Comparing version 0.4.3 to 0.4.4
{ | ||
"name": "DOMPurify", | ||
"version": "0.4.3", | ||
"version": "0.4.4", | ||
"homepage": "https://github.com/cure53/DOMPurify", | ||
@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>", |
@@ -15,3 +15,3 @@ { | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "0.4.3", | ||
"version": "0.4.4", | ||
"main": "purify.js", | ||
@@ -18,0 +18,0 @@ "directories": { |
@@ -148,2 +148,7 @@ /* jshint boss: true */ | ||
/* Shield configuration object from tampering */ | ||
if (typeof cfg !== 'object'){ | ||
cfg = {}; | ||
} | ||
/* Set configuration parameters */ | ||
@@ -175,2 +180,7 @@ 'ALLOWED_ATTR' in cfg ? ALLOWED_ATTR = cfg.ALLOWED_ATTR : null; | ||
/* Exit directly if we have nothing to do */ | ||
if (typeof dirty === 'string' && dirty.indexOf('<') === -1) { | ||
return dirty; | ||
} | ||
/* Create documents to map markup to */ | ||
@@ -185,3 +195,4 @@ var dom = document.implementation.createHTMLDocument(''); | ||
dom.body.innerHTML = dirty; | ||
if(dom.body.firstChild.nodeName && !WHOLE_DOCUMENT | ||
if(dom.body.firstChild && dom.body.firstChild.nodeName | ||
&& !WHOLE_DOCUMENT | ||
&& dom.body.firstChild.nodeName === 'STYLE'){ | ||
@@ -338,3 +349,4 @@ dom.body.removeChild(dom.body.firstChild); | ||
if(SANITIZE_DOM) { | ||
if(tmp.name === 'id' && window[tmp.value]) { | ||
if(tmp.name === 'id' | ||
&& (window[tmp.value] || document[tmp.value])) { | ||
clobbering = true; | ||
@@ -395,2 +407,7 @@ } | ||
}; | ||
/* Feature check and untouched opt-out return */ | ||
if(typeof document.implementation.createHTMLDocument === 'undefined') { | ||
return dirty; | ||
} | ||
@@ -403,5 +420,5 @@ /* Assign config vars */ | ||
/* Early exit in case document is empty */ | ||
if(typeof body === 'undefined') { | ||
return ''; | ||
/* Early exit in case document is empty */ | ||
if(typeof body !== 'object') { | ||
return body ? body : ''; | ||
} | ||
@@ -408,0 +425,0 @@ |
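Review bot: The feature-check return at the `typeof document.implementation.createHTMLDocument === 'undefined'` branch is fail-open: on a browser without that API the sanitizer hands `dirty` back untouched, and the caller receives the same string type it would get from a successful run, so nothing in the return value distinguishes "sanitized" from "not supported" (the README hunk below says as much with "It simply does nothing there"). A consumer that inserts the result into the page cannot fail closed unless it is told; consider exposing a boolean property on the public object that is set from this same check (e.g. `isSupported`, computed once at load), and commenting the branch with `/* No usable DOM API: input is returned UNSANITIZED; callers should check the support flag and fail closed */`. The enclosing function starts and ends outside this hunk, so where the flag would be declared is not visible here. The same fail-open shape applies to the no-`<` early exit in the `-175,2 +180,7` hunk, which is safe for element context but still returns untouched input.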
# DOMPurify | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. | ||
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. | ||
## What does it do? | ||
@@ -6,0 +8,0 @@ |