dompurify 3.0.2 → 3.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +12 -3
- package/dist/purify.cjs.js +54 -24
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +54 -24
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +54 -24
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +2 -2
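--- a/package/dist/purify.es.js
+++ b/package/dist/purify.es.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.
+/*! @license DOMPurify 3.0.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.3/LICENSE */
 
 const {
 entries,
@@ -74,7 +74,9 @@ function unconstruct(func) {
 /* Add properties to a lookup table */
 
 function addToSet(set, array, transformCaseFunc) {
-
+var _transformCaseFunc;
+
+transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
 
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
@@ -148,12 +150,12 @@ function lookupGetter(object, prop) {
 const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); // SVG
 
 const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
-const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); // List of SVG elements that are disallowed by default.
+const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); // List of SVG elements that are disallowed by default.
 // We still need to know them so that we can do namespace
 // checks properly in case one wants to add them to
 // allow-list.
 
-const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', '
+const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
 const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']); // Similarly to SVG, we want to know all MathML elements,
 // even those that we disallow by default.
 
@@ -198,13 +200,13 @@ const getGlobal = () => typeof window === 'undefined' ? null : window;
 * Creates a no-op policy for internal use only.
 * Don't export this function outside this module!
 * @param {?TrustedTypePolicyFactory} trustedTypes The policy factory.
-* @param {
+* @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
 * @return {?TrustedTypePolicy} The policy created (or null, if Trusted Types
-* are not supported).
+* are not supported or creating the policy failed).
 */
 
 
-const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
+const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
 if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
 return null;
 } // Allow the callers to control the unique policy name
@@ -215,8 +217,8 @@ const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedType
 let suffix = null;
 const ATTR_NAME = 'data-tt-policy-suffix';
 
-if (
-suffix =
+if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
+suffix = purifyHostElement.getAttribute(ATTR_NAME);
 }
 
 const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
@@ -251,7 +253,7 @@ function createDOMPurify() {
 */
 
 
-DOMPurify.version = '3.0.
+DOMPurify.version = '3.0.3';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -267,6 +269,7 @@ function createDOMPurify() {
 }
 
 const originalDocument = window.document;
+const currentScript = originalDocument.currentScript;
 let {
 document
 } = window;
@@ -300,9 +303,8 @@ function createDOMPurify() {
 }
 }
 
-
-
-const emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
+let trustedTypesPolicy;
+let emptyHTML = '';
 const {
 implementation,
 createNodeIterator,
@@ -317,7 +319,7 @@ function createDOMPurify() {
 * Expose whether this browser supports running the full DOMPurify.
 */
 
-DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation &&
+DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
 const {
 MUSTACHE_EXPR,
 ERB_EXPR,
@@ -664,6 +666,31 @@ function createDOMPurify() {
 if (ALLOWED_TAGS.table) {
 addToSet(ALLOWED_TAGS, ['tbody']);
 delete FORBID_TAGS.tbody;
+}
+
+if (cfg.TRUSTED_TYPES_POLICY) {
+if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
+throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
+}
+
+if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
+throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
+} // Overwrite existing TrustedTypes policy.
+
+
+trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY; // Sign local variables required by `sanitize`.
+
+emptyHTML = trustedTypesPolicy.createHTML('');
+} else {
+// Uninitialized policy, attempt to initialize the internal dompurify policy.
+if (trustedTypesPolicy === undefined) {
+trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
+} // If creating the internal policy succeeded sign internal variables.
+
+
+if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
+emptyHTML = trustedTypesPolicy.createHTML('');
+}
 } // Prevent further manipulation of configuration.
 // Not available in IE8, Safari 5, etc.
 
@@ -1100,9 +1127,9 @@ function createDOMPurify() {
 }
 /* Check value is safe. First, is attr inert? If so, is safe */
 
-} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (
+} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {
 return false;
-}
+} else ;
 
 return true;
 };
@@ -1232,12 +1259,16 @@ function createDOMPurify() {
 if (namespaceURI) ; else {
 switch (trustedTypes.getAttributeType(lcTag, lcName)) {
 case 'TrustedHTML':
-
-
+{
+value = trustedTypesPolicy.createHTML(value);
+break;
+}
 
 case 'TrustedScriptURL':
-
-
+{
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
 }
 }
 }
@@ -1330,15 +1361,14 @@ function createDOMPurify() {
 
 
 if (typeof dirty !== 'string' && !_isNode(dirty)) {
-
-if (typeof dirty.toString !== 'function') {
-throw typeErrorCreate('toString is not a function');
-} else {
+if (typeof dirty.toString === 'function') {
 dirty = dirty.toString();
 
 if (typeof dirty !== 'string') {
 throw typeErrorCreate('dirty is not a string, aborting');
 }
+} else {
+throw typeErrorCreate('toString is not a function');
 }
 }
 /* Return dirty HTML if DOMPurify cannot run */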
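Review bot: In the `@@ -664,6 +666,31` hunk a caller-supplied `cfg.TRUSTED_TYPES_POLICY` is written into the module-level `trustedTypesPolicy` and `emptyHTML`, but the `else` branch only creates the internal policy when `trustedTypesPolicy === undefined` and only re-signs `emptyHTML` when it is still a string, so a later configuration that omits TRUSTED_TYPES_POLICY keeps using the previously supplied policy and its TrustedHTML empty value instead of reverting to the internal one; whether the enclosing `_parseConfig` resets these earlier is outside the hunk. If that carry-over is intended it deserves a comment next to the `else`, e.g. `// A caller-supplied policy persists across later configs that omit TRUSTED_TYPES_POLICY.`; if not, track the origin in a boolean set beside `trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;` and fall back to `_createTrustedTypesPolicy(trustedTypes, currentScript)` whenever it is set. The new validation only confirms that `createHTML` and `createScriptURL` are functions, and their return values are assigned straight to attribute values in the `@@ -1232,12 +1259,16` hunk, so the option documentation should state that the supplied policy is trusted as-is and not re-checked. This is a built dist file; the change should be reviewed and fixed in the source module it is generated from.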