@locker/html-sanitizer - npm Package Compare versions

Comparing version 0.21.5 to 0.22.1

4

dist/index.cjs.d.ts
import { SandboxKey } from '@locker/shared';
import createDOMPurify from "dompurify";
import { HookEvent, Config, DOMPurifyI, HookName, SanitizeAttributeHookEvent } from "dompurify";
import { SanitizeAttributeHookEvent, Config, DOMPurifyI, HookEvent, HookName } from "dompurify";
type BaseDOMPurifyConfigName = "NODE_ALL_IN_PLACE" | "NODE_SVG" | "STRING_BLOB_HTML";

@@ -28,3 +28,3 @@ interface DOMPurifyConfig extends Config {

// Sanitize a URL representing a SVG href attribute value.
declare function uponSanitizeAttribute(node: Node, data: HookEvent, _config: DOMPurifyConfig): createDOMPurify.HookEvent;
declare function uponSanitizeAttribute(node: Node, data: SanitizeAttributeHookEvent, _config: DOMPurifyConfig): createDOMPurify.SanitizeAttributeHookEvent;
declare function blobSanitizer(sandboxKey: SandboxKey): ReturnType<typeof getSanitizerForConfig>;

@@ -31,0 +31,0 @@ export { getSanitizerForConfig, sanitizeSvgHref, sanitizeSvgTextReturnDOM, uponSanitizeAttribute, blobSanitizer, BaseDOMPurifyConfigName, DOMPurifyConfig, DOMPurifyInterface, HookCallback, HooksRegistry, NormalizedHref };

@@ -20,6 +20,8 @@ /*!

var createDOMPurify__default$LWS = /*#__PURE__*/_interopDefaultLegacy$LWS(createDOMPurify$LWS);
const additionalAttributes$LWS = ['role', 'target'];
const additionalAttributes$LWS = ['role', 'part', 'target'];
const htmlTags$LWS = ['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'body', 'br', 'button', 'caption', 'canvas', 'center', 'cite', 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'fieldset', 'figure', 'figcaption', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'i', 'iframe', 'img', 'input', 'ins', 'keygen', 'kbd', 'label', 'legend', 'li', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr'];
const miscTags$LWS = ['#comment', '#document-fragment'];
const svgTags$LWS = ['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern', 'use'];
const allTags$LWS = shared$LWS.ArrayConcat(htmlTags$LWS, svgTags$LWS);
const allHTMLTags$LWS = shared$LWS.ArrayConcat(htmlTags$LWS, svgTags$LWS, miscTags$LWS);
const allSVGTags$LWS = shared$LWS.ArrayConcat(svgTags$LWS, miscTags$LWS);
const CUSTOM_ELEMENT_HANDLING$LWS = {

@@ -40,3 +42,3 @@ attributeNameCheck: /.+/,

// https://github.com/cure53/DOMPurify/issues/664
ALLOWED_TAGS: shared$LWS.ArrayConcat(allTags$LWS, '#document-fragment'),
ALLOWED_TAGS: shared$LWS.shallowCloneArray(allHTMLTags$LWS),
CUSTOM_ELEMENT_HANDLING: shared$LWS.ObjectAssign({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -51,3 +53,3 @@ IN_PLACE: true,

ADD_ATTR: shared$LWS.shallowCloneArray(additionalAttributes$LWS),
ALLOWED_TAGS: shared$LWS.shallowCloneArray(svgTags$LWS),
ALLOWED_TAGS: shared$LWS.shallowCloneArray(allSVGTags$LWS),
CUSTOM_ELEMENT_HANDLING: shared$LWS.ObjectAssign({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -62,3 +64,3 @@ RETURN_DOM_FRAGMENT: true,

ADD_ATTR: shared$LWS.shallowCloneArray(additionalAttributes$LWS),
ALLOWED_TAGS: shared$LWS.ReflectApply(shared$LWS.ArrayProtoFilter, allTags$LWS, [tag$LWS => tag$LWS !== 'iframe']),
ALLOWED_TAGS: shared$LWS.ReflectApply(shared$LWS.ArrayProtoFilter, allHTMLTags$LWS, [tag$LWS => tag$LWS !== 'iframe']),
CUSTOM_ELEMENT_HANDLING: shared$LWS.ObjectAssign({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -260,2 +262,10 @@ SANITIZE_DOM: false,

}
// To support Lit, we must tell DOMPurify that attributes starting with "@", ".", or "?" are allowed.
// Ref:
// https://lit.dev/docs/components/events/
// https://lit.dev/docs/templates/expressions/#property-expressions
// https://lit.dev/docs/templates/expressions/#boolean-attribute-expressions
if (attrName$LWS && (shared$LWS.ReflectApply(shared$LWS.StringProtoStartsWith, attrName$LWS, ['@']) || shared$LWS.ReflectApply(shared$LWS.StringProtoStartsWith, attrName$LWS, ['.']) || shared$LWS.ReflectApply(shared$LWS.StringProtoStartsWith, attrName$LWS, ['?']))) {
data$LWS.forceKeepAttr = true;
}
return data$LWS;

@@ -274,2 +284,2 @@ }

exports.uponSanitizeAttribute = uponSanitizeAttribute$LWS;
/*! version: 0.21.5 */
/*! version: 0.22.1 */
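Review bot: The new branch at the end of the `@@ -260,2 +262,10 @@` hunk sets `data$LWS.forceKeepAttr = true` based on the attribute name alone, so every attribute whose name starts with `@`, `.` or `?` is retained with its value untouched; DOMPurify honours forceKeepAttr by keeping the attribute and skipping its remaining attribute checks, so the values of such attributes are no longer validated at all. The enclosing function (uponSanitizeAttribute$LWS) starts outside the hunk, so it is not visible whether a narrower gate precedes this check, but as written the exemption applies to every sanitizer configuration this hook serves, not only the Lit templates the comment describes. It would be worth either limiting the exemption to the configurations where Lit markup is expected (for instance a flag on DOMPurifyConfig, which index.cjs.d.ts shows the hook receiving as `_config`) or, at minimum, extending the comment to make the trade-off explicit, e.g. `// NOTE: forceKeepAttr bypasses DOMPurify's value checks for these names; the attribute value is passed through as-is.` The same addition appears in the ESM build at `@@ -249,2 +251,10 @@` and the note applies there too.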
import { SandboxKey } from '@locker/shared';
import createDOMPurify from "dompurify";
import { HookEvent, Config, DOMPurifyI, HookName, SanitizeAttributeHookEvent } from "dompurify";
import { SanitizeAttributeHookEvent, Config, DOMPurifyI, HookEvent, HookName } from "dompurify";
type BaseDOMPurifyConfigName = "NODE_ALL_IN_PLACE" | "NODE_SVG" | "STRING_BLOB_HTML";

@@ -28,3 +28,3 @@ interface DOMPurifyConfig extends Config {

// Sanitize a URL representing a SVG href attribute value.
declare function uponSanitizeAttribute(node: Node, data: HookEvent, _config: DOMPurifyConfig): createDOMPurify.HookEvent;
declare function uponSanitizeAttribute(node: Node, data: SanitizeAttributeHookEvent, _config: DOMPurifyConfig): createDOMPurify.SanitizeAttributeHookEvent;
declare function blobSanitizer(sandboxKey: SandboxKey): ReturnType<typeof getSanitizerForConfig>;

@@ -31,0 +31,0 @@ export { getSanitizerForConfig, sanitizeSvgHref, sanitizeSvgTextReturnDOM, uponSanitizeAttribute, blobSanitizer, BaseDOMPurifyConfigName, DOMPurifyConfig, DOMPurifyInterface, HookCallback, HooksRegistry, NormalizedHref };

@@ -9,6 +9,8 @@ /*!

import { trusted as trusted$LWS } from '@locker/trusted-types';
const additionalAttributes$LWS = ['role', 'target'];
const additionalAttributes$LWS = ['role', 'part', 'target'];
const htmlTags$LWS = ['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blockquote', 'body', 'br', 'button', 'caption', 'canvas', 'center', 'cite', 'code', 'col', 'colgroup', 'command', 'datalist', 'dd', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'em', 'fieldset', 'figure', 'figcaption', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'i', 'iframe', 'img', 'input', 'ins', 'keygen', 'kbd', 'label', 'legend', 'li', 'map', 'mark', 'menu', 'meter', 'nav', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'small', 'source', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr'];
const miscTags$LWS = ['#comment', '#document-fragment'];
const svgTags$LWS = ['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern', 'use'];
const allTags$LWS = ArrayConcat$LWS(htmlTags$LWS, svgTags$LWS);
const allHTMLTags$LWS = ArrayConcat$LWS(htmlTags$LWS, svgTags$LWS, miscTags$LWS);
const allSVGTags$LWS = ArrayConcat$LWS(svgTags$LWS, miscTags$LWS);
const CUSTOM_ELEMENT_HANDLING$LWS = {

@@ -29,3 +31,3 @@ attributeNameCheck: /.+/,

// https://github.com/cure53/DOMPurify/issues/664
ALLOWED_TAGS: ArrayConcat$LWS(allTags$LWS, '#document-fragment'),
ALLOWED_TAGS: shallowCloneArray$LWS(allHTMLTags$LWS),
CUSTOM_ELEMENT_HANDLING: ObjectAssign$LWS({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -40,3 +42,3 @@ IN_PLACE: true,

ADD_ATTR: shallowCloneArray$LWS(additionalAttributes$LWS),
ALLOWED_TAGS: shallowCloneArray$LWS(svgTags$LWS),
ALLOWED_TAGS: shallowCloneArray$LWS(allSVGTags$LWS),
CUSTOM_ELEMENT_HANDLING: ObjectAssign$LWS({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -51,3 +53,3 @@ RETURN_DOM_FRAGMENT: true,

ADD_ATTR: shallowCloneArray$LWS(additionalAttributes$LWS),
ALLOWED_TAGS: ReflectApply$LWS(ArrayProtoFilter$LWS, allTags$LWS, [tag$LWS => tag$LWS !== 'iframe']),
ALLOWED_TAGS: ReflectApply$LWS(ArrayProtoFilter$LWS, allHTMLTags$LWS, [tag$LWS => tag$LWS !== 'iframe']),
CUSTOM_ELEMENT_HANDLING: ObjectAssign$LWS({}, CUSTOM_ELEMENT_HANDLING$LWS),

@@ -249,2 +251,10 @@ SANITIZE_DOM: false,

}
// To support Lit, we must tell DOMPurify that attributes starting with "@", ".", or "?" are allowed.
// Ref:
// https://lit.dev/docs/components/events/
// https://lit.dev/docs/templates/expressions/#property-expressions
// https://lit.dev/docs/templates/expressions/#boolean-attribute-expressions
if (attrName$LWS && (ReflectApply$LWS(StringProtoStartsWith$LWS, attrName$LWS, ['@']) || ReflectApply$LWS(StringProtoStartsWith$LWS, attrName$LWS, ['.']) || ReflectApply$LWS(StringProtoStartsWith$LWS, attrName$LWS, ['?']))) {
data$LWS.forceKeepAttr = true;
}
return data$LWS;

@@ -259,2 +269,2 @@ }

export { blobSanitizer$LWS as blobSanitizer, getSanitizerForConfig$LWS as getSanitizerForConfig, sanitizeSvgHref$LWS as sanitizeSvgHref, sanitizeSvgTextReturnDOM$LWS as sanitizeSvgTextReturnDOM, uponSanitizeAttribute$LWS as uponSanitizeAttribute };
/*! version: 0.21.5 */
/*! version: 0.22.1 */
{
"name": "@locker/html-sanitizer",
"version": "0.21.5",
"version": "0.22.1",
"license": "SEE LICENSE IN LICENSE.txt",

@@ -19,6 +19,6 @@ "author": "Salesforce UI Security Team",

"dependencies": {
"@locker/shared": "0.21.5",
"@locker/shared-dom": "0.21.5",
"@locker/shared-url": "0.21.5",
"@locker/trusted-types": "0.21.5",
"@locker/shared": "0.22.1",
"@locker/shared-dom": "0.22.1",
"@locker/shared-url": "0.22.1",
"@locker/trusted-types": "0.22.1",
"@types/dompurify": "3.0.2",

@@ -25,0 +25,0 @@ "dompurify": "3.0.5"
