Comparing version 0.6.0 to 0.6.1
{ | ||
"name": "DOMPurify", | ||
"version": "0.6.0", | ||
"version": "0.6.1", | ||
"homepage": "https://github.com/cure53/DOMPurify", | ||
@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>", |
@@ -14,4 +14,4 @@ { | ||
"name": "dompurify", | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "0.6.0", | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "0.6.1", | ||
"main": "purify.js", | ||
@@ -18,0 +18,0 @@ "directories": { |
@@ -22,3 +22,3 @@ /* jshint boss: true */ | ||
*/ | ||
DOMPurify.version = '0.6.0'; | ||
DOMPurify.version = '0.6.1'; | ||
@@ -220,13 +220,2 @@ /** | ||
/* Cover IE9's buggy outerHTML behavior */ | ||
if (dom.body === null) { | ||
dom = document.implementation.createHTMLDocument(''); | ||
dom.body.innerHTML = dirty; | ||
if (dom.body.firstChild && dom.body.firstChild.nodeName | ||
&& !WHOLE_DOCUMENT | ||
&& dom.body.firstChild.nodeName === 'STYLE'){ | ||
dom.body.removeChild(dom.body.firstChild); | ||
} | ||
} | ||
/* Work on whole document or just its body */ | ||
@@ -288,2 +277,4 @@ var body = WHOLE_DOCUMENT ? dom.body.parentNode : dom.body; | ||
|| typeof elm.attributes.item !== 'function' | ||
|| (elm.id === 'implementation' || elm.name === 'implementation') | ||
|| (elm.id === 'createNodeIterator' || elm.name === 'createNodeIterator') | ||
) { | ||
@@ -392,9 +383,6 @@ return true; | ||
if(SANITIZE_DOM) { | ||
if(tmp.name === 'id' | ||
if((tmp.name === 'id' || tmp.name === 'name') | ||
&& (tmp.value in window || tmp.value in document)) { | ||
clobbering = true; | ||
} | ||
if(tmp.name === 'name' && tmp.value in document){ | ||
clobbering = true; | ||
} | ||
} | ||
@@ -419,3 +407,6 @@ | ||
) { | ||
currentNode.setAttribute(tmp.name, tmp.value); | ||
/* Handle invalid data attributes safely by try-catching it and do nothing */ | ||
try { | ||
currentNode.setAttribute(tmp.name, tmp.value); | ||
} catch (e) {} | ||
} | ||
@@ -477,4 +468,5 @@ } | ||
/* Feature check and untouched opt-out return */ | ||
if (typeof document.implementation.createHTMLDocument === 'undefined') { | ||
if (window.toStaticHTML !== 'undefined' && typeof dirty === 'string') { | ||
if (typeof document.implementation.createHTMLDocument === 'undefined' | ||
|| (typeof document.documentMode === 'number' && document.documentMode === 9)) { | ||
if (typeof window.toStaticHTML === 'function' && typeof dirty === 'string') { | ||
return window.toStaticHTML(dirty); | ||
@@ -481,0 +473,0 @@ } |
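Review bot: The new `documentMode === 9` branch in the `@@ -477` hunk hands IE9 string input to `window.toStaticHTML`, which is the host's own sanitizer rather than DOMPurify's, so the flags this diff consults elsewhere (`WHOLE_DOCUMENT`, `SANITIZE_DOM`) have no bearing on what that call returns, and the hunk's comment calls it an "untouched opt-out" without saying that the result follows a different sanitization contract. I'd extend the comment to `/* Feature check and untouched opt-out return: without createHTMLDocument, or on IE9, string input is delegated to the host's toStaticHTML, whose output does not honour DOMPurify's configuration */`. Non-string input on documentMode 9 skips this early return and continues into the body that the `@@ -220` hunk stripped of its IE9 body-null workaround; whether the remaining code still copes with IE9 there is not visible in this diff, so it is worth confirming. The `typeof document.documentMode === 'number'` guard is redundant with `=== 9` and could be dropped. The enclosing function starts and ends outside the hunk.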
@@ -1,4 +0,4 @@ | ||
# DOMPurify | ||
# DOMPurify [![NPM version](http://img.shields.io/npm/v/dompurify.svg)](https://www.npmjs.org/package/dompurify) | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (9+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. | ||
@@ -5,0 +5,0 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model) |