dompurify - npm Package Compare versions

Comparing version 0.7.1 to 0.7.2

website/index.html

2

bower.json
{
"name": "DOMPurify",
"version": "0.7.1",
"version": "0.7.2",
"homepage": "https://github.com/cure53/DOMPurify",

@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>",

@@ -1,2 +0,2 @@

(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.0";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var u=t.Comment;var f=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var y={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var g=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
A=g({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var w=null;var 
k=g({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","azimuth","baseline-shift","bias","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dy","dy","direction","display","divisor","dur","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","image-rendering","in","in2","k1","k2","k3","k4","kerning","letter-spacing","lighting-color","local","marker-end","marker-mid","marker-start","max","mask","mode","min","offset","operator","opacity","order","overflow","paint-order","path","points","r","rx","ry","radius","restart","scale","seed","shape-rendering","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","transform","text-anchor","text-decoration","text-rendering","u1","u2","viewbox","visibility","word-spacing","wrap","writing-mode","x","x1","x2","y","y1","y2","z","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display
","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space"]);var x=null;var E=null;var D=true;var M=false;var O=false;var N=false;var S=false;var L=false;var _=true;var z=true;var R=g({},["audio","head","math","script","style","svg","video"]);var H=null;var C=n.createElement("form");var F=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?g({},e.ALLOWED_TAGS):A;w="ALLOWED_ATTR"in e?g({},e.ALLOWED_ATTR):k;x="FORBID_TAGS"in e?g({},e.FORBID_TAGS):{};E="FORBID_ATTR"in e?g({},e.FORBID_ATTR):{};D=e.ALLOW_DATA_ATTR!==false;M=e.SAFE_FOR_JQUERY||false;O=e.WHOLE_DOCUMENT||false;N=e.RETURN_DOM||false;S=e.RETURN_DOM_FRAGMENT||false;L=e.RETURN_DOM_IMPORT||false;_=e.SANITIZE_DOM!==false;z=e.KEEP_CONTENT!==false;if(S){N=true}if(e.ADD_TAGS){if(T===A){T=b(T)}g(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(w===k){w=b(w)}g(w,e.ADD_ATTR)}if(z){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}H=e};var I=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new f).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(O?"html":"body")[0]}else{return p.call(t,O?"html":"body")[0]}};var W=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var j=function(e){if(e instanceof c||e instanceof u){return false}if(typeof e.nodeName!=="string"||typeof 
e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var B=function(e){K("beforeSanitizeElements",e,null);if(j(e)){I(e);return true}var t=e.nodeName.toLowerCase();K("uponSanitizeElement",e,{tagName:t});if(!T[t]||x[t]){if(z&&!R[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}I(e);return true}if(M&&!e.firstElementChild){e.innerHTML=e.textContent.replace(/</g,"&lt;")}K("afterSanitizeElements",e,null);return false};var q=function(e){K("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,u;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;K("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){u=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(u)>i){e.setAttribute("id",u.value)}}else{e.removeAttribute(l)}if(!a.keepAttr){continue}if(_&&(c==="id"||c==="name")&&(s in t||s in n||s in C)){continue}if((w[c]&&!E[c]||D&&P.test(c))&&(!U.test(s.replace(V,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{e.setAttribute(l,s)}catch(f){}}}K("afterSanitizeAttributes",e,null)};var P=/^data-[\w.\u00B7-\uFFFF-]/;var U=/^(?:\w+script|data):/i;var V=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var J=function(e){var t;var r=W(e);K("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){K("uponSanitizeShadowNode",t,null);if(B(t)){continue}if(t.content instanceof i){J(t.content)}q(t)}K("afterSanitizeShadowDOM",e,null)};var K=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,H)})};r.sanitize=function(e,n){if(!e){e=""}if(!r.isSupported){if(typeof t.toStaticHTML==="function"&&typeof e==="string"){return t.toStaticHTML(e)}return 
e}F(n);if(!N&&!O&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return N?null:""}var l;var s;var c=W(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(B(l)){continue}if(l.content instanceof i){J(l.content)}q(l);s=l}var u;if(N){if(S){u=v.call(o.ownerDocument);while(o.firstChild){u.appendChild(o.firstChild)}}else{u=o}if(L){u=h.call(a,u,true)}return u}return O?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r});
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.2";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var u=t.Comment;var f=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var y={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var g=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
A=g({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var w=null;var 
k=g({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","azimuth","baseline-shift","bias","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dy","dy","direction","display","divisor","dur","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","image-rendering","in","in2","k1","k2","k3","k4","kerning","letter-spacing","lighting-color","local","marker-end","marker-mid","marker-start","max","mask","mode","min","offset","operator","opacity","order","overflow","paint-order","path","points","r","rx","ry","radius","restart","scale","seed","shape-rendering","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","transform","text-anchor","text-decoration","text-rendering","u1","u2","viewbox","visibility","word-spacing","wrap","writing-mode","x","x1","x2","y","y1","y2","z","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display
","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var x=null;var E=null;var M=true;var O=false;var D=false;var N=false;var S=false;var _=false;var L=false;var z=true;var R=true;var C=g({},["audio","head","math","script","style","svg","video"]);var H=null;var F=n.createElement("form");var I=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?g({},e.ALLOWED_TAGS):A;w="ALLOWED_ATTR"in e?g({},e.ALLOWED_ATTR):k;x="FORBID_TAGS"in e?g({},e.FORBID_TAGS):{};E="FORBID_ATTR"in e?g({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.SAFE_FOR_JQUERY||false;D=e.SAFE_FOR_TEMPLATES||false;N=e.WHOLE_DOCUMENT||false;S=e.RETURN_DOM||false;_=e.RETURN_DOM_FRAGMENT||false;L=e.RETURN_DOM_IMPORT||false;z=e.SANITIZE_DOM!==false;R=e.KEEP_CONTENT!==false;if(_){S=true}if(e.ADD_TAGS){if(T===A){T=b(T)}g(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(w===k){w=b(w)}g(w,e.ADD_ATTR)}if(R){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}H=e};var j=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new f).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(N?"html":"body")[0]}else{return p.call(t,N?"html":"body")[0]}};var W=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var B=function(e){if(e instanceof c||e instanceof u){return false}if(typeof 
e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var q=function(e){Y("beforeSanitizeElements",e,null);if(B(e)){j(e);return true}var t=e.nodeName.toLowerCase();Y("uponSanitizeElement",e,{tagName:t});if(!T[t]||x[t]){if(R&&!C[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}j(e);return true}if(O&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(e.nodeType===3&&D){var n=e.textContent;n=n.replace(K," ");n=n.replace(Q," ");e.textContent=n}Y("afterSanitizeElements",e,null);return false};var P=function(e){Y("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,u;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;Y("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){u=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(u)>i){e.setAttribute("id",u.value)}}else{if(l==="id"){e.setAttribute(l,"")}e.removeAttribute(l)}if(!a.keepAttr){continue}if(z&&(c==="id"||c==="name")&&(s in t||s in n||s in F)){continue}if((w[c]&&!E[c]||!D&&M&&U.test(c))&&(!V.test(s.replace(J,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{if(D){s=s.replace(K," ");s=s.replace(Q," ");e.setAttribute(l,s)}e.setAttribute(l,s)}catch(f){}}}Y("afterSanitizeAttributes",e,null)};var U=/^data-[\w.\u00B7-\uFFFF-]/;var V=/^(?:\w+script|data):/i;var J=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var K=/\{\{.*|.*\}\}/gm;var Q=/<%.*|.*%>/gm;var X=function(e){var t;var r=W(e);Y("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){Y("uponSanitizeShadowNode",t,null);if(q(t)){continue}if(t.content 
instanceof i){X(t.content)}P(t)}Y("afterSanitizeShadowDOM",e,null)};var Y=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,H)})};r.sanitize=function(e,n){if(!e){return""}if(e instanceof Array){e=e.toString()}if(!r.isSupported){if(typeof t.toStaticHTML==="object"&&typeof e==="string"){return t.toStaticHTML(e)}return e}I(n);if(!S&&!N&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return S?null:""}var l;var s;var c=W(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(q(l)){continue}if(l.content instanceof i){X(l.content)}P(l);s=l}var u;if(S){if(_){u=v.call(o.ownerDocument);while(o.firstChild){u.appendChild(o.firstChild)}}else{u=o}if(L){u=h.call(a,u,true)}return u}return N?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r});
//# sourceMappingURL=./dist/purify.min.js.map

@@ -22,3 +22,3 @@ {

"karma": "^0.13.9",
"karma-browserstack-launcher": "^0.1.4",
"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll",
"karma-chrome-launcher": "^0.2.0",

@@ -39,3 +39,3 @@ "karma-firefox-launcher": "^0.1.6",

"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "0.7.1",
"version": "0.7.2",
"main": "src/purify.js",

@@ -42,0 +42,0 @@ "directories": {
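Review bot: The `karma-browserstack-launcher` entry now points at `"git://github.com/shirish87/karma-browserstack-launcher.git#global_poll"`, a mutable branch on a third-party fork fetched over the unauthenticated `git://` transport, so the code that gets installed can change without any change to this manifest and cannot be integrity-checked by the package manager. Pin the ref to a specific commit and fetch over HTTPS, e.g. `"karma-browserstack-launcher": "git+https://github.com/shirish87/karma-browserstack-launcher.git#<commit-sha>"`. From the surrounding karma entries this looks like a devDependency, so the exposure is CI/test tooling rather than the published package, but a sentence in the commit description saying why the upstream `^0.1.4` release was replaced would help the next maintainer move back off the fork.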

@@ -5,6 +5,8 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify)

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Spartan, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover 8 different browsers right now.
It's also very simple to use and get started with.
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover 8 different browsers right now.
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

@@ -82,3 +84,3 @@

DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` methods.
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` methods but requires the `SAFE_FOR_JQUERY` flag for that - see below.

@@ -91,2 +93,8 @@

```javascript
// make output safe for usage in jQuery's $()/html() method (default is false)
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true});
// strip {{ ... }} and <% ... %> to make output safe for template systems
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true});
// allow only <b>

@@ -129,5 +137,2 @@ var clean = DOMPurify.sanitize(dirty, {ALLOWED_TAGS: ['b']});

// make output safe for usage in jQuery's $()/html() method (default is false)
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true});
// disable DOM Clobbering protection on output (default is true, handle with care!)

@@ -189,2 +194,2 @@ var clean = DOMPurify.sanitize(dirty, {SANITIZE_DOM: false});

And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free!
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.

@@ -24,3 +24,3 @@ ;(function(factory) {

*/
DOMPurify.version = '0.7.1';
DOMPurify.version = '0.7.2';

@@ -194,3 +194,8 @@ if (!window || !window.document || window.document.nodeType !== 9) {

/* Decide if document with <html>... should be returned */
/* Output should be safe for common template engines.
* This means, DOMPurify removes data attributes, mustaches and ERB
*/
var SAFE_FOR_TEMPLATES = false;
/* Decide if document with <html>... should be returned */
var WHOLE_DOCUMENT = false;

@@ -253,2 +258,3 @@

SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false

@@ -414,7 +420,17 @@ RETURN_DOM = cfg.RETURN_DOM || false; // Default false

/* Finally, convert markup to cover jQuery behavior */
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild) {
/* Convert markup to cover jQuery behavior */
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild
&& (!currentNode.content || !currentNode.content.firstElementChild)) {
currentNode.innerHTML = currentNode.textContent.replace(/</g, '&lt;');
}
/* Sanitize element content to be template-safe */
if(currentNode.nodeType === 3 && SAFE_FOR_TEMPLATES) {
/* Get the element's text content */
var content = currentNode.textContent;
content = content.replace(MUSTACHE_EXPR, ' ');
content = content.replace(ERB_EXPR, ' ');
currentNode.textContent = content;
}
/* Execute a hook if present */

@@ -482,2 +498,8 @@ _executeHook('afterSanitizeElements', currentNode, null);

} else {
// This avoids a crash in Safari v9.0 with double-ids.
// The trick is to first set the id to be empty and then to
// remove the attriubute
if (name === 'id') {
currentNode.setAttribute(name, '');
}
currentNode.removeAttribute(name);

@@ -505,3 +527,3 @@ }

* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804) */
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName))
(!SAFE_FOR_TEMPLATES && ALLOW_DATA_ATTR && DATA_ATTR.test(lcName))
) &&

@@ -518,5 +540,14 @@ /* Get rid of script and data URIs */

try {
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR, ' ');
value = value.replace(ERB_EXPR, ' ');
currentNode.setAttribute(name, value);
}
currentNode.setAttribute(name, value);
} catch (e) {}
}
}

@@ -532,2 +563,5 @@

var MUSTACHE_EXPR = /\{\{.*|.*\}\}/gm;
var ERB_EXPR = /<%.*|.*%>/gm;
/**

@@ -591,9 +625,15 @@ * _sanitizeShadowDOM

DOMPurify.sanitize = function(dirty, cfg) {
/* Return early if nothing to sanitize is given */
if (!dirty) {
dirty = '';
return '';
}
/* Stringify, in case dirty is an array */
if (dirty instanceof Array) {
dirty = dirty.toString();
}
/* Check we can run. Otherwise fall back or ignore */
if (!DOMPurify.isSupported) {
if (typeof window.toStaticHTML === 'function' && typeof dirty === 'string') {
if (typeof window.toStaticHTML === 'object' && typeof dirty === 'string') {
return window.toStaticHTML(dirty);

@@ -600,0 +640,0 @@ }
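Review bot: The new `SAFE_FOR_TEMPLATES` branch in `_sanitizeAttributes` calls `currentNode.setAttribute(name, value)` inside the `if` and then again unconditionally on the next line, so the attribute is written twice with the same stripped value; drop the inner call and keep only the unconditional one. Separately, in `DOMPurify.sanitize` the new `dirty instanceof Array` check does not recognise arrays created in another realm (an iframe's `Array`), and the `dirty.indexOf('<') === -1` shortcut that follows (outside this hunk; visible in the minified build as `e.indexOf("<")===-1`) would then hand such an array back untouched because `Array.prototype.indexOf` looks for an element equal to `'<'`; prefer `if (Array.isArray(dirty)) { dirty = dirty.toString(); }` and gate the shortcut on `typeof dirty === 'string'`. The change to `typeof window.toStaticHTML === 'object'` also needs a why-comment, since a reader will expect `'function'` here — presumably it matches how an older IE reports that host function, but the code should say so.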

@@ -114,2 +114,10 @@ module.exports = function(config) {

os_version: '8.1'
},
bs_win10_edge_12: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '12.0',
browser: 'edge',
os_version: '10'
}

@@ -126,3 +134,4 @@ },

'bs_win7_firefox_12',
'bs_win81_chrome_22'
'bs_win81_chrome_22',
'bs_win10_edge_12'
],

@@ -129,0 +138,0 @@

@@ -60,3 +60,24 @@ module.exports = function(DOMPurify, tests, xssTests) {

assert.equal( DOMPurify.sanitize( '<b><style><style/><img src=xx: onerror=alert(1)>', {SAFE_FOR_JQUERY: true}), "<b><style>&lt;style/>&lt;img src=xx: onerror=alert(1)></style></b>" );
assert.contains( DOMPurify.sanitize( '1<template><s>000</s></template>2', {SAFE_FOR_JQUERY: true}), ["1<template><s>000</s></template>2", "1<template></template>2"] );
assert.contains( DOMPurify.sanitize( '<template><s>000</s></template>', {SAFE_FOR_JQUERY: true}), ["", "<template><s>000</s></template>"]);
});
QUnit.test( 'Config-Flag tests: SAFE_FOR_TEMPLATES', function(assert) {
//SAFE_FOR_TEMPLATES
assert.equal( DOMPurify.sanitize( '<a>123{{456}}<b><style><% alert(1) %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" );
assert.equal( DOMPurify.sanitize( '<a data-bind="style: alert(1)"></a>', {SAFE_FOR_TEMPLATES: true}), "<a></a>" );
assert.equal( DOMPurify.sanitize( '<a data-harmless=""></a>', {SAFE_FOR_TEMPLATES: true, ALLOW_DATA_ATTR: true}), "<a></a>" );
assert.equal( DOMPurify.sanitize( '<a data-harmless=""></a>', {SAFE_FOR_TEMPLATES: false, ALLOW_DATA_ATTR: false}), "<a></a>" );
assert.equal( DOMPurify.sanitize( '<a>{{123}}{{456}}<b><style><% alert(1) %><% 123 %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" );
assert.equal( DOMPurify.sanitize( '<a>{{123}}abc{{456}}<b><style><% alert(1) %>def<% 123 %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" );
assert.equal( DOMPurify.sanitize( '<a>123{{45{{6}}<b><style><% alert(1)%> %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" );
assert.equal( DOMPurify.sanitize( '<a>123{{45}}6}}<b><style><% <%alert(1) %></style>456</b></a>', {SAFE_FOR_TEMPLATES: true}), "<a> <b><style> </style>456</b></a>" );
assert.equal( DOMPurify.sanitize( '<a>123{{<b>456}}</b><style><% alert(1) %></style>456</a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style>456</a>" );
assert.contains( DOMPurify.sanitize( '<b>{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}</b>', {SAFE_FOR_TEMPLATES: true}),
["<b> </b>", "<b> </b>", "<b> <form><img src=\"x\"></form> </b>"]
);
assert.contains( DOMPurify.sanitize( '<b>he{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}ya</b>', {SAFE_FOR_TEMPLATES: true}),
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"] // Investigate on Safari 8!
);
assert.equal( DOMPurify.sanitize( '<a>123<% <b>456}}</b><style>{{ alert(1) }}</style>456 %></a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style> </a>" );
});
QUnit.test( 'Config-Flag tests: SANITIZE_DOM', function(assert) {

@@ -131,2 +152,6 @@ // SANITIZE_DOM

});
QUnit.test( 'Test dirty being an array', function(assert) {
assert.equal( DOMPurify.sanitize( ['<a>123<b>456</b></a>']), "<a>123<b>456</b></a>" );
assert.equal( DOMPurify.sanitize( ['<img src=', 'x onerror=alert(1)>']), "<img src=\",x\">" );
});
// XSS tests: Native DOM methods (alert() should not be called)

@@ -133,0 +158,0 @@ QUnit
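Review bot: The accepted-results list `["<b> </b>", "<b> </b>", "<b> <form><img src=\"x\"></form> </b>"]` contains the same string twice, which suggests an intended browser variant was lost; either remove the duplicate or restore the variant that was meant (the sibling case just below lists three distinct outputs). The `// Investigate on Safari 8!` remark and the `assert.contains` alternatives record that some engines keep the `<form><img>` subtree inside the mustache, but nothing states which engine produces which output; a short comment per alternative naming the engine it was observed on would make a later regression recognisable instead of silently matching a different alternative. The enclosing module function starts outside this hunk.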

