dompurify 3.0.8 → 3.0.10
- package/README.md +3 -3
- package/dist/purify.cjs.js +24 -19
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.mjs +24 -19
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +24 -19
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
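--- a/package/dist/purify.es.mjs
+++ b/package/dist/purify.es.mjs
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.
+/*! @license DOMPurify 3.0.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.10/LICENSE */
 
 const {
 entries,
@@ -45,6 +45,7 @@ const stringMatch = unapply(String.prototype.match);
 const stringReplace = unapply(String.prototype.replace);
 const stringIndexOf = unapply(String.prototype.indexOf);
 const stringTrim = unapply(String.prototype.trim);
+const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
 const regExpTest = unapply(RegExp.prototype.test);
 const typeErrorCreate = unconstruct(TypeError);
 
@@ -120,7 +121,8 @@ function addToSet(set, array) {
 */
 function cleanArray(array) {
 for (let index = 0; index < array.length; index++) {
-
+const isPropertyExist = objectHasOwnProperty(array, index);
+if (!isPropertyExist) {
 array[index] = null;
 }
 }
@@ -136,7 +138,8 @@ function cleanArray(array) {
 function clone(object) {
 const newObject = create(null);
 for (const [property, value] of entries(object)) {
-
+const isPropertyExist = objectHasOwnProperty(object, property);
+if (isPropertyExist) {
 if (Array.isArray(value)) {
 newObject[property] = cleanArray(value);
 } else if (value && typeof value === 'object' && value.constructor === Object) {
@@ -169,8 +172,7 @@ function lookupGetter(object, prop) {
 }
 object = getPrototypeOf(object);
 }
-function fallbackValue(
-console.warn('fallback value for', element);
+function fallbackValue() {
 return null;
 }
 return fallbackValue;
@@ -213,6 +215,7 @@ const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205
 );
 
 const DOCTYPE_NAME = seal(/^html$/i);
+const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
 __proto__: null,
@@ -224,7 +227,8 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
 IS_ALLOWED_URI: IS_ALLOWED_URI,
 IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
 ATTR_WHITESPACE: ATTR_WHITESPACE,
-DOCTYPE_NAME: DOCTYPE_NAME
+DOCTYPE_NAME: DOCTYPE_NAME,
+CUSTOM_ELEMENT: CUSTOM_ELEMENT
 });
 
 const getGlobal = function getGlobal() {
@@ -278,7 +282,7 @@ function createDOMPurify() {
 * Version label, exposed for easier checks
 * if DOMPurify is up to date or not
 */
-DOMPurify.version = '3.0.
+DOMPurify.version = '3.0.10';
 
 /**
 * Array of elements that DOMPurify removed during sanitation.
@@ -349,7 +353,8 @@ function createDOMPurify() {
 DATA_ATTR,
 ARIA_ATTR,
 IS_SCRIPT_OR_DATA,
-ATTR_WHITESPACE
+ATTR_WHITESPACE,
+CUSTOM_ELEMENT
 } = EXPRESSIONS;
 let {
 IS_ALLOWED_URI: IS_ALLOWED_URI$1
@@ -540,27 +545,27 @@ function createDOMPurify() {
 transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
 
 /* Set configuration parameters */
-ALLOWED_TAGS = 'ALLOWED_TAGS'
-ALLOWED_ATTR = 'ALLOWED_ATTR'
-ALLOWED_NAMESPACES = 'ALLOWED_NAMESPACES'
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR'
+ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
+URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
 // eslint-disable-line indent
 cfg.ADD_URI_SAFE_ATTR,
 // eslint-disable-line indent
 transformCaseFunc // eslint-disable-line indent
 ) // eslint-disable-line indent
 : DEFAULT_URI_SAFE_ATTRIBUTES;
-DATA_URI_TAGS = 'ADD_DATA_URI_TAGS'
+DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
 // eslint-disable-line indent
 cfg.ADD_DATA_URI_TAGS,
 // eslint-disable-line indent
 transformCaseFunc // eslint-disable-line indent
 ) // eslint-disable-line indent
 : DEFAULT_DATA_URI_TAGS;
-FORBID_CONTENTS = 'FORBID_CONTENTS'
-FORBID_TAGS = 'FORBID_TAGS'
-FORBID_ATTR = 'FORBID_ATTR'
-USE_PROFILES = 'USE_PROFILES'
+FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
+USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
 ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
@@ -904,7 +909,7 @@ function createDOMPurify() {
 const _createNodeIterator = function _createNodeIterator(root) {
 return createNodeIterator.call(root.ownerDocument || root, root,
 // eslint-disable-next-line no-bitwise
-NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null);
+NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
 };
 
 /**
@@ -1086,7 +1091,7 @@ function createDOMPurify() {
 * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
 */
 const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
-return tagName
+return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
 };
 
 /**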
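Review bot: In the `@@ -540,27 +545,27 @@` hunk the list options now go through `objectHasOwnProperty(cfg, …)`, but the boolean flags on the unchanged lines directly below still use plain reads such as `cfg.ALLOW_UNKNOWN_PROTOCOLS || false`, which follow the prototype chain. Whether that matters depends on `cfg` being a null-prototype copy at this point; `clone()` builds one with `create(null)`, but no call applying it to `cfg` is visible in the hunk. If `cfg` is such a copy, a comment above the block saying so would explain why the two styles are equivalent; if it is not, the default-off flags deserve the same guard, e.g. `ALLOW_UNKNOWN_PROTOCOLS = objectHasOwnProperty(cfg, 'ALLOW_UNKNOWN_PROTOCOLS') && cfg.ALLOW_UNKNOWN_PROTOCOLS || false;`. The enclosing function starts and ends outside the hunk, and since this file is the built bundle the change belongs in the source it is generated from.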