dompurify 3.4.0 → 3.4.2

package/package.json

@@ -1,11 +1,12 @@
 {
   "scripts": {
+    "prepare": "husky",
     "lint": "xo src/*.ts",
     "format": "npm run format:js && npm run format:md",
     "format:md": "prettier --write --parser markdown '**/*.md'",
     "format:js": "prettier --write '{src,demos,scripts,test,website}/*.{js,ts}'",
     "commit-amend-build": "scripts/commit-amend-build.sh",
-    "prebuild": "rimraf dist/**",
+    "prebuild": "rimraf dist",
     "dev": "cross-env NODE_ENV=development BABEL_ENV=rollup rollup -w -c -o dist/purify.js",
     "build": "npm run build:types && npm run build:rollup && npm run build:fix-types && npm run build:cleanup",
     "build:types": "tsc --outDir dist/types --declaration --emitDeclarationOnly",
@@ -16,10 +17,12 @@
     "build:es": "rollup -c -f es -o dist/purify.es.mjs",
     "build:cjs": "rollup -c -f cjs -o dist/purify.cjs.js",
     "build:cleanup": "rimraf dist/types",
+    "test": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run lint && npm run test:jsdom && npm run test:browser -- --project=chromium",
     "test:jsdom": "cross-env NODE_ENV=test BABEL_ENV=rollup node test/jsdom-node-runner --dot",
-    "test:karma": "cross-env NODE_ENV=test BABEL_ENV=rollup karma start test/karma.conf.js --log-level warn ",
-    "test:ci": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run test:jsdom && npm run test:karma -- --log-level error --reporters dots --single-run --shouldTestOnBrowserStack=\"${TEST_BROWSERSTACK}\" --shouldProbeOnly=\"${TEST_PROBE_ONLY}\"",
-    "test": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run lint &&  npm run test:jsdom && npm run test:karma -- --browsers Chrome",
+    "test:browser": "playwright test",
+    "test:browser:install": "playwright install",
+    "test:ci": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run test:jsdom && npm run test:browser",
+    "test:fuzz": "cross-env NODE_ENV=test BABEL_ENV=rollup node test/fuzz/sanitize.fast-check.js",
     "verify-typescript": "node ./typescript/verify.js"
   },
   "main": "./dist/purify.cjs.js",
@@ -44,12 +47,8 @@
     "./dist/purify.js": "./dist/purify.js"
   },
   "files": [
-    "dist"
-  ],
-  "pre-commit": [
-    "lint",
-    "build",
-    "commit-amend-build"
+    "dist",
+    "src"
   ],
   "xo": {
     "semicolon": true,
@@ -110,33 +109,27 @@
   "devDependencies": {
     "@babel/core": "^7.17.8",
     "@babel/preset-env": "^7.29.2",
-    "@rollup/plugin-babel": "^6.0.4",
+    "@playwright/test": "^1.49.0",
+    "@rollup/plugin-babel": "^7.0.0",
     "@rollup/plugin-node-resolve": "^16.0.3",
     "@rollup/plugin-replace": "^6.0.1",
     "@rollup/plugin-terser": "^1.0.0",
+    "@rollup/plugin-typescript": "^12.3.0",
     "@types/estree": "^1.0.0",
-    "@types/node": "^16.18.120",
+    "@types/node": "^25.6.0",
     "cross-env": "^10.1.0",
     "eslint-config-prettier": "^10.1.8",
-    "eslint-plugin-prettier": "^4.0.0",
+    "eslint-plugin-prettier": "^5.2.1",
+    "fast-check": "^4.7.0",
+    "husky": "^9.1.0",
     "jquery": "^3.6.0",
-    "jsdom": "^29.0.2",
-    "karma": "^6.3.17",
-    "karma-browserstack-launcher": "^1.5.1",
-    "karma-chrome-launcher": "^3.1.0",
-    "karma-firefox-launcher": "^2.1.2",
-    "karma-qunit": "^4.1.2",
-    "karma-rollup-preprocessor": "^7.0.8",
-    "minimist": "^1.2.6",
-    "pre-commit": "^1.2.2",
-    "prettier": "^2.5.1",
+    "jsdom": "^29.1.0",
+    "prettier": "^3.3.3",
     "qunit": "^2.4.1",
     "qunit-tap": "^1.5.0",
-    "rimraf": "^3.0.2",
-    "rollup": "^4.60.1",
+    "rimraf": "^6.0.1",
+    "rollup": "^4.60.2",
     "rollup-plugin-dts": "^6.4.1",
-    "rollup-plugin-includepaths": "^0.2.4",
-    "rollup-plugin-typescript2": "^0.36.0",
     "tslib": "^2.7.0",
     "typescript": "^5.6.3",
     "xo": "^0.54.1"
@@ -146,7 +139,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.4.0",
+  "version": "3.4.2",
   "directories": {
     "test": "test"
   },

package/src/attrs.ts

@@ -0,0 +1,376 @@
+import { freeze } from './utils.js';
+
+export const html = freeze([
+  'accept',
+  'action',
+  'align',
+  'alt',
+  'autocapitalize',
+  'autocomplete',
+  'autopictureinpicture',
+  'autoplay',
+  'background',
+  'bgcolor',
+  'border',
+  'capture',
+  'cellpadding',
+  'cellspacing',
+  'checked',
+  'cite',
+  'class',
+  'clear',
+  'color',
+  'cols',
+  'colspan',
+  'controls',
+  'controlslist',
+  'coords',
+  'crossorigin',
+  'datetime',
+  'decoding',
+  'default',
+  'dir',
+  'disabled',
+  'disablepictureinpicture',
+  'disableremoteplayback',
+  'download',
+  'draggable',
+  'enctype',
+  'enterkeyhint',
+  'exportparts',
+  'face',
+  'for',
+  'headers',
+  'height',
+  'hidden',
+  'high',
+  'href',
+  'hreflang',
+  'id',
+  'inert',
+  'inputmode',
+  'integrity',
+  'ismap',
+  'kind',
+  'label',
+  'lang',
+  'list',
+  'loading',
+  'loop',
+  'low',
+  'max',
+  'maxlength',
+  'media',
+  'method',
+  'min',
+  'minlength',
+  'multiple',
+  'muted',
+  'name',
+  'nonce',
+  'noshade',
+  'novalidate',
+  'nowrap',
+  'open',
+  'optimum',
+  'part',
+  'pattern',
+  'placeholder',
+  'playsinline',
+  'popover',
+  'popovertarget',
+  'popovertargetaction',
+  'poster',
+  'preload',
+  'pubdate',
+  'radiogroup',
+  'readonly',
+  'rel',
+  'required',
+  'rev',
+  'reversed',
+  'role',
+  'rows',
+  'rowspan',
+  'spellcheck',
+  'scope',
+  'selected',
+  'shape',
+  'size',
+  'sizes',
+  'slot',
+  'span',
+  'srclang',
+  'start',
+  'src',
+  'srcset',
+  'step',
+  'style',
+  'summary',
+  'tabindex',
+  'title',
+  'translate',
+  'type',
+  'usemap',
+  'valign',
+  'value',
+  'width',
+  'wrap',
+  'xmlns',
+] as const);
+
+export const svg = freeze([
+  'accent-height',
+  'accumulate',
+  'additive',
+  'alignment-baseline',
+  'amplitude',
+  'ascent',
+  'attributename',
+  'attributetype',
+  'azimuth',
+  'basefrequency',
+  'baseline-shift',
+  'begin',
+  'bias',
+  'by',
+  'class',
+  'clip',
+  'clippathunits',
+  'clip-path',
+  'clip-rule',
+  'color',
+  'color-interpolation',
+  'color-interpolation-filters',
+  'color-profile',
+  'color-rendering',
+  'cx',
+  'cy',
+  'd',
+  'dx',
+  'dy',
+  'diffuseconstant',
+  'direction',
+  'display',
+  'divisor',
+  'dur',
+  'edgemode',
+  'elevation',
+  'end',
+  'exponent',
+  'fill',
+  'fill-opacity',
+  'fill-rule',
+  'filter',
+  'filterunits',
+  'flood-color',
+  'flood-opacity',
+  'font-family',
+  'font-size',
+  'font-size-adjust',
+  'font-stretch',
+  'font-style',
+  'font-variant',
+  'font-weight',
+  'fx',
+  'fy',
+  'g1',
+  'g2',
+  'glyph-name',
+  'glyphref',
+  'gradientunits',
+  'gradienttransform',
+  'height',
+  'href',
+  'id',
+  'image-rendering',
+  'in',
+  'in2',
+  'intercept',
+  'k',
+  'k1',
+  'k2',
+  'k3',
+  'k4',
+  'kerning',
+  'keypoints',
+  'keysplines',
+  'keytimes',
+  'lang',
+  'lengthadjust',
+  'letter-spacing',
+  'kernelmatrix',
+  'kernelunitlength',
+  'lighting-color',
+  'local',
+  'marker-end',
+  'marker-mid',
+  'marker-start',
+  'markerheight',
+  'markerunits',
+  'markerwidth',
+  'maskcontentunits',
+  'maskunits',
+  'max',
+  'mask',
+  'mask-type',
+  'media',
+  'method',
+  'mode',
+  'min',
+  'name',
+  'numoctaves',
+  'offset',
+  'operator',
+  'opacity',
+  'order',
+  'orient',
+  'orientation',
+  'origin',
+  'overflow',
+  'paint-order',
+  'path',
+  'pathlength',
+  'patterncontentunits',
+  'patterntransform',
+  'patternunits',
+  'points',
+  'preservealpha',
+  'preserveaspectratio',
+  'primitiveunits',
+  'r',
+  'rx',
+  'ry',
+  'radius',
+  'refx',
+  'refy',
+  'repeatcount',
+  'repeatdur',
+  'restart',
+  'result',
+  'rotate',
+  'scale',
+  'seed',
+  'shape-rendering',
+  'slope',
+  'specularconstant',
+  'specularexponent',
+  'spreadmethod',
+  'startoffset',
+  'stddeviation',
+  'stitchtiles',
+  'stop-color',
+  'stop-opacity',
+  'stroke-dasharray',
+  'stroke-dashoffset',
+  'stroke-linecap',
+  'stroke-linejoin',
+  'stroke-miterlimit',
+  'stroke-opacity',
+  'stroke',
+  'stroke-width',
+  'style',
+  'surfacescale',
+  'systemlanguage',
+  'tabindex',
+  'tablevalues',
+  'targetx',
+  'targety',
+  'transform',
+  'transform-origin',
+  'text-anchor',
+  'text-decoration',
+  'text-rendering',
+  'textlength',
+  'type',
+  'u1',
+  'u2',
+  'unicode',
+  'values',
+  'viewbox',
+  'visibility',
+  'version',
+  'vert-adv-y',
+  'vert-origin-x',
+  'vert-origin-y',
+  'width',
+  'word-spacing',
+  'wrap',
+  'writing-mode',
+  'xchannelselector',
+  'ychannelselector',
+  'x',
+  'x1',
+  'x2',
+  'xmlns',
+  'y',
+  'y1',
+  'y2',
+  'z',
+  'zoomandpan',
+] as const);
+
+export const mathMl = freeze([
+  'accent',
+  'accentunder',
+  'align',
+  'bevelled',
+  'close',
+  'columnalign',
+  'columnlines',
+  'columnspacing',
+  'columnspan',
+  'denomalign',
+  'depth',
+  'dir',
+  'display',
+  'displaystyle',
+  'encoding',
+  'fence',
+  'frame',
+  'height',
+  'href',
+  'id',
+  'largeop',
+  'length',
+  'linethickness',
+  'lquote',
+  'lspace',
+  'mathbackground',
+  'mathcolor',
+  'mathsize',
+  'mathvariant',
+  'maxsize',
+  'minsize',
+  'movablelimits',
+  'notation',
+  'numalign',
+  'open',
+  'rowalign',
+  'rowlines',
+  'rowspacing',
+  'rowspan',
+  'rspace',
+  'rquote',
+  'scriptlevel',
+  'scriptminsize',
+  'scriptsizemultiplier',
+  'selection',
+  'separator',
+  'separators',
+  'stretchy',
+  'subscriptshift',
+  'supscriptshift',
+  'symmetric',
+  'voffset',
+  'width',
+  'xmlns',
+]);
+
+export const xml = freeze([
+  'xlink:href',
+  'xml:id',
+  'xlink:title',
+  'xml:space',
+  'xmlns:xlink',
+] as const);