dompurify 2.5.6 → 2.5.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +19 -24
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +19 -24
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +19 -24
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.2.3.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that DOMPurify v2.5.
|
|
13
|
+
**Note that DOMPurify v2.5.8 is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the 2.x branch. Do not expect new features here, this branch only exists for compatibility with MSIE.**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v14.x, v16.x, v17.x and v18.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.8 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.8/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -220,7 +220,7 @@ var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xli
|
|
|
220
220
|
var MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
|
|
221
221
|
var ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
222
222
|
var TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
|
|
223
|
-
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]
|
|
223
|
+
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
|
|
224
224
|
var ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
225
225
|
var IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
226
226
|
);
|
|
@@ -283,7 +283,7 @@ function createDOMPurify() {
|
|
|
283
283
|
* Version label, exposed for easier checks
|
|
284
284
|
* if DOMPurify is up to date or not
|
|
285
285
|
*/
|
|
286
|
-
DOMPurify.version = '2.5.
|
|
286
|
+
DOMPurify.version = '2.5.8';
|
|
287
287
|
|
|
288
288
|
/**
|
|
289
289
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -670,7 +670,7 @@ function createDOMPurify() {
|
|
|
670
670
|
CONFIG = cfg;
|
|
671
671
|
};
|
|
672
672
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
673
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['
|
|
673
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
674
674
|
|
|
675
675
|
// Certain elements are allowed in both SVG and HTML
|
|
676
676
|
// namespace. We need to specify them explicitly
|
|
@@ -1118,7 +1118,7 @@ function createDOMPurify() {
|
|
|
1118
1118
|
var attributes = currentNode.attributes;
|
|
1119
1119
|
|
|
1120
1120
|
/* Check if we have attributes; if not we might have a text node */
|
|
1121
|
-
if (!attributes) {
|
|
1121
|
+
if (!attributes || _isClobbered(currentNode)) {
|
|
1122
1122
|
return;
|
|
1123
1123
|
}
|
|
1124
1124
|
var hookEvent = {
|
|
@@ -1146,12 +1146,6 @@ function createDOMPurify() {
|
|
|
1146
1146
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1147
1147
|
value = hookEvent.attrValue;
|
|
1148
1148
|
|
|
1149
|
-
/* Work around a security issue with comments inside attributes */
|
|
1150
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1151
|
-
_removeAttribute(name, currentNode);
|
|
1152
|
-
continue;
|
|
1153
|
-
}
|
|
1154
|
-
|
|
1155
1149
|
/* Did the hooks approve of the attribute? */
|
|
1156
1150
|
if (hookEvent.forceKeepAttr) {
|
|
1157
1151
|
continue;
|
|
@@ -1195,6 +1189,12 @@ function createDOMPurify() {
|
|
|
1195
1189
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1196
1190
|
}
|
|
1197
1191
|
|
|
1192
|
+
/* Work around a security issue with comments inside attributes */
|
|
1193
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1194
|
+
_removeAttribute(name, currentNode);
|
|
1195
|
+
continue;
|
|
1196
|
+
}
|
|
1197
|
+
|
|
1198
1198
|
/* Handle attributes that require Trusted Types */
|
|
1199
1199
|
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1200
1200
|
if (namespaceURI) ; else {
|
|
@@ -1247,19 +1247,16 @@ function createDOMPurify() {
|
|
|
1247
1247
|
while (shadowNode = shadowIterator.nextNode()) {
|
|
1248
1248
|
/* Execute a hook if present */
|
|
1249
1249
|
_executeHook('uponSanitizeShadowNode', shadowNode, null);
|
|
1250
|
-
|
|
1251
1250
|
/* Sanitize tags and elements */
|
|
1252
|
-
|
|
1253
|
-
|
|
1254
|
-
|
|
1251
|
+
_sanitizeElements(shadowNode);
|
|
1252
|
+
|
|
1253
|
+
/* Check attributes next */
|
|
1254
|
+
_sanitizeAttributes(shadowNode);
|
|
1255
1255
|
|
|
1256
1256
|
/* Deep shadow DOM detected */
|
|
1257
1257
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1258
1258
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1259
1259
|
}
|
|
1260
|
-
|
|
1261
|
-
/* Check attributes, sanitize if necessary */
|
|
1262
|
-
_sanitizeAttributes(shadowNode);
|
|
1263
1260
|
}
|
|
1264
1261
|
|
|
1265
1262
|
/* Execute a hook if present */
|
|
@@ -1381,17 +1378,15 @@ function createDOMPurify() {
|
|
|
1381
1378
|
}
|
|
1382
1379
|
|
|
1383
1380
|
/* Sanitize tags and elements */
|
|
1384
|
-
|
|
1385
|
-
|
|
1386
|
-
|
|
1381
|
+
_sanitizeElements(currentNode);
|
|
1382
|
+
|
|
1383
|
+
/* Check attributes next */
|
|
1384
|
+
_sanitizeAttributes(currentNode);
|
|
1387
1385
|
|
|
1388
1386
|
/* Shadow DOM detected, sanitize it */
|
|
1389
1387
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1390
1388
|
_sanitizeShadowDOM(currentNode.content);
|
|
1391
1389
|
}
|
|
1392
|
-
|
|
1393
|
-
/* Check attributes, sanitize if necessary */
|
|
1394
|
-
_sanitizeAttributes(currentNode);
|
|
1395
1390
|
oldNode = currentNode;
|
|
1396
1391
|
}
|
|
1397
1392
|
oldNode = null;
|