dompurify 2.5.6 → 2.5.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +19 -24
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +19 -24
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +19 -24
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/dist/purify.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 2.5.
|
|
1
|
+
/*! @license DOMPurify 2.5.8 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.5.8/LICENSE */
|
|
2
2
|
|
|
3
3
|
(function (global, factory) {
|
|
4
4
|
typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
|
|
@@ -224,7 +224,7 @@
|
|
|
224
224
|
var MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
|
|
225
225
|
var ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
226
226
|
var TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
|
|
227
|
-
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]
|
|
227
|
+
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
|
|
228
228
|
var ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
229
229
|
var IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
230
230
|
);
|
|
@@ -287,7 +287,7 @@
|
|
|
287
287
|
* Version label, exposed for easier checks
|
|
288
288
|
* if DOMPurify is up to date or not
|
|
289
289
|
*/
|
|
290
|
-
DOMPurify.version = '2.5.
|
|
290
|
+
DOMPurify.version = '2.5.8';
|
|
291
291
|
|
|
292
292
|
/**
|
|
293
293
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -674,7 +674,7 @@
|
|
|
674
674
|
CONFIG = cfg;
|
|
675
675
|
};
|
|
676
676
|
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
677
|
-
var HTML_INTEGRATION_POINTS = addToSet({}, ['
|
|
677
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
678
678
|
|
|
679
679
|
// Certain elements are allowed in both SVG and HTML
|
|
680
680
|
// namespace. We need to specify them explicitly
|
|
@@ -1122,7 +1122,7 @@
|
|
|
1122
1122
|
var attributes = currentNode.attributes;
|
|
1123
1123
|
|
|
1124
1124
|
/* Check if we have attributes; if not we might have a text node */
|
|
1125
|
-
if (!attributes) {
|
|
1125
|
+
if (!attributes || _isClobbered(currentNode)) {
|
|
1126
1126
|
return;
|
|
1127
1127
|
}
|
|
1128
1128
|
var hookEvent = {
|
|
@@ -1150,12 +1150,6 @@
|
|
|
1150
1150
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1151
1151
|
value = hookEvent.attrValue;
|
|
1152
1152
|
|
|
1153
|
-
/* Work around a security issue with comments inside attributes */
|
|
1154
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1155
|
-
_removeAttribute(name, currentNode);
|
|
1156
|
-
continue;
|
|
1157
|
-
}
|
|
1158
|
-
|
|
1159
1153
|
/* Did the hooks approve of the attribute? */
|
|
1160
1154
|
if (hookEvent.forceKeepAttr) {
|
|
1161
1155
|
continue;
|
|
@@ -1199,6 +1193,12 @@
|
|
|
1199
1193
|
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1200
1194
|
}
|
|
1201
1195
|
|
|
1196
|
+
/* Work around a security issue with comments inside attributes */
|
|
1197
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1198
|
+
_removeAttribute(name, currentNode);
|
|
1199
|
+
continue;
|
|
1200
|
+
}
|
|
1201
|
+
|
|
1202
1202
|
/* Handle attributes that require Trusted Types */
|
|
1203
1203
|
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1204
1204
|
if (namespaceURI) ; else {
|
|
@@ -1251,19 +1251,16 @@
|
|
|
1251
1251
|
while (shadowNode = shadowIterator.nextNode()) {
|
|
1252
1252
|
/* Execute a hook if present */
|
|
1253
1253
|
_executeHook('uponSanitizeShadowNode', shadowNode, null);
|
|
1254
|
-
|
|
1255
1254
|
/* Sanitize tags and elements */
|
|
1256
|
-
|
|
1257
|
-
|
|
1258
|
-
|
|
1255
|
+
_sanitizeElements(shadowNode);
|
|
1256
|
+
|
|
1257
|
+
/* Check attributes next */
|
|
1258
|
+
_sanitizeAttributes(shadowNode);
|
|
1259
1259
|
|
|
1260
1260
|
/* Deep shadow DOM detected */
|
|
1261
1261
|
if (shadowNode.content instanceof DocumentFragment) {
|
|
1262
1262
|
_sanitizeShadowDOM(shadowNode.content);
|
|
1263
1263
|
}
|
|
1264
|
-
|
|
1265
|
-
/* Check attributes, sanitize if necessary */
|
|
1266
|
-
_sanitizeAttributes(shadowNode);
|
|
1267
1264
|
}
|
|
1268
1265
|
|
|
1269
1266
|
/* Execute a hook if present */
|
|
@@ -1385,17 +1382,15 @@
|
|
|
1385
1382
|
}
|
|
1386
1383
|
|
|
1387
1384
|
/* Sanitize tags and elements */
|
|
1388
|
-
|
|
1389
|
-
|
|
1390
|
-
|
|
1385
|
+
_sanitizeElements(currentNode);
|
|
1386
|
+
|
|
1387
|
+
/* Check attributes next */
|
|
1388
|
+
_sanitizeAttributes(currentNode);
|
|
1391
1389
|
|
|
1392
1390
|
/* Shadow DOM detected, sanitize it */
|
|
1393
1391
|
if (currentNode.content instanceof DocumentFragment) {
|
|
1394
1392
|
_sanitizeShadowDOM(currentNode.content);
|
|
1395
1393
|
}
|
|
1396
|
-
|
|
1397
|
-
/* Check attributes, sanitize if necessary */
|
|
1398
|
-
_sanitizeAttributes(currentNode);
|
|
1399
1394
|
oldNode = currentNode;
|
|
1400
1395
|
}
|
|
1401
1396
|
oldNode = null;
|