dompurify 2.5.6 → 2.5.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +19 -24
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +19 -24
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +19 -24
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.es.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.8 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.8/LICENSE */
|
|
2
2
|
|
|
3
3
|
function _typeof(obj) {
|
|
4
4
|
"@babel/helpers - typeof";
|
|
@@ -218,7 +218,7 @@ var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xli
|
|
|
218
218
|
var MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
|
|
219
219
|
var ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
220
220
|
var TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
|
|
221
|
-
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]
|
|
221
|
+
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
|
|
222
222
|
var ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
223
223
|
var IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
224
224
|
);
|
|
@@ -281,7 +281,7 @@ function createDOMPurify() {
|
|
|
281
281
|
* Version label, exposed for easier checks
|
|
282
282
|
* if DOMPurify is up to date or not
|
|
283
283
|
*/
|
|
284
|
-
DOMPurify.version = '2.5.
|
|
284
|
+
DOMPurify.version = '2.5.8';
|
|
285
285
|
|
|
286
286
|
/**
|
|
287
287
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -668,7 +668,7 @@ function createDOMPurify() {
|
|
|
668
668
|
CONFIG = cfg;
|
|
669
669
|
};
|
|
670
670
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
671
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['
|
|
671
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
672
672
|
|
|
673
673
|
// Certain elements are allowed in both SVG and HTML
|
|
674
674
|
// namespace. We need to specify them explicitly
|
|
@@ -1116,7 +1116,7 @@ function createDOMPurify() {
|
|
|
1116
1116
|
var attributes = currentNode.attributes;
|
|
1117
1117
|
|
|
1118
1118
|
/* Check if we have attributes; if not we might have a text node */
|
|
1119
|
-
if (!attributes) {
|
|
1119
|
+
if (!attributes || _isClobbered(currentNode)) {
|
|
1120
1120
|
return;
|
|
1121
1121
|
}
|
|
1122
1122
|
var hookEvent = {
|
|
@@ -1144,12 +1144,6 @@ function createDOMPurify() {
|
|
|
1144
1144
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1145
1145
|
value = hookEvent.attrValue;
|
|
1146
1146
|
|
|
1147
|
-
/* Work around a security issue with comments inside attributes */
|
|
1148
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1149
|
-
_removeAttribute(name, currentNode);
|
|
1150
|
-
continue;
|
|
1151
|
-
}
|
|
1152
|
-
|
|
1153
1147
|
/* Did the hooks approve of the attribute? */
|
|
1154
1148
|
if (hookEvent.forceKeepAttr) {
|
|
1155
1149
|
continue;
|
|
@@ -1193,6 +1187,12 @@ function createDOMPurify() {
|
|
|
1193
1187
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1194
1188
|
}
|
|
1195
1189
|
|
|
1190
|
+
/* Work around a security issue with comments inside attributes */
|
|
1191
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1192
|
+
_removeAttribute(name, currentNode);
|
|
1193
|
+
continue;
|
|
1194
|
+
}
|
|
1195
|
+
|
|
1196
1196
|
/* Handle attributes that require Trusted Types */
|
|
1197
1197
|
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1198
1198
|
if (namespaceURI) ; else {
|
|
@@ -1245,19 +1245,16 @@ function createDOMPurify() {
|
|
|
1245
1245
|
while (shadowNode = shadowIterator.nextNode()) {
|
|
1246
1246
|
/* Execute a hook if present */
|
|
1247
1247
|
_executeHook('uponSanitizeShadowNode', shadowNode, null);
|
|
1248
|
-
|
|
1249
1248
|
/* Sanitize tags and elements */
|
|
1250
|
-
|
|
1251
|
-
|
|
1252
|
-
|
|
1249
|
+
_sanitizeElements(shadowNode);
|
|
1250
|
+
|
|
1251
|
+
/* Check attributes next */
|
|
1252
|
+
_sanitizeAttributes(shadowNode);
|
|
1253
1253
|
|
|
1254
1254
|
/* Deep shadow DOM detected */
|
|
1255
1255
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1256
1256
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1257
1257
|
}
|
|
1258
|
-
|
|
1259
|
-
/* Check attributes, sanitize if necessary */
|
|
1260
|
-
_sanitizeAttributes(shadowNode);
|
|
1261
1258
|
}
|
|
1262
1259
|
|
|
1263
1260
|
/* Execute a hook if present */
|
|
@@ -1379,17 +1376,15 @@ function createDOMPurify() {
|
|
|
1379
1376
|
}
|
|
1380
1377
|
|
|
1381
1378
|
/* Sanitize tags and elements */
|
|
1382
|
-
|
|
1383
|
-
|
|
1384
|
-
|
|
1379
|
+
_sanitizeElements(currentNode);
|
|
1380
|
+
|
|
1381
|
+
/* Check attributes next */
|
|
1382
|
+
_sanitizeAttributes(currentNode);
|
|
1385
1383
|
|
|
1386
1384
|
/* Shadow DOM detected, sanitize it */
|
|
1387
1385
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1388
1386
|
_sanitizeShadowDOM(currentNode.content);
|
|
1389
1387
|
}
|
|
1390
|
-
|
|
1391
|
-
/* Check attributes, sanitize if necessary */
|
|
1392
|
-
_sanitizeAttributes(currentNode);
|
|
1393
1388
|
oldNode = currentNode;
|
|
1394
1389
|
}
|
|
1395
1390
|
oldNode = null;
|