dompurify 3.3.0 → 3.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -6
- package/dist/purify.cjs.d.ts +6 -2
- package/dist/purify.cjs.js +21 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.d.mts +6 -2
- package/dist/purify.es.mjs +21 -4
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +21 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +6 -5
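--- a/package/dist/purify.es.d.mts
+++ b/package/dist/purify.es.d.mts
@@ -1,6 +1,6 @@
-/*! @license DOMPurify 3.3.
+/*! @license DOMPurify 3.3.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.2/LICENSE */
 
-import { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted-types/lib';
+import { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted-types/lib/index.js';
 
 /**
 * Configuration to control DOMPurify behavior.
@@ -94,6 +94,10 @@ interface Config {
 * Add child elements to be removed when their parent is removed.
 */
 FORBID_CONTENTS?: string[] | undefined;
+/**
+* Extend the existing or default array of forbidden content elements.
+*/
+ADD_FORBID_CONTENTS?: string[] | undefined;
 /**
 * Add elements to block-list.
 */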
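--- a/package/dist/purify.es.mjs
+++ b/package/dist/purify.es.mjs
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.3.
+/*! @license DOMPurify 3.3.2 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.2/LICENSE */
 
 const {
 entries,
@@ -305,7 +305,7 @@ const _createHooksMap = function _createHooksMap() {
 function createDOMPurify() {
 let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
 const DOMPurify = root => createDOMPurify(root);
-DOMPurify.version = '3.3.
+DOMPurify.version = '3.3.2';
 DOMPurify.removed = [];
 if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
 // Not running in a browser, provide a factory function
@@ -600,7 +600,7 @@ function createDOMPurify() {
 /* Parse profile info */
 if (USE_PROFILES) {
 ALLOWED_TAGS = addToSet({}, text);
-ALLOWED_ATTR =
+ALLOWED_ATTR = create(null);
 if (USE_PROFILES.html === true) {
 addToSet(ALLOWED_TAGS, html$1);
 addToSet(ALLOWED_ATTR, html);
@@ -621,6 +621,13 @@ function createDOMPurify() {
 addToSet(ALLOWED_ATTR, xml);
 }
 }
+/* Prevent function-based ADD_ATTR / ADD_TAGS from leaking across calls */
+if (!objectHasOwnProperty(cfg, 'ADD_TAGS')) {
+EXTRA_ELEMENT_HANDLING.tagCheck = null;
+}
+if (!objectHasOwnProperty(cfg, 'ADD_ATTR')) {
+EXTRA_ELEMENT_HANDLING.attributeCheck = null;
+}
 /* Merge configuration parameters */
 if (cfg.ADD_TAGS) {
 if (typeof cfg.ADD_TAGS === 'function') {
@@ -651,6 +658,12 @@ function createDOMPurify() {
 }
 addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
 }
+if (cfg.ADD_FORBID_CONTENTS) {
+if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
+FORBID_CONTENTS = clone(FORBID_CONTENTS);
+}
+addToSet(FORBID_CONTENTS, cfg.ADD_FORBID_CONTENTS, transformCaseFunc);
+}
 /* Add #text in case KEEP_CONTENT is set to true */
 if (KEEP_CONTENT) {
 ALLOWED_TAGS['#text'] = true;
@@ -1012,6 +1025,10 @@ function createDOMPurify() {
 */
 // eslint-disable-next-line complexity
 const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
+/* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
+if (FORBID_ATTR[lcName]) {
+return false;
+}
 /* Make sure attribute cannot clobber */
 if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
 return false;
@@ -1104,7 +1121,7 @@ function createDOMPurify() {
 value = SANITIZE_NAMED_PROPS_PREFIX + value;
 }
 /* Work around a security issue with comments inside attributes */
-if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title|textarea)/i, value)) {
+if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|script|title|xmp|textarea|noscript|iframe|noembed|noframes)/i, value)) {
 _removeAttribute(name, currentNode);
 continue;
 }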
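Review bot: The reset in the @@ -621 hunk keys on `objectHasOwnProperty(cfg, 'ADD_TAGS')`, but the merge just below keys on truthiness (`if (cfg.ADD_TAGS)`), so a config carrying an own `ADD_TAGS: undefined` (or `null`) skips both the reset and the re-assignment and a function-based `tagCheck` from an earlier call survives into this one; the same applies to `ADD_ATTR` and `attributeCheck`. Since the function branch of the merge presumably re-assigns the predicate whenever one is supplied (that branch is cut off by the hunk), the two guards can simply become unconditional resets, `EXTRA_ELEMENT_HANDLING.tagCheck = null;` and `EXTRA_ELEMENT_HANDLING.attributeCheck = null;`, placed before `/* Merge configuration parameters */`. The enclosing config-parsing function starts and ends outside the hunk. Separately, in the @@ -600 hunk `ALLOWED_ATTR` now starts as `create(null)` while `ALLOWED_TAGS` is still seeded from a plain `{}`; that is only equivalent if `addToSet` strips the prototype itself, which is worth confirming so neither allow-list can fall through to `Object.prototype` keys when no profile populates it.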