dompurify 3.0.9 → 3.0.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +2 -2
- package/dist/purify.cjs.js +15 -6
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.mjs +15 -6
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +15 -6
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.11**.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that [DOMPurify v2.4.
|
|
13
|
+
**Note that [DOMPurify v2.4.9](https://github.com/cure53/DOMPurify/releases/tag/2.4.9) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 3.0.
|
|
1
|
+
/*! @license DOMPurify 3.0.11 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.11/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -217,6 +217,7 @@ const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205
|
|
|
217
217
|
);
|
|
218
218
|
|
|
219
219
|
const DOCTYPE_NAME = seal(/^html$/i);
|
|
220
|
+
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
|
|
220
221
|
|
|
221
222
|
var EXPRESSIONS = /*#__PURE__*/Object.freeze({
|
|
222
223
|
__proto__: null,
|
|
@@ -228,7 +229,8 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
|
|
|
228
229
|
IS_ALLOWED_URI: IS_ALLOWED_URI,
|
|
229
230
|
IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
|
|
230
231
|
ATTR_WHITESPACE: ATTR_WHITESPACE,
|
|
231
|
-
DOCTYPE_NAME: DOCTYPE_NAME
|
|
232
|
+
DOCTYPE_NAME: DOCTYPE_NAME,
|
|
233
|
+
CUSTOM_ELEMENT: CUSTOM_ELEMENT
|
|
232
234
|
});
|
|
233
235
|
|
|
234
236
|
const getGlobal = function getGlobal() {
|
|
@@ -282,7 +284,7 @@ function createDOMPurify() {
|
|
|
282
284
|
* Version label, exposed for easier checks
|
|
283
285
|
* if DOMPurify is up to date or not
|
|
284
286
|
*/
|
|
285
|
-
DOMPurify.version = '3.0.
|
|
287
|
+
DOMPurify.version = '3.0.11';
|
|
286
288
|
|
|
287
289
|
/**
|
|
288
290
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -353,7 +355,8 @@ function createDOMPurify() {
|
|
|
353
355
|
DATA_ATTR,
|
|
354
356
|
ARIA_ATTR,
|
|
355
357
|
IS_SCRIPT_OR_DATA,
|
|
356
|
-
ATTR_WHITESPACE
|
|
358
|
+
ATTR_WHITESPACE,
|
|
359
|
+
CUSTOM_ELEMENT
|
|
357
360
|
} = EXPRESSIONS;
|
|
358
361
|
let {
|
|
359
362
|
IS_ALLOWED_URI: IS_ALLOWED_URI$1
|
|
@@ -908,7 +911,7 @@ function createDOMPurify() {
|
|
|
908
911
|
const _createNodeIterator = function _createNodeIterator(root) {
|
|
909
912
|
return createNodeIterator.call(root.ownerDocument || root, root,
|
|
910
913
|
// eslint-disable-next-line no-bitwise
|
|
911
|
-
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null);
|
|
914
|
+
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
|
|
912
915
|
};
|
|
913
916
|
|
|
914
917
|
/**
|
|
@@ -985,6 +988,12 @@ function createDOMPurify() {
|
|
|
985
988
|
return true;
|
|
986
989
|
}
|
|
987
990
|
|
|
991
|
+
/* Remove any ocurrence of processing instructions */
|
|
992
|
+
if (currentNode.nodeType === 7) {
|
|
993
|
+
_forceRemove(currentNode);
|
|
994
|
+
return true;
|
|
995
|
+
}
|
|
996
|
+
|
|
988
997
|
/* Remove element if anything forbids its presence */
|
|
989
998
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
990
999
|
/* Check if we have a custom element to handle */
|
|
@@ -1090,7 +1099,7 @@ function createDOMPurify() {
|
|
|
1090
1099
|
* @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
|
|
1091
1100
|
*/
|
|
1092
1101
|
const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
|
|
1093
|
-
return tagName !== 'annotation-xml' && tagName
|
|
1102
|
+
return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
|
|
1094
1103
|
};
|
|
1095
1104
|
|
|
1096
1105
|
/**
|