dompurify 2.5.5 → 2.5.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +10 -9
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +10 -9
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +10 -9
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.7/LICENSE */
|
|
2
2
|
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
|
|
@@ -287,7 +287,7 @@
|
|
|
287
287
|
* Version label, exposed for easier checks
|
|
288
288
|
* if DOMPurify is up to date or not
|
|
289
289
|
*/
|
|
290
|
-
DOMPurify.version = '2.5.
|
|
290
|
+
DOMPurify.version = '2.5.7';
|
|
291
291
|
|
|
292
292
|
/**
|
|
293
293
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
CONFIG = cfg;
|
|
675
675
|
};
|
|
676
676
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
677
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['
|
|
677
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
678
678
|
|
|
679
679
|
// Certain elements are allowed in both SVG and HTML
|
|
680
680
|
// namespace. We need to specify them explicitly
|
|
@@ -1149,6 +1149,7 @@
|
|
|
1149
1149
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1150
1150
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1151
1151
|
value = hookEvent.attrValue;
|
|
1152
|
+
|
|
1152
1153
|
/* Did the hooks approve of the attribute? */
|
|
1153
1154
|
if (hookEvent.forceKeepAttr) {
|
|
1154
1155
|
continue;
|
|
@@ -1168,12 +1169,6 @@
|
|
|
1168
1169
|
continue;
|
|
1169
1170
|
}
|
|
1170
1171
|
|
|
1171
|
-
/* Work around a security issue with comments inside attributes */
|
|
1172
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1173
|
-
_removeAttribute(name, currentNode);
|
|
1174
|
-
continue;
|
|
1175
|
-
}
|
|
1176
|
-
|
|
1177
1172
|
/* Sanitize attribute content to be template-safe */
|
|
1178
1173
|
if (SAFE_FOR_TEMPLATES) {
|
|
1179
1174
|
value = stringReplace(value, MUSTACHE_EXPR$1, ' ');
|
|
@@ -1198,6 +1193,12 @@
|
|
|
1198
1193
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1199
1194
|
}
|
|
1200
1195
|
|
|
1196
|
+
/* Work around a security issue with comments inside attributes */
|
|
1197
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1198
|
+
_removeAttribute(name, currentNode);
|
|
1199
|
+
continue;
|
|
1200
|
+
}
|
|
1201
|
+
|
|
1201
1202
|
/* Handle attributes that require Trusted Types */
|
|
1202
1203
|
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1203
1204
|
if (namespaceURI) ; else {
|