dompurify 3.0.2 → 3.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +12 -3
- package/dist/purify.cjs.js +54 -24
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.js +54 -24
- package/dist/purify.es.js.map +1 -1
- package/dist/purify.js +54 -24
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +2 -2
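--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.
+/*! @license DOMPurify 3.0.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.3/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -80,7 +80,9 @@
 /* Add properties to a lookup table */
 
 function addToSet(set, array, transformCaseFunc) {
-
+var _transformCaseFunc;
+
+transformCaseFunc = (_transformCaseFunc = transformCaseFunc) !== null && _transformCaseFunc !== void 0 ? _transformCaseFunc : stringToLowerCase;
 
 if (setPrototypeOf) {
 // Make 'in' and truthy checks like Boolean(set.constructor)
@@ -154,12 +156,12 @@
 const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); // SVG
 
 const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
-const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); // List of SVG elements that are disallowed by default.
+const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); // List of SVG elements that are disallowed by default.
 // We still need to know them so that we can do namespace
 // checks properly in case one wants to add them to
 // allow-list.
 
-const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', '
+const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
 const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']); // Similarly to SVG, we want to know all MathML elements,
 // even those that we disallow by default.
 
@@ -204,13 +206,13 @@
 * Creates a no-op policy for internal use only.
 * Don't export this function outside this module!
 * @param {?TrustedTypePolicyFactory} trustedTypes The policy factory.
-* @param {
+* @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
 * @return {?TrustedTypePolicy} The policy created (or null, if Trusted Types
-* are not supported).
+* are not supported or creating the policy failed).
 */
 
 
-const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes,
+const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
 if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
 return null;
 } // Allow the callers to control the unique policy name
@@ -221,8 +223,8 @@
 let suffix = null;
 const ATTR_NAME = 'data-tt-policy-suffix';
 
-if (
-suffix =
+if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
+suffix = purifyHostElement.getAttribute(ATTR_NAME);
 }
 
 const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
@@ -257,7 +259,7 @@
 */
 
 
-DOMPurify.version = '3.0.
+DOMPurify.version = '3.0.3';
 /**
 * Array of elements that DOMPurify removed during sanitation.
 * Empty if nothing was removed.
@@ -273,6 +275,7 @@
 }
 
 const originalDocument = window.document;
+const currentScript = originalDocument.currentScript;
 let {
 document
 } = window;
@@ -306,9 +309,8 @@
 }
 }
 
-
-
-const emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
+let trustedTypesPolicy;
+let emptyHTML = '';
 const {
 implementation,
 createNodeIterator,
@@ -323,7 +325,7 @@
 * Expose whether this browser supports running the full DOMPurify.
 */
 
-DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation &&
+DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
 const {
 MUSTACHE_EXPR,
 ERB_EXPR,
@@ -670,6 +672,31 @@
 if (ALLOWED_TAGS.table) {
 addToSet(ALLOWED_TAGS, ['tbody']);
 delete FORBID_TAGS.tbody;
+}
+
+if (cfg.TRUSTED_TYPES_POLICY) {
+if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
+throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
+}
+
+if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
+throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
+} // Overwrite existing TrustedTypes policy.
+
+
+trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY; // Sign local variables required by `sanitize`.
+
+emptyHTML = trustedTypesPolicy.createHTML('');
+} else {
+// Uninitialized policy, attempt to initialize the internal dompurify policy.
+if (trustedTypesPolicy === undefined) {
+trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
+} // If creating the internal policy succeeded sign internal variables.
+
+
+if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
+emptyHTML = trustedTypesPolicy.createHTML('');
+}
 } // Prevent further manipulation of configuration.
 // Not available in IE8, Safari 5, etc.
 
@@ -1106,9 +1133,9 @@
 }
 /* Check value is safe. First, is attr inert? If so, is safe */
 
-} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (
+} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {
 return false;
-}
+} else ;
 
 return true;
 };
@@ -1238,12 +1265,16 @@
 if (namespaceURI) ; else {
 switch (trustedTypes.getAttributeType(lcTag, lcName)) {
 case 'TrustedHTML':
-
-
+{
+value = trustedTypesPolicy.createHTML(value);
+break;
+}
 
 case 'TrustedScriptURL':
-
-
+{
+value = trustedTypesPolicy.createScriptURL(value);
+break;
+}
 }
 }
 }
@@ -1336,15 +1367,14 @@
 
 
 if (typeof dirty !== 'string' && !_isNode(dirty)) {
-
-if (typeof dirty.toString !== 'function') {
-throw typeErrorCreate('toString is not a function');
-} else {
+if (typeof dirty.toString === 'function') {
 dirty = dirty.toString();
 
 if (typeof dirty !== 'string') {
 throw typeErrorCreate('dirty is not a string, aborting');
 }
+} else {
+throw typeErrorCreate('toString is not a function');
 }
 }
 /* Return dirty HTML if DOMPurify cannot run */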
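Review bot: In the `@@ -670,6 +672,31 @@` hunk a caller-supplied `cfg.TRUSTED_TYPES_POLICY` is stored in the closure-level `trustedTypesPolicy` (declared `let trustedTypesPolicy;` in the `@@ -306,9 +309,8 @@` hunk), but the `else` branch only re-initializes when `trustedTypesPolicy === undefined` and only re-signs `emptyHTML` while it is still a string, so a later config call without the option keeps using the previously supplied policy and its `emptyHTML` value rather than falling back to the internal `dompurify` policy. Whether anything outside this hunk resets `trustedTypesPolicy` is not visible here, and the enclosing config-parsing function starts and ends outside the hunk. If the stickiness is intended, the `else` branch should say so, e.g. `// A policy supplied by an earlier TRUSTED_TYPES_POLICY config call stays in effect; only an unset policy is replaced by the internal one.`; if it is not, the code needs to remember whether the current policy came from the caller so it can be replaced here. The validation of the custom policy also only checks that `createHTML` and `createScriptURL` are functions, which the `@@ -1238,12 +1265,16 @@` hunk then calls on attribute values, so documenting that the caller's policy is trusted to sanitize those values itself would make the contract explicit.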