dompurify
Comparing version 0.7.1 to 0.7.2
{ | ||
"name": "DOMPurify", | ||
"version": "0.7.1", | ||
"version": "0.7.2", | ||
"homepage": "https://github.com/cure53/DOMPurify", | ||
@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>", |
@@ -1,2 +0,2 @@ | ||
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.0";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var u=t.Comment;var f=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var y={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var g=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
A=g({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var w=null;var 
k=g({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","azimuth","baseline-shift","bias","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dy","dy","direction","display","divisor","dur","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","image-rendering","in","in2","k1","k2","k3","k4","kerning","letter-spacing","lighting-color","local","marker-end","marker-mid","marker-start","max","mask","mode","min","offset","operator","opacity","order","overflow","paint-order","path","points","r","rx","ry","radius","restart","scale","seed","shape-rendering","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","transform","text-anchor","text-decoration","text-rendering","u1","u2","viewbox","visibility","word-spacing","wrap","writing-mode","x","x1","x2","y","y1","y2","z","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display
","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space"]);var x=null;var E=null;var D=true;var M=false;var O=false;var N=false;var S=false;var L=false;var _=true;var z=true;var R=g({},["audio","head","math","script","style","svg","video"]);var H=null;var C=n.createElement("form");var F=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?g({},e.ALLOWED_TAGS):A;w="ALLOWED_ATTR"in e?g({},e.ALLOWED_ATTR):k;x="FORBID_TAGS"in e?g({},e.FORBID_TAGS):{};E="FORBID_ATTR"in e?g({},e.FORBID_ATTR):{};D=e.ALLOW_DATA_ATTR!==false;M=e.SAFE_FOR_JQUERY||false;O=e.WHOLE_DOCUMENT||false;N=e.RETURN_DOM||false;S=e.RETURN_DOM_FRAGMENT||false;L=e.RETURN_DOM_IMPORT||false;_=e.SANITIZE_DOM!==false;z=e.KEEP_CONTENT!==false;if(S){N=true}if(e.ADD_TAGS){if(T===A){T=b(T)}g(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(w===k){w=b(w)}g(w,e.ADD_ATTR)}if(z){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}H=e};var I=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new f).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(O?"html":"body")[0]}else{return p.call(t,O?"html":"body")[0]}};var W=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var j=function(e){if(e instanceof c||e instanceof u){return false}if(typeof e.nodeName!=="string"||typeof 
e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var B=function(e){K("beforeSanitizeElements",e,null);if(j(e)){I(e);return true}var t=e.nodeName.toLowerCase();K("uponSanitizeElement",e,{tagName:t});if(!T[t]||x[t]){if(z&&!R[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}I(e);return true}if(M&&!e.firstElementChild){e.innerHTML=e.textContent.replace(/</g,"<")}K("afterSanitizeElements",e,null);return false};var q=function(e){K("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,u;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;K("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){u=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(u)>i){e.setAttribute("id",u.value)}}else{e.removeAttribute(l)}if(!a.keepAttr){continue}if(_&&(c==="id"||c==="name")&&(s in t||s in n||s in C)){continue}if((w[c]&&!E[c]||D&&P.test(c))&&(!U.test(s.replace(V,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{e.setAttribute(l,s)}catch(f){}}}K("afterSanitizeAttributes",e,null)};var P=/^data-[\w.\u00B7-\uFFFF-]/;var U=/^(?:\w+script|data):/i;var V=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var J=function(e){var t;var r=W(e);K("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){K("uponSanitizeShadowNode",t,null);if(B(t)){continue}if(t.content instanceof i){J(t.content)}q(t)}K("afterSanitizeShadowDOM",e,null)};var K=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,H)})};r.sanitize=function(e,n){if(!e){e=""}if(!r.isSupported){if(typeof t.toStaticHTML==="function"&&typeof e==="string"){return t.toStaticHTML(e)}return 
e}F(n);if(!N&&!O&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return N?null:""}var l;var s;var c=W(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(B(l)){continue}if(l.content instanceof i){J(l.content)}q(l);s=l}var u;if(N){if(S){u=v.call(o.ownerDocument);while(o.firstChild){u.appendChild(o.firstChild)}}else{u=o}if(L){u=h.call(a,u,true)}return u}return O?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r}); | ||
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.2";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var u=t.Comment;var f=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var y={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var g=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
A=g({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var w=null;var 
k=g({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","azimuth","baseline-shift","bias","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dy","dy","direction","display","divisor","dur","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","image-rendering","in","in2","k1","k2","k3","k4","kerning","letter-spacing","lighting-color","local","marker-end","marker-mid","marker-start","max","mask","mode","min","offset","operator","opacity","order","overflow","paint-order","path","points","r","rx","ry","radius","restart","scale","seed","shape-rendering","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","transform","text-anchor","text-decoration","text-rendering","u1","u2","viewbox","visibility","word-spacing","wrap","writing-mode","x","x1","x2","y","y1","y2","z","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display
","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var x=null;var E=null;var M=true;var O=false;var D=false;var N=false;var S=false;var _=false;var L=false;var z=true;var R=true;var C=g({},["audio","head","math","script","style","svg","video"]);var H=null;var F=n.createElement("form");var I=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?g({},e.ALLOWED_TAGS):A;w="ALLOWED_ATTR"in e?g({},e.ALLOWED_ATTR):k;x="FORBID_TAGS"in e?g({},e.FORBID_TAGS):{};E="FORBID_ATTR"in e?g({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.SAFE_FOR_JQUERY||false;D=e.SAFE_FOR_TEMPLATES||false;N=e.WHOLE_DOCUMENT||false;S=e.RETURN_DOM||false;_=e.RETURN_DOM_FRAGMENT||false;L=e.RETURN_DOM_IMPORT||false;z=e.SANITIZE_DOM!==false;R=e.KEEP_CONTENT!==false;if(_){S=true}if(e.ADD_TAGS){if(T===A){T=b(T)}g(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(w===k){w=b(w)}g(w,e.ADD_ATTR)}if(R){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}H=e};var j=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new f).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(N?"html":"body")[0]}else{return p.call(t,N?"html":"body")[0]}};var W=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var B=function(e){if(e instanceof c||e instanceof u){return false}if(typeof 
e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var q=function(e){Y("beforeSanitizeElements",e,null);if(B(e)){j(e);return true}var t=e.nodeName.toLowerCase();Y("uponSanitizeElement",e,{tagName:t});if(!T[t]||x[t]){if(R&&!C[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}j(e);return true}if(O&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"<")}if(e.nodeType===3&&D){var n=e.textContent;n=n.replace(K," ");n=n.replace(Q," ");e.textContent=n}Y("afterSanitizeElements",e,null);return false};var P=function(e){Y("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,u;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;Y("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){u=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(u)>i){e.setAttribute("id",u.value)}}else{if(l==="id"){e.setAttribute(l,"")}e.removeAttribute(l)}if(!a.keepAttr){continue}if(z&&(c==="id"||c==="name")&&(s in t||s in n||s in F)){continue}if((w[c]&&!E[c]||!D&&M&&U.test(c))&&(!V.test(s.replace(J,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{if(D){s=s.replace(K," ");s=s.replace(Q," ");e.setAttribute(l,s)}e.setAttribute(l,s)}catch(f){}}}Y("afterSanitizeAttributes",e,null)};var U=/^data-[\w.\u00B7-\uFFFF-]/;var V=/^(?:\w+script|data):/i;var J=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var K=/\{\{.*|.*\}\}/gm;var Q=/<%.*|.*%>/gm;var X=function(e){var t;var r=W(e);Y("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){Y("uponSanitizeShadowNode",t,null);if(q(t)){continue}if(t.content 
instanceof i){X(t.content)}P(t)}Y("afterSanitizeShadowDOM",e,null)};var Y=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,H)})};r.sanitize=function(e,n){if(!e){return""}if(e instanceof Array){e=e.toString()}if(!r.isSupported){if(typeof t.toStaticHTML==="object"&&typeof e==="string"){return t.toStaticHTML(e)}return e}I(n);if(!S&&!N&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return S?null:""}var l;var s;var c=W(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(q(l)){continue}if(l.content instanceof i){X(l.content)}P(l);s=l}var u;if(S){if(_){u=v.call(o.ownerDocument);while(o.firstChild){u.appendChild(o.firstChild)}}else{u=o}if(L){u=h.call(a,u,true)}return u}return N?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r}); | ||
//# sourceMappingURL=./dist/purify.min.js.map |
@@ -22,3 +22,3 @@ { | ||
"karma": "^0.13.9", | ||
"karma-browserstack-launcher": "^0.1.4", | ||
"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll", | ||
"karma-chrome-launcher": "^0.2.0", | ||
@@ -39,3 +39,3 @@ "karma-firefox-launcher": "^0.1.6", | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "0.7.1", | ||
"version": "0.7.2", | ||
"main": "src/purify.js", | ||
@@ -42,0 +42,0 @@ "directories": { |
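Review bot: The new `karma-browserstack-launcher` spec points at a personal fork over the unauthenticated `git://` transport and at a branch ref (`#global_poll`) rather than a commit, so the installed code can change under the project without any lockfile or integrity check; a reviewer cannot tell from this hunk which commit was tested. If the fork is needed, pin it to a commit hash over an authenticated transport, e.g. `"karma-browserstack-launcher": "git+https://github.com/shirish87/karma-browserstack-launcher.git#<commit-sha>"`, and note in the commit why the published package is not usable. This is presumably a `devDependencies` entry (the neighbouring keys are karma plugins), so end users are not affected, but CI still installs it.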
@@ -5,6 +5,8 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify) | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. | ||
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. | ||
It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Spartan, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover 8 different browsers right now. | ||
It's also very simple to use and get started with. | ||
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover 8 different browsers right now. | ||
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model) | ||
@@ -82,3 +84,3 @@ | ||
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` methods. | ||
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` methods but requires the `SAFE_FOR_JQUERY` flag for that - see below. | ||
@@ -91,2 +93,8 @@ | ||
```javascript | ||
// make output safe for usage in jQuery's $()/html() method (default is false) | ||
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true}); | ||
// strip {{ ... }} and <% ... %> to make output safe for template systems | ||
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true}); | ||
// allow only <b> | ||
@@ -129,5 +137,2 @@ var clean = DOMPurify.sanitize(dirty, {ALLOWED_TAGS: ['b']}); | ||
// make output safe for usage in jQuery's $()/html() method (default is false) | ||
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true}); | ||
// disable DOM Clobbering protection on output (default is true, handle with care!) | ||
@@ -189,2 +194,2 @@ var clean = DOMPurify.sanitize(dirty, {SANITIZE_DOM: false}); | ||
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free! | ||
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that. |
@@ -24,3 +24,3 @@ ;(function(factory) { | ||
*/ | ||
DOMPurify.version = '0.7.1'; | ||
DOMPurify.version = '0.7.2'; | ||
@@ -194,3 +194,8 @@ if (!window || !window.document || window.document.nodeType !== 9) { | ||
/* Decide if document with <html>... should be returned */ | ||
/* Output should be safe for common template engines. | ||
* This means, DOMPurify removes data attributes, mustaches and ERB | ||
*/ | ||
var SAFE_FOR_TEMPLATES = false; | ||
/* Decide if document with <html>... should be returned */ | ||
var WHOLE_DOCUMENT = false; | ||
@@ -253,2 +258,3 @@ | ||
SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false | ||
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false | ||
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false | ||
@@ -414,7 +420,17 @@ RETURN_DOM = cfg.RETURN_DOM || false; // Default false | ||
/* Finally, convert markup to cover jQuery behavior */ | ||
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild) { | ||
/* Convert markup to cover jQuery behavior */ | ||
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild | ||
&& (!currentNode.content || !currentNode.content.firstElementChild)) { | ||
currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
} | ||
/* Sanitize element content to be template-safe */ | ||
if(currentNode.nodeType === 3 && SAFE_FOR_TEMPLATES) { | ||
/* Get the element's text content */ | ||
var content = currentNode.textContent; | ||
content = content.replace(MUSTACHE_EXPR, ' '); | ||
content = content.replace(ERB_EXPR, ' '); | ||
currentNode.textContent = content; | ||
} | ||
/* Execute a hook if present */ | ||
@@ -482,2 +498,8 @@ _executeHook('afterSanitizeElements', currentNode, null); | ||
} else { | ||
// This avoids a crash in Safari v9.0 with double-ids. | ||
// The trick is to first set the id to be empty and then to | ||
// remove the attriubute | ||
if (name === 'id') { | ||
currentNode.setAttribute(name, ''); | ||
} | ||
currentNode.removeAttribute(name); | ||
@@ -505,3 +527,3 @@ } | ||
* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804) */ | ||
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) | ||
(!SAFE_FOR_TEMPLATES && ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) | ||
) && | ||
@@ -518,5 +540,14 @@ /* Get rid of script and data URIs */ | ||
try { | ||
/* Sanitize attribute content to be template-safe */ | ||
if (SAFE_FOR_TEMPLATES) { | ||
value = value.replace(MUSTACHE_EXPR, ' '); | ||
value = value.replace(ERB_EXPR, ' '); | ||
currentNode.setAttribute(name, value); | ||
} | ||
currentNode.setAttribute(name, value); | ||
} catch (e) {} | ||
} | ||
} | ||
@@ -532,2 +563,5 @@ | ||
var MUSTACHE_EXPR = /\{\{.*|.*\}\}/gm; | ||
var ERB_EXPR = /<%.*|.*%>/gm; | ||
/** | ||
@@ -591,9 +625,15 @@ * _sanitizeShadowDOM | ||
DOMPurify.sanitize = function(dirty, cfg) { | ||
/* Return early if nothing to sanitize is given */ | ||
if (!dirty) { | ||
dirty = ''; | ||
return ''; | ||
} | ||
/* Stringify, in case dirty is an array */ | ||
if (dirty instanceof Array) { | ||
dirty = dirty.toString(); | ||
} | ||
/* Check we can run. Otherwise fall back or ignore */ | ||
if (!DOMPurify.isSupported) { | ||
if (typeof window.toStaticHTML === 'function' && typeof dirty === 'string') { | ||
if (typeof window.toStaticHTML === 'object' && typeof dirty === 'string') { | ||
return window.toStaticHTML(dirty); | ||
@@ -600,0 +640,0 @@ } |
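Review bot: The template stripping `value = value.replace(MUSTACHE_EXPR, ' ')` / `value.replace(ERB_EXPR, ' ')` runs inside the `try` after the script/data-URI test under `/* Get rid of script and data URIs */` has already accepted `value`, so the string that `setAttribute` finally writes is never re-checked. Both regexes also match a bare closing delimiter (`.*\}\}`, `.*%>`) and replace it with a space, so a value starting with `}}` or `%>` followed by a script or data scheme passes the test on its original form and is then rewritten to a leading-space URI — and the existing `value.replace(ATTR_WHITESPACE, '')` pre-processing shows this code already treats such whitespace as non-protective. Move the stripping above the allow-list condition that contains `DATA_ATTR.test(lcName)`, e.g. `if (SAFE_FOR_TEMPLATES) { value = value.replace(MUSTACHE_EXPR, ' ').replace(ERB_EXPR, ' '); }`, so the URI test sees the final value, and drop the duplicate `currentNode.setAttribute(name, value);` inside the `if (SAFE_FOR_TEMPLATES)` branch, which is repeated unconditionally on the next line. The enclosing attribute-sanitizing function starts and ends outside this hunk.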
@@ -114,2 +114,10 @@ module.exports = function(config) { | ||
os_version: '8.1' | ||
}, | ||
bs_win10_edge_12: { | ||
base: 'BrowserStack', | ||
device: null, | ||
os: 'Windows', | ||
browser_version: '12.0', | ||
browser: 'edge', | ||
os_version: '10' | ||
} | ||
@@ -126,3 +134,4 @@ }, | ||
'bs_win7_firefox_12', | ||
'bs_win81_chrome_22' | ||
'bs_win81_chrome_22', | ||
'bs_win10_edge_12' | ||
], | ||
@@ -129,0 +138,0 @@ |
@@ -60,3 +60,24 @@ module.exports = function(DOMPurify, tests, xssTests) { | ||
assert.equal( DOMPurify.sanitize( '<b><style><style/><img src=xx: onerror=alert(1)>', {SAFE_FOR_JQUERY: true}), "<b><style><style/><img src=xx: onerror=alert(1)></style></b>" ); | ||
assert.contains( DOMPurify.sanitize( '1<template><s>000</s></template>2', {SAFE_FOR_JQUERY: true}), ["1<template><s>000</s></template>2", "1<template></template>2"] ); | ||
assert.contains( DOMPurify.sanitize( '<template><s>000</s></template>', {SAFE_FOR_JQUERY: true}), ["", "<template><s>000</s></template>"]); | ||
}); | ||
QUnit.test( 'Config-Flag tests: SAFE_FOR_TEMPLATES', function(assert) { | ||
//SAFE_FOR_TEMPLATES | ||
assert.equal( DOMPurify.sanitize( '<a>123{{456}}<b><style><% alert(1) %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a data-bind="style: alert(1)"></a>', {SAFE_FOR_TEMPLATES: true}), "<a></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a data-harmless=""></a>', {SAFE_FOR_TEMPLATES: true, ALLOW_DATA_ATTR: true}), "<a></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a data-harmless=""></a>', {SAFE_FOR_TEMPLATES: false, ALLOW_DATA_ATTR: false}), "<a></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a>{{123}}{{456}}<b><style><% alert(1) %><% 123 %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a>{{123}}abc{{456}}<b><style><% alert(1) %>def<% 123 %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a>123{{45{{6}}<b><style><% alert(1)%> %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a>123{{45}}6}}<b><style><% <%alert(1) %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( '<a>123{{<b>456}}</b><style><% alert(1) %></style>456</a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style>456</a>" ); | ||
assert.contains( DOMPurify.sanitize( '<b>{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}</b>', {SAFE_FOR_TEMPLATES: true}), | ||
["<b> </b>", "<b> </b>", "<b> <form><img src=\"x\"></form> </b>"] | ||
); | ||
assert.contains( DOMPurify.sanitize( '<b>he{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}ya</b>', {SAFE_FOR_TEMPLATES: true}), | ||
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"] // Investigate on Safari 8! | ||
); | ||
assert.equal( DOMPurify.sanitize( '<a>123<% <b>456}}</b><style>{{ alert(1) }}</style>456 %></a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style> </a>" ); | ||
}); | ||
QUnit.test( 'Config-Flag tests: SANITIZE_DOM', function(assert) { | ||
@@ -131,2 +152,6 @@ // SANITIZE_DOM | ||
}); | ||
QUnit.test( 'Test dirty being an array', function(assert) { | ||
assert.equal( DOMPurify.sanitize( ['<a>123<b>456</b></a>']), "<a>123<b>456</b></a>" ); | ||
assert.equal( DOMPurify.sanitize( ['<img src=', 'x onerror=alert(1)>']), "<img src=\",x\">" ); | ||
}); | ||
// XSS tests: Native DOM methods (alert() should not be called) | ||
@@ -133,0 +158,0 @@ QUnit |
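Review bot: The new SAFE_FOR_TEMPLATES cases only exercise text content and `data-*` attributes; none checks an `href`/`src` value in which a template delimiter precedes a URI scheme, although the attribute path in src/purify.js applies the mustache/ERB replacement to the value after the script/data-URI test rather than before it. Add a case such as `assert.equal( DOMPurify.sanitize( '<a href="}}javascript:alert(1)">x</a>', {SAFE_FOR_TEMPLATES: true}), "<a>x</a>" );` asserting that the attribute is dropped, so the ordering is pinned by a test. The `// Investigate on Safari 8!` comment on the three-way `assert.contains` would be clearer as `// TODO: Safari 8 yields the third variant — confirm and narrow the accepted set`, naming which accepted output is the suspect one.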