dompurify 3.3.1 → 3.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -1,16 +1,16 @@
1
1
  # DOMPurify
2
2
 
3
- [![npm](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) ![Tests](https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg) [![Downloads](https://img.shields.io/npm/dm/dompurify.svg)](https://www.npmjs.com/package/dompurify) ![npm package minimized gzipped size (select exports)](https://img.shields.io/bundlejs/size/dompurify?color=%233C1&label=gzipped) [![dependents](https://badgen.net/github/dependents-repo/cure53/dompurify?color=green&label=dependents)](https://github.com/cure53/DOMPurify/network/dependents) [![Build Status](https://app.cloudback.it/badge/cure53/DOMPurify)](https://cloudback.it)
3
+ [![npm](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) ![Tests](https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg) [![Downloads](https://img.shields.io/npm/dm/dompurify.svg)](https://www.npmjs.com/package/dompurify) ![npm package minimized gzipped size (select exports)](https://img.shields.io/bundlejs/size/dompurify?color=%233C1&label=gzip) [![dependents](https://badgen.net/github/dependents-repo/cure53/dompurify?color=green&label=dependents)](https://github.com/cure53/DOMPurify/network/dependents) [![Cloudback](https://app.cloudback.it/badge/cure53/DOMPurify)](https://cloudback.it)
4
4
 
5
5
  DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
6
6
 
7
- It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.3.1**.
7
+ It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.3.3**.
8
8
 
9
- DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
9
+ DOMPurify runs as JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
10
10
 
11
- **Note that [DOMPurify v2.5.8](https://github.com/cure53/DOMPurify/releases/tag/2.5.8) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
11
+ **Note that [DOMPurify v2.5.9](https://github.com/cure53/DOMPurify/releases/tag/2.5.9) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
12
12
 
13
- Our automated tests cover [28 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v18.x, v19.x, v20.x, v21.x, v22.x and v23.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
13
+ Our automated tests cover [28 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v20.x, v22.x, 24.x and v25.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
14
14
 
15
15
  DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really.
16
16
 
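Review bot: line 13 of the new README is inconsistent in its version list, "v20.x, v22.x, 24.x and v25.x"; the "v" prefix is dropped on 24.x, so make it "v24.x". While touching line 3, the npm badge still links to `http://badge.fury.io/js/dompurify` over plaintext HTTP although every neighbouring link is https; switch it to `https://badge.fury.io/js/dompurify`.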
@@ -65,7 +65,7 @@ After sanitizing your markup, you can also have a look at the property `DOMPurif
65
65
 
66
66
  ### Running DOMPurify on the server
67
67
 
68
- DOMPurify technically also works server-side with Node.js. Our support strives to follow the [Node.js release cycle](https://nodejs.org/en/about/releases/).
68
+ DOMPurify technically also works server-side with Node.js. Our support strives to follow the [Node.js release cycle](https://nodejs.org/en/about/previous-releases).
69
69
 
70
70
  Running DOMPurify on the server requires a DOM to be present, which is probably no surprise. Usually, [jsdom](https://github.com/jsdom/jsdom) is the tool of choice and we **strongly recommend** to use the latest version of _jsdom_.
71
71
 
@@ -440,7 +440,7 @@ We support `npm` officially. GitHub Actions workflow is configured to install de
440
440
 
441
441
  #### Scripts
442
442
 
443
- We rely on npm run-scripts for integrating with our tooling infrastructure. We use ESLint as a pre-commit hook to ensure code consistency. Moreover, to ease formatting we use [prettier](https://github.com/prettier/prettier) while building the `/dist` assets happens through `rollup`.
443
+ We use ESLint as a pre-commit hook to ensure code consistency. Moreover, to ease formatting we use [prettier](https://github.com/prettier/prettier) while building the `/dist` assets happens through `rollup`.
444
444
 
445
445
  These are our npm scripts:
446
446
 
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 3.3.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.1/LICENSE */
1
+ /*! @license DOMPurify 3.3.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.3/LICENSE */
2
2
 
3
3
  import { TrustedTypePolicy, TrustedHTML, TrustedTypesWindow } from 'trusted-types/lib/index.js';
4
4
 
@@ -1,4 +1,4 @@
1
- /*! @license DOMPurify 3.3.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.1/LICENSE */
1
+ /*! @license DOMPurify 3.3.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.3/LICENSE */
2
2
 
3
3
  'use strict';
4
4
 
@@ -307,7 +307,7 @@ const _createHooksMap = function _createHooksMap() {
307
307
  function createDOMPurify() {
308
308
  let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
309
309
  const DOMPurify = root => createDOMPurify(root);
310
- DOMPurify.version = '3.3.1';
310
+ DOMPurify.version = '3.3.3';
311
311
  DOMPurify.removed = [];
312
312
  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
313
313
  // Not running in a browser, provide a factory function
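Review bot: the version string on line 310 is hand-maintained and has to be kept in lockstep with the `@license` banners (3.3.3) and with package.json, which is not part of this diff; consider injecting it from package.json at build time so a future bump cannot leave `DOMPurify.version` reporting the wrong release.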
@@ -602,7 +602,7 @@ function createDOMPurify() {
602
602
  /* Parse profile info */
603
603
  if (USE_PROFILES) {
604
604
  ALLOWED_TAGS = addToSet({}, text);
605
- ALLOWED_ATTR = [];
605
+ ALLOWED_ATTR = create(null);
606
606
  if (USE_PROFILES.html === true) {
607
607
  addToSet(ALLOWED_TAGS, html$1);
608
608
  addToSet(ALLOWED_ATTR, html);
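Review bot: line 605 deserves a comment explaining why `[]` was unsafe as a lookup set. An array inherits `Array.prototype`, so `ALLOWED_ATTR['constructor']` or `ALLOWED_ATTR['map']` is truthy and an attribute with such a name would pass an `ALLOWED_ATTR[lcName]` check although it was never added. `ALLOWED_TAGS` on line 604 is built through `addToSet`, whereas `ALLOWED_ATTR` only reaches `addToSet` inside the profile branches that follow (lines 608 and 623), so with a `USE_PROFILES` object that enables no profile the raw array survived; `create(null)` gives a prototype-free dictionary regardless. Suggest something like `ALLOWED_ATTR = create(null); // no prototype: Array.prototype members must not act as allowed names`.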
@@ -623,6 +623,13 @@ function createDOMPurify() {
623
623
  addToSet(ALLOWED_ATTR, xml);
624
624
  }
625
625
  }
626
+ /* Prevent function-based ADD_ATTR / ADD_TAGS from leaking across calls */
627
+ if (!objectHasOwnProperty(cfg, 'ADD_TAGS')) {
628
+ EXTRA_ELEMENT_HANDLING.tagCheck = null;
629
+ }
630
+ if (!objectHasOwnProperty(cfg, 'ADD_ATTR')) {
631
+ EXTRA_ELEMENT_HANDLING.attributeCheck = null;
632
+ }
626
633
  /* Merge configuration parameters */
627
634
  if (cfg.ADD_TAGS) {
628
635
  if (typeof cfg.ADD_TAGS === 'function') {
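Review bot: the reset on lines 627-632 is keyed on whether `ADD_TAGS` / `ADD_ATTR` is an own property of `cfg`, not on whether the new value is a function, so it does not fully close the leak the comment on line 626 describes. A call that passes `ADD_TAGS` as an array (or as `undefined`) after an earlier call that passed a predicate skips the reset, and the stale `tagCheck` from the previous config keeps widening the allow-list; the `typeof cfg.ADD_TAGS === 'function'` branch on line 635 only ever assigns, never clears. Suggest clearing unconditionally before the merge and letting the function branch reassign, e.g. `EXTRA_ELEMENT_HANDLING.tagCheck = null;` and `EXTRA_ELEMENT_HANDLING.attributeCheck = null;` placed just before `if (cfg.ADD_TAGS) {`, plus a regression test that calls sanitize twice, first with a predicate and then with an array, and checks the predicate is no longer consulted.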
@@ -1020,6 +1027,10 @@ function createDOMPurify() {
1020
1027
  */
1021
1028
  // eslint-disable-next-line complexity
1022
1029
  const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
1030
+ /* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
1031
+ if (FORBID_ATTR[lcName]) {
1032
+ return false;
1033
+ }
1023
1034
  /* Make sure attribute cannot clobber */
1024
1035
  if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
1025
1036
  return false;
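Review bot: putting the `FORBID_ATTR[lcName]` early return on lines 1030-1033 ahead of every other branch is the right precedence, but the tag side needs the same treatment and this diff shows no equivalent early return for `FORBID_TAGS` against `EXTRA_ELEMENT_HANDLING.tagCheck`; please verify that a tag predicate supplied through `ADD_TAGS` cannot override `FORBID_TAGS` either. A regression test for this hunk should sanitize markup with `ADD_ATTR` set to a predicate that always returns true and `FORBID_ATTR` listing the same attribute name, and assert the attribute is removed.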
@@ -1112,7 +1123,7 @@ function createDOMPurify() {
1112
1123
  value = SANITIZE_NAMED_PROPS_PREFIX + value;
1113
1124
  }
1114
1125
  /* Work around a security issue with comments inside attributes */
1115
- if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title|textarea)/i, value)) {
1126
+ if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|script|title|xmp|textarea|noscript|iframe|noembed|noframes)/i, value)) {
1116
1127
  _removeAttribute(name, currentNode);
1117
1128
  continue;
1118
1129
  }
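Review bot: the comment on line 1125, "Work around a security issue with comments inside attributes", no longer describes the check. Line 1126 now also rejects closing tags for `script`, `xmp`, `noscript`, `iframe`, `noembed` and `noframes` alongside `style`, `title` and `textarea`, i.e. the elements whose content the HTML parser treats as raw or escapable raw text; an attribute value carrying `</script` can terminate such an element when the serialized output is parsed again, which is the mXSS case this guards. Update the comment to say that closing-tag sequences for raw-text elements are rejected too, and note that the element name is matched as a bare prefix with no boundary, so `</scripts` is rejected as well; that over-matching is the safe direction, but it should be stated and covered by a test so nobody "fixes" it later.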