dompurify 3.1.5 → 3.1.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +11 -2
- package/dist/purify.cjs.js +13 -14
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.mjs +13 -14
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +13 -14
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,11 +6,11 @@
|
|
|
6
6
|
|
|
7
7
|
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
|
|
8
8
|
|
|
9
|
-
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.
|
|
9
|
+
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.6**.
|
|
10
10
|
|
|
11
11
|
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
|
|
12
12
|
|
|
13
|
-
**Note that [DOMPurify v2.5.
|
|
13
|
+
**Note that [DOMPurify v2.5.6](https://github.com/cure53/DOMPurify/releases/tag/2.5.6) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
|
|
14
14
|
|
|
15
15
|
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
|
|
16
16
|
|
|
@@ -181,6 +181,9 @@ const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true});
|
|
|
181
181
|
|
|
182
182
|
|
|
183
183
|
// change how e.g. comments containing risky HTML characters are treated.
|
|
184
|
+
// be very careful, this setting should only be set to `false` if you really only handle
|
|
185
|
+
// HTML and nothing else, no SVG, MathML or the like.
|
|
186
|
+
// Otherwise, changing from `true` to `false` will lead to XSS in this or some other way.
|
|
184
187
|
const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_XML: false});
|
|
185
188
|
```
|
|
186
189
|
|
|
@@ -378,6 +381,12 @@ DOMPurify.addHook(
|
|
|
378
381
|
);
|
|
379
382
|
```
|
|
380
383
|
|
|
384
|
+
## Removed Configuration
|
|
385
|
+
|
|
386
|
+
| Option | Since | Note |
|
|
387
|
+
|-----------------|-------|--------------------------|
|
|
388
|
+
| SAFE_FOR_JQUERY | 2.1.0 | No replacement required. |
|
|
389
|
+
|
|
381
390
|
## Continuous Integration
|
|
382
391
|
|
|
383
392
|
We are currently using Github Actions in combination with BrowserStack. This gives us the possibility to confirm for each and every commit that all is going according to plan in all supported browsers. Check out the build logs here: https://github.com/cure53/DOMPurify/actions
|
package/dist/purify.cjs.js
CHANGED
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
/*! @license DOMPurify 3.1.
|
|
1
|
+
/*! @license DOMPurify 3.1.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.6/LICENSE */
|
|
2
2
|
|
|
3
3
|
'use strict';
|
|
4
4
|
|
|
@@ -211,11 +211,9 @@ const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-
|
|
|
211
211
|
const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
212
212
|
const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
213
213
|
);
|
|
214
|
-
|
|
215
214
|
const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
|
|
216
215
|
const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
|
|
217
216
|
);
|
|
218
|
-
|
|
219
217
|
const DOCTYPE_NAME = seal(/^html$/i);
|
|
220
218
|
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
|
|
221
219
|
|
|
@@ -250,7 +248,6 @@ const NODE_TYPE = {
|
|
|
250
248
|
documentFragment: 11,
|
|
251
249
|
notation: 12 // Deprecated
|
|
252
250
|
};
|
|
253
|
-
|
|
254
251
|
const getGlobal = function getGlobal() {
|
|
255
252
|
return typeof window === 'undefined' ? null : window;
|
|
256
253
|
};
|
|
@@ -302,7 +299,7 @@ function createDOMPurify() {
|
|
|
302
299
|
* Version label, exposed for easier checks
|
|
303
300
|
* if DOMPurify is up to date or not
|
|
304
301
|
*/
|
|
305
|
-
DOMPurify.version = '3.1.
|
|
302
|
+
DOMPurify.version = '3.1.6';
|
|
306
303
|
|
|
307
304
|
/**
|
|
308
305
|
* Array of elements that DOMPurify removed during sanitation.
|
|
@@ -333,6 +330,7 @@ function createDOMPurify() {
|
|
|
333
330
|
} = window;
|
|
334
331
|
const ElementPrototype = Element.prototype;
|
|
335
332
|
const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
|
|
333
|
+
const remove = lookupGetter(ElementPrototype, 'remove');
|
|
336
334
|
const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
|
|
337
335
|
const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
|
|
338
336
|
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
|
|
@@ -833,9 +831,9 @@ function createDOMPurify() {
|
|
|
833
831
|
});
|
|
834
832
|
try {
|
|
835
833
|
// eslint-disable-next-line unicorn/prefer-dom-node-remove
|
|
836
|
-
node.
|
|
834
|
+
getParentNode(node).removeChild(node);
|
|
837
835
|
} catch (_) {
|
|
838
|
-
|
|
836
|
+
remove(node);
|
|
839
837
|
}
|
|
840
838
|
};
|
|
841
839
|
|
|
@@ -1012,7 +1010,7 @@ function createDOMPurify() {
|
|
|
1012
1010
|
return true;
|
|
1013
1011
|
}
|
|
1014
1012
|
|
|
1015
|
-
/* Remove any
|
|
1013
|
+
/* Remove any occurrence of processing instructions */
|
|
1016
1014
|
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
|
|
1017
1015
|
_forceRemove(currentNode);
|
|
1018
1016
|
return true;
|
|
@@ -1181,6 +1179,13 @@ function createDOMPurify() {
|
|
|
1181
1179
|
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1182
1180
|
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
|
|
1183
1181
|
value = hookEvent.attrValue;
|
|
1182
|
+
|
|
1183
|
+
/* Work around a security issue with comments inside attributes */
|
|
1184
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1185
|
+
_removeAttribute(name, currentNode);
|
|
1186
|
+
continue;
|
|
1187
|
+
}
|
|
1188
|
+
|
|
1184
1189
|
/* Did the hooks approve of the attribute? */
|
|
1185
1190
|
if (hookEvent.forceKeepAttr) {
|
|
1186
1191
|
continue;
|
|
@@ -1200,12 +1205,6 @@ function createDOMPurify() {
|
|
|
1200
1205
|
continue;
|
|
1201
1206
|
}
|
|
1202
1207
|
|
|
1203
|
-
/* Work around a security issue with comments inside attributes */
|
|
1204
|
-
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1205
|
-
_removeAttribute(name, currentNode);
|
|
1206
|
-
continue;
|
|
1207
|
-
}
|
|
1208
|
-
|
|
1209
1208
|
/* Sanitize attribute content to be template-safe */
|
|
1210
1209
|
if (SAFE_FOR_TEMPLATES) {
|
|
1211
1210
|
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
|