dompurify 3.0.7 → 3.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +19 -17
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.mjs +19 -17
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +19 -17
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -8
package/README.md
CHANGED
|
@@ -6,7 +6,7 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.9**.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
|
|
12
12
|
|
|
@@ -413,6 +413,6 @@ Many people helped and help DOMPurify become what it is and need to be acknowled
|
|
|
413
413
|
|
|
414
414
|
## Testing powered by
|
|
415
415
|
|
|
416
|
-
<a target="_blank" href="https://www.browserstack.com/"><img width="200" src="https://
|
|
416
|
+
<a target="_blank" href="https://www.browserstack.com/"><img width="200" src="https://github.com/cure53/DOMPurify/assets/6709482/f70be7eb-8fc4-41ea-9653-9d359235328f"></a><br>
|
|
417
417
|
|
|
418
418
|
And last but not least, thanks to [BrowserStack Open-Source Program](https://www.browserstack.com/open-source) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 3.0.
|
|
1
|
+
/*! @license DOMPurify 3.0.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.9/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -47,6 +47,7 @@ const stringMatch = unapply(String.prototype.match);
|
|
|
47
47
|
const stringReplace = unapply(String.prototype.replace);
|
|
48
48
|
const stringIndexOf = unapply(String.prototype.indexOf);
|
|
49
49
|
const stringTrim = unapply(String.prototype.trim);
|
|
50
|
+
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
|
|
50
51
|
const regExpTest = unapply(RegExp.prototype.test);
|
|
51
52
|
const typeErrorCreate = unconstruct(TypeError);
|
|
52
53
|
|
|
@@ -122,7 +123,8 @@ function addToSet(set, array) {
|
|
|
122
123
|
*/
|
|
123
124
|
function cleanArray(array) {
|
|
124
125
|
for (let index = 0; index < array.length; index++) {
|
|
125
|
-
|
|
126
|
+
const isPropertyExist = objectHasOwnProperty(array, index);
|
|
127
|
+
if (!isPropertyExist) {
|
|
126
128
|
array[index] = null;
|
|
127
129
|
}
|
|
128
130
|
}
|
|
@@ -138,10 +140,11 @@ function cleanArray(array) {
|
|
|
138
140
|
function clone(object) {
|
|
139
141
|
const newObject = create(null);
|
|
140
142
|
for (const [property, value] of entries(object)) {
|
|
141
|
-
|
|
143
|
+
const isPropertyExist = objectHasOwnProperty(object, property);
|
|
144
|
+
if (isPropertyExist) {
|
|
142
145
|
if (Array.isArray(value)) {
|
|
143
146
|
newObject[property] = cleanArray(value);
|
|
144
|
-
} else if (typeof value === 'object' && value.constructor === Object) {
|
|
147
|
+
} else if (value && typeof value === 'object' && value.constructor === Object) {
|
|
145
148
|
newObject[property] = clone(value);
|
|
146
149
|
} else {
|
|
147
150
|
newObject[property] = value;
|
|
@@ -171,8 +174,7 @@ function lookupGetter(object, prop) {
|
|
|
171
174
|
}
|
|
172
175
|
object = getPrototypeOf(object);
|
|
173
176
|
}
|
|
174
|
-
function fallbackValue(
|
|
175
|
-
console.warn('fallback value for', element);
|
|
177
|
+
function fallbackValue() {
|
|
176
178
|
return null;
|
|
177
179
|
}
|
|
178
180
|
return fallbackValue;
|
|
@@ -280,7 +282,7 @@ function createDOMPurify() {
|
|
|
280
282
|
* Version label, exposed for easier checks
|
|
281
283
|
* if DOMPurify is up to date or not
|
|
282
284
|
*/
|
|
283
|
-
DOMPurify.version = '3.0.
|
|
285
|
+
DOMPurify.version = '3.0.9';
|
|
284
286
|
|
|
285
287
|
/**
|
|
286
288
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -542,27 +544,27 @@ function createDOMPurify() {
|
|
|
542
544
|
transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
|
|
543
545
|
|
|
544
546
|
/* Set configuration parameters */
|
|
545
|
-
ALLOWED_TAGS = 'ALLOWED_TAGS'
|
|
546
|
-
ALLOWED_ATTR = 'ALLOWED_ATTR'
|
|
547
|
-
ALLOWED_NAMESPACES = 'ALLOWED_NAMESPACES'
|
|
548
|
-
URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR'
|
|
547
|
+
ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
|
|
548
|
+
ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
|
|
549
|
+
ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
|
|
550
|
+
URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
|
|
549
551
|
// eslint-disable-line indent
|
|
550
552
|
cfg.ADD_URI_SAFE_ATTR,
|
|
551
553
|
// eslint-disable-line indent
|
|
552
554
|
transformCaseFunc // eslint-disable-line indent
|
|
553
555
|
) // eslint-disable-line indent
|
|
554
556
|
: DEFAULT_URI_SAFE_ATTRIBUTES;
|
|
555
|
-
DATA_URI_TAGS = 'ADD_DATA_URI_TAGS'
|
|
557
|
+
DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
|
|
556
558
|
// eslint-disable-line indent
|
|
557
559
|
cfg.ADD_DATA_URI_TAGS,
|
|
558
560
|
// eslint-disable-line indent
|
|
559
561
|
transformCaseFunc // eslint-disable-line indent
|
|
560
562
|
) // eslint-disable-line indent
|
|
561
563
|
: DEFAULT_DATA_URI_TAGS;
|
|
562
|
-
FORBID_CONTENTS = 'FORBID_CONTENTS'
|
|
563
|
-
FORBID_TAGS = 'FORBID_TAGS'
|
|
564
|
-
FORBID_ATTR = 'FORBID_ATTR'
|
|
565
|
-
USE_PROFILES = 'USE_PROFILES'
|
|
564
|
+
FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
|
|
565
|
+
FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
|
|
566
|
+
FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
|
|
567
|
+
USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
|
|
566
568
|
ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
|
|
567
569
|
ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
|
|
568
570
|
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
|
|
@@ -1088,7 +1090,7 @@ function createDOMPurify() {
|
|
|
1088
1090
|
* @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
|
|
1089
1091
|
*/
|
|
1090
1092
|
const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
|
|
1091
|
-
return tagName.indexOf('-') > 0;
|
|
1093
|
+
return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
|
|
1092
1094
|
};
|
|
1093
1095
|
|
|
1094
1096
|
/**
|