dompurify 3.3.1 → 3.3.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +7 -7
- package/dist/purify.cjs.d.ts +1 -1
- package/dist/purify.cjs.js +15 -4
- package/dist/purify.cjs.js.map +1 -1
- package/dist/purify.es.d.mts +1 -1
- package/dist/purify.es.mjs +15 -4
- package/dist/purify.es.mjs.map +1 -1
- package/dist/purify.js +15 -4
- package/dist/purify.js.map +1 -1
- package/dist/purify.min.js +2 -2
- package/dist/purify.min.js.map +1 -1
- package/package.json +10 -5
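--- a/package/dist/purify.js
+++ b/package/dist/purify.js
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.3.
+/*! @license DOMPurify 3.3.3 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.3.3/LICENSE */
 
 (function (global, factory) {
 typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
@@ -311,7 +311,7 @@
 function createDOMPurify() {
 let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
 const DOMPurify = root => createDOMPurify(root);
-DOMPurify.version = '3.3.
+DOMPurify.version = '3.3.3';
 DOMPurify.removed = [];
 if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
 // Not running in a browser, provide a factory function
@@ -606,7 +606,7 @@
 /* Parse profile info */
 if (USE_PROFILES) {
 ALLOWED_TAGS = addToSet({}, text);
-ALLOWED_ATTR =
+ALLOWED_ATTR = create(null);
 if (USE_PROFILES.html === true) {
 addToSet(ALLOWED_TAGS, html$1);
 addToSet(ALLOWED_ATTR, html);
@@ -627,6 +627,13 @@
 addToSet(ALLOWED_ATTR, xml);
 }
 }
+/* Prevent function-based ADD_ATTR / ADD_TAGS from leaking across calls */
+if (!objectHasOwnProperty(cfg, 'ADD_TAGS')) {
+EXTRA_ELEMENT_HANDLING.tagCheck = null;
+}
+if (!objectHasOwnProperty(cfg, 'ADD_ATTR')) {
+EXTRA_ELEMENT_HANDLING.attributeCheck = null;
+}
 /* Merge configuration parameters */
 if (cfg.ADD_TAGS) {
 if (typeof cfg.ADD_TAGS === 'function') {
@@ -1024,6 +1031,10 @@
 */
 // eslint-disable-next-line complexity
 const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
+/* FORBID_ATTR must always win, even if ADD_ATTR predicate would allow it */
+if (FORBID_ATTR[lcName]) {
+return false;
+}
 /* Make sure attribute cannot clobber */
 if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
 return false;
@@ -1116,7 +1127,7 @@
 value = SANITIZE_NAMED_PROPS_PREFIX + value;
 }
 /* Work around a security issue with comments inside attributes */
-if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title|textarea)/i, value)) {
+if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|script|title|xmp|textarea|noscript|iframe|noembed|noframes)/i, value)) {
 _removeAttribute(name, currentNode);
 continue;
 }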
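Review bot: The new reset in the `@@ -627,6 +627,13 @@` hunk is keyed on own-property presence, but the merge step right below is keyed on truthiness (`if (cfg.ADD_TAGS) {` at new line 638), so a config that carries the key with a nullish value (e.g. `{ ADD_TAGS: undefined }` from a spread of a partial options object) neither clears `EXTRA_ELEMENT_HANDLING.tagCheck` nor reassigns it, and a predicate installed by an earlier call survives; the same gap applies to `ADD_ATTR` / `attributeCheck`. Clearing both fields unconditionally before the merge and letting the `typeof cfg.ADD_TAGS === 'function'` branch re-assign them removes the mismatch: `EXTRA_ELEMENT_HANDLING.tagCheck = null;` and `EXTRA_ELEMENT_HANDLING.attributeCheck = null;` in place of the two guarded blocks. Whether the non-function branch of the merge (outside the hunk) already resets the field is not visible here, and the enclosing config-parsing function starts and ends outside the hunk. In the `@@ -1024,6 +1031,10 @@` hunk the early return `if (FORBID_ATTR[lcName])` is only as strict as FORBID_ATTR's prototype; if the set is not created with a null prototype, `objectHasOwnProperty(FORBID_ATTR, lcName)` is the safer lookup, worth confirming against addToSet.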