dompurify 3.4.1 → 3.4.2

package/src/regexp.ts

@@ -0,0 +1,17 @@
+import { seal } from './utils.js';
+
+// eslint-disable-next-line unicorn/better-regex
+export const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
+export const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
+export const TMPLIT_EXPR = seal(/\$\{[\w\W]*/gm); // eslint-disable-line unicorn/better-regex
+export const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
+export const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
+export const IS_ALLOWED_URI = seal(
+  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
+);
+export const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
+export const ATTR_WHITESPACE = seal(
+  /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
+);
+export const DOCTYPE_NAME = seal(/^html$/i);
+export const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);

package/src/tags.ts

@@ -0,0 +1,285 @@
+import { freeze } from './utils.js';
+
+export const html = freeze([
+  'a',
+  'abbr',
+  'acronym',
+  'address',
+  'area',
+  'article',
+  'aside',
+  'audio',
+  'b',
+  'bdi',
+  'bdo',
+  'big',
+  'blink',
+  'blockquote',
+  'body',
+  'br',
+  'button',
+  'canvas',
+  'caption',
+  'center',
+  'cite',
+  'code',
+  'col',
+  'colgroup',
+  'content',
+  'data',
+  'datalist',
+  'dd',
+  'decorator',
+  'del',
+  'details',
+  'dfn',
+  'dialog',
+  'dir',
+  'div',
+  'dl',
+  'dt',
+  'element',
+  'em',
+  'fieldset',
+  'figcaption',
+  'figure',
+  'font',
+  'footer',
+  'form',
+  'h1',
+  'h2',
+  'h3',
+  'h4',
+  'h5',
+  'h6',
+  'head',
+  'header',
+  'hgroup',
+  'hr',
+  'html',
+  'i',
+  'img',
+  'input',
+  'ins',
+  'kbd',
+  'label',
+  'legend',
+  'li',
+  'main',
+  'map',
+  'mark',
+  'marquee',
+  'menu',
+  'menuitem',
+  'meter',
+  'nav',
+  'nobr',
+  'ol',
+  'optgroup',
+  'option',
+  'output',
+  'p',
+  'picture',
+  'pre',
+  'progress',
+  'q',
+  'rp',
+  'rt',
+  'ruby',
+  's',
+  'samp',
+  'search',
+  'section',
+  'select',
+  'shadow',
+  'slot',
+  'small',
+  'source',
+  'spacer',
+  'span',
+  'strike',
+  'strong',
+  'style',
+  'sub',
+  'summary',
+  'sup',
+  'table',
+  'tbody',
+  'td',
+  'template',
+  'textarea',
+  'tfoot',
+  'th',
+  'thead',
+  'time',
+  'tr',
+  'track',
+  'tt',
+  'u',
+  'ul',
+  'var',
+  'video',
+  'wbr',
+] as const);
+
+export const svg = freeze([
+  'svg',
+  'a',
+  'altglyph',
+  'altglyphdef',
+  'altglyphitem',
+  'animatecolor',
+  'animatemotion',
+  'animatetransform',
+  'circle',
+  'clippath',
+  'defs',
+  'desc',
+  'ellipse',
+  'enterkeyhint',
+  'exportparts',
+  'filter',
+  'font',
+  'g',
+  'glyph',
+  'glyphref',
+  'hkern',
+  'image',
+  'inputmode',
+  'line',
+  'lineargradient',
+  'marker',
+  'mask',
+  'metadata',
+  'mpath',
+  'part',
+  'path',
+  'pattern',
+  'polygon',
+  'polyline',
+  'radialgradient',
+  'rect',
+  'stop',
+  'style',
+  'switch',
+  'symbol',
+  'text',
+  'textpath',
+  'title',
+  'tref',
+  'tspan',
+  'view',
+  'vkern',
+] as const);
+
+export const svgFilters = freeze([
+  'feBlend',
+  'feColorMatrix',
+  'feComponentTransfer',
+  'feComposite',
+  'feConvolveMatrix',
+  'feDiffuseLighting',
+  'feDisplacementMap',
+  'feDistantLight',
+  'feDropShadow',
+  'feFlood',
+  'feFuncA',
+  'feFuncB',
+  'feFuncG',
+  'feFuncR',
+  'feGaussianBlur',
+  'feImage',
+  'feMerge',
+  'feMergeNode',
+  'feMorphology',
+  'feOffset',
+  'fePointLight',
+  'feSpecularLighting',
+  'feSpotLight',
+  'feTile',
+  'feTurbulence',
+] as const);
+
+// List of SVG elements that are disallowed by default.
+// We still need to know them so that we can do namespace
+// checks properly in case one wants to add them to
+// allow-list.
+export const svgDisallowed = freeze([
+  'animate',
+  'color-profile',
+  'cursor',
+  'discard',
+  'font-face',
+  'font-face-format',
+  'font-face-name',
+  'font-face-src',
+  'font-face-uri',
+  'foreignobject',
+  'hatch',
+  'hatchpath',
+  'mesh',
+  'meshgradient',
+  'meshpatch',
+  'meshrow',
+  'missing-glyph',
+  'script',
+  'set',
+  'solidcolor',
+  'unknown',
+  'use',
+] as const);
+
+export const mathMl = freeze([
+  'math',
+  'menclose',
+  'merror',
+  'mfenced',
+  'mfrac',
+  'mglyph',
+  'mi',
+  'mlabeledtr',
+  'mmultiscripts',
+  'mn',
+  'mo',
+  'mover',
+  'mpadded',
+  'mphantom',
+  'mroot',
+  'mrow',
+  'ms',
+  'mspace',
+  'msqrt',
+  'mstyle',
+  'msub',
+  'msup',
+  'msubsup',
+  'mtable',
+  'mtd',
+  'mtext',
+  'mtr',
+  'munder',
+  'munderover',
+  'mprescripts',
+] as const);
+
+// Similarly to SVG, we want to know all MathML elements,
+// even those that we disallow by default.
+export const mathMlDisallowed = freeze([
+  'maction',
+  'maligngroup',
+  'malignmark',
+  'mlongdiv',
+  'mscarries',
+  'mscarry',
+  'msgroup',
+  'mstack',
+  'msline',
+  'msrow',
+  'semantics',
+  'annotation',
+  'annotation-xml',
+  'mprescripts',
+  'none',
+] as const);
+
+export const text = freeze(['#text'] as const);

package/src/utils.ts

@@ -0,0 +1,338 @@
+const {
+  entries,
+  setPrototypeOf,
+  isFrozen,
+  getPrototypeOf,
+  getOwnPropertyDescriptor,
+} = Object;
+
+let { freeze, seal, create } = Object; // eslint-disable-line import/no-mutable-exports
+let { apply, construct } = typeof Reflect !== 'undefined' && Reflect;
+
+if (!freeze) {
+  freeze = function <T>(x: T): T {
+    return x;
+  };
+}
+
+if (!seal) {
+  seal = function <T>(x: T): T {
+    return x;
+  };
+}
+
+if (!apply) {
+  apply = function <T>(
+    func: (thisArg: any, ...args: any[]) => T,
+    thisArg: any,
+    ...args: any[]
+  ): T {
+    return func.apply(thisArg, args);
+  };
+}
+
+if (!construct) {
+  construct = function <T>(Func: new (...args: any[]) => T, ...args: any[]): T {
+    return new Func(...args);
+  };
+}
+
+const arrayForEach = unapply(Array.prototype.forEach);
+const arrayIndexOf = unapply(Array.prototype.indexOf);
+const arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);
+const arrayPop = unapply(Array.prototype.pop);
+const arrayPush = unapply(Array.prototype.push);
+const arraySlice = unapply(Array.prototype.slice);
+const arraySplice = unapply(Array.prototype.splice);
+const arrayIsArray = Array.isArray;
+
+const stringToLowerCase = unapply(String.prototype.toLowerCase);
+const stringToString = unapply(String.prototype.toString);
+const stringMatch = unapply(String.prototype.match);
+const stringReplace = unapply(String.prototype.replace);
+const stringIndexOf = unapply(String.prototype.indexOf);
+const stringTrim = unapply(String.prototype.trim);
+
+const numberToString = unapply(Number.prototype.toString);
+const booleanToString = unapply(Boolean.prototype.toString);
+const bigintToString =
+  typeof BigInt === 'undefined' ? null : unapply(BigInt.prototype.toString);
+const symbolToString =
+  typeof Symbol === 'undefined' ? null : unapply(Symbol.prototype.toString);
+
+const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
+const objectToString = unapply(Object.prototype.toString);
+
+const regExpTest = unapply(RegExp.prototype.test);
+
+const typeErrorCreate = unconstruct(TypeError);
+
+/**
+ * Creates a new function that calls the given function with a specified thisArg and arguments.
+ *
+ * @param func - The function to be wrapped and called.
+ * @returns A new function that calls the given function with a specified thisArg and arguments.
+ */
+function unapply<T>(
+  func: (thisArg: any, ...args: any[]) => T
+): (thisArg: any, ...args: any[]) => T {
+  return (thisArg: any, ...args: any[]): T => {
+    if (thisArg instanceof RegExp) {
+      thisArg.lastIndex = 0;
+    }
+
+    return apply(func, thisArg, args);
+  };
+}
+
+/**
+ * Creates a new function that constructs an instance of the given constructor function with the provided arguments.
+ *
+ * @param func - The constructor function to be wrapped and called.
+ * @returns A new function that constructs an instance of the given constructor function with the provided arguments.
+ */
+function unconstruct<T>(
+  Func: new (...args: any[]) => T
+): (...args: any[]) => T {
+  return (...args: any[]): T => construct(Func, args);
+}
+
+/**
+ * Add properties to a lookup table
+ *
+ * @param set - The set to which elements will be added.
+ * @param array - The array containing elements to be added to the set.
+ * @param transformCaseFunc - An optional function to transform the case of each element before adding to the set.
+ * @returns The modified set with added elements.
+ */
+function addToSet(
+  set: Record<string, boolean>,
+  array: readonly unknown[],
+  transformCaseFunc: ReturnType<typeof unapply<string>> = stringToLowerCase
+): Record<string, boolean> {
+  if (setPrototypeOf) {
+    // Make 'in' and truthy checks like Boolean(set.constructor)
+    // independent of any properties defined on Object.prototype.
+    // Prevent prototype setters from intercepting set as a this value.
+    setPrototypeOf(set, null);
+  }
+
+  if (!arrayIsArray(array)) {
+    return set;
+  }
+
+  let l = array.length;
+  while (l--) {
+    let element = array[l];
+
+    if (typeof element === 'string') {
+      const lcElement = transformCaseFunc(element);
+
+      if (lcElement !== element) {
+        // Config presets (e.g. tags.js, attrs.js) are immutable.
+        if (!isFrozen(array)) {
+          (array as unknown[])[l] = lcElement;
+        }
+
+        element = lcElement;
+      }
+    }
+
+    set[element as string] = true;
+  }
+
+  return set;
+}
+
+/**
+ * Clean up an array to harden against CSPP
+ *
+ * @param array - The array to be cleaned.
+ * @returns The cleaned version of the array
+ */
+function cleanArray<T>(array: T[]): Array<T | null> {
+  for (let index = 0; index < array.length; index++) {
+    const isPropertyExist = objectHasOwnProperty(array, index);
+
+    if (!isPropertyExist) {
+      array[index] = null;
+    }
+  }
+
+  return array;
+}
+
+/**
+ * Shallow clone an object
+ *
+ * @param object - The object to be cloned.
+ * @returns A new object that copies the original.
+ */
+function clone<T extends Record<string, any>>(object: T): T {
+  const newObject = create(null);
+
+  for (const [property, value] of entries(object)) {
+    const isPropertyExist = objectHasOwnProperty(object, property);
+
+    if (isPropertyExist) {
+      if (arrayIsArray(value)) {
+        newObject[property] = cleanArray(value);
+      } else if (
+        value &&
+        typeof value === 'object' &&
+        value.constructor === Object
+      ) {
+        newObject[property] = clone(value);
+      } else {
+        newObject[property] = value;
+      }
+    }
+  }
+
+  return newObject;
+}
+
+/**
+ * Convert non-node values into strings without depending on direct property access.
+ *
+ * @param value - The value to stringify.
+ * @returns A string representation of the provided value.
+ */
+function stringifyValue(value: unknown): string {
+  switch (typeof value) {
+    case 'string': {
+      return value;
+    }
+
+    case 'number': {
+      return numberToString(value);
+    }
+
+    case 'boolean': {
+      return booleanToString(value);
+    }
+
+    case 'bigint': {
+      return bigintToString ? bigintToString(value) : '0';
+    }
+
+    case 'symbol': {
+      return symbolToString ? symbolToString(value) : 'Symbol()';
+    }
+
+    case 'undefined': {
+      return objectToString(value);
+    }
+
+    case 'function':
+    case 'object': {
+      if (value === null) {
+        return objectToString(value);
+      }
+
+      const valueAsRecord = value as Record<string, any>;
+      const valueToString = lookupGetter(valueAsRecord, 'toString');
+
+      if (typeof valueToString === 'function') {
+        const stringified = valueToString(valueAsRecord);
+
+        return typeof stringified === 'string'
+          ? stringified
+          : objectToString(stringified);
+      }
+
+      return objectToString(value);
+    }
+
+    default: {
+      return objectToString(value);
+    }
+  }
+}
+
+/**
+ * This method automatically checks if the prop is function or getter and behaves accordingly.
+ *
+ * @param object - The object to look up the getter function in its prototype chain.
+ * @param prop - The property name for which to find the getter function.
+ * @returns The getter function found in the prototype chain or a fallback function.
+ */
+function lookupGetter<T extends Record<string, any>>(
+  object: T,
+  prop: string
+): ReturnType<typeof unapply<any>> | (() => null) {
+  while (object !== null) {
+    const desc = getOwnPropertyDescriptor(object, prop);
+
+    if (desc) {
+      if (desc.get) {
+        return unapply(desc.get);
+      }
+
+      if (typeof desc.value === 'function') {
+        return unapply(desc.value);
+      }
+    }
+
+    object = getPrototypeOf(object);
+  }
+
+  function fallbackValue(): null {
+    return null;
+  }
+
+  return fallbackValue;
+}
+
+function isRegex(value: unknown): value is RegExp {
+  try {
+    regExpTest(value as RegExp, '');
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export {
+  // Array
+  arrayForEach,
+  arrayIndexOf,
+  arrayIsArray,
+  arrayLastIndexOf,
+  arrayPop,
+  arrayPush,
+  arraySlice,
+  arraySplice,
+  // Object
+  entries,
+  freeze,
+  getPrototypeOf,
+  getOwnPropertyDescriptor,
+  isFrozen,
+  setPrototypeOf,
+  seal,
+  clone,
+  create,
+  objectHasOwnProperty,
+  objectToString,
+  // RegExp
+  regExpTest,
+  isRegex,
+  // String
+  stringIndexOf,
+  stringMatch,
+  stringReplace,
+  stringToLowerCase,
+  stringToString,
+  stringTrim,
+  // Other conversion
+  stringifyValue,
+  // Errors
+  typeErrorCreate,
+  // Other
+  lookupGetter,
+  addToSet,
+  // Reflect
+  unapply,
+  unconstruct,
+};