dompurify 3.1.4 → 3.1.5

package/dist/purify.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.1.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.4/LICENSE */
+/*! @license DOMPurify 3.1.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.5/LICENSE */
 
 (function (global, factory) {
   typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -54,10 +54,6 @@
   const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
   const regExpTest = unapply(RegExp.prototype.test);
   const typeErrorCreate = unconstruct(TypeError);
-  function numberIsNaN(x) {
-    // eslint-disable-next-line unicorn/prefer-number-properties
-    return typeof x === 'number' && isNaN(x);
-  }
 
   /**
    * Creates a new function that calls the given function with a specified thisArg and arguments.
@@ -310,7 +306,7 @@
      * Version label, exposed for easier checks
      * if DOMPurify is up to date or not
      */
-    DOMPurify.version = '3.1.4';
+    DOMPurify.version = '3.1.5';
 
     /**
      * Array of elements that DOMPurify removed during sanitation.
@@ -543,9 +539,6 @@
     /* Keep a reference to config to pass to hooks */
     let CONFIG = null;
 
-    /* Specify the maximum element nesting depth to prevent mXSS */
-    const MAX_NESTING_DEPTH = 255;
-
     /* Ideally, do not touch anything below this line */
     /* ______________________________________________ */
 
@@ -956,11 +949,7 @@
      * @return {Boolean} true if clobbered, false if safe
      */
     const _isClobbered = function _isClobbered(elm) {
-      return elm instanceof HTMLFormElement && (
-      // eslint-disable-next-line unicorn/no-typeof-undefined
-      typeof elm.__depth !== 'undefined' && typeof elm.__depth !== 'number' ||
-      // eslint-disable-next-line unicorn/no-typeof-undefined
-      typeof elm.__removalCount !== 'undefined' && typeof elm.__removalCount !== 'number' || typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
+      return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
     };
 
     /**
@@ -1111,7 +1100,7 @@
     // eslint-disable-next-line complexity
     const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
       /* Make sure attribute cannot clobber */
-      if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement || value === '__depth' || value === '__removalCount')) {
+      if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
         return false;
       }
 
@@ -1302,32 +1291,9 @@
         if (_sanitizeElements(shadowNode)) {
           continue;
         }
-        const parentNode = getParentNode(shadowNode);
-
-        /* Set the nesting depth of an element */
-        if (shadowNode.nodeType === NODE_TYPE.element) {
-          if (parentNode && parentNode.__depth) {
-            /*
-              We want the depth of the node in the original tree, which can
-              change when it's removed from its parent.
-            */
-            shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
-          } else {
-            shadowNode.__depth = 1;
-          }
-        }
-
-        /*
-         * Remove an element if nested too deeply to avoid mXSS
-         * or if the __depth might have been tampered with
-         */
-        if (shadowNode.__depth >= MAX_NESTING_DEPTH || shadowNode.__depth < 0 || numberIsNaN(shadowNode.__depth)) {
-          _forceRemove(shadowNode);
-        }
 
         /* Deep shadow DOM detected */
         if (shadowNode.content instanceof DocumentFragment) {
-          shadowNode.content.__depth = shadowNode.__depth;
           _sanitizeShadowDOM(shadowNode.content);
         }
 
@@ -1443,32 +1409,9 @@
         if (_sanitizeElements(currentNode)) {
           continue;
         }
-        const parentNode = getParentNode(currentNode);
-
-        /* Set the nesting depth of an element */
-        if (currentNode.nodeType === NODE_TYPE.element) {
-          if (parentNode && parentNode.__depth) {
-            /*
-              We want the depth of the node in the original tree, which can
-              change when it's removed from its parent.
-            */
-            currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
-          } else {
-            currentNode.__depth = 1;
-          }
-        }
-
-        /*
-         * Remove an element if nested too deeply to avoid mXSS
-         * or if the __depth might have been tampered with
-         */
-        if (currentNode.__depth >= MAX_NESTING_DEPTH || currentNode.__depth < 0 || numberIsNaN(currentNode.__depth)) {
-          _forceRemove(currentNode);
-        }
 
         /* Shadow DOM detected, sanitize it */
         if (currentNode.content instanceof DocumentFragment) {
-          currentNode.content.__depth = currentNode.__depth;
           _sanitizeShadowDOM(currentNode.content);
         }