fl-web-component 1.0.10 → 1.0.11
- package/README.md +36 -25
- package/dist/fl-web-component.common.1.js +10906 -10863
- package/dist/fl-web-component.common.2.js +340 -329
- package/dist/fl-web-component.common.3.js +7642 -7742
- package/dist/fl-web-component.common.js +30492 -19338
- package/package.json +7 -19
- package/src/main.js +1 -0
- package/dist/demo.html +0 -10
- package/dist/fl-web-component.umd.1.js +0 -13216
- package/dist/fl-web-component.umd.2.js +0 -1358
- package/dist/fl-web-component.umd.3.js +0 -7839
- package/dist/fl-web-component.umd.js +0 -47631
- package/dist/fl-web-component.umd.min.1.js +0 -16
- package/dist/fl-web-component.umd.min.2.js +0 -3
- package/dist/fl-web-component.umd.min.3.js +0 -21
- package/dist/fl-web-component.umd.min.js +0 -301
|
@@ -3,29 +3,43 @@
|
|
|
3
3
|
/***/ "c0c4":
|
|
4
4
|
/***/ (function(module, exports, __webpack_require__) {
|
|
5
5
|
|
|
6
|
+
var __WEBPACK_AMD_DEFINE_FACTORY__, __WEBPACK_AMD_DEFINE_RESULT__;function _slicedToArray(r, e) { return _arrayWithHoles(r) || _iterableToArrayLimit(r, e) || _unsupportedIterableToArray(r, e) || _nonIterableRest(); }
|
|
7
|
+
function _nonIterableRest() { throw new TypeError("Invalid attempt to destructure non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
|
|
8
|
+
function _iterableToArrayLimit(r, l) { var t = null == r ? null : "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (null != t) { var e, n, i, u, a = [], f = !0, o = !1; try { if (i = (t = t.call(r)).next, 0 === l) { if (Object(t) !== t) return; f = !1; } else for (; !(f = (e = i.call(t)).done) && (a.push(e.value), a.length !== l); f = !0); } catch (r) { o = !0, n = r; } finally { try { if (!f && null != t.return && (u = t.return(), Object(u) !== u)) return; } finally { if (o) throw n; } } return a; } }
|
|
9
|
+
function _arrayWithHoles(r) { if (Array.isArray(r)) return r; }
|
|
10
|
+
function _createForOfIteratorHelper(r, e) { var t = "undefined" != typeof Symbol && r[Symbol.iterator] || r["@@iterator"]; if (!t) { if (Array.isArray(r) || (t = _unsupportedIterableToArray(r)) || e && r && "number" == typeof r.length) { t && (r = t); var _n = 0, F = function F() {}; return { s: F, n: function n() { return _n >= r.length ? { done: !0 } : { done: !1, value: r[_n++] }; }, e: function e(r) { throw r; }, f: F }; } throw new TypeError("Invalid attempt to iterate non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); } var o, a = !0, u = !1; return { s: function s() { t = t.call(r); }, n: function n() { var r = t.next(); return a = r.done, r; }, e: function e(r) { u = !0, o = r; }, f: function f() { try { a || null == t.return || t.return(); } finally { if (u) throw o; } } }; }
|
|
11
|
+
function _construct(t, e, r) { if (_isNativeReflectConstruct()) return Reflect.construct.apply(null, arguments); var o = [null]; o.push.apply(o, e); var p = new (t.bind.apply(t, o))(); return r && _setPrototypeOf(p, r.prototype), p; }
|
|
12
|
+
function _setPrototypeOf(t, e) { return _setPrototypeOf = Object.setPrototypeOf ? Object.setPrototypeOf.bind() : function (t, e) { return t.__proto__ = e, t; }, _setPrototypeOf(t, e); }
|
|
13
|
+
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(Reflect.construct(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function _isNativeReflectConstruct() { return !!t; })(); }
|
|
14
|
+
function _toConsumableArray(r) { return _arrayWithoutHoles(r) || _iterableToArray(r) || _unsupportedIterableToArray(r) || _nonIterableSpread(); }
|
|
15
|
+
function _nonIterableSpread() { throw new TypeError("Invalid attempt to spread non-iterable instance.\nIn order to be iterable, non-array objects must have a [Symbol.iterator]() method."); }
|
|
16
|
+
function _unsupportedIterableToArray(r, a) { if (r) { if ("string" == typeof r) return _arrayLikeToArray(r, a); var t = {}.toString.call(r).slice(8, -1); return "Object" === t && r.constructor && (t = r.constructor.name), "Map" === t || "Set" === t ? Array.from(r) : "Arguments" === t || /^(?:Ui|I)nt(?:8|16|32)(?:Clamped)?Array$/.test(t) ? _arrayLikeToArray(r, a) : void 0; } }
|
|
17
|
+
function _iterableToArray(r) { if ("undefined" != typeof Symbol && null != r[Symbol.iterator] || null != r["@@iterator"]) return Array.from(r); }
|
|
18
|
+
function _arrayWithoutHoles(r) { if (Array.isArray(r)) return _arrayLikeToArray(r); }
|
|
19
|
+
function _arrayLikeToArray(r, a) { (null == a || a > r.length) && (a = r.length); for (var e = 0, n = Array(a); e < a; e++) n[e] = r[e]; return n; }
|
|
20
|
+
function _typeof(o) { "@babel/helpers - typeof"; return _typeof = "function" == typeof Symbol && "symbol" == typeof Symbol.iterator ? function (o) { return typeof o; } : function (o) { return o && "function" == typeof Symbol && o.constructor === Symbol && o !== Symbol.prototype ? "symbol" : typeof o; }, _typeof(o); }
|
|
6
21
|
/*! @license DOMPurify 3.2.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.5/LICENSE */
|
|
7
22
|
|
|
8
23
|
(function (global, factory) {
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
24
|
+
( false ? undefined : _typeof(exports)) === 'object' && typeof module !== 'undefined' ? module.exports = factory() : true ? !(__WEBPACK_AMD_DEFINE_FACTORY__ = (factory),
|
|
25
|
+
__WEBPACK_AMD_DEFINE_RESULT__ = (typeof __WEBPACK_AMD_DEFINE_FACTORY__ === 'function' ?
|
|
26
|
+
(__WEBPACK_AMD_DEFINE_FACTORY__.call(exports, __webpack_require__, exports, module)) :
|
|
27
|
+
__WEBPACK_AMD_DEFINE_FACTORY__),
|
|
28
|
+
__WEBPACK_AMD_DEFINE_RESULT__ !== undefined && (module.exports = __WEBPACK_AMD_DEFINE_RESULT__)) : (undefined);
|
|
29
|
+
})(this, function () {
|
|
30
|
+
'use strict';
|
|
12
31
|
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
} = Object; // eslint-disable-line import/no-mutable-exports
|
|
25
|
-
let {
|
|
26
|
-
apply,
|
|
27
|
-
construct
|
|
28
|
-
} = typeof Reflect !== 'undefined' && Reflect;
|
|
32
|
+
var entries = Object.entries,
|
|
33
|
+
setPrototypeOf = Object.setPrototypeOf,
|
|
34
|
+
isFrozen = Object.isFrozen,
|
|
35
|
+
getPrototypeOf = Object.getPrototypeOf,
|
|
36
|
+
getOwnPropertyDescriptor = Object.getOwnPropertyDescriptor;
|
|
37
|
+
var freeze = Object.freeze,
|
|
38
|
+
seal = Object.seal,
|
|
39
|
+
create = Object.create; // eslint-disable-line import/no-mutable-exports
|
|
40
|
+
var _ref = typeof Reflect !== 'undefined' && Reflect,
|
|
41
|
+
apply = _ref.apply,
|
|
42
|
+
construct = _ref.construct;
|
|
29
43
|
if (!freeze) {
|
|
30
44
|
freeze = function freeze(x) {
|
|
31
45
|
return x;
|
|
@@ -43,23 +57,23 @@
|
|
|
43
57
|
}
|
|
44
58
|
if (!construct) {
|
|
45
59
|
construct = function construct(Func, args) {
|
|
46
|
-
return
|
|
60
|
+
return _construct(Func, _toConsumableArray(args));
|
|
47
61
|
};
|
|
48
62
|
}
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
+
var arrayForEach = unapply(Array.prototype.forEach);
|
|
64
|
+
var arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);
|
|
65
|
+
var arrayPop = unapply(Array.prototype.pop);
|
|
66
|
+
var arrayPush = unapply(Array.prototype.push);
|
|
67
|
+
var arraySplice = unapply(Array.prototype.splice);
|
|
68
|
+
var stringToLowerCase = unapply(String.prototype.toLowerCase);
|
|
69
|
+
var stringToString = unapply(String.prototype.toString);
|
|
70
|
+
var stringMatch = unapply(String.prototype.match);
|
|
71
|
+
var stringReplace = unapply(String.prototype.replace);
|
|
72
|
+
var stringIndexOf = unapply(String.prototype.indexOf);
|
|
73
|
+
var stringTrim = unapply(String.prototype.trim);
|
|
74
|
+
var objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
|
|
75
|
+
var regExpTest = unapply(RegExp.prototype.test);
|
|
76
|
+
var typeErrorCreate = unconstruct(TypeError);
|
|
63
77
|
/**
|
|
64
78
|
* Creates a new function that calls the given function with a specified thisArg and arguments.
|
|
65
79
|
*
|
|
@@ -100,18 +114,18 @@
|
|
|
100
114
|
* @returns The modified set with added elements.
|
|
101
115
|
*/
|
|
102
116
|
function addToSet(set, array) {
|
|
103
|
-
|
|
117
|
+
var transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;
|
|
104
118
|
if (setPrototypeOf) {
|
|
105
119
|
// Make 'in' and truthy checks like Boolean(set.constructor)
|
|
106
120
|
// independent of any properties defined on Object.prototype.
|
|
107
121
|
// Prevent prototype setters from intercepting set as a this value.
|
|
108
122
|
setPrototypeOf(set, null);
|
|
109
123
|
}
|
|
110
|
-
|
|
124
|
+
var l = array.length;
|
|
111
125
|
while (l--) {
|
|
112
|
-
|
|
126
|
+
var element = array[l];
|
|
113
127
|
if (typeof element === 'string') {
|
|
114
|
-
|
|
128
|
+
var lcElement = transformCaseFunc(element);
|
|
115
129
|
if (lcElement !== element) {
|
|
116
130
|
// Config presets (e.g. tags.js, attrs.js) are immutable.
|
|
117
131
|
if (!isFrozen(array)) {
|
|
@@ -131,8 +145,8 @@
|
|
|
131
145
|
* @returns The cleaned version of the array
|
|
132
146
|
*/
|
|
133
147
|
function cleanArray(array) {
|
|
134
|
-
for (
|
|
135
|
-
|
|
148
|
+
for (var index = 0; index < array.length; index++) {
|
|
149
|
+
var isPropertyExist = objectHasOwnProperty(array, index);
|
|
136
150
|
if (!isPropertyExist) {
|
|
137
151
|
array[index] = null;
|
|
138
152
|
}
|
|
@@ -146,18 +160,29 @@
|
|
|
146
160
|
* @returns A new object that copies the original.
|
|
147
161
|
*/
|
|
148
162
|
function clone(object) {
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
163
|
+
var newObject = create(null);
|
|
164
|
+
var _iterator = _createForOfIteratorHelper(entries(object)),
|
|
165
|
+
_step;
|
|
166
|
+
try {
|
|
167
|
+
for (_iterator.s(); !(_step = _iterator.n()).done;) {
|
|
168
|
+
var _step$value = _slicedToArray(_step.value, 2),
|
|
169
|
+
property = _step$value[0],
|
|
170
|
+
value = _step$value[1];
|
|
171
|
+
var isPropertyExist = objectHasOwnProperty(object, property);
|
|
172
|
+
if (isPropertyExist) {
|
|
173
|
+
if (Array.isArray(value)) {
|
|
174
|
+
newObject[property] = cleanArray(value);
|
|
175
|
+
} else if (value && _typeof(value) === 'object' && value.constructor === Object) {
|
|
176
|
+
newObject[property] = clone(value);
|
|
177
|
+
} else {
|
|
178
|
+
newObject[property] = value;
|
|
179
|
+
}
|
|
159
180
|
}
|
|
160
181
|
}
|
|
182
|
+
} catch (err) {
|
|
183
|
+
_iterator.e(err);
|
|
184
|
+
} finally {
|
|
185
|
+
_iterator.f();
|
|
161
186
|
}
|
|
162
187
|
return newObject;
|
|
163
188
|
}
|
|
@@ -170,7 +195,7 @@
|
|
|
170
195
|
*/
|
|
171
196
|
function lookupGetter(object, prop) {
|
|
172
197
|
while (object !== null) {
|
|
173
|
-
|
|
198
|
+
var desc = getOwnPropertyDescriptor(object, prop);
|
|
174
199
|
if (desc) {
|
|
175
200
|
if (desc.get) {
|
|
176
201
|
return unapply(desc.get);
|
|
@@ -186,40 +211,37 @@
|
|
|
186
211
|
}
|
|
187
212
|
return fallbackValue;
|
|
188
213
|
}
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
|
|
214
|
+
var html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
|
|
215
|
+
var svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
|
|
216
|
+
var svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
|
|
193
217
|
// List of SVG elements that are disallowed by default.
|
|
194
218
|
// We still need to know them so that we can do namespace
|
|
195
219
|
// checks properly in case one wants to add them to
|
|
196
220
|
// allow-list.
|
|
197
|
-
|
|
198
|
-
|
|
221
|
+
var svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
|
|
222
|
+
var mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
|
|
199
223
|
// Similarly to SVG, we want to know all MathML elements,
|
|
200
224
|
// even those that we disallow by default.
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
|
|
225
|
+
var mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);
|
|
226
|
+
var text = freeze(['#text']);
|
|
227
|
+
var html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'popover', 'popovertarget', 'popovertargetaction', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'wrap', 'xmlns', 'slot']);
|
|
228
|
+
var svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'amplitude', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'exponent', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'intercept', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'slope', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'tablevalues', 'targetx', 
'targety', 'transform', 'transform-origin', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);
|
|
229
|
+
var mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);
|
|
230
|
+
var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
|
|
208
231
|
|
|
209
232
|
// eslint-disable-next-line unicorn/better-regex
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
233
|
+
var MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
|
|
234
|
+
var ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
|
|
235
|
+
var TMPLIT_EXPR = seal(/\$\{[\w\W]*/gm); // eslint-disable-line unicorn/better-regex
|
|
236
|
+
var DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
|
|
237
|
+
var ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
|
|
238
|
+
var IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
|
|
216
239
|
);
|
|
217
|
-
|
|
218
|
-
|
|
240
|
+
var IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
|
|
241
|
+
var ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
|
|
219
242
|
);
|
|
220
|
-
|
|
221
|
-
|
|
222
|
-
|
|
243
|
+
var DOCTYPE_NAME = seal(/^html$/i);
|
|
244
|
+
var CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
|
|
223
245
|
var EXPRESSIONS = /*#__PURE__*/Object.freeze({
|
|
224
246
|
__proto__: null,
|
|
225
247
|
ARIA_ATTR: ARIA_ATTR,
|
|
@@ -236,7 +258,7 @@
|
|
|
236
258
|
|
|
237
259
|
/* eslint-disable @typescript-eslint/indent */
|
|
238
260
|
// https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
|
|
239
|
-
|
|
261
|
+
var NODE_TYPE = {
|
|
240
262
|
element: 1,
|
|
241
263
|
attribute: 2,
|
|
242
264
|
text: 3,
|
|
@@ -252,7 +274,7 @@
|
|
|
252
274
|
documentFragment: 11,
|
|
253
275
|
notation: 12 // Deprecated
|
|
254
276
|
};
|
|
255
|
-
|
|
277
|
+
var getGlobal = function getGlobal() {
|
|
256
278
|
return typeof window === 'undefined' ? null : window;
|
|
257
279
|
};
|
|
258
280
|
/**
|
|
@@ -263,25 +285,25 @@
|
|
|
263
285
|
* @return The policy created (or null, if Trusted Types
|
|
264
286
|
* are not supported or creating the policy failed).
|
|
265
287
|
*/
|
|
266
|
-
|
|
267
|
-
if (
|
|
288
|
+
var _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
|
|
289
|
+
if (_typeof(trustedTypes) !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
|
|
268
290
|
return null;
|
|
269
291
|
}
|
|
270
292
|
// Allow the callers to control the unique policy name
|
|
271
293
|
// by adding a data-tt-policy-suffix to the script element with the DOMPurify.
|
|
272
294
|
// Policy creation with duplicate names throws in Trusted Types.
|
|
273
|
-
|
|
274
|
-
|
|
295
|
+
var suffix = null;
|
|
296
|
+
var ATTR_NAME = 'data-tt-policy-suffix';
|
|
275
297
|
if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
|
|
276
298
|
suffix = purifyHostElement.getAttribute(ATTR_NAME);
|
|
277
299
|
}
|
|
278
|
-
|
|
300
|
+
var policyName = 'dompurify' + (suffix ? '#' + suffix : '');
|
|
279
301
|
try {
|
|
280
302
|
return trustedTypes.createPolicy(policyName, {
|
|
281
|
-
createHTML(html) {
|
|
303
|
+
createHTML: function createHTML(html) {
|
|
282
304
|
return html;
|
|
283
305
|
},
|
|
284
|
-
createScriptURL(scriptUrl) {
|
|
306
|
+
createScriptURL: function createScriptURL(scriptUrl) {
|
|
285
307
|
return scriptUrl;
|
|
286
308
|
}
|
|
287
309
|
});
|
|
@@ -293,7 +315,7 @@
|
|
|
293
315
|
return null;
|
|
294
316
|
}
|
|
295
317
|
};
|
|
296
|
-
|
|
318
|
+
var _createHooksMap = function _createHooksMap() {
|
|
297
319
|
return {
|
|
298
320
|
afterSanitizeAttributes: [],
|
|
299
321
|
afterSanitizeElements: [],
|
|
@@ -307,8 +329,10 @@
|
|
|
307
329
|
};
|
|
308
330
|
};
|
|
309
331
|
function createDOMPurify() {
|
|
310
|
-
|
|
311
|
-
|
|
332
|
+
var window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
|
|
333
|
+
var DOMPurify = function DOMPurify(root) {
|
|
334
|
+
return createDOMPurify(root);
|
|
335
|
+
};
|
|
312
336
|
DOMPurify.version = '3.2.5';
|
|
313
337
|
DOMPurify.removed = [];
|
|
314
338
|
if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
|
|
@@ -317,28 +341,25 @@
|
|
|
317
341
|
DOMPurify.isSupported = false;
|
|
318
342
|
return DOMPurify;
|
|
319
343
|
}
|
|
320
|
-
|
|
321
|
-
|
|
322
|
-
|
|
323
|
-
|
|
324
|
-
|
|
325
|
-
|
|
326
|
-
|
|
327
|
-
|
|
328
|
-
|
|
329
|
-
|
|
330
|
-
|
|
331
|
-
|
|
332
|
-
|
|
333
|
-
|
|
334
|
-
|
|
335
|
-
|
|
336
|
-
|
|
337
|
-
|
|
338
|
-
|
|
339
|
-
const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
|
|
340
|
-
const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
|
|
341
|
-
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
|
|
344
|
+
var document = window.document;
|
|
345
|
+
var originalDocument = document;
|
|
346
|
+
var currentScript = originalDocument.currentScript;
|
|
347
|
+
var DocumentFragment = window.DocumentFragment,
|
|
348
|
+
HTMLTemplateElement = window.HTMLTemplateElement,
|
|
349
|
+
Node = window.Node,
|
|
350
|
+
Element = window.Element,
|
|
351
|
+
NodeFilter = window.NodeFilter,
|
|
352
|
+
_window$NamedNodeMap = window.NamedNodeMap,
|
|
353
|
+
NamedNodeMap = _window$NamedNodeMap === void 0 ? window.NamedNodeMap || window.MozNamedAttrMap : _window$NamedNodeMap,
|
|
354
|
+
HTMLFormElement = window.HTMLFormElement,
|
|
355
|
+
DOMParser = window.DOMParser,
|
|
356
|
+
trustedTypes = window.trustedTypes;
|
|
357
|
+
var ElementPrototype = Element.prototype;
|
|
358
|
+
var cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
|
|
359
|
+
var remove = lookupGetter(ElementPrototype, 'remove');
|
|
360
|
+
var getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
|
|
361
|
+
var getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
|
|
362
|
+
var getParentNode = lookupGetter(ElementPrototype, 'parentNode');
|
|
342
363
|
// As per issue #47, the web-components registry is inherited by a
|
|
343
364
|
// new document created via createHTMLDocument. As per the spec
|
|
344
365
|
// (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)
|
|
@@ -346,57 +367,50 @@
|
|
|
346
367
|
// document, so we use that as our parent document to ensure nothing
|
|
347
368
|
// is inherited.
|
|
348
369
|
if (typeof HTMLTemplateElement === 'function') {
|
|
349
|
-
|
|
370
|
+
var template = document.createElement('template');
|
|
350
371
|
if (template.content && template.content.ownerDocument) {
|
|
351
372
|
document = template.content.ownerDocument;
|
|
352
373
|
}
|
|
353
374
|
}
|
|
354
|
-
|
|
355
|
-
|
|
356
|
-
|
|
357
|
-
implementation,
|
|
358
|
-
createNodeIterator,
|
|
359
|
-
createDocumentFragment,
|
|
360
|
-
getElementsByTagName
|
|
361
|
-
|
|
362
|
-
|
|
363
|
-
importNode
|
|
364
|
-
} = originalDocument;
|
|
365
|
-
let hooks = _createHooksMap();
|
|
375
|
+
var trustedTypesPolicy;
|
|
376
|
+
var emptyHTML = '';
|
|
377
|
+
var _document = document,
|
|
378
|
+
implementation = _document.implementation,
|
|
379
|
+
createNodeIterator = _document.createNodeIterator,
|
|
380
|
+
createDocumentFragment = _document.createDocumentFragment,
|
|
381
|
+
getElementsByTagName = _document.getElementsByTagName;
|
|
382
|
+
var importNode = originalDocument.importNode;
|
|
383
|
+
var hooks = _createHooksMap();
|
|
366
384
|
/**
|
|
367
385
|
* Expose whether this browser supports running the full DOMPurify.
|
|
368
386
|
*/
|
|
369
387
|
DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
|
|
370
|
-
|
|
371
|
-
|
|
372
|
-
|
|
373
|
-
|
|
374
|
-
|
|
375
|
-
|
|
376
|
-
|
|
377
|
-
|
|
378
|
-
|
|
379
|
-
} = EXPRESSIONS;
|
|
380
|
-
let {
|
|
381
|
-
IS_ALLOWED_URI: IS_ALLOWED_URI$1
|
|
382
|
-
} = EXPRESSIONS;
|
|
388
|
+
var MUSTACHE_EXPR = EXPRESSIONS.MUSTACHE_EXPR,
|
|
389
|
+
ERB_EXPR = EXPRESSIONS.ERB_EXPR,
|
|
390
|
+
TMPLIT_EXPR = EXPRESSIONS.TMPLIT_EXPR,
|
|
391
|
+
DATA_ATTR = EXPRESSIONS.DATA_ATTR,
|
|
392
|
+
ARIA_ATTR = EXPRESSIONS.ARIA_ATTR,
|
|
393
|
+
IS_SCRIPT_OR_DATA = EXPRESSIONS.IS_SCRIPT_OR_DATA,
|
|
394
|
+
ATTR_WHITESPACE = EXPRESSIONS.ATTR_WHITESPACE,
|
|
395
|
+
CUSTOM_ELEMENT = EXPRESSIONS.CUSTOM_ELEMENT;
|
|
396
|
+
var IS_ALLOWED_URI$1 = EXPRESSIONS.IS_ALLOWED_URI;
|
|
383
397
|
/**
|
|
384
398
|
* We consider the elements and attributes below to be safe. Ideally
|
|
385
399
|
* don't add any new ones but feel free to remove unwanted ones.
|
|
386
400
|
*/
|
|
387
401
|
/* allowed element names */
|
|
388
|
-
|
|
389
|
-
|
|
402
|
+
var ALLOWED_TAGS = null;
|
|
403
|
+
var DEFAULT_ALLOWED_TAGS = addToSet({}, [].concat(_toConsumableArray(html$1), _toConsumableArray(svg$1), _toConsumableArray(svgFilters), _toConsumableArray(mathMl$1), _toConsumableArray(text)));
|
|
390
404
|
/* Allowed attribute names */
|
|
391
|
-
|
|
392
|
-
|
|
405
|
+
var ALLOWED_ATTR = null;
|
|
406
|
+
var DEFAULT_ALLOWED_ATTR = addToSet({}, [].concat(_toConsumableArray(html), _toConsumableArray(svg), _toConsumableArray(mathMl), _toConsumableArray(xml)));
|
|
393
407
|
/*
|
|
394
408
|
* Configure how DOMPurify should handle custom elements and their attributes as well as customized built-in elements.
|
|
395
409
|
* @property {RegExp|Function|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)
|
|
396
410
|
* @property {RegExp|Function|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)
|
|
397
411
|
* @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.
|
|
398
412
|
*/
|
|
399
|
-
|
|
413
|
+
var CUSTOM_ELEMENT_HANDLING = Object.seal(create(null, {
|
|
400
414
|
tagNameCheck: {
|
|
401
415
|
writable: true,
|
|
402
416
|
configurable: false,
|
|
@@ -417,48 +431,48 @@
|
|
|
417
431
|
}
|
|
418
432
|
}));
|
|
419
433
|
/* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
|
|
420
|
-
|
|
434
|
+
var FORBID_TAGS = null;
|
|
421
435
|
/* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
|
|
422
|
-
|
|
436
|
+
var FORBID_ATTR = null;
|
|
423
437
|
/* Decide if ARIA attributes are okay */
|
|
424
|
-
|
|
438
|
+
var ALLOW_ARIA_ATTR = true;
|
|
425
439
|
/* Decide if custom data attributes are okay */
|
|
426
|
-
|
|
440
|
+
var ALLOW_DATA_ATTR = true;
|
|
427
441
|
/* Decide if unknown protocols are okay */
|
|
428
|
-
|
|
442
|
+
var ALLOW_UNKNOWN_PROTOCOLS = false;
|
|
429
443
|
/* Decide if self-closing tags in attributes are allowed.
|
|
430
444
|
* Usually removed due to a mXSS issue in jQuery 3.0 */
|
|
431
|
-
|
|
445
|
+
var ALLOW_SELF_CLOSE_IN_ATTR = true;
|
|
432
446
|
/* Output should be safe for common template engines.
|
|
433
447
|
* This means, DOMPurify removes data attributes, mustaches and ERB
|
|
434
448
|
*/
|
|
435
|
-
|
|
449
|
+
var SAFE_FOR_TEMPLATES = false;
|
|
436
450
|
/* Output should be safe even for XML used within HTML and alike.
|
|
437
451
|
* This means, DOMPurify removes comments when containing risky content.
|
|
438
452
|
*/
|
|
439
|
-
|
|
453
|
+
var SAFE_FOR_XML = true;
|
|
440
454
|
/* Decide if document with <html>... should be returned */
|
|
441
|
-
|
|
455
|
+
var WHOLE_DOCUMENT = false;
|
|
442
456
|
/* Track whether config is already set on this instance of DOMPurify. */
|
|
443
|
-
|
|
457
|
+
var SET_CONFIG = false;
|
|
444
458
|
/* Decide if all elements (e.g. style, script) must be children of
|
|
445
459
|
* document.body. By default, browsers might move them to document.head */
|
|
446
|
-
|
|
460
|
+
var FORCE_BODY = false;
|
|
447
461
|
/* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html
|
|
448
462
|
* string (or a TrustedHTML object if Trusted Types are supported).
|
|
449
463
|
* If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead
|
|
450
464
|
*/
|
|
451
|
-
|
|
465
|
+
var RETURN_DOM = false;
|
|
452
466
|
/* Decide if a DOM `DocumentFragment` should be returned, instead of a html
|
|
453
467
|
* string (or a TrustedHTML object if Trusted Types are supported) */
|
|
454
|
-
|
|
468
|
+
var RETURN_DOM_FRAGMENT = false;
|
|
455
469
|
/* Try to return a Trusted Type object instead of a string, return a string in
|
|
456
470
|
* case Trusted Types are not supported */
|
|
457
|
-
|
|
471
|
+
var RETURN_TRUSTED_TYPE = false;
|
|
458
472
|
/* Output should be free from DOM clobbering attacks?
|
|
459
473
|
* This sanitizes markups named with colliding, clobberable built-in DOM APIs.
|
|
460
474
|
*/
|
|
461
|
-
|
|
475
|
+
var SANITIZE_DOM = true;
|
|
462
476
|
/* Achieve full DOM Clobbering protection by isolating the namespace of named
|
|
463
477
|
* properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
|
|
464
478
|
*
|
|
@@ -472,51 +486,51 @@
|
|
|
472
486
|
* Namespace isolation is implemented by prefixing `id` and `name` attributes
|
|
473
487
|
* with a constant string, i.e., `user-content-`
|
|
474
488
|
*/
|
|
475
|
-
|
|
476
|
-
|
|
489
|
+
var SANITIZE_NAMED_PROPS = false;
|
|
490
|
+
var SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
|
|
477
491
|
/* Keep element content when removing element? */
|
|
478
|
-
|
|
492
|
+
var KEEP_CONTENT = true;
|
|
479
493
|
/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
|
|
480
494
|
* of importing it into a new Document and returning a sanitized copy */
|
|
481
|
-
|
|
495
|
+
var IN_PLACE = false;
|
|
482
496
|
/* Allow usage of profiles like html, svg and mathMl */
|
|
483
|
-
|
|
497
|
+
var USE_PROFILES = {};
|
|
484
498
|
/* Tags to ignore content of when KEEP_CONTENT is true */
|
|
485
|
-
|
|
486
|
-
|
|
499
|
+
var FORBID_CONTENTS = null;
|
|
500
|
+
var DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);
|
|
487
501
|
/* Tags that are safe for data: URIs */
|
|
488
|
-
|
|
489
|
-
|
|
502
|
+
var DATA_URI_TAGS = null;
|
|
503
|
+
var DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);
|
|
490
504
|
/* Attributes safe for values like "javascript:" */
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
505
|
+
var URI_SAFE_ATTRIBUTES = null;
|
|
506
|
+
var DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);
|
|
507
|
+
var MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
|
|
508
|
+
var SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
|
|
509
|
+
var HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
|
|
496
510
|
/* Document namespace */
|
|
497
|
-
|
|
498
|
-
|
|
511
|
+
var NAMESPACE = HTML_NAMESPACE;
|
|
512
|
+
var IS_EMPTY_INPUT = false;
|
|
499
513
|
/* Allowed XHTML+XML namespaces */
|
|
500
|
-
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
|
|
514
|
+
var ALLOWED_NAMESPACES = null;
|
|
515
|
+
var DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);
|
|
516
|
+
var MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
|
|
517
|
+
var HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
|
|
504
518
|
// Certain elements are allowed in both SVG and HTML
|
|
505
519
|
// namespace. We need to specify them explicitly
|
|
506
520
|
// so that they don't get erroneously deleted from
|
|
507
521
|
// HTML namespace.
|
|
508
|
-
|
|
522
|
+
var COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
|
|
509
523
|
/* Parsing of strict XHTML documents */
|
|
510
|
-
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
524
|
+
var PARSER_MEDIA_TYPE = null;
|
|
525
|
+
var SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
|
|
526
|
+
var DEFAULT_PARSER_MEDIA_TYPE = 'text/html';
|
|
527
|
+
var transformCaseFunc = null;
|
|
514
528
|
/* Keep a reference to config to pass to hooks */
|
|
515
|
-
|
|
529
|
+
var CONFIG = null;
|
|
516
530
|
/* Ideally, do not touch anything below this line */
|
|
517
531
|
/* ______________________________________________ */
|
|
518
|
-
|
|
519
|
-
|
|
532
|
+
var formElement = document.createElement('form');
|
|
533
|
+
var isRegexOrFunction = function isRegexOrFunction(testValue) {
|
|
520
534
|
return testValue instanceof RegExp || testValue instanceof Function;
|
|
521
535
|
};
|
|
522
536
|
/**
|
|
@@ -525,13 +539,13 @@
|
|
|
525
539
|
* @param cfg optional config literal
|
|
526
540
|
*/
|
|
527
541
|
// eslint-disable-next-line complexity
|
|
528
|
-
|
|
529
|
-
|
|
542
|
+
var _parseConfig = function _parseConfig() {
|
|
543
|
+
var cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
530
544
|
if (CONFIG && CONFIG === cfg) {
|
|
531
545
|
return;
|
|
532
546
|
}
|
|
533
547
|
/* Shield configuration object from tampering */
|
|
534
|
-
if (!cfg ||
|
|
548
|
+
if (!cfg || _typeof(cfg) !== 'object') {
|
|
535
549
|
cfg = {};
|
|
536
550
|
}
|
|
537
551
|
/* Shield configuration object from prototype pollution */
|
|
@@ -676,16 +690,16 @@
|
|
|
676
690
|
/* Keep track of all possible SVG and MathML tags
|
|
677
691
|
* so that we can perform the namespace checks
|
|
678
692
|
* correctly. */
|
|
679
|
-
|
|
680
|
-
|
|
693
|
+
var ALL_SVG_TAGS = addToSet({}, [].concat(_toConsumableArray(svg$1), _toConsumableArray(svgFilters), _toConsumableArray(svgDisallowed)));
|
|
694
|
+
var ALL_MATHML_TAGS = addToSet({}, [].concat(_toConsumableArray(mathMl$1), _toConsumableArray(mathMlDisallowed)));
|
|
681
695
|
/**
|
|
682
696
|
* @param element a DOM element whose namespace is being checked
|
|
683
697
|
* @returns Return false if the element has a
|
|
684
698
|
* namespace that a spec-compliant parser would never
|
|
685
699
|
* return. Return true otherwise.
|
|
686
700
|
*/
|
|
687
|
-
|
|
688
|
-
|
|
701
|
+
var _checkValidNamespace = function _checkValidNamespace(element) {
|
|
702
|
+
var parent = getParentNode(element);
|
|
689
703
|
// In JSDOM, if we're inside shadow DOM, then parentNode
|
|
690
704
|
// can be null. We just simulate parent in this case.
|
|
691
705
|
if (!parent || !parent.tagName) {
|
|
@@ -694,8 +708,8 @@
|
|
|
694
708
|
tagName: 'template'
|
|
695
709
|
};
|
|
696
710
|
}
|
|
697
|
-
|
|
698
|
-
|
|
711
|
+
var tagName = stringToLowerCase(element.tagName);
|
|
712
|
+
var parentTagName = stringToLowerCase(parent.tagName);
|
|
699
713
|
if (!ALLOWED_NAMESPACES[element.namespaceURI]) {
|
|
700
714
|
return false;
|
|
701
715
|
}
|
|
@@ -761,7 +775,7 @@
|
|
|
761
775
|
*
|
|
762
776
|
* @param node a DOM node
|
|
763
777
|
*/
|
|
764
|
-
|
|
778
|
+
var _forceRemove = function _forceRemove(node) {
|
|
765
779
|
arrayPush(DOMPurify.removed, {
|
|
766
780
|
element: node
|
|
767
781
|
});
|
|
@@ -778,7 +792,7 @@
|
|
|
778
792
|
* @param name an Attribute name
|
|
779
793
|
* @param element a DOM node
|
|
780
794
|
*/
|
|
781
|
-
|
|
795
|
+
var _removeAttribute = function _removeAttribute(name, element) {
|
|
782
796
|
try {
|
|
783
797
|
arrayPush(DOMPurify.removed, {
|
|
784
798
|
attribute: element.getAttributeNode(name),
|
|
@@ -810,22 +824,22 @@
|
|
|
810
824
|
* @param dirty - a string of dirty markup
|
|
811
825
|
* @return a DOM, filled with the dirty markup
|
|
812
826
|
*/
|
|
813
|
-
|
|
827
|
+
var _initDocument = function _initDocument(dirty) {
|
|
814
828
|
/* Create a HTML document */
|
|
815
|
-
|
|
816
|
-
|
|
829
|
+
var doc = null;
|
|
830
|
+
var leadingWhitespace = null;
|
|
817
831
|
if (FORCE_BODY) {
|
|
818
832
|
dirty = '<remove></remove>' + dirty;
|
|
819
833
|
} else {
|
|
820
834
|
/* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */
|
|
821
|
-
|
|
835
|
+
var matches = stringMatch(dirty, /^[\r\n\t ]+/);
|
|
822
836
|
leadingWhitespace = matches && matches[0];
|
|
823
837
|
}
|
|
824
838
|
if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && NAMESPACE === HTML_NAMESPACE) {
|
|
825
839
|
// Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)
|
|
826
840
|
dirty = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + dirty + '</body></html>';
|
|
827
841
|
}
|
|
828
|
-
|
|
842
|
+
var dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
|
|
829
843
|
/*
|
|
830
844
|
* Use the DOMParser API by default, fallback later if needs be
|
|
831
845
|
* DOMParser not work for svg when has multiple root element.
|
|
@@ -844,7 +858,7 @@
|
|
|
844
858
|
// Syntax error if dirtyPayload is invalid xml
|
|
845
859
|
}
|
|
846
860
|
}
|
|
847
|
-
|
|
861
|
+
var body = doc.body || doc.documentElement;
|
|
848
862
|
if (dirty && leadingWhitespace) {
|
|
849
863
|
body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);
|
|
850
864
|
}
|
|
@@ -860,7 +874,7 @@
|
|
|
860
874
|
* @param root The root element or node to start traversing on.
|
|
861
875
|
* @return The created NodeIterator
|
|
862
876
|
*/
|
|
863
|
-
|
|
877
|
+
var _createNodeIterator = function _createNodeIterator(root) {
|
|
864
878
|
return createNodeIterator.call(root.ownerDocument || root, root,
|
|
865
879
|
// eslint-disable-next-line no-bitwise
|
|
866
880
|
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
|
|
@@ -871,7 +885,7 @@
|
|
|
871
885
|
* @param element element to check for clobbering attacks
|
|
872
886
|
* @return true if clobbered, false if safe
|
|
873
887
|
*/
|
|
874
|
-
|
|
888
|
+
var _isClobbered = function _isClobbered(element) {
|
|
875
889
|
return element instanceof HTMLFormElement && (typeof element.nodeName !== 'string' || typeof element.textContent !== 'string' || typeof element.removeChild !== 'function' || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== 'function' || typeof element.setAttribute !== 'function' || typeof element.namespaceURI !== 'string' || typeof element.insertBefore !== 'function' || typeof element.hasChildNodes !== 'function');
|
|
876
890
|
};
|
|
877
891
|
/**
|
|
@@ -880,11 +894,11 @@
|
|
|
880
894
|
* @param value object to check whether it's a DOM node
|
|
881
895
|
* @return true is object is a DOM node
|
|
882
896
|
*/
|
|
883
|
-
|
|
897
|
+
var _isNode = function _isNode(value) {
|
|
884
898
|
return typeof Node === 'function' && value instanceof Node;
|
|
885
899
|
};
|
|
886
900
|
function _executeHooks(hooks, currentNode, data) {
|
|
887
|
-
arrayForEach(hooks, hook
|
|
901
|
+
arrayForEach(hooks, function (hook) {
|
|
888
902
|
hook.call(DOMPurify, currentNode, data, CONFIG);
|
|
889
903
|
});
|
|
890
904
|
}
|
|
@@ -897,8 +911,8 @@
|
|
|
897
911
|
* @param currentNode to check for permission to exist
|
|
898
912
|
* @return true if node was killed, false if left alive
|
|
899
913
|
*/
|
|
900
|
-
|
|
901
|
-
|
|
914
|
+
var _sanitizeElements = function _sanitizeElements(currentNode) {
|
|
915
|
+
var content = null;
|
|
902
916
|
/* Execute a hook if present */
|
|
903
917
|
_executeHooks(hooks.beforeSanitizeElements, currentNode, null);
|
|
904
918
|
/* Check if element is clobbered or can clobber */
|
|
@@ -907,10 +921,10 @@
|
|
|
907
921
|
return true;
|
|
908
922
|
}
|
|
909
923
|
/* Now let's check the element's type and name */
|
|
910
|
-
|
|
924
|
+
var tagName = transformCaseFunc(currentNode.nodeName);
|
|
911
925
|
/* Execute a hook if present */
|
|
912
926
|
_executeHooks(hooks.uponSanitizeElement, currentNode, {
|
|
913
|
-
tagName,
|
|
927
|
+
tagName: tagName,
|
|
914
928
|
allowedTags: ALLOWED_TAGS
|
|
915
929
|
});
|
|
916
930
|
/* Detect mXSS attempts abusing namespace confusion */
|
|
@@ -941,12 +955,12 @@
|
|
|
941
955
|
}
|
|
942
956
|
/* Keep content except for bad-listed elements */
|
|
943
957
|
if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
|
|
944
|
-
|
|
945
|
-
|
|
958
|
+
var parentNode = getParentNode(currentNode) || currentNode.parentNode;
|
|
959
|
+
var childNodes = getChildNodes(currentNode) || currentNode.childNodes;
|
|
946
960
|
if (childNodes && parentNode) {
|
|
947
|
-
|
|
948
|
-
for (
|
|
949
|
-
|
|
961
|
+
var childCount = childNodes.length;
|
|
962
|
+
for (var i = childCount - 1; i >= 0; --i) {
|
|
963
|
+
var childClone = cloneNode(childNodes[i], true);
|
|
950
964
|
childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
|
|
951
965
|
parentNode.insertBefore(childClone, getNextSibling(currentNode));
|
|
952
966
|
}
|
|
@@ -969,7 +983,7 @@
|
|
|
969
983
|
if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
|
|
970
984
|
/* Get the element's text content */
|
|
971
985
|
content = currentNode.textContent;
|
|
972
|
-
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr
|
|
986
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], function (expr) {
|
|
973
987
|
content = stringReplace(content, expr, ' ');
|
|
974
988
|
});
|
|
975
989
|
if (currentNode.textContent !== content) {
|
|
@@ -992,7 +1006,7 @@
|
|
|
992
1006
|
* @return Returns true if `value` is valid, otherwise false.
|
|
993
1007
|
*/
|
|
994
1008
|
// eslint-disable-next-line complexity
|
|
995
|
-
|
|
1009
|
+
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
|
|
996
1010
|
/* Make sure attribute cannot clobber */
|
|
997
1011
|
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
|
|
998
1012
|
return false;
|
|
@@ -1001,7 +1015,7 @@
|
|
|
1001
1015
|
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
|
|
1002
1016
|
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
|
|
1003
1017
|
We don't need to check the value; it's always URI safe. */
|
|
1004
|
-
if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ;
|
|
1018
|
+
if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ;else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ;else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
|
|
1005
1019
|
if (
|
|
1006
1020
|
// First condition does a very basic check if a) it's basically a valid custom element tagname AND
|
|
1007
1021
|
// b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
|
|
@@ -1009,11 +1023,11 @@
|
|
|
1009
1023
|
_isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) ||
|
|
1010
1024
|
// Alternative, second condition checks if it's an `is`-attribute, AND
|
|
1011
1025
|
// the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
|
|
1012
|
-
lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ;
|
|
1026
|
+
lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ;else {
|
|
1013
1027
|
return false;
|
|
1014
1028
|
}
|
|
1015
1029
|
/* Check value is safe. First, is attr inert? If so, is safe */
|
|
1016
|
-
} else if (URI_SAFE_ATTRIBUTES[lcName]) ;
|
|
1030
|
+
} else if (URI_SAFE_ATTRIBUTES[lcName]) ;else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ;else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ;else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ;else if (value) {
|
|
1017
1031
|
return false;
|
|
1018
1032
|
} else ;
|
|
1019
1033
|
return true;
|
|
@@ -1026,7 +1040,7 @@
|
|
|
1026
1040
|
* @param tagName name of the tag of the node to sanitize
|
|
1027
1041
|
* @returns Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
|
|
1028
1042
|
*/
|
|
1029
|
-
|
|
1043
|
+
var _isBasicCustomElement = function _isBasicCustomElement(tagName) {
|
|
1030
1044
|
return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
|
|
1031
1045
|
};
|
|
1032
1046
|
/**
|
|
@@ -1039,112 +1053,113 @@
|
|
|
1039
1053
|
*
|
|
1040
1054
|
* @param currentNode to sanitize
|
|
1041
1055
|
*/
|
|
1042
|
-
|
|
1056
|
+
var _sanitizeAttributes = function _sanitizeAttributes(currentNode) {
|
|
1043
1057
|
/* Execute a hook if present */
|
|
1044
1058
|
_executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);
|
|
1045
|
-
|
|
1046
|
-
attributes
|
|
1047
|
-
} = currentNode;
|
|
1059
|
+
var attributes = currentNode.attributes;
|
|
1048
1060
|
/* Check if we have attributes; if not we might have a text node */
|
|
1049
1061
|
if (!attributes || _isClobbered(currentNode)) {
|
|
1050
1062
|
return;
|
|
1051
1063
|
}
|
|
1052
|
-
|
|
1064
|
+
var hookEvent = {
|
|
1053
1065
|
attrName: '',
|
|
1054
1066
|
attrValue: '',
|
|
1055
1067
|
keepAttr: true,
|
|
1056
1068
|
allowedAttributes: ALLOWED_ATTR,
|
|
1057
1069
|
forceKeepAttr: undefined
|
|
1058
1070
|
};
|
|
1059
|
-
|
|
1071
|
+
var l = attributes.length;
|
|
1060
1072
|
/* Go backwards over all attributes; safely remove bad ones */
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1065
|
-
|
|
1066
|
-
|
|
1067
|
-
|
|
1068
|
-
|
|
1069
|
-
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1085
|
-
|
|
1086
|
-
|
|
1087
|
-
|
|
1088
|
-
|
|
1089
|
-
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
}
|
|
1095
|
-
/* Remove attribute */
|
|
1096
|
-
_removeAttribute(name, currentNode);
|
|
1097
|
-
/* Did the hooks approve of the attribute? */
|
|
1098
|
-
if (!hookEvent.keepAttr) {
|
|
1099
|
-
continue;
|
|
1100
|
-
}
|
|
1101
|
-
/* Work around a security issue in jQuery 3.0 */
|
|
1102
|
-
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
|
|
1073
|
+
var _loop = function _loop() {
|
|
1074
|
+
var attr = attributes[l];
|
|
1075
|
+
var name = attr.name,
|
|
1076
|
+
namespaceURI = attr.namespaceURI,
|
|
1077
|
+
attrValue = attr.value;
|
|
1078
|
+
var lcName = transformCaseFunc(name);
|
|
1079
|
+
var value = name === 'value' ? attrValue : stringTrim(attrValue);
|
|
1080
|
+
/* Execute a hook if present */
|
|
1081
|
+
hookEvent.attrName = lcName;
|
|
1082
|
+
hookEvent.attrValue = value;
|
|
1083
|
+
hookEvent.keepAttr = true;
|
|
1084
|
+
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
|
|
1085
|
+
_executeHooks(hooks.uponSanitizeAttribute, currentNode, hookEvent);
|
|
1086
|
+
value = hookEvent.attrValue;
|
|
1087
|
+
/* Full DOM Clobbering protection via namespace isolation,
|
|
1088
|
+
* Prefix id and name attributes with `user-content-`
|
|
1089
|
+
*/
|
|
1090
|
+
if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
|
|
1091
|
+
// Remove the attribute with this value
|
|
1092
|
+
_removeAttribute(name, currentNode);
|
|
1093
|
+
// Prefix the value and later re-create the attribute with the sanitized value
|
|
1094
|
+
value = SANITIZE_NAMED_PROPS_PREFIX + value;
|
|
1095
|
+
}
|
|
1096
|
+
/* Work around a security issue with comments inside attributes */
|
|
1097
|
+
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
|
|
1098
|
+
_removeAttribute(name, currentNode);
|
|
1099
|
+
return 0; // continue
|
|
1100
|
+
}
|
|
1101
|
+
/* Did the hooks approve of the attribute? */
|
|
1102
|
+
if (hookEvent.forceKeepAttr) {
|
|
1103
|
+
return 0; // continue
|
|
1104
|
+
}
|
|
1105
|
+
/* Remove attribute */
|
|
1103
1106
|
_removeAttribute(name, currentNode);
|
|
1104
|
-
|
|
1105
|
-
|
|
1106
|
-
|
|
1107
|
-
if (SAFE_FOR_TEMPLATES) {
|
|
1108
|
-
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
|
|
1109
|
-
value = stringReplace(value, expr, ' ');
|
|
1110
|
-
});
|
|
1111
|
-
}
|
|
1112
|
-
/* Is `value` valid for this attribute? */
|
|
1113
|
-
const lcTag = transformCaseFunc(currentNode.nodeName);
|
|
1114
|
-
if (!_isValidAttribute(lcTag, lcName, value)) {
|
|
1115
|
-
continue;
|
|
1116
|
-
}
|
|
1117
|
-
/* Handle attributes that require Trusted Types */
|
|
1118
|
-
if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1119
|
-
if (namespaceURI) ; else {
|
|
1120
|
-
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
1121
|
-
case 'TrustedHTML':
|
|
1122
|
-
{
|
|
1123
|
-
value = trustedTypesPolicy.createHTML(value);
|
|
1124
|
-
break;
|
|
1125
|
-
}
|
|
1126
|
-
case 'TrustedScriptURL':
|
|
1127
|
-
{
|
|
1128
|
-
value = trustedTypesPolicy.createScriptURL(value);
|
|
1129
|
-
break;
|
|
1130
|
-
}
|
|
1131
|
-
}
|
|
1107
|
+
/* Did the hooks approve of the attribute? */
|
|
1108
|
+
if (!hookEvent.keepAttr) {
|
|
1109
|
+
return 0; // continue
|
|
1132
1110
|
}
|
|
1133
|
-
|
|
1134
|
-
|
|
1135
|
-
|
|
1136
|
-
|
|
1137
|
-
currentNode.setAttributeNS(namespaceURI, name, value);
|
|
1138
|
-
} else {
|
|
1139
|
-
/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
|
|
1140
|
-
currentNode.setAttribute(name, value);
|
|
1111
|
+
/* Work around a security issue in jQuery 3.0 */
|
|
1112
|
+
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
|
|
1113
|
+
_removeAttribute(name, currentNode);
|
|
1114
|
+
return 0; // continue
|
|
1141
1115
|
}
|
|
1142
|
-
|
|
1143
|
-
|
|
1144
|
-
|
|
1145
|
-
|
|
1116
|
+
/* Sanitize attribute content to be template-safe */
|
|
1117
|
+
if (SAFE_FOR_TEMPLATES) {
|
|
1118
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], function (expr) {
|
|
1119
|
+
value = stringReplace(value, expr, ' ');
|
|
1120
|
+
});
|
|
1146
1121
|
}
|
|
1147
|
-
|
|
1122
|
+
/* Is `value` valid for this attribute? */
|
|
1123
|
+
var lcTag = transformCaseFunc(currentNode.nodeName);
|
|
1124
|
+
if (!_isValidAttribute(lcTag, lcName, value)) {
|
|
1125
|
+
return 0; // continue
|
|
1126
|
+
}
|
|
1127
|
+
/* Handle attributes that require Trusted Types */
|
|
1128
|
+
if (trustedTypesPolicy && _typeof(trustedTypes) === 'object' && typeof trustedTypes.getAttributeType === 'function') {
|
|
1129
|
+
if (namespaceURI) ;else {
|
|
1130
|
+
switch (trustedTypes.getAttributeType(lcTag, lcName)) {
|
|
1131
|
+
case 'TrustedHTML':
|
|
1132
|
+
{
|
|
1133
|
+
value = trustedTypesPolicy.createHTML(value);
|
|
1134
|
+
break;
|
|
1135
|
+
}
|
|
1136
|
+
case 'TrustedScriptURL':
|
|
1137
|
+
{
|
|
1138
|
+
value = trustedTypesPolicy.createScriptURL(value);
|
|
1139
|
+
break;
|
|
1140
|
+
}
|
|
1141
|
+
}
|
|
1142
|
+
}
|
|
1143
|
+
}
|
|
1144
|
+
/* Handle invalid data-* attribute set by try-catching it */
|
|
1145
|
+
try {
|
|
1146
|
+
if (namespaceURI) {
|
|
1147
|
+
currentNode.setAttributeNS(namespaceURI, name, value);
|
|
1148
|
+
} else {
|
|
1149
|
+
/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
|
|
1150
|
+
currentNode.setAttribute(name, value);
|
|
1151
|
+
}
|
|
1152
|
+
if (_isClobbered(currentNode)) {
|
|
1153
|
+
_forceRemove(currentNode);
|
|
1154
|
+
} else {
|
|
1155
|
+
arrayPop(DOMPurify.removed);
|
|
1156
|
+
}
|
|
1157
|
+
} catch (_) {}
|
|
1158
|
+
},
|
|
1159
|
+
_ret;
|
|
1160
|
+
while (l--) {
|
|
1161
|
+
_ret = _loop();
|
|
1162
|
+
if (_ret === 0) continue;
|
|
1148
1163
|
}
|
|
1149
1164
|
/* Execute a hook if present */
|
|
1150
1165
|
_executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
|
|
@@ -1154,9 +1169,9 @@
|
|
|
1154
1169
|
*
|
|
1155
1170
|
* @param fragment to iterate over recursively
|
|
1156
1171
|
*/
|
|
1157
|
-
|
|
1158
|
-
|
|
1159
|
-
|
|
1172
|
+
var _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {
|
|
1173
|
+
var shadowNode = null;
|
|
1174
|
+
var shadowIterator = _createNodeIterator(fragment);
|
|
1160
1175
|
/* Execute a hook if present */
|
|
1161
1176
|
_executeHooks(hooks.beforeSanitizeShadowDOM, fragment, null);
|
|
1162
1177
|
while (shadowNode = shadowIterator.nextNode()) {
|
|
@@ -1176,11 +1191,11 @@
|
|
|
1176
1191
|
};
|
|
1177
1192
|
// eslint-disable-next-line complexity
|
|
1178
1193
|
DOMPurify.sanitize = function (dirty) {
|
|
1179
|
-
|
|
1180
|
-
|
|
1181
|
-
|
|
1182
|
-
|
|
1183
|
-
|
|
1194
|
+
var cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
|
|
1195
|
+
var body = null;
|
|
1196
|
+
var importedNode = null;
|
|
1197
|
+
var currentNode = null;
|
|
1198
|
+
var returnNode = null;
|
|
1184
1199
|
/* Make sure we have a string to sanitize.
|
|
1185
1200
|
DO NOT return early, as this will return the wrong type if
|
|
1186
1201
|
the user has requested a DOM object rather than a string */
|
|
@@ -1216,7 +1231,7 @@
|
|
|
1216
1231
|
if (IN_PLACE) {
|
|
1217
1232
|
/* Do some early pre-sanitization to avoid unsafe root nodes */
|
|
1218
1233
|
if (dirty.nodeName) {
|
|
1219
|
-
|
|
1234
|
+
var tagName = transformCaseFunc(dirty.nodeName);
|
|
1220
1235
|
if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
|
|
1221
1236
|
throw typeErrorCreate('root node is forbidden and cannot be sanitized in-place');
|
|
1222
1237
|
}
|
|
@@ -1254,7 +1269,7 @@
|
|
|
1254
1269
|
_forceRemove(body.firstChild);
|
|
1255
1270
|
}
|
|
1256
1271
|
/* Get node iterator */
|
|
1257
|
-
|
|
1272
|
+
var nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
|
|
1258
1273
|
/* Now start iterating over the created document */
|
|
1259
1274
|
while (currentNode = nodeIterator.nextNode()) {
|
|
1260
1275
|
/* Sanitize tags and elements */
|
|
@@ -1293,21 +1308,21 @@
|
|
|
1293
1308
|
}
|
|
1294
1309
|
return returnNode;
|
|
1295
1310
|
}
|
|
1296
|
-
|
|
1311
|
+
var serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;
|
|
1297
1312
|
/* Serialize doctype if allowed */
|
|
1298
1313
|
if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {
|
|
1299
1314
|
serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;
|
|
1300
1315
|
}
|
|
1301
1316
|
/* Sanitize final string template-safe */
|
|
1302
1317
|
if (SAFE_FOR_TEMPLATES) {
|
|
1303
|
-
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr
|
|
1318
|
+
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], function (expr) {
|
|
1304
1319
|
serializedHTML = stringReplace(serializedHTML, expr, ' ');
|
|
1305
1320
|
});
|
|
1306
1321
|
}
|
|
1307
1322
|
return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
|
|
1308
1323
|
};
|
|
1309
1324
|
DOMPurify.setConfig = function () {
|
|
1310
|
-
|
|
1325
|
+
var cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
|
|
1311
1326
|
_parseConfig(cfg);
|
|
1312
1327
|
SET_CONFIG = true;
|
|
1313
1328
|
};
|
|
@@ -1320,8 +1335,8 @@
|
|
|
1320
1335
|
if (!CONFIG) {
|
|
1321
1336
|
_parseConfig({});
|
|
1322
1337
|
}
|
|
1323
|
-
|
|
1324
|
-
|
|
1338
|
+
var lcTag = transformCaseFunc(tag);
|
|
1339
|
+
var lcName = transformCaseFunc(attr);
|
|
1325
1340
|
return _isValidAttribute(lcTag, lcName, value);
|
|
1326
1341
|
};
|
|
1327
1342
|
DOMPurify.addHook = function (entryPoint, hookFunction) {
|
|
@@ -1332,7 +1347,7 @@
|
|
|
1332
1347
|
};
|
|
1333
1348
|
DOMPurify.removeHook = function (entryPoint, hookFunction) {
|
|
1334
1349
|
if (hookFunction !== undefined) {
|
|
1335
|
-
|
|
1350
|
+
var index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
|
|
1336
1351
|
return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
|
|
1337
1352
|
}
|
|
1338
1353
|
return arrayPop(hooks[entryPoint]);
|
|
@@ -1346,12 +1361,8 @@
|
|
|
1346
1361
|
return DOMPurify;
|
|
1347
1362
|
}
|
|
1348
1363
|
var purify = createDOMPurify();
|
|
1349
|
-
|
|
1350
1364
|
return purify;
|
|
1351
|
-
|
|
1352
|
-
}));
|
|
1353
|
-
//# sourceMappingURL=purify.js.map
|
|
1354
|
-
|
|
1365
|
+
});
|
|
1355
1366
|
|
|
1356
1367
|
/***/ })
|
|
1357
1368
|
|