New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
@locker/html-sanitizer
Advanced tools
@locker/html-sanitizer - npm Package Compare versions
Comparing version 0.15.4 to 0.15.5
@@ -158,3 +158,6 @@ /*! | ||
| const protocol$LWS = sharedDom$LWS.HTMLAnchorElementProtocolGetter(normalizerAnchor$LWS); | ||
| const [requestedUrl$LWS, requestedFragment$LWS] = shared$LWS.StringSplit(href$LWS, '#'); | ||
| const { | ||
| 0: requestedUrl$LWS, | ||
| 1: requestedFragment$LWS | ||
| } = shared$LWS.StringSplit(href$LWS, '#'); | ||
| const normalizedUrl$LWS = shared$LWS.StringReplace(shared$LWS.StringToLowerCase(requestedUrl$LWS), urlReplacer$LWS, ''); | ||
@@ -223,3 +226,3 @@ const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedUrl$LWS}_${shared$LWS.StringReplace(requestedFragment$LWS, urlReplacer$LWS, '')}` : ''; | ||
| if (attrValue$LWS && nodeName$LWS === 'USE' && shared$LWS.ArrayIncludes(ATTRIBUTES$LWS, attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHrefValue$LWS(attrValue$LWS); | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| } | ||
@@ -230,3 +233,3 @@ | ||
| function sanitizeSvgHrefValue$LWS(url$LWS) { | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| if (shared$LWS.StringStartsWith(url$LWS, '#')) { | ||
@@ -302,3 +305,3 @@ return url$LWS; | ||
| exports.sanitizeHrefAttributeHook = sanitizeHrefAttributeHook$LWS; | ||
| exports.sanitizeSvgHrefValue = sanitizeSvgHrefValue$LWS; | ||
| exports.sanitizeSvgHref = sanitizeSvgHref$LWS; | ||
| exports.sanitizeSvgInnerHtml = sanitizeSvgInnerHtml$LWS; | ||
@@ -308,2 +311,2 @@ exports.sanitizeSvgTextReturnDOM = sanitizeSvgTextReturnDOM$LWS; | ||
| exports.svgSanitizer = svgSanitizer$LWS; | ||
| /*! version: 0.15.4 */ | ||
| /*! version: 0.15.5 */ |
| /*! | ||
| * Copyright (C) 2019 salesforce.com, inc. | ||
| */ | ||
| import { ArrayConcat, ArrayFilter, ArrayIncludes, WeakMapCtor, WeakMapGet, MapForEach, WeakMapSet, MapCtor, SetCtor, StringStartsWith, SetHas, SetAdd, SetDelete, StringSplit, StringReplace, StringToLowerCase } from '@locker/shared'; | ||
| import { DocumentCreateElement, NodeNameGetter, DocumentGetElementById, WindowSetInterval, XhrCtor, EventTargetAddEventListener, XhrStatusGetter, XhrResponseTextGetter, DocumentFragmentGetElementById, ElementSetAttribute, NodeAppendChild, XhrOpen, XhrSend, HTMLAnchorElementHrefSetter, HTMLAnchorElementHrefGetter, HTMLAnchorElementProtocolGetter, ElementQuerySelector, ElementInnerHTMLSetter, HTMLTemplateElementContentGetter, ElementInnerHTMLGetter, ElementOuterHTMLGetter, DocumentDocumentElementGetter, DOMImplementationCreateDocument, DocumentImplementation, NAMESPACE_XHTML, NodeOwnerDocumentGetter, DocumentCreateComment, DocumentCreateElementNS, NAMESPACE_SVG, ElementClosest, NodeClone, NodeFirstChildGetter, WindowClearInterval, DocumentBodyGetter } from '@locker/shared-dom'; | ||
| import DOMPurify from 'dompurify'; | ||
| import { ArrayConcat as ArrayConcat$LWS, ArrayFilter as ArrayFilter$LWS, ArrayIncludes as ArrayIncludes$LWS, WeakMapCtor as WeakMapCtor$LWS, WeakMapGet as WeakMapGet$LWS, MapForEach as MapForEach$LWS, WeakMapSet as WeakMapSet$LWS, MapCtor as MapCtor$LWS, SetCtor as SetCtor$LWS, StringStartsWith as StringStartsWith$LWS, SetHas as SetHas$LWS, SetAdd as SetAdd$LWS, SetDelete as SetDelete$LWS, StringSplit as StringSplit$LWS, StringReplace as StringReplace$LWS, StringToLowerCase as StringToLowerCase$LWS } from '@locker/shared'; | ||
| import { DocumentCreateElement as DocumentCreateElement$LWS, NodeNameGetter as NodeNameGetter$LWS, DocumentGetElementById as DocumentGetElementById$LWS, WindowSetInterval as WindowSetInterval$LWS, XhrCtor as XhrCtor$LWS, EventTargetAddEventListener as EventTargetAddEventListener$LWS, XhrStatusGetter as XhrStatusGetter$LWS, XhrResponseTextGetter as XhrResponseTextGetter$LWS, DocumentFragmentGetElementById as DocumentFragmentGetElementById$LWS, ElementSetAttribute as ElementSetAttribute$LWS, NodeAppendChild as NodeAppendChild$LWS, XhrOpen as XhrOpen$LWS, XhrSend as XhrSend$LWS, HTMLAnchorElementHrefSetter as HTMLAnchorElementHrefSetter$LWS, HTMLAnchorElementHrefGetter as HTMLAnchorElementHrefGetter$LWS, HTMLAnchorElementProtocolGetter as HTMLAnchorElementProtocolGetter$LWS, ElementQuerySelector as ElementQuerySelector$LWS, ElementInnerHTMLSetter as ElementInnerHTMLSetter$LWS, HTMLTemplateElementContentGetter as HTMLTemplateElementContentGetter$LWS, ElementInnerHTMLGetter as ElementInnerHTMLGetter$LWS, ElementOuterHTMLGetter as ElementOuterHTMLGetter$LWS, DocumentDocumentElementGetter as DocumentDocumentElementGetter$LWS, DOMImplementationCreateDocument as DOMImplementationCreateDocument$LWS, DocumentImplementation as DocumentImplementation$LWS, NAMESPACE_XHTML as NAMESPACE_XHTML$LWS, NodeOwnerDocumentGetter as NodeOwnerDocumentGetter$LWS, DocumentCreateComment as DocumentCreateComment$LWS, DocumentCreateElementNS as DocumentCreateElementNS$LWS, NAMESPACE_SVG as NAMESPACE_SVG$LWS, ElementClosest as ElementClosest$LWS, NodeClone as NodeClone$LWS, NodeFirstChildGetter as NodeFirstChildGetter$LWS, WindowClearInterval as WindowClearInterval$LWS, DocumentBodyGetter as DocumentBodyGetter$LWS } from '@locker/shared-dom'; | ||
| import DOMPurify$LWS from 'dompurify'; | ||
| const ariaAttributes$LWS = ['aria-activedescendant', 'aria-atomic', 'aria-autocomplete', 'aria-busy', 'aria-checked', 'aria-controls', 'aria-describedby', 'aria-disabled', 'aria-readonly', 'aria-dropeffect', 'aria-expanded', 'aria-flowto', 'aria-grabbed', 'aria-haspopup', 'aria-hidden', 'aria-disabled', 'aria-invalid', 'aria-label', 'aria-labelledby', 'aria-level', 'aria-live', 'aria-multiline', 'aria-multiselectable', 'aria-orientation', 'aria-owns', 'aria-posinset', 'aria-pressed', 'aria-readonly', 'aria-relevant', 'aria-required', 'aria-selected', 'aria-setsize', 'aria-sort', 'aria-valuemax', 'aria-valuemin', 'aria-valuenow', 'aria-valuetext', 'role', 'target']; | ||
| const htmlTags$LWS = ['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'body', 'br', 'button', 'caption', 'canvas', 'center', 'cite', 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'fieldset', 'figure', 'figcaption', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'i', 'iframe', 'img', 'input', 'ins', 'keygen', 'kbd', 'label', 'legend', 'li', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']; | ||
| const svgTags$LWS = ['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern', 'use']; | ||
| const allTags$LWS = ArrayConcat(svgTags$LWS, htmlTags$LWS); // generic, sanitizer attempts in place sanitization and returns node | ||
| const allTags$LWS = ArrayConcat$LWS(svgTags$LWS, htmlTags$LWS); // generic, sanitizer attempts in place sanitization and returns node | ||
@@ -32,3 +32,3 @@ const NODE_ALL_IN_PLACE$LWS = { | ||
| ADD_ATTR: ariaAttributes$LWS, | ||
| ALLOWED_TAGS: ArrayFilter(allTags$LWS, t$LWS => !ArrayIncludes(['iframe'], t$LWS)), | ||
| ALLOWED_TAGS: ArrayFilter$LWS(allTags$LWS, t$LWS => !ArrayIncludes$LWS(['iframe'], t$LWS)), | ||
| SANITIZE_DOM: false | ||
@@ -43,6 +43,6 @@ }; | ||
| }); | ||
| const instances$LWS = new WeakMapCtor(); | ||
| const instances$LWS = new WeakMapCtor$LWS(); | ||
| function sanitizer(config$LWS, hooks$LWS) { | ||
| let dompurify$LWS = WeakMapGet(instances$LWS, config$LWS); | ||
| function sanitizer$LWS(config$LWS, hooks$LWS) { | ||
| let dompurify$LWS = WeakMapGet$LWS(instances$LWS, config$LWS); | ||
@@ -53,7 +53,7 @@ if (dompurify$LWS) { | ||
| dompurify$LWS = DOMPurify(); | ||
| dompurify$LWS = DOMPurify$LWS(); | ||
| dompurify$LWS.setConfig(config$LWS); | ||
| if (hooks$LWS) { | ||
| MapForEach(hooks$LWS, (cb$LWS, hookName$LWS) => { | ||
| MapForEach$LWS(hooks$LWS, (cb$LWS, hookName$LWS) => { | ||
| dompurify$LWS.addHook(hookName$LWS, cb$LWS); | ||
@@ -63,3 +63,3 @@ }); | ||
| WeakMapSet(instances$LWS, config$LWS, dompurify$LWS); | ||
| WeakMapSet$LWS(instances$LWS, config$LWS, dompurify$LWS); | ||
| return dompurify$LWS; | ||
@@ -69,3 +69,3 @@ } | ||
| const ATTRIBUTES$LWS = ['href', 'xlink:href']; | ||
| const SANITIZER_HOOKS$LWS = new MapCtor([['uponSanitizeAttribute', sanitizeHrefAttributeHook], ['uponSanitizeElement', allowCustomTagHook]]); | ||
| const SANITIZER_HOOKS$LWS = new MapCtor$LWS([['uponSanitizeAttribute', sanitizeHrefAttributeHook$LWS], ['uponSanitizeElement', allowCustomTagHook$LWS]]); | ||
| const URL_SCHEMES$LWS = ['http:', 'https:']; | ||
@@ -75,6 +75,6 @@ const { | ||
| } = window; | ||
| const htmlTemplate$LWS = DocumentCreateElement(document$LWS, 'template'); | ||
| const normalizerAnchor$LWS = DocumentCreateElement(document$LWS, 'a'); // Queue for managing pending xhr requests. | ||
| const htmlTemplate$LWS = DocumentCreateElement$LWS(document$LWS, 'template'); | ||
| const normalizerAnchor$LWS = DocumentCreateElement$LWS(document$LWS, 'a'); // Queue for managing pending xhr requests. | ||
| const queue$LWS = new SetCtor(); // Regex to find all non lowercase alphanumeric. | ||
| const queue$LWS = new SetCtor$LWS(); // Regex to find all non lowercase alphanumeric. | ||
@@ -88,7 +88,7 @@ const urlReplacer$LWS = /[^a-z0-9]+/gi; // The Regex is based on the WHATWG spec: | ||
| function checkExistingAndDequeue$LWS(container$LWS, normalizedHref$LWS) { | ||
| if (SetHas(queue$LWS, normalizedHref$LWS.normalizedUrl)) { | ||
| if (SetHas$LWS(queue$LWS, normalizedHref$LWS.normalizedUrl)) { | ||
| const checkFn$LWS = () => { | ||
| if (!SetHas(queue$LWS, normalizedHref$LWS.normalizedUrl)) { | ||
| if (!SetHas$LWS(queue$LWS, normalizedHref$LWS.normalizedUrl)) { | ||
| updater$LWS(container$LWS, normalizedHref$LWS); | ||
| WindowClearInterval(window, interval$LWS); | ||
| WindowClearInterval$LWS(window, interval$LWS); | ||
| } | ||
@@ -98,3 +98,3 @@ }; // Wait for request to finish, then update content. | ||
| const interval$LWS = WindowSetInterval(window, checkFn$LWS, 50); | ||
| const interval$LWS = WindowSetInterval$LWS(window, checkFn$LWS, 50); | ||
| } else { | ||
@@ -106,7 +106,7 @@ updater$LWS(container$LWS, normalizedHref$LWS); | ||
| function createUrlContainer$LWS(url$LWS) { | ||
| const container$LWS = DocumentCreateElement(document$LWS, 'div'); | ||
| ElementSetAttribute(container$LWS, 'style', 'display:none'); | ||
| ElementSetAttribute(container$LWS, 'id', url$LWS); | ||
| const body$LWS = DocumentBodyGetter(document$LWS); | ||
| NodeAppendChild(body$LWS, container$LWS); | ||
| const container$LWS = DocumentCreateElement$LWS(document$LWS, 'div'); | ||
| ElementSetAttribute$LWS(container$LWS, 'style', 'display:none'); | ||
| ElementSetAttribute$LWS(container$LWS, 'id', url$LWS); | ||
| const body$LWS = DocumentBodyGetter$LWS(document$LWS); | ||
| NodeAppendChild$LWS(body$LWS, container$LWS); | ||
| return container$LWS; | ||
@@ -119,36 +119,39 @@ } | ||
| SetAdd(queue$LWS, normalizedHref$LWS.normalizedUrl); // Initiate an XHR to fetch the resource. | ||
| SetAdd$LWS(queue$LWS, normalizedHref$LWS.normalizedUrl); // Initiate an XHR to fetch the resource. | ||
| const xhr$LWS = new XhrCtor(); | ||
| EventTargetAddEventListener(xhr$LWS, 'load', () => { | ||
| const status$LWS = XhrStatusGetter(xhr$LWS); // istanbul ignore next: the following is well tested via integration-karma | ||
| const xhr$LWS = new XhrCtor$LWS(); | ||
| EventTargetAddEventListener$LWS(xhr$LWS, 'load', () => { | ||
| const status$LWS = XhrStatusGetter$LWS(xhr$LWS); // istanbul ignore next: the following is well tested via integration-karma | ||
| if (status$LWS === 200) { | ||
| // Retrieved content should be sanitized immediately. | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM(XhrResponseTextGetter(xhr$LWS)); // Look for the container again in case other requests have finished | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(XhrResponseTextGetter$LWS(xhr$LWS)); // Look for the container again in case other requests have finished | ||
| // earlier for the same URL. | ||
| if (normalizedHref$LWS.requestedFragment) { | ||
| const el$LWS = DocumentFragmentGetElementById(fragment$LWS, normalizedHref$LWS.requestedFragment); | ||
| const el$LWS = DocumentFragmentGetElementById$LWS(fragment$LWS, normalizedHref$LWS.requestedFragment); | ||
| if (el$LWS) { | ||
| ElementSetAttribute(el$LWS, 'id', normalizedHref$LWS.normalizedFragment); | ||
| ElementSetAttribute$LWS(el$LWS, 'id', normalizedHref$LWS.normalizedFragment); | ||
| } | ||
| } | ||
| NodeAppendChild(container$LWS, fragment$LWS); | ||
| SetDelete(queue$LWS, normalizedHref$LWS.normalizedUrl); | ||
| NodeAppendChild$LWS(container$LWS, fragment$LWS); | ||
| SetDelete$LWS(queue$LWS, normalizedHref$LWS.normalizedUrl); | ||
| } | ||
| }); | ||
| XhrOpen(xhr$LWS, 'GET', normalizedHref$LWS.requestedUrl); | ||
| XhrSend(xhr$LWS); | ||
| XhrOpen$LWS(xhr$LWS, 'GET', normalizedHref$LWS.requestedUrl); | ||
| XhrSend$LWS(xhr$LWS); | ||
| } | ||
| function parseHref$LWS(url$LWS) { | ||
| HTMLAnchorElementHrefSetter(normalizerAnchor$LWS, url$LWS); | ||
| const href$LWS = HTMLAnchorElementHrefGetter(normalizerAnchor$LWS); | ||
| const protocol$LWS = HTMLAnchorElementProtocolGetter(normalizerAnchor$LWS); | ||
| const [requestedUrl$LWS, requestedFragment$LWS] = StringSplit(href$LWS, '#'); | ||
| const normalizedUrl$LWS = StringReplace(StringToLowerCase(requestedUrl$LWS), urlReplacer$LWS, ''); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedUrl$LWS}_${StringReplace(requestedFragment$LWS, urlReplacer$LWS, '')}` : ''; | ||
| HTMLAnchorElementHrefSetter$LWS(normalizerAnchor$LWS, url$LWS); | ||
| const href$LWS = HTMLAnchorElementHrefGetter$LWS(normalizerAnchor$LWS); | ||
| const protocol$LWS = HTMLAnchorElementProtocolGetter$LWS(normalizerAnchor$LWS); | ||
| const { | ||
| 0: requestedUrl$LWS, | ||
| 1: requestedFragment$LWS | ||
| } = StringSplit$LWS(href$LWS, '#'); | ||
| const normalizedUrl$LWS = StringReplace$LWS(StringToLowerCase$LWS(requestedUrl$LWS), urlReplacer$LWS, ''); | ||
| const normalizedFragment$LWS = requestedFragment$LWS ? `${normalizedUrl$LWS}_${StringReplace$LWS(requestedFragment$LWS, urlReplacer$LWS, '')}` : ''; | ||
| return { | ||
@@ -168,8 +171,8 @@ normalizedFragment: normalizedFragment$LWS, | ||
| } = normalizedHref$LWS; | ||
| let el$LWS = ElementQuerySelector(container$LWS, `#${normalizedFragment$LWS}`); | ||
| let el$LWS = ElementQuerySelector$LWS(container$LWS, `#${normalizedFragment$LWS}`); | ||
| if (!el$LWS) { | ||
| try { | ||
| el$LWS = ElementQuerySelector(container$LWS, `#${requestedFragment$LWS}`); | ||
| ElementSetAttribute(el$LWS, 'id', normalizedFragment$LWS); | ||
| el$LWS = ElementQuerySelector$LWS(container$LWS, `#${requestedFragment$LWS}`); | ||
| ElementSetAttribute$LWS(el$LWS, 'id', normalizedFragment$LWS); | ||
| } catch (_unused$LWS) {// Catch all malformed CSS3 selectors. | ||
@@ -183,23 +186,23 @@ // getElementById not available on Node. | ||
| function blobSanitizer() { | ||
| return sanitizer(STRING_BLOB_HTML$LWS, SANITIZER_HOOKS$LWS); | ||
| function blobSanitizer$LWS() { | ||
| return sanitizer$LWS(STRING_BLOB_HTML$LWS, SANITIZER_HOOKS$LWS); | ||
| } | ||
| function svgSanitizer() { | ||
| return sanitizer(NODE_SVG$LWS, SANITIZER_HOOKS$LWS); | ||
| function svgSanitizer$LWS() { | ||
| return sanitizer$LWS(NODE_SVG$LWS, SANITIZER_HOOKS$LWS); | ||
| } | ||
| function sanitize(dirty$LWS) { | ||
| ElementInnerHTMLSetter(htmlTemplate$LWS, dirty$LWS); | ||
| const content$LWS = HTMLTemplateElementContentGetter(htmlTemplate$LWS); | ||
| const sanitizer$1$LWS = sanitizer(NODE_ALL_IN_PLACE$LWS, SANITIZER_HOOKS$LWS); | ||
| function sanitize$LWS(dirty$LWS) { | ||
| ElementInnerHTMLSetter$LWS(htmlTemplate$LWS, dirty$LWS); | ||
| const content$LWS = HTMLTemplateElementContentGetter$LWS(htmlTemplate$LWS); | ||
| const sanitizer$1$LWS = sanitizer$LWS(NODE_ALL_IN_PLACE$LWS, SANITIZER_HOOKS$LWS); | ||
| sanitizer$1$LWS.sanitize(content$LWS); | ||
| return ElementInnerHTMLGetter(htmlTemplate$LWS); | ||
| return ElementInnerHTMLGetter$LWS(htmlTemplate$LWS); | ||
| } | ||
| function sanitizeDocument(doc$LWS) { | ||
| const content$LWS = ElementOuterHTMLGetter(DocumentDocumentElementGetter(doc$LWS)); | ||
| const contentSanitized$LWS = sanitize(content$LWS); | ||
| const newDoc$LWS = DOMImplementationCreateDocument(DocumentImplementation(doc$LWS), NAMESPACE_XHTML, 'html'); | ||
| ElementInnerHTMLSetter(DocumentDocumentElementGetter(newDoc$LWS), contentSanitized$LWS); | ||
| function sanitizeDocument$LWS(doc$LWS) { | ||
| const content$LWS = ElementOuterHTMLGetter$LWS(DocumentDocumentElementGetter$LWS(doc$LWS)); | ||
| const contentSanitized$LWS = sanitize$LWS(content$LWS); | ||
| const newDoc$LWS = DOMImplementationCreateDocument$LWS(DocumentImplementation$LWS(doc$LWS), NAMESPACE_XHTML$LWS, 'html'); | ||
| ElementInnerHTMLSetter$LWS(DocumentDocumentElementGetter$LWS(newDoc$LWS), contentSanitized$LWS); | ||
| return newDoc$LWS; | ||
@@ -209,3 +212,3 @@ } // Sanitize a URL representing a SVG href attribute value. | ||
| function sanitizeHrefAttributeHook(node$LWS, data$LWS, _config$LWS) { | ||
| function sanitizeHrefAttributeHook$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| const { | ||
@@ -215,6 +218,6 @@ attrValue: attrValue$LWS, | ||
| } = data$LWS; | ||
| const nodeName$LWS = NodeNameGetter(node$LWS); | ||
| const nodeName$LWS = NodeNameGetter$LWS(node$LWS); | ||
| if (attrValue$LWS && nodeName$LWS === 'USE' && ArrayIncludes(ATTRIBUTES$LWS, attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHrefValue(attrValue$LWS); | ||
| if (attrValue$LWS && nodeName$LWS === 'USE' && ArrayIncludes$LWS(ATTRIBUTES$LWS, attrName$LWS)) { | ||
| data$LWS.attrValue = sanitizeSvgHref$LWS(attrValue$LWS); | ||
| } | ||
@@ -225,4 +228,4 @@ | ||
| function sanitizeSvgHrefValue(url$LWS) { | ||
| if (StringStartsWith(url$LWS, '#')) { | ||
| function sanitizeSvgHref$LWS(url$LWS) { | ||
| if (StringStartsWith$LWS(url$LWS, '#')) { | ||
| return url$LWS; | ||
@@ -233,4 +236,4 @@ } | ||
| if (ArrayIncludes(URL_SCHEMES$LWS, normalizedHref$LWS.protocol)) { | ||
| const container$LWS = DocumentGetElementById(document$LWS, normalizedHref$LWS.normalizedUrl); // Have we sanitized this URL already? | ||
| if (ArrayIncludes$LWS(URL_SCHEMES$LWS, normalizedHref$LWS.protocol)) { | ||
| const container$LWS = DocumentGetElementById$LWS(document$LWS, normalizedHref$LWS.normalizedUrl); // Have we sanitized this URL already? | ||
@@ -252,9 +255,9 @@ if (container$LWS && normalizedHref$LWS.normalizedFragment) { | ||
| function createSvgContainer$LWS(ownerDoc$LWS) { | ||
| return DocumentCreateElementNS(ownerDoc$LWS, NAMESPACE_SVG, 'svg'); | ||
| return DocumentCreateElementNS$LWS(ownerDoc$LWS, NAMESPACE_SVG$LWS, 'svg'); | ||
| } | ||
| function sanitizeSvgInnerHtml(stringOrSvg$LWS, dirty$LWS = '') { | ||
| function sanitizeSvgInnerHtml$LWS(stringOrSvg$LWS, dirty$LWS = '') { | ||
| let container$LWS; | ||
| const ownerDoc$LWS = typeof stringOrSvg$LWS === 'string' ? document$LWS : NodeOwnerDocumentGetter(stringOrSvg$LWS); | ||
| const comment$LWS = DocumentCreateComment(ownerDoc$LWS, ''); | ||
| const ownerDoc$LWS = typeof stringOrSvg$LWS === 'string' ? document$LWS : NodeOwnerDocumentGetter$LWS(stringOrSvg$LWS); | ||
| const comment$LWS = DocumentCreateComment$LWS(ownerDoc$LWS, ''); | ||
@@ -265,20 +268,20 @@ if (typeof stringOrSvg$LWS === 'string') { | ||
| } else { | ||
| const closestSvg$LWS = ElementClosest(stringOrSvg$LWS, 'svg'); | ||
| container$LWS = closestSvg$LWS ? NodeClone(closestSvg$LWS, false) : createSvgContainer$LWS(ownerDoc$LWS); | ||
| const closestSvg$LWS = ElementClosest$LWS(stringOrSvg$LWS, 'svg'); | ||
| container$LWS = closestSvg$LWS ? NodeClone$LWS(closestSvg$LWS, false) : createSvgContainer$LWS(ownerDoc$LWS); | ||
| } | ||
| NodeAppendChild(container$LWS, comment$LWS); | ||
| const outerHTML$LWS = ElementOuterHTMLGetter(container$LWS); | ||
| const replacedOuterHTML$LWS = StringReplace(outerHTML$LWS, '<!---->', dirty$LWS); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM(replacedOuterHTML$LWS); | ||
| const firstChild$LWS = NodeFirstChildGetter(fragment$LWS); | ||
| return ElementInnerHTMLGetter(firstChild$LWS); | ||
| NodeAppendChild$LWS(container$LWS, comment$LWS); | ||
| const outerHTML$LWS = ElementOuterHTMLGetter$LWS(container$LWS); | ||
| const replacedOuterHTML$LWS = StringReplace$LWS(outerHTML$LWS, '<!---->', dirty$LWS); | ||
| const fragment$LWS = sanitizeSvgTextReturnDOM$LWS(replacedOuterHTML$LWS); | ||
| const firstChild$LWS = NodeFirstChildGetter$LWS(fragment$LWS); | ||
| return ElementInnerHTMLGetter$LWS(firstChild$LWS); | ||
| } | ||
| function sanitizeSvgTextReturnDOM(dirty$LWS) { | ||
| const sanitizer = svgSanitizer(); | ||
| return sanitizer.sanitize(dirty$LWS); | ||
| function sanitizeSvgTextReturnDOM$LWS(dirty$LWS) { | ||
| const sanitizer$LWS = svgSanitizer$LWS(); | ||
| return sanitizer$LWS.sanitize(dirty$LWS); | ||
| } | ||
| function allowCustomTagHook(node$LWS, data$LWS, _config$LWS) { | ||
| function allowCustomTagHook$LWS(node$LWS, data$LWS, _config$LWS) { | ||
| const { | ||
@@ -294,3 +297,3 @@ allowedTags: allowedTags$LWS, | ||
| export { config$LWS as CONFIG, allowCustomTagHook, blobSanitizer, sanitize, sanitizeDocument, sanitizeHrefAttributeHook, sanitizeSvgHrefValue, sanitizeSvgInnerHtml, sanitizeSvgTextReturnDOM, sanitizer, svgSanitizer }; | ||
| /*! version: 0.15.4 */ | ||
| export { config$LWS as CONFIG, allowCustomTagHook$LWS as allowCustomTagHook, blobSanitizer$LWS as blobSanitizer, sanitize$LWS as sanitize, sanitizeDocument$LWS as sanitizeDocument, sanitizeHrefAttributeHook$LWS as sanitizeHrefAttributeHook, sanitizeSvgHref$LWS as sanitizeSvgHref, sanitizeSvgInnerHtml$LWS as sanitizeSvgInnerHtml, sanitizeSvgTextReturnDOM$LWS as sanitizeSvgTextReturnDOM, sanitizer$LWS as sanitizer, svgSanitizer$LWS as svgSanitizer }; | ||
| /*! version: 0.15.5 */ |
| { | ||
| "name": "@locker/html-sanitizer", | ||
| "version": "0.15.4", | ||
| "version": "0.15.5", | ||
| "license": "Salesforce Developer Agreement", | ||
@@ -20,4 +20,4 @@ "author": "Salesforce UI Security Team", | ||
| "dependencies": { | ||
| "@locker/shared": "0.15.4", | ||
| "@locker/shared-dom": "0.15.4", | ||
| "@locker/shared": "0.15.5", | ||
| "@locker/shared-dom": "0.15.5", | ||
| "@types/dompurify": "2.3.1", | ||
@@ -30,3 +30,3 @@ "dompurify": "2.3.4" | ||
| ], | ||
| "gitHead": "bc643ba0793f6915a3c4ff4e95ac1cba6c1b5165" | ||
| "gitHead": "9908c09daf0ae97dc6ea9afc4bfeee6dc8ad085d" | ||
| } |
@@ -10,3 +10,3 @@ import { Config, HookEvent } from 'dompurify'; | ||
| export declare function sanitizeHrefAttributeHook(node: Node, data: HookEvent, _config: Config): HookEvent; | ||
| export declare function sanitizeSvgHrefValue(url: string): string; | ||
| export declare function sanitizeSvgHref(url: string): string; | ||
| export declare function sanitizeSvgInnerHtml(stringOrSvg: string | SVGElement, dirty?: string): string; | ||
@@ -13,0 +13,0 @@ export declare function sanitizeSvgTextReturnDOM(dirty: string): DocumentFragment; |
Sorry, the diff of this file is not supported yet
New alerts
New author
Supply chain riskA new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by6.11%
39931
- Lines of code
- increased by2.5%
534
Worsened metrics
- Number of medium supply chain risk alerts
- increased byInfinity%
1
Dependency changes
+ Added@locker/shared@0.15.5(transitive)
+ Added@locker/shared-dom@0.15.5(transitive)
- Removed@locker/shared@0.15.4(transitive)
- Removed@locker/shared-dom@0.15.4(transitive)
Updated@locker/shared@0.15.5
Updated@locker/shared-dom@0.15.5