dompurify 3.0.8 → 3.0.10
- package/README.md +3 -3
- package/dist/purify.cjs.js +24 -19
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.mjs +24 -19
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +24 -19
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
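--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.
+/*! @license DOMPurify 3.0.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.10/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -51,6 +51,7 @@
 const stringReplace = unapply(String.prototype.replace);
 const stringIndexOf = unapply(String.prototype.indexOf);
 const stringTrim = unapply(String.prototype.trim);
+const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
 const regExpTest = unapply(RegExp.prototype.test);
 const typeErrorCreate = unconstruct(TypeError);
 
@@ -126,7 +127,8 @@
 */
 function cleanArray(array) {
 for (let index = 0; index < array.length; index++) {
-
+const isPropertyExist = objectHasOwnProperty(array, index);
+if (!isPropertyExist) {
 array[index] = null;
 }
 }
@@ -142,7 +144,8 @@
 function clone(object) {
 const newObject = create(null);
 for (const [property, value] of entries(object)) {
-
+const isPropertyExist = objectHasOwnProperty(object, property);
+if (isPropertyExist) {
 if (Array.isArray(value)) {
 newObject[property] = cleanArray(value);
 } else if (value && typeof value === 'object' && value.constructor === Object) {
@@ -175,8 +178,7 @@
 }
 object = getPrototypeOf(object);
 }
-function fallbackValue(
-console.warn('fallback value for', element);
+function fallbackValue() {
 return null;
 }
 return fallbackValue;
@@ -219,6 +221,7 @@
 );
 
 const DOCTYPE_NAME = seal(/^html$/i);
+const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
 __proto__: null,
@@ -230,7 +233,8 @@
 IS_ALLOWED_URI: IS_ALLOWED_URI,
 IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
 ATTR_WHITESPACE: ATTR_WHITESPACE,
-DOCTYPE_NAME: DOCTYPE_NAME
+DOCTYPE_NAME: DOCTYPE_NAME,
+CUSTOM_ELEMENT: CUSTOM_ELEMENT
 });
 
 const getGlobal = function getGlobal() {
@@ -284,7 +288,7 @@
 * Version label, exposed for easier checks
 * if DOMPurify is up to date or not
 */
-DOMPurify.version = '3.0.
+DOMPurify.version = '3.0.10';
 
 /**
 * Array of elements that DOMPurify removed during sanitation.
@@ -355,7 +359,8 @@
 DATA_ATTR,
 ARIA_ATTR,
 IS_SCRIPT_OR_DATA,
-ATTR_WHITESPACE
+ATTR_WHITESPACE,
+CUSTOM_ELEMENT
 } = EXPRESSIONS;
 let {
 IS_ALLOWED_URI: IS_ALLOWED_URI$1
@@ -546,27 +551,27 @@
 transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
 
 /* Set configuration parameters */
-ALLOWED_TAGS = 'ALLOWED_TAGS'
-ALLOWED_ATTR = 'ALLOWED_ATTR'
-ALLOWED_NAMESPACES = 'ALLOWED_NAMESPACES'
-URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR'
+ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
+ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
+ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
+URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
 // eslint-disable-line indent
 cfg.ADD_URI_SAFE_ATTR,
 // eslint-disable-line indent
 transformCaseFunc // eslint-disable-line indent
 ) // eslint-disable-line indent
 : DEFAULT_URI_SAFE_ATTRIBUTES;
-DATA_URI_TAGS = 'ADD_DATA_URI_TAGS'
+DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
 // eslint-disable-line indent
 cfg.ADD_DATA_URI_TAGS,
 // eslint-disable-line indent
 transformCaseFunc // eslint-disable-line indent
 ) // eslint-disable-line indent
 : DEFAULT_DATA_URI_TAGS;
-FORBID_CONTENTS = 'FORBID_CONTENTS'
-FORBID_TAGS = 'FORBID_TAGS'
-FORBID_ATTR = 'FORBID_ATTR'
-USE_PROFILES = 'USE_PROFILES'
+FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
+FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
+FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
+USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
 ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
@@ -910,7 +915,7 @@
 const _createNodeIterator = function _createNodeIterator(root) {
 return createNodeIterator.call(root.ownerDocument || root, root,
 // eslint-disable-next-line no-bitwise
-NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null);
+NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
 };
 
 /**
@@ -1092,7 +1097,7 @@
 * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
 */
 const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
-return tagName
+return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
 };
 
 /**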
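Review bot: Nothing in this file's hunks handles the processing-instruction nodes that `_createNodeIterator` now requests through `NodeFilter.SHOW_PROCESSING_INSTRUCTION`. Their removal therefore presumably depends on the generic tag allow-list path in the element sanitizer, which lies outside this diff and should be confirmed. I would make the intent explicit there with an early `nodeType === 7` check that removes the node before any tag-name or custom-element logic runs, because the new `CUSTOM_ELEMENT` pattern is applied to whatever name reaches `_isBasicCustomElement`. A regression test that sanitizes an XML-parsed input containing a processing instruction and asserts it is absent from the output would pin the behaviour. A one-line comment above the flag list, such as `// processing instructions are walked only so they can be stripped`, would record why the flag was added.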