umap-project 2.8.2__py3-none-any.whl → 2.9.0__py3-none-any.whl

umap/static/umap/vendors/dompurify/purify.es.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.1.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.7/LICENSE */
+/*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
 
 const {
   entries,
@@ -37,8 +37,10 @@ if (!construct) {
   };
 }
 const arrayForEach = unapply(Array.prototype.forEach);
+const arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);
 const arrayPop = unapply(Array.prototype.pop);
 const arrayPush = unapply(Array.prototype.push);
+const arraySplice = unapply(Array.prototype.splice);
 const stringToLowerCase = unapply(String.prototype.toLowerCase);
 const stringToString = unapply(String.prototype.toString);
 const stringMatch = unapply(String.prototype.match);
@@ -48,12 +50,11 @@ const stringTrim = unapply(String.prototype.trim);
 const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
 const regExpTest = unapply(RegExp.prototype.test);
 const typeErrorCreate = unconstruct(TypeError);
-
 /**
  * Creates a new function that calls the given function with a specified thisArg and arguments.
  *
- * @param {Function} func - The function to be wrapped and called.
- * @returns {Function} A new function that calls the given function with a specified thisArg and arguments.
+ * @param func - The function to be wrapped and called.
+ * @returns A new function that calls the given function with a specified thisArg and arguments.
  */
 function unapply(func) {
   return function (thisArg) {
@@ -63,12 +64,11 @@ function unapply(func) {
     return apply(func, thisArg, args);
   };
 }
-
 /**
  * Creates a new function that constructs an instance of the given constructor function with the provided arguments.
  *
- * @param {Function} func - The constructor function to be wrapped and called.
- * @returns {Function} A new function that constructs an instance of the given constructor function with the provided arguments.
+ * @param func - The constructor function to be wrapped and called.
+ * @returns A new function that constructs an instance of the given constructor function with the provided arguments.
  */
 function unconstruct(func) {
   return function () {
@@ -78,14 +78,13 @@ function unconstruct(func) {
     return construct(func, args);
   };
 }
-
 /**
  * Add properties to a lookup table
  *
- * @param {Object} set - The set to which elements will be added.
- * @param {Array} array - The array containing elements to be added to the set.
- * @param {Function} transformCaseFunc - An optional function to transform the case of each element before adding to the set.
- * @returns {Object} The modified set with added elements.
+ * @param set - The set to which elements will be added.
+ * @param array - The array containing elements to be added to the set.
+ * @param transformCaseFunc - An optional function to transform the case of each element before adding to the set.
+ * @returns The modified set with added elements.
  */
 function addToSet(set, array) {
   let transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;
@@ -112,12 +111,11 @@ function addToSet(set, array) {
   }
   return set;
 }
-
 /**
  * Clean up an array to harden against CSPP
  *
- * @param {Array} array - The array to be cleaned.
- * @returns {Array} The cleaned version of the array
+ * @param array - The array to be cleaned.
+ * @returns The cleaned version of the array
  */
 function cleanArray(array) {
   for (let index = 0; index < array.length; index++) {
@@ -128,12 +126,11 @@ function cleanArray(array) {
   }
   return array;
 }
-
 /**
  * Shallow clone an object
  *
- * @param {Object} object - The object to be cloned.
- * @returns {Object} A new object that copies the original.
+ * @param object - The object to be cloned.
+ * @returns A new object that copies the original.
  */
 function clone(object) {
   const newObject = create(null);
@@ -151,13 +148,12 @@ function clone(object) {
   }
   return newObject;
 }
-
 /**
  * This method automatically checks if the prop is function or getter and behaves accordingly.
  *
- * @param {Object} object - The object to look up the getter function in its prototype chain.
- * @param {String} prop - The property name for which to find the getter function.
- * @returns {Function} The getter function found in the prototype chain or a fallback function.
+ * @param object - The object to look up the getter function in its prototype chain.
+ * @param prop - The property name for which to find the getter function.
+ * @returns The getter function found in the prototype chain or a fallback function.
  */
 function lookupGetter(object, prop) {
   while (object !== null) {
@@ -179,18 +175,14 @@ function lookupGetter(object, prop) {
 }
 
 const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
-
-// SVG
 const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
 const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
-
 // List of SVG elements that are disallowed by default.
 // We still need to know them so that we can do namespace
 // checks properly in case one wants to add them to
 // allow-list.
 const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
 const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
-
 // Similarly to SVG, we want to know all MathML elements,
 // even those that we disallow by default.
 const mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);
@@ -204,8 +196,8 @@ const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:x
 // eslint-disable-next-line unicorn/better-regex
 const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
 const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
-const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
-const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
+const TMPLIT_EXPR = seal(/\$\{[\w\W]*/gm); // eslint-disable-line unicorn/better-regex
+const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
 const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
 const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
 );
@@ -217,18 +209,19 @@ const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   __proto__: null,
-  MUSTACHE_EXPR: MUSTACHE_EXPR,
-  ERB_EXPR: ERB_EXPR,
-  TMPLIT_EXPR: TMPLIT_EXPR,
-  DATA_ATTR: DATA_ATTR,
   ARIA_ATTR: ARIA_ATTR,
-  IS_ALLOWED_URI: IS_ALLOWED_URI,
-  IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
   ATTR_WHITESPACE: ATTR_WHITESPACE,
+  CUSTOM_ELEMENT: CUSTOM_ELEMENT,
+  DATA_ATTR: DATA_ATTR,
   DOCTYPE_NAME: DOCTYPE_NAME,
-  CUSTOM_ELEMENT: CUSTOM_ELEMENT
+  ERB_EXPR: ERB_EXPR,
+  IS_ALLOWED_URI: IS_ALLOWED_URI,
+  IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
+  MUSTACHE_EXPR: MUSTACHE_EXPR,
+  TMPLIT_EXPR: TMPLIT_EXPR
 });
 
+/* eslint-disable @typescript-eslint/indent */
 // https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
 const NODE_TYPE = {
   element: 1,
@@ -249,20 +242,18 @@ const NODE_TYPE = {
 const getGlobal = function getGlobal() {
   return typeof window === 'undefined' ? null : window;
 };
-
 /**
  * Creates a no-op policy for internal use only.
  * Don't export this function outside this module!
- * @param {TrustedTypePolicyFactory} trustedTypes The policy factory.
- * @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
- * @return {TrustedTypePolicy} The policy created (or null, if Trusted Types
+ * @param trustedTypes The policy factory.
+ * @param purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
+ * @return The policy created (or null, if Trusted Types
  * are not supported or creating the policy failed).
  */
 const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
   if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
     return null;
   }
-
   // Allow the callers to control the unique policy name
   // by adding a data-tt-policy-suffix to the script element with the DOMPurify.
   // Policy creation with duplicate names throws in Trusted Types.
@@ -289,22 +280,25 @@ const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedType
     return null;
   }
 };
+const _createHooksMap = function _createHooksMap() {
+  return {
+    afterSanitizeAttributes: [],
+    afterSanitizeElements: [],
+    afterSanitizeShadowDOM: [],
+    beforeSanitizeAttributes: [],
+    beforeSanitizeElements: [],
+    beforeSanitizeShadowDOM: [],
+    uponSanitizeAttribute: [],
+    uponSanitizeElement: [],
+    uponSanitizeShadowNode: []
+  };
+};
 function createDOMPurify() {
   let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
   const DOMPurify = root => createDOMPurify(root);
-
-  /**
-   * Version label, exposed for easier checks
-   * if DOMPurify is up to date or not
-   */
-  DOMPurify.version = '3.1.7';
-
-  /**
-   * Array of elements that DOMPurify removed during sanitation.
-   * Empty if nothing was removed.
-   */
+  DOMPurify.version = '3.2.4';
   DOMPurify.removed = [];
-  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document) {
+  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
     // Not running in a browser, provide a factory function
     // so that you can pass your own Window
     DOMPurify.isSupported = false;
@@ -332,7 +326,6 @@ function createDOMPurify() {
   const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
   const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
   const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
-
   // As per issue #47, the web-components registry is inherited by a
   // new document created via createHTMLDocument. As per the spec
   // (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)
@@ -356,8 +349,7 @@ function createDOMPurify() {
   const {
     importNode
   } = originalDocument;
-  let hooks = {};
-
+  let hooks = _createHooksMap();
   /**
    * Expose whether this browser supports running the full DOMPurify.
    */
@@ -375,22 +367,18 @@ function createDOMPurify() {
   let {
     IS_ALLOWED_URI: IS_ALLOWED_URI$1
   } = EXPRESSIONS;
-
   /**
    * We consider the elements and attributes below to be safe. Ideally
    * don't add any new ones but feel free to remove unwanted ones.
    */
-
   /* allowed element names */
   let ALLOWED_TAGS = null;
   const DEFAULT_ALLOWED_TAGS = addToSet({}, [...html$1, ...svg$1, ...svgFilters, ...mathMl$1, ...text]);
-
   /* Allowed attribute names */
   let ALLOWED_ATTR = null;
   const DEFAULT_ALLOWED_ATTR = addToSet({}, [...html, ...svg, ...mathMl, ...xml]);
-
   /*
-   * Configure how DOMPUrify should handle custom elements and their attributes as well as customized built-in elements.
+   * Configure how DOMPurify should handle custom elements and their attributes as well as customized built-in elements.
    * @property {RegExp|Function|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)
    * @property {RegExp|Function|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)
    * @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.
@@ -415,65 +403,49 @@ function createDOMPurify() {
       value: false
     }
   }));
-
   /* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
   let FORBID_TAGS = null;
-
   /* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
   let FORBID_ATTR = null;
-
   /* Decide if ARIA attributes are okay */
   let ALLOW_ARIA_ATTR = true;
-
   /* Decide if custom data attributes are okay */
   let ALLOW_DATA_ATTR = true;
-
   /* Decide if unknown protocols are okay */
   let ALLOW_UNKNOWN_PROTOCOLS = false;
-
   /* Decide if self-closing tags in attributes are allowed.
    * Usually removed due to a mXSS issue in jQuery 3.0 */
   let ALLOW_SELF_CLOSE_IN_ATTR = true;
-
   /* Output should be safe for common template engines.
    * This means, DOMPurify removes data attributes, mustaches and ERB
    */
   let SAFE_FOR_TEMPLATES = false;
-
   /* Output should be safe even for XML used within HTML and alike.
    * This means, DOMPurify removes comments when containing risky content.
    */
   let SAFE_FOR_XML = true;
-
   /* Decide if document with <html>... should be returned */
   let WHOLE_DOCUMENT = false;
-
   /* Track whether config is already set on this instance of DOMPurify. */
   let SET_CONFIG = false;
-
   /* Decide if all elements (e.g. style, script) must be children of
    * document.body. By default, browsers might move them to document.head */
   let FORCE_BODY = false;
-
   /* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html
    * string (or a TrustedHTML object if Trusted Types are supported).
    * If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead
    */
   let RETURN_DOM = false;
-
   /* Decide if a DOM `DocumentFragment` should be returned, instead of a html
    * string  (or a TrustedHTML object if Trusted Types are supported) */
   let RETURN_DOM_FRAGMENT = false;
-
   /* Try to return a Trusted Type object instead of a string, return a string in
    * case Trusted Types are not supported  */
   let RETURN_TRUSTED_TYPE = false;
-
   /* Output should be free from DOM clobbering attacks?
    * This sanitizes markups named with colliding, clobberable built-in DOM APIs.
    */
   let SANITIZE_DOM = true;
-
   /* Achieve full DOM Clobbering protection by isolating the namespace of named
    * properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
    *
@@ -489,25 +461,19 @@ function createDOMPurify() {
    */
   let SANITIZE_NAMED_PROPS = false;
   const SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
-
   /* Keep element content when removing element? */
   let KEEP_CONTENT = true;
-
   /* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
    * of importing it into a new Document and returning a sanitized copy */
   let IN_PLACE = false;
-
   /* Allow usage of profiles like html, svg and mathMl */
   let USE_PROFILES = {};
-
   /* Tags to ignore content of when KEEP_CONTENT is true */
   let FORBID_CONTENTS = null;
   const DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);
-
   /* Tags that are safe for data: URIs */
   let DATA_URI_TAGS = null;
   const DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);
-
   /* Attributes safe for values like "javascript:" */
   let URI_SAFE_ATTRIBUTES = null;
   const DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);
@@ -517,32 +483,33 @@ function createDOMPurify() {
   /* Document namespace */
   let NAMESPACE = HTML_NAMESPACE;
   let IS_EMPTY_INPUT = false;
-
   /* Allowed XHTML+XML namespaces */
   let ALLOWED_NAMESPACES = null;
   const DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);
-
+  let MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
+  let HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
+  // Certain elements are allowed in both SVG and HTML
+  // namespace. We need to specify them explicitly
+  // so that they don't get erroneously deleted from
+  // HTML namespace.
+  const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
   /* Parsing of strict XHTML documents */
   let PARSER_MEDIA_TYPE = null;
   const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
   const DEFAULT_PARSER_MEDIA_TYPE = 'text/html';
   let transformCaseFunc = null;
-
   /* Keep a reference to config to pass to hooks */
   let CONFIG = null;
-
   /* Ideally, do not touch anything below this line */
   /* ______________________________________________ */
-
   const formElement = document.createElement('form');
   const isRegexOrFunction = function isRegexOrFunction(testValue) {
     return testValue instanceof RegExp || testValue instanceof Function;
   };
-
   /**
    * _parseConfig
    *
-   * @param  {Object} cfg optional config literal
+   * @param cfg optional config literal
    */
   // eslint-disable-next-line complexity
   const _parseConfig = function _parseConfig() {
@@ -550,39 +517,23 @@ function createDOMPurify() {
     if (CONFIG && CONFIG === cfg) {
       return;
     }
-
     /* Shield configuration object from tampering */
     if (!cfg || typeof cfg !== 'object') {
       cfg = {};
     }
-
     /* Shield configuration object from prototype pollution */
     cfg = clone(cfg);
     PARSER_MEDIA_TYPE =
     // eslint-disable-next-line unicorn/prefer-includes
     SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;
-
     // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
     transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
-
     /* Set configuration parameters */
     ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
     ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
     ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
-    URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
-    // eslint-disable-line indent
-    cfg.ADD_URI_SAFE_ATTR,
-    // eslint-disable-line indent
-    transformCaseFunc // eslint-disable-line indent
-    ) // eslint-disable-line indent
-    : DEFAULT_URI_SAFE_ATTRIBUTES;
-    DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
-    // eslint-disable-line indent
-    cfg.ADD_DATA_URI_TAGS,
-    // eslint-disable-line indent
-    transformCaseFunc // eslint-disable-line indent
-    ) // eslint-disable-line indent
-    : DEFAULT_DATA_URI_TAGS;
+    URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;
+    DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;
     FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
     FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
     FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
@@ -604,6 +555,8 @@ function createDOMPurify() {
     IN_PLACE = cfg.IN_PLACE || false; // Default false
     IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI;
     NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
+    MATHML_TEXT_INTEGRATION_POINTS = cfg.MATHML_TEXT_INTEGRATION_POINTS || MATHML_TEXT_INTEGRATION_POINTS;
+    HTML_INTEGRATION_POINTS = cfg.HTML_INTEGRATION_POINTS || HTML_INTEGRATION_POINTS;
     CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
     if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
       CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
@@ -620,7 +573,6 @@ function createDOMPurify() {
     if (RETURN_DOM_FRAGMENT) {
       RETURN_DOM = true;
     }
-
     /* Parse profile info */
     if (USE_PROFILES) {
       ALLOWED_TAGS = addToSet({}, text);
@@ -645,7 +597,6 @@ function createDOMPurify() {
         addToSet(ALLOWED_ATTR, xml);
       }
     }
-
     /* Merge configuration parameters */
     if (cfg.ADD_TAGS) {
       if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
@@ -668,17 +619,14 @@ function createDOMPurify() {
       }
       addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
     }
-
     /* Add #text in case KEEP_CONTENT is set to true */
     if (KEEP_CONTENT) {
       ALLOWED_TAGS['#text'] = true;
     }
-
     /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */
     if (WHOLE_DOCUMENT) {
       addToSet(ALLOWED_TAGS, ['html', 'head', 'body']);
     }
-
     /* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */
     if (ALLOWED_TAGS.table) {
       addToSet(ALLOWED_TAGS, ['tbody']);
@@ -691,10 +639,8 @@ function createDOMPurify() {
       if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
         throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
       }
-
       // Overwrite existing TrustedTypes policy.
       trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
-
       // Sign local variables required by `sanitize`.
       emptyHTML = trustedTypesPolicy.createHTML('');
     } else {
@@ -702,13 +648,11 @@ function createDOMPurify() {
       if (trustedTypesPolicy === undefined) {
         trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
       }
-
       // If creating the internal policy succeeded sign internal variables.
       if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
         emptyHTML = trustedTypesPolicy.createHTML('');
       }
     }
-
     // Prevent further manipulation of configuration.
     // Not available in IE8, Safari 5, etc.
     if (freeze) {
@@ -716,30 +660,19 @@ function createDOMPurify() {
     }
     CONFIG = cfg;
   };
-  const MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
-  const HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
-
-  // Certain elements are allowed in both SVG and HTML
-  // namespace. We need to specify them explicitly
-  // so that they don't get erroneously deleted from
-  // HTML namespace.
-  const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
-
   /* Keep track of all possible SVG and MathML tags
    * so that we can perform the namespace checks
    * correctly. */
   const ALL_SVG_TAGS = addToSet({}, [...svg$1, ...svgFilters, ...svgDisallowed]);
   const ALL_MATHML_TAGS = addToSet({}, [...mathMl$1, ...mathMlDisallowed]);
-
   /**
-   * @param  {Element} element a DOM element whose namespace is being checked
-   * @returns {boolean} Return false if the element has a
+   * @param element a DOM element whose namespace is being checked
+   * @returns Return false if the element has a
    *  namespace that a spec-compliant parser would never
    *  return. Return true otherwise.
    */
   const _checkValidNamespace = function _checkValidNamespace(element) {
     let parent = getParentNode(element);
-
     // In JSDOM, if we're inside shadow DOM, then parentNode
     // can be null. We just simulate parent in this case.
     if (!parent || !parent.tagName) {
@@ -760,14 +693,12 @@ function createDOMPurify() {
       if (parent.namespaceURI === HTML_NAMESPACE) {
         return tagName === 'svg';
       }
-
       // The only way to switch from MathML to SVG is via`
       // svg if parent is either <annotation-xml> or MathML
       // text integration points.
       if (parent.namespaceURI === MATHML_NAMESPACE) {
         return tagName === 'svg' && (parentTagName === 'annotation-xml' || MATHML_TEXT_INTEGRATION_POINTS[parentTagName]);
       }
-
       // We only allow elements that are defined in SVG
       // spec. All others are disallowed in SVG namespace.
       return Boolean(ALL_SVG_TAGS[tagName]);
@@ -779,13 +710,11 @@ function createDOMPurify() {
       if (parent.namespaceURI === HTML_NAMESPACE) {
         return tagName === 'math';
       }
-
       // The only way to switch from SVG to MathML is via
       // <math> and HTML integration points
       if (parent.namespaceURI === SVG_NAMESPACE) {
         return tagName === 'math' && HTML_INTEGRATION_POINTS[parentTagName];
       }
-
       // We only allow elements that are defined in MathML
       // spec. All others are disallowed in MathML namespace.
       return Boolean(ALL_MATHML_TAGS[tagName]);
@@ -800,28 +729,24 @@ function createDOMPurify() {
       if (parent.namespaceURI === MATHML_NAMESPACE && !MATHML_TEXT_INTEGRATION_POINTS[parentTagName]) {
         return false;
       }
-
       // We disallow tags that are specific for MathML
       // or SVG and should never appear in HTML namespace
       return !ALL_MATHML_TAGS[tagName] && (COMMON_SVG_AND_HTML_ELEMENTS[tagName] || !ALL_SVG_TAGS[tagName]);
     }
-
     // For XHTML and XML documents that support custom namespaces
     if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && ALLOWED_NAMESPACES[element.namespaceURI]) {
       return true;
     }
-
     // The code should never reach this place (this means
     // that the element somehow got namespace that is not
     // HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).
     // Return false just in case.
     return false;
   };
-
   /**
    * _forceRemove
    *
-   * @param  {Node} node a DOM node
+   * @param node a DOM node
    */
   const _forceRemove = function _forceRemove(node) {
     arrayPush(DOMPurify.removed, {
@@ -834,46 +759,43 @@ function createDOMPurify() {
       remove(node);
     }
   };
-
   /**
    * _removeAttribute
    *
-   * @param  {String} name an Attribute name
-   * @param  {Node} node a DOM node
+   * @param name an Attribute name
+   * @param element a DOM node
    */
-  const _removeAttribute = function _removeAttribute(name, node) {
+  const _removeAttribute = function _removeAttribute(name, element) {
     try {
       arrayPush(DOMPurify.removed, {
-        attribute: node.getAttributeNode(name),
-        from: node
+        attribute: element.getAttributeNode(name),
+        from: element
       });
     } catch (_) {
       arrayPush(DOMPurify.removed, {
         attribute: null,
-        from: node
+        from: element
       });
     }
-    node.removeAttribute(name);
-
-    // We void attribute values for unremovable "is"" attributes
-    if (name === 'is' && !ALLOWED_ATTR[name]) {
+    element.removeAttribute(name);
+    // We void attribute values for unremovable "is" attributes
+    if (name === 'is') {
       if (RETURN_DOM || RETURN_DOM_FRAGMENT) {
         try {
-          _forceRemove(node);
+          _forceRemove(element);
         } catch (_) {}
       } else {
         try {
-          node.setAttribute(name, '');
+          element.setAttribute(name, '');
         } catch (_) {}
       }
     }
   };
-
   /**
    * _initDocument
    *
-   * @param  {String} dirty a string of dirty markup
-   * @return {Document} a DOM, filled with the dirty markup
+   * @param dirty - a string of dirty markup
+   * @return a DOM, filled with the dirty markup
    */
   const _initDocument = function _initDocument(dirty) {
     /* Create a HTML document */
@@ -900,7 +822,6 @@ function createDOMPurify() {
         doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);
       } catch (_) {}
     }
-
     /* Use createHTMLDocument in case DOMParser is not available */
     if (!doc || !doc.documentElement) {
       doc = implementation.createDocument(NAMESPACE, 'template', null);
@@ -914,112 +835,86 @@ function createDOMPurify() {
     if (dirty && leadingWhitespace) {
       body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);
     }
-
     /* Work on whole document or just its body */
     if (NAMESPACE === HTML_NAMESPACE) {
       return getElementsByTagName.call(doc, WHOLE_DOCUMENT ? 'html' : 'body')[0];
     }
     return WHOLE_DOCUMENT ? doc.documentElement : body;
   };
-
   /**
    * Creates a NodeIterator object that you can use to traverse filtered lists of nodes or elements in a document.
    *
-   * @param  {Node} root The root element or node to start traversing on.
-   * @return {NodeIterator} The created NodeIterator
+   * @param root The root element or node to start traversing on.
+   * @return The created NodeIterator
    */
   const _createNodeIterator = function _createNodeIterator(root) {
     return createNodeIterator.call(root.ownerDocument || root, root,
     // eslint-disable-next-line no-bitwise
     NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
   };
-
   /**
    * _isClobbered
    *
-   * @param  {Node} elm element to check for clobbering attacks
-   * @return {Boolean} true if clobbered, false if safe
+   * @param element element to check for clobbering attacks
+   * @return true if clobbered, false if safe
    */
-  const _isClobbered = function _isClobbered(elm) {
-    return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
+  const _isClobbered = function _isClobbered(element) {
+    return element instanceof HTMLFormElement && (typeof element.nodeName !== 'string' || typeof element.textContent !== 'string' || typeof element.removeChild !== 'function' || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== 'function' || typeof element.setAttribute !== 'function' || typeof element.namespaceURI !== 'string' || typeof element.insertBefore !== 'function' || typeof element.hasChildNodes !== 'function');
   };
-
   /**
    * Checks whether the given object is a DOM node.
    *
-   * @param  {Node} object object to check whether it's a DOM node
-   * @return {Boolean} true is object is a DOM node
+   * @param value object to check whether it's a DOM node
+   * @return true is object is a DOM node
    */
-  const _isNode = function _isNode(object) {
-    return typeof Node === 'function' && object instanceof Node;
+  const _isNode = function _isNode(value) {
+    return typeof Node === 'function' && value instanceof Node;
   };
-
-  /**
-   * _executeHook
-   * Execute user configurable hooks
-   *
-   * @param  {String} entryPoint  Name of the hook's entry point
-   * @param  {Node} currentNode node to work on with the hook
-   * @param  {Object} data additional hook parameters
-   */
-  const _executeHook = function _executeHook(entryPoint, currentNode, data) {
-    if (!hooks[entryPoint]) {
-      return;
-    }
-    arrayForEach(hooks[entryPoint], hook => {
+  function _executeHooks(hooks, currentNode, data) {
+    arrayForEach(hooks, hook => {
       hook.call(DOMPurify, currentNode, data, CONFIG);
     });
-  };
-
+  }
   /**
    * _sanitizeElements
    *
    * @protect nodeName
    * @protect textContent
    * @protect removeChild
-   *
-   * @param   {Node} currentNode to check for permission to exist
-   * @return  {Boolean} true if node was killed, false if left alive
+   * @param currentNode to check for permission to exist
+   * @return true if node was killed, false if left alive
    */
   const _sanitizeElements = function _sanitizeElements(currentNode) {
     let content = null;
-
     /* Execute a hook if present */
-    _executeHook('beforeSanitizeElements', currentNode, null);
-
+    _executeHooks(hooks.beforeSanitizeElements, currentNode, null);
     /* Check if element is clobbered or can clobber */
     if (_isClobbered(currentNode)) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Now let's check the element's type and name */
     const tagName = transformCaseFunc(currentNode.nodeName);
-
     /* Execute a hook if present */
-    _executeHook('uponSanitizeElement', currentNode, {
+    _executeHooks(hooks.uponSanitizeElement, currentNode, {
       tagName,
       allowedTags: ALLOWED_TAGS
     });
-
     /* Detect mXSS attempts abusing namespace confusion */
     if (currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w]/g, currentNode.innerHTML) && regExpTest(/<[/\w]/g, currentNode.textContent)) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Remove any occurrence of processing instructions */
     if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Remove any kind of possibly harmful comments */
     if (SAFE_FOR_XML && currentNode.nodeType === NODE_TYPE.comment && regExpTest(/<[/\w]/g, currentNode.data)) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Remove element if anything forbids its presence */
     if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
       /* Check if we have a custom element to handle */
@@ -1031,7 +926,6 @@ function createDOMPurify() {
           return false;
         }
       }
-
       /* Keep content except for bad-listed elements */
       if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
         const parentNode = getParentNode(currentNode) || currentNode.parentNode;
@@ -1048,19 +942,16 @@ function createDOMPurify() {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Check whether element has a valid namespace */
     if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Make sure that older browsers don't get fallback-tag mXSS */
     if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
       _forceRemove(currentNode);
       return true;
     }
-
     /* Sanitize element content to be template-safe */
     if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
       /* Get the element's text content */
@@ -1075,19 +966,17 @@ function createDOMPurify() {
         currentNode.textContent = content;
       }
     }
-
     /* Execute a hook if present */
-    _executeHook('afterSanitizeElements', currentNode, null);
+    _executeHooks(hooks.afterSanitizeElements, currentNode, null);
     return false;
   };
-
   /**
    * _isValidAttribute
    *
-   * @param  {string} lcTag Lowercase tag name of containing element.
-   * @param  {string} lcName Lowercase attribute name.
-   * @param  {string} value Attribute value.
-   * @return {Boolean} Returns true if `value` is valid, otherwise false.
+   * @param lcTag Lowercase tag name of containing element.
+   * @param lcName Lowercase attribute name.
+   * @param value Attribute value.
+   * @return Returns true if `value` is valid, otherwise false.
    */
   // eslint-disable-next-line complexity
   const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
@@ -1095,7 +984,6 @@ function createDOMPurify() {
     if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
       return false;
     }
-
     /* Allow valid data-* attributes: At least one character after "-"
         (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
         XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
@@ -1117,19 +1005,17 @@ function createDOMPurify() {
     } else ;
     return true;
   };
-
   /**
    * _isBasicCustomElement
    * checks if at least one dash is included in tagName, and it's not the first char
    * for more sophisticated checking see https://github.com/sindresorhus/validate-element-name
    *
-   * @param {string} tagName name of the tag of the node to sanitize
-   * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
+   * @param tagName name of the tag of the node to sanitize
+   * @returns Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
     return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
   };
-
   /**
    * _sanitizeAttributes
    *
@@ -1138,27 +1024,26 @@ function createDOMPurify() {
    * @protect removeAttribute
    * @protect setAttribute
    *
-   * @param  {Node} currentNode to sanitize
+   * @param currentNode to sanitize
    */
   const _sanitizeAttributes = function _sanitizeAttributes(currentNode) {
     /* Execute a hook if present */
-    _executeHook('beforeSanitizeAttributes', currentNode, null);
+    _executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);
     const {
       attributes
     } = currentNode;
-
     /* Check if we have attributes; if not we might have a text node */
-    if (!attributes) {
+    if (!attributes || _isClobbered(currentNode)) {
       return;
     }
     const hookEvent = {
       attrName: '',
       attrValue: '',
       keepAttr: true,
-      allowedAttributes: ALLOWED_ATTR
+      allowedAttributes: ALLOWED_ATTR,
+      forceKeepAttr: undefined
     };
     let l = attributes.length;
-
     /* Go backwards over all attributes; safely remove bad ones */
     while (l--) {
       const attr = attributes[l];
@@ -1169,64 +1054,53 @@ function createDOMPurify() {
       } = attr;
       const lcName = transformCaseFunc(name);
       let value = name === 'value' ? attrValue : stringTrim(attrValue);
-
       /* Execute a hook if present */
       hookEvent.attrName = lcName;
       hookEvent.attrValue = value;
       hookEvent.keepAttr = true;
       hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
-      _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
+      _executeHooks(hooks.uponSanitizeAttribute, currentNode, hookEvent);
       value = hookEvent.attrValue;
-
+      /* Full DOM Clobbering protection via namespace isolation,
+       * Prefix id and name attributes with `user-content-`
+       */
+      if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
+        // Remove the attribute with this value
+        _removeAttribute(name, currentNode);
+        // Prefix the value and later re-create the attribute with the sanitized value
+        value = SANITIZE_NAMED_PROPS_PREFIX + value;
+      }
+      /* Work around a security issue with comments inside attributes */
+      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
+        _removeAttribute(name, currentNode);
+        continue;
+      }
       /* Did the hooks approve of the attribute? */
       if (hookEvent.forceKeepAttr) {
         continue;
       }
-
       /* Remove attribute */
       _removeAttribute(name, currentNode);
-
       /* Did the hooks approve of the attribute? */
       if (!hookEvent.keepAttr) {
         continue;
       }
-
       /* Work around a security issue in jQuery 3.0 */
       if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
         _removeAttribute(name, currentNode);
         continue;
       }
-
       /* Sanitize attribute content to be template-safe */
       if (SAFE_FOR_TEMPLATES) {
         arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
           value = stringReplace(value, expr, ' ');
         });
       }
-
       /* Is `value` valid for this attribute? */
       const lcTag = transformCaseFunc(currentNode.nodeName);
       if (!_isValidAttribute(lcTag, lcName, value)) {
         continue;
       }
-
-      /* Full DOM Clobbering protection via namespace isolation,
-       * Prefix id and name attributes with `user-content-`
-       */
-      if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
-        // Remove the attribute with this value
-        _removeAttribute(name, currentNode);
-
-        // Prefix the value and later re-create the attribute with the sanitized value
-        value = SANITIZE_NAMED_PROPS_PREFIX + value;
-      }
-
-      /* Work around a security issue with comments inside attributes */
-      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
-        _removeAttribute(name, currentNode);
-        continue;
-      }
-
       /* Handle attributes that require Trusted Types */
       if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
         if (namespaceURI) ; else {
@@ -1244,7 +1118,6 @@ function createDOMPurify() {
           }
         }
       }
-
       /* Handle invalid data-* attribute set by try-catching it */
       try {
         if (namespaceURI) {
@@ -1260,51 +1133,34 @@ function createDOMPurify() {
         }
       } catch (_) {}
     }
-
     /* Execute a hook if present */
-    _executeHook('afterSanitizeAttributes', currentNode, null);
+    _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
   };
-
   /**
    * _sanitizeShadowDOM
    *
-   * @param  {DocumentFragment} fragment to iterate over recursively
+   * @param fragment to iterate over recursively
    */
   const _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {
     let shadowNode = null;
     const shadowIterator = _createNodeIterator(fragment);
-
     /* Execute a hook if present */
-    _executeHook('beforeSanitizeShadowDOM', fragment, null);
+    _executeHooks(hooks.beforeSanitizeShadowDOM, fragment, null);
     while (shadowNode = shadowIterator.nextNode()) {
       /* Execute a hook if present */
-      _executeHook('uponSanitizeShadowNode', shadowNode, null);
-
+      _executeHooks(hooks.uponSanitizeShadowNode, shadowNode, null);
       /* Sanitize tags and elements */
-      if (_sanitizeElements(shadowNode)) {
-        continue;
-      }
-
+      _sanitizeElements(shadowNode);
+      /* Check attributes next */
+      _sanitizeAttributes(shadowNode);
       /* Deep shadow DOM detected */
       if (shadowNode.content instanceof DocumentFragment) {
         _sanitizeShadowDOM(shadowNode.content);
       }
-
-      /* Check attributes, sanitize if necessary */
-      _sanitizeAttributes(shadowNode);
     }
-
     /* Execute a hook if present */
-    _executeHook('afterSanitizeShadowDOM', fragment, null);
+    _executeHooks(hooks.afterSanitizeShadowDOM, fragment, null);
   };
-
-  /**
-   * Sanitize
-   * Public method providing core sanitation functionality
-   *
-   * @param {String|Node} dirty string or DOM node
-   * @param {Object} cfg object
-   */
   // eslint-disable-next-line complexity
   DOMPurify.sanitize = function (dirty) {
     let cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
@@ -1319,7 +1175,6 @@ function createDOMPurify() {
     if (IS_EMPTY_INPUT) {
       dirty = '<!-->';
     }
-
     /* Stringify, in case dirty is an object */
     if (typeof dirty !== 'string' && !_isNode(dirty)) {
       if (typeof dirty.toString === 'function') {
@@ -1331,20 +1186,16 @@ function createDOMPurify() {
         throw typeErrorCreate('toString is not a function');
       }
     }
-
     /* Return dirty HTML if DOMPurify cannot run */
     if (!DOMPurify.isSupported) {
       return dirty;
     }
-
     /* Assign config vars */
     if (!SET_CONFIG) {
       _parseConfig(cfg);
     }
-
     /* Clean up removed elements */
     DOMPurify.removed = [];
-
     /* Check if dirty is correctly typed for IN_PLACE */
     if (typeof dirty === 'string') {
       IN_PLACE = false;
@@ -1378,45 +1229,34 @@ function createDOMPurify() {
       dirty.indexOf('<') === -1) {
         return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;
       }
-
       /* Initialize the document to work on */
       body = _initDocument(dirty);
-
       /* Check we have a DOM node from the data */
       if (!body) {
         return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : '';
       }
     }
-
     /* Remove first element node (ours) if FORCE_BODY is set */
     if (body && FORCE_BODY) {
       _forceRemove(body.firstChild);
     }
-
     /* Get node iterator */
     const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
-
     /* Now start iterating over the created document */
     while (currentNode = nodeIterator.nextNode()) {
       /* Sanitize tags and elements */
-      if (_sanitizeElements(currentNode)) {
-        continue;
-      }
-
+      _sanitizeElements(currentNode);
+      /* Check attributes next */
+      _sanitizeAttributes(currentNode);
       /* Shadow DOM detected, sanitize it */
       if (currentNode.content instanceof DocumentFragment) {
         _sanitizeShadowDOM(currentNode.content);
       }
-
-      /* Check attributes, sanitize if necessary */
-      _sanitizeAttributes(currentNode);
     }
-
     /* If we sanitized `dirty` in-place, return it. */
     if (IN_PLACE) {
       return dirty;
     }
-
     /* Return sanitized string or DOM */
     if (RETURN_DOM) {
       if (RETURN_DOM_FRAGMENT) {
@@ -1441,12 +1281,10 @@ function createDOMPurify() {
       return returnNode;
     }
     let serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;
-
     /* Serialize doctype if allowed */
     if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {
       serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;
     }
-
     /* Sanitize final string template-safe */
     if (SAFE_FOR_TEMPLATES) {
       arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
@@ -1455,39 +1293,15 @@ function createDOMPurify() {
     }
     return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
   };
-
-  /**
-   * Public method to set the configuration once
-   * setConfig
-   *
-   * @param {Object} cfg configuration object
-   */
   DOMPurify.setConfig = function () {
     let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
     _parseConfig(cfg);
     SET_CONFIG = true;
   };
-
-  /**
-   * Public method to remove the configuration
-   * clearConfig
-   *
-   */
   DOMPurify.clearConfig = function () {
     CONFIG = null;
     SET_CONFIG = false;
   };
-
-  /**
-   * Public method to check if an attribute value is valid.
-   * Uses last set config, if any. Otherwise, uses config defaults.
-   * isValidAttribute
-   *
-   * @param  {String} tag Tag name of containing element.
-   * @param  {String} attr Attribute name.
-   * @param  {String} value Attribute value.
-   * @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
-   */
   DOMPurify.isValidAttribute = function (tag, attr, value) {
     /* Initialize shared config vars if necessary. */
     if (!CONFIG) {
@@ -1497,54 +1311,24 @@ function createDOMPurify() {
     const lcName = transformCaseFunc(attr);
     return _isValidAttribute(lcTag, lcName, value);
   };
-
-  /**
-   * AddHook
-   * Public method to add DOMPurify hooks
-   *
-   * @param {String} entryPoint entry point for the hook to add
-   * @param {Function} hookFunction function to execute
-   */
   DOMPurify.addHook = function (entryPoint, hookFunction) {
     if (typeof hookFunction !== 'function') {
       return;
     }
-    hooks[entryPoint] = hooks[entryPoint] || [];
     arrayPush(hooks[entryPoint], hookFunction);
   };
-
-  /**
-   * RemoveHook
-   * Public method to remove a DOMPurify hook at a given entryPoint
-   * (pops it from the stack of hooks if more are present)
-   *
-   * @param {String} entryPoint entry point for the hook to remove
-   * @return {Function} removed(popped) hook
-   */
-  DOMPurify.removeHook = function (entryPoint) {
-    if (hooks[entryPoint]) {
-      return arrayPop(hooks[entryPoint]);
+  DOMPurify.removeHook = function (entryPoint, hookFunction) {
+    if (hookFunction !== undefined) {
+      const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
+      return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
     }
+    return arrayPop(hooks[entryPoint]);
   };
-
-  /**
-   * RemoveHooks
-   * Public method to remove all DOMPurify hooks at a given entryPoint
-   *
-   * @param  {String} entryPoint entry point for the hooks to remove
-   */
   DOMPurify.removeHooks = function (entryPoint) {
-    if (hooks[entryPoint]) {
-      hooks[entryPoint] = [];
-    }
+    hooks[entryPoint] = [];
   };
-
-  /**
-   * RemoveAllHooks
-   * Public method to remove all DOMPurify hooks
-   */
   DOMPurify.removeAllHooks = function () {
-    hooks = {};
+    hooks = _createHooksMap();
   };
   return DOMPurify;
 }