// namespace. We need to specify them explicitly
|
|
@@ -1143,6 +1143,7 @@ function createDOMPurify() {
|
|
|
1143
1143
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1144
1144
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1145
1145
|
value = hookEvent.attrValue;
|
|
1146
|
+
|
|
1146
1147
|
/* Did the hooks approve of the attribute? */
|
|
1147
1148
|
if (hookEvent.forceKeepAttr) {
|
|
1148
1149
|
continue;
|
|
@@ -1162,12 +1163,6 @@ function createDOMPurify() {
|
|
|
1162
1163
|
continue;
|
|
1163
1164
|
}
|
|
1164
1165
|
|
|
1165
|
-
/* Work around a security issue with comments inside attributes */
|
|
1166
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1167
|
-
_removeAttribute(name, currentNode);
|
|
1168
|
-
continue;
|
|
1169
|
-
}
|
|
1170
|
-
|
|
1171
1166
|
/* Sanitize attribute content to be template-safe */
|
|
1172
1167
|
if (SAFE_FOR_TEMPLATES) {
|
|
1173
1168
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1192,6 +1187,12 @@ function createDOMPurify() {
|
|
|
1192
1187
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1193
1188
|
}
|
|
1194
1189
|
|
|
1190
|
+
/* Work around a security issue with comments inside attributes */
|
|
1191
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1192
|
+
_removeAttribute(name, currentNode);
|
|
1193
|
+
continue;
|
|
1194
|
+
}
|
|
1195
|
+
|
|
1195
1196
|
/* Handle attributes that require Trusted Types */
|
|
1196
1197
|
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1197
1198
|
if (namespaceURI) ; else {
|