dompurify - npm Package Compare versions

Comparing version 0.6.0 to 0.6.1

bower.json

 {
   "name": "DOMPurify",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "homepage": "https://github.com/cure53/DOMPurify",
@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>",

package.json

@@ -14,4 +14,4 @@ {
   "name": "dompurify",
-  "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "0.6.0",
+  "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
+  "version": "0.6.1",
   "main": "purify.js",
@@ -18,0 +18,0 @@ "directories": {

purify.js

@@ -22,3 +22,3 @@ /* jshint boss: true */
      */
-    DOMPurify.version = '0.6.0';
+    DOMPurify.version = '0.6.1';
     
@@ -220,13 +220,2 @@ /**
 
-            /* Cover IE9's buggy outerHTML behavior */
-            if (dom.body === null) {
-                dom = document.implementation.createHTMLDocument('');
-                dom.body.innerHTML = dirty;
-                if (dom.body.firstChild && dom.body.firstChild.nodeName
-                    && !WHOLE_DOCUMENT
-                    && dom.body.firstChild.nodeName === 'STYLE'){
-                    dom.body.removeChild(dom.body.firstChild);
-                }
-            }
-
             /* Work on whole document or just its body */
@@ -288,2 +277,4 @@ var body = WHOLE_DOCUMENT ? dom.body.parentNode : dom.body;
                 || typeof elm.attributes.item !== 'function'
+                || (elm.id === 'implementation' || elm.name === 'implementation')
+                || (elm.id === 'createNodeIterator' || elm.name === 'createNodeIterator')
             ) {
@@ -392,9 +383,6 @@ return true;
                 if(SANITIZE_DOM) {
-                    if(tmp.name === 'id'
+                    if((tmp.name === 'id' || tmp.name === 'name')
                         && (tmp.value in window || tmp.value in document)) {
                         clobbering = true;
                     }
-                    if(tmp.name === 'name' && tmp.value in document){
-                        clobbering = true;
-                    }
                 }
@@ -419,3 +407,6 @@
                 ) {
-                    currentNode.setAttribute(tmp.name, tmp.value);
+                    /* Handle invalid data attributes safely by try-catching it and do nothing */
+                    try {
+                        currentNode.setAttribute(tmp.name, tmp.value);
+                    } catch (e) {}
                 }
@@ -477,4 +468,5 @@ }
         /* Feature check and untouched opt-out return */
-        if (typeof document.implementation.createHTMLDocument === 'undefined') {
-            if (window.toStaticHTML !== 'undefined' && typeof dirty === 'string') {
+        if (typeof document.implementation.createHTMLDocument === 'undefined'
+            || (typeof document.documentMode === 'number' && document.documentMode === 9)) {
+            if (typeof window.toStaticHTML === 'function' && typeof dirty === 'string') {
                 return window.toStaticHTML(dirty);
@@ -481,0 +473,0 @@ }

README.md

@@ -1,4 +0,4 @@
-# DOMPurify
+# DOMPurify [![NPM version](http://img.shields.io/npm/v/dompurify.svg)](https://www.npmjs.org/package/dompurify)
 
-DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there.
+DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there.
 
@@ -5,0 +5,0 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

No alert changes

Improved metrics

Total package byte prevSize

365923

increased by0.12%

Worsened metrics

Lines of code

2331

decreased by-0.3%

No dependency changes