
dompurify

Comparing version 0.7.2 to 0.7.3

demos/hooks-svg-demo.html

2

bower.json
{
"name": "DOMPurify",
"version": "0.7.2",
"version": "0.7.3",
"homepage": "https://github.com/cure53/DOMPurify",

@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>",

@@ -396,1 +396,27 @@ ## What is this?

```
### Hook to sanitize SVGs shown via an `<img>` tag. [Link](hooks-svg-demo.html)
DOMPurify can be used to sanitize SVGs, but there can be some issues with some of their content and that can be solved via custom hooks and parsing. Also, it's possible to allow some tags which are disabled by default when showing SVGs via an `<img>` tag.
Here is an example which works well for content generated by Illustrator:
```javascript
// Add a hook to post-process a sanitized SVG
DOMPurify.addHook('afterSanitizeAttributes', function (node) {
// Fix namespaces added by Adobe Illustrator
node.setAttribute('xmlns', 'http://www.w3.org/2000/svg');
node.setAttribute('xmlns:xlink', 'http://www.w3.org/1999/xlink');
});
// Clean SVG string and allow the "filter" tag
var clean = DOMPurify.sanitize(dirty, {ADD_TAGS: ['filter']});
// Remove partial XML comment left in the HTML
var badTag = clean.indexOf(']&gt;');
var pureSvg = clean.substring(badTag < 0 ? 0 : 5, clean.length);
// Show sanitized content in <img> element
var img = new Image();
img.src = "data:image/svg+xml;base64," + window.btoa(pureSvg);
document.getElementById('sanitized').appendChild(img);
```

@@ -1,2 +0,2 @@

(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.2";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var u=t.Comment;var f=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var y={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var g=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
A=g({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var w=null;var 
k=g({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","azimuth","baseline-shift","bias","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dy","dy","direction","display","divisor","dur","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","image-rendering","in","in2","k1","k2","k3","k4","kerning","letter-spacing","lighting-color","local","marker-end","marker-mid","marker-start","max","mask","mode","min","offset","operator","opacity","order","overflow","paint-order","path","points","r","rx","ry","radius","restart","scale","seed","shape-rendering","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","transform","text-anchor","text-decoration","text-rendering","u1","u2","viewbox","visibility","word-spacing","wrap","writing-mode","x","x1","x2","y","y1","y2","z","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display
","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var x=null;var E=null;var M=true;var O=false;var D=false;var N=false;var S=false;var _=false;var L=false;var z=true;var R=true;var C=g({},["audio","head","math","script","style","svg","video"]);var H=null;var F=n.createElement("form");var I=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?g({},e.ALLOWED_TAGS):A;w="ALLOWED_ATTR"in e?g({},e.ALLOWED_ATTR):k;x="FORBID_TAGS"in e?g({},e.FORBID_TAGS):{};E="FORBID_ATTR"in e?g({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.SAFE_FOR_JQUERY||false;D=e.SAFE_FOR_TEMPLATES||false;N=e.WHOLE_DOCUMENT||false;S=e.RETURN_DOM||false;_=e.RETURN_DOM_FRAGMENT||false;L=e.RETURN_DOM_IMPORT||false;z=e.SANITIZE_DOM!==false;R=e.KEEP_CONTENT!==false;if(_){S=true}if(e.ADD_TAGS){if(T===A){T=b(T)}g(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(w===k){w=b(w)}g(w,e.ADD_ATTR)}if(R){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}H=e};var j=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new f).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(N?"html":"body")[0]}else{return p.call(t,N?"html":"body")[0]}};var W=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var B=function(e){if(e instanceof c||e instanceof u){return false}if(typeof 
e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var q=function(e){Y("beforeSanitizeElements",e,null);if(B(e)){j(e);return true}var t=e.nodeName.toLowerCase();Y("uponSanitizeElement",e,{tagName:t});if(!T[t]||x[t]){if(R&&!C[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}j(e);return true}if(O&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(e.nodeType===3&&D){var n=e.textContent;n=n.replace(K," ");n=n.replace(Q," ");e.textContent=n}Y("afterSanitizeElements",e,null);return false};var P=function(e){Y("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,u;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;Y("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){u=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(u)>i){e.setAttribute("id",u.value)}}else{if(l==="id"){e.setAttribute(l,"")}e.removeAttribute(l)}if(!a.keepAttr){continue}if(z&&(c==="id"||c==="name")&&(s in t||s in n||s in F)){continue}if((w[c]&&!E[c]||!D&&M&&U.test(c))&&(!V.test(s.replace(J,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{if(D){s=s.replace(K," ");s=s.replace(Q," ");e.setAttribute(l,s)}e.setAttribute(l,s)}catch(f){}}}Y("afterSanitizeAttributes",e,null)};var U=/^data-[\w.\u00B7-\uFFFF-]/;var V=/^(?:\w+script|data):/i;var J=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var K=/\{\{.*|.*\}\}/gm;var Q=/<%.*|.*%>/gm;var X=function(e){var t;var r=W(e);Y("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){Y("uponSanitizeShadowNode",t,null);if(q(t)){continue}if(t.content 
instanceof i){X(t.content)}P(t)}Y("afterSanitizeShadowDOM",e,null)};var Y=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,H)})};r.sanitize=function(e,n){if(!e){return""}if(e instanceof Array){e=e.toString()}if(!r.isSupported){if(typeof t.toStaticHTML==="object"&&typeof e==="string"){return t.toStaticHTML(e)}return e}I(n);if(!S&&!N&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return S?null:""}var l;var s;var c=W(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(q(l)){continue}if(l.content instanceof i){X(l.content)}P(l);s=l}var u;if(S){if(_){u=v.call(o.ownerDocument);while(o.firstChild){u.appendChild(o.firstChild)}}else{u=o}if(L){u=h.call(a,u,true)}return u}return N?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r});
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.3";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var f=t.Comment;var u=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var g={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var y=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
k=y({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var x=null;var 
A=y({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var w=null;var E=null;var M=true;var D=false;var O=false;var S=false;var N=false;var L=false;var _=false;var C=true;var z=true;var R=y({},["audio","head","math","script","style","svg","video"]);var F=null;var H=n.createElement("form");var I=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?y({},e.ALLOWED_TAGS):k;x="ALLOWED_ATTR"in e?y({},e.ALLOWED_ATTR):A;w="FORBID_TAGS"in e?y({},e.FORBID_TAGS):{};E="FORBID_ATTR"in 
e?y({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;D=e.SAFE_FOR_JQUERY||false;O=e.SAFE_FOR_TEMPLATES||false;S=e.WHOLE_DOCUMENT||false;N=e.RETURN_DOM||false;L=e.RETURN_DOM_FRAGMENT||false;_=e.RETURN_DOM_IMPORT||false;C=e.SANITIZE_DOM!==false;z=e.KEEP_CONTENT!==false;if(L){N=true}if(e.ADD_TAGS){if(T===k){T=b(T)}y(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(x===A){x=b(x)}y(x,e.ADD_ATTR)}if(z){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}F=e};var B=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(S?"html":"body")[0]}else{return p.call(t,S?"html":"body")[0]}};var j=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var W=function(e){if(e instanceof c||e instanceof f){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var q=/\{\{.*|.*\}\}/gm;var P=/<%.*|.*%>/gm;var U=function(e){Y("beforeSanitizeElements",e,null);if(W(e)){B(e);return true}var t=e.nodeName.toLowerCase();Y("uponSanitizeElement",e,{tagName:t});if(!T[t]||w[t]){if(z&&!R[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}B(e);return true}if(D&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(O&&e.nodeType===3){var n=e.textContent;n=n.replace(q," ");n=n.replace(P," ");e.textContent=n}Y("afterSanitizeElements",e,null);return false};var V=/^data-[\w.\u00B7-\uFFFF-]/;var J=/^(?:\w+script|data):/i;var 
K=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var Q=function(e){Y("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,f;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;Y("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){f=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(f)>i){e.setAttribute("id",f.value)}}else{if(l==="id"){e.setAttribute(l,"")}e.removeAttribute(l)}if(!a.keepAttr){continue}if(C&&(c==="id"||c==="name")&&(s in t||s in n||s in H)){continue}if((x[c]&&!E[c]||!O&&M&&V.test(c))&&(!J.test(s.replace(K,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{if(O){s=s.replace(q," ");s=s.replace(P," ")}e.setAttribute(l,s)}catch(u){}}}Y("afterSanitizeAttributes",e,null)};var X=function(e){var t;var r=j(e);Y("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){Y("uponSanitizeShadowNode",t,null);if(U(t)){continue}if(t.content instanceof i){X(t.content)}Q(t)}Y("afterSanitizeShadowDOM",e,null)};var Y=function(e,t,n){if(!g[e]){return}g[e].forEach(function(e){e.call(r,t,n,F)})};r.sanitize=function(e,n){if(!e){e=""}if(typeof e!=="string"){e=e.toString()}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}I(n);if(!N&&!S&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return N?null:""}var l;var s;var c=j(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(U(l)){continue}if(l.content instanceof i){X(l.content)}Q(l);s=l}var f;if(N){if(L){f=v.call(o.ownerDocument);while(o.firstChild){f.appendChild(o.firstChild)}}else{f=o}if(_){f=h.call(a,f,true)}return f}return S?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof 
t!=="function"){return}g[e]=g[e]||[];g[e].push(t)};r.removeHook=function(e){if(g[e]){g[e].pop()}};r.removeHooks=function(e){if(g[e]){g[e]=[]}};r.removeAllHooks=function(){g=[]};return r});
//# sourceMappingURL=./dist/purify.min.js.map

@@ -21,5 +21,5 @@ {

"json-loader": "^0.5.2",
"karma": "^0.13.9",
"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll",
"karma-chrome-launcher": "^0.2.0",
"karma": "^0.13.15",
"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll_0.1.6",
"karma-chrome-launcher": "^0.2.1",
"karma-firefox-launcher": "^0.1.6",

@@ -29,8 +29,8 @@ "karma-fixture": "^0.2.5",

"karma-json-fixtures-preprocessor": "0.0.5",
"karma-qunit": "^0.1.5",
"karma-qunit": "^0.1.8",
"karma-webpack": "^1.7.0",
"pre-commit": "^1.1.1",
"pre-commit": "^1.1.2",
"qunit-parameterize": "^0.4.0",
"qunitjs": "^1.14.0",
"uglify-js": "^2.4.24",
"qunitjs": "^1.20.0",
"uglify-js": "^2.5.0",
"webpack": "^1.12.1"

@@ -40,3 +40,3 @@ },

"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "0.7.2",
"version": "0.7.3",
"main": "src/purify.js",

@@ -43,0 +43,0 @@ "directories": {
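Review bot: The new-side `"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll_0.1.6"` still fetches a fork over the unauthenticated `git://` transport and pins to a mutable ref (a branch or tag name), so the installed code is neither integrity-checked in transit nor reproducible across installs. Even for what appears to be a test-only dependency (the surrounding karma entries suggest devDependencies, though the key is outside the hunk), a commit-hash pin over HTTPS is the conventional fix: `"karma-browserstack-launcher": "git+https://github.com/shirish87/karma-browserstack-launcher.git#<commit-sha placeholder>"`. The `@@ -29` and `@@ -40` hunks in this section are plain version bumps and need no change.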

@@ -9,3 +9,3 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify)

DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover 8 different browsers right now.
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [9 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L125) right now.

@@ -89,3 +89,3 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

Yes. The included default configuration values are pretty good already - but you can of course override them. Check out the `/demos` folder to see a bunch of examples on how you can customize DOMPurify.
Yes. The included default configuration values are pretty good already - but you can of course override them. Check out the [`/demos`](https://github.com/cure53/DOMPurify/tree/master/demos) folder to see a bunch of examples on how you can [customize DOMPurify](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this).

@@ -92,0 +92,0 @@ ```javascript

@@ -24,3 +24,3 @@ ;(function(factory) {

*/
DOMPurify.version = '0.7.2';
DOMPurify.version = '0.7.3';

@@ -121,2 +121,9 @@ if (!window || !window.document || window.document.nodeType !== 9) {

// SVG Filters
'feBlend','feColorMatrix','feComponentTransfer','feComposite',
'feConvolveMatrix','feDiffuseLighting','feDisplacementMap',
'feFlood','feFuncA','feFuncB','feFuncG','feFuncR','feGaussianBlur',
'feImage','feMerge','feMergeNode','feMorphology','feOffset',
'feSpecularLighting','feTile','feTurbulence',
//MathML

@@ -151,18 +158,27 @@ 'math','menclose','merror','mfenced','mfrac','mglyph','mi','mlabeledtr',

'accent-height','accumulate','additivive','alignment-baseline',
'ascent','azimuth','baseline-shift','bias','clip','clip-path',
'clip-rule','color','color-interpolation','color-interpolation-filters',
'color-profile','color-rendering','cx','cy','d','dy','dy','direction',
'display','divisor','dur','elevation','end','fill','fill-opacity',
'fill-rule','filter','flood-color','flood-opacity','font-family',
'font-size','font-size-adjust','font-stretch','font-style','font-variant',
'font-weight','image-rendering','in','in2','k1','k2','k3','k4','kerning',
'letter-spacing','lighting-color','local','marker-end','marker-mid',
'marker-start','max','mask','mode','min','offset','operator','opacity',
'order','overflow','paint-order','path','points','r','rx','ry','radius',
'restart','scale','seed','shape-rendering','stop-color','stop-opacity',
'stroke-dasharray','stroke-dashoffset','stroke-linecap','stroke-linejoin',
'stroke-miterlimit','stroke-opacity','stroke','stroke-width','transform',
'text-anchor','text-decoration','text-rendering','u1','u2','viewbox',
'visibility','word-spacing','wrap','writing-mode','x','x1','x2','y',
'y1','y2','z',
'ascent','attributename','attributetype','azimuth','basefrequency',
'baseline-shift','begin','bias','by','clip','clip-path','clip-rule',
'color','color-interpolation','color-interpolation-filters','color-profile',
'color-rendering','cx','cy','d','dx','dy','diffuseconstant','direction',
'display','divisor','dur','edgemode','elevation','end','fill','fill-opacity',
'fill-rule','filter','flood-color','flood-opacity','font-family','font-size',
'font-size-adjust','font-stretch','font-style','font-variant','font-weight',
'fx', 'fy','g1','g2','glyph-name','glyphref','gradientunits','gradienttransform',
'image-rendering','in','in2','k','k1','k2','k3','k4','kerning','keypoints',
'keysplines','keytimes','lengthadjust','letter-spacing','kernelmatrix',
'kernelunitlength','lighting-color','local','marker-end','marker-mid',
'marker-start','markerheight','markerunits','markerwidth','maskcontentunits',
'maskunits','max','mask','mode','min','numoctaves','offset','operator',
'opacity','order','orient','orientation','origin','overflow','paint-order',
'path','pathlength','patterncontentunits','patterntransform','patternunits',
'points','preservealpha','r','rx','ry','radius','refx','refy','repeatcount',
'repeatdur','restart','rotate','scale','seed','shape-rendering','specularconstant',
'specularexponent','spreadmethod','stddeviation','stitchtiles','stop-color',
'stop-opacity','stroke-dasharray','stroke-dashoffset','stroke-linecap',
'stroke-linejoin','stroke-miterlimit','stroke-opacity','stroke','stroke-width',
'surfacescale','targetx','targety','transform','text-anchor','text-decoration',
'text-rendering','textlength','u1','u2','unicode','values','viewbox',
'visibility','vert-adv-y','vert-origin-x','vert-origin-y','word-spacing',
'wrap','writing-mode','xchannelselector','ychannelselector','x','x1','x2',
'y','y1','y2','z','zoomandpan',

@@ -197,7 +213,7 @@ // MathML

/* Output should be safe for common template engines.
* This means, DOMPurify removes data attributes, mustaches and ERB
* This means, DOMPurify removes data attributes, mustaches and ERB
*/
var SAFE_FOR_TEMPLATES = false;
/* Decide if document with <html>... should be returned */
/* Decide if document with <html>... should be returned */
var WHOLE_DOCUMENT = false;

@@ -319,3 +335,3 @@

try {
doc = new DOMParser().parseFromString(dirty, "text/html");
doc = new DOMParser().parseFromString(dirty, 'text/html');
} catch (e) {}

@@ -381,2 +397,5 @@

var MUSTACHE_EXPR = /\{\{.*|.*\}\}/gm;
var ERB_EXPR = /<%.*|.*%>/gm;
/**

@@ -424,4 +443,4 @@ * _sanitizeElements

/* Convert markup to cover jQuery behavior */
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild
&& (!currentNode.content || !currentNode.content.firstElementChild)) {
if (SAFE_FOR_JQUERY && !currentNode.firstElementChild &&
(!currentNode.content || !currentNode.content.firstElementChild)) {
currentNode.innerHTML = currentNode.textContent.replace(/</g, '&lt;');

@@ -431,3 +450,3 @@ }

/* Sanitize element content to be template-safe */
if(currentNode.nodeType === 3 && SAFE_FOR_TEMPLATES) {
if (SAFE_FOR_TEMPLATES && currentNode.nodeType === 3) {
/* Get the element's text content */

@@ -446,2 +465,7 @@ var content = currentNode.textContent;

var DATA_ATTR = /^data-[\w.\u00B7-\uFFFF-]/;
var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i;
/* This needs to be extensive thanks to Webkit/Blink's behavior */
var ATTR_WHITESPACE = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;
/**

@@ -504,3 +528,3 @@ * _sanitizeAttributes

// This avoids a crash in Safari v9.0 with double-ids.
// The trick is to first set the id to be empty and then to
// The trick is to first set the id to be empty and then to
// remove the attriubute

@@ -544,3 +568,2 @@ if (name === 'id') {

try {
/* Sanitize attribute content to be template-safe */

@@ -550,3 +573,2 @@ if (SAFE_FOR_TEMPLATES) {

value = value.replace(ERB_EXPR, ' ');
currentNode.setAttribute(name, value);
}

@@ -556,4 +578,2 @@ currentNode.setAttribute(name, value);

}
}

@@ -564,10 +584,3 @@

};
var DATA_ATTR = /^data-[\w.\u00B7-\uFFFF-]/;
var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i;
/* This needs to be extensive thanks to Webkit/Blink's behavior */
var ATTR_WHITESPACE = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;
var MUSTACHE_EXPR = /\{\{.*|.*\}\}/gm;
var ERB_EXPR = /<%.*|.*%>/gm;
/**

@@ -631,9 +644,11 @@ * _sanitizeShadowDOM

DOMPurify.sanitize = function(dirty, cfg) {
/* Return early if nothing to sanitize is given */
/* Make sure we have a string to sanitize.
DO NOT return early, as this will return the wrong type if
the user has requested a DOM object rather than a string */
if (!dirty) {
return '';
dirty = '';
}
/* Stringify, in case dirty is an array */
if (dirty instanceof Array) {
/* Stringify, in case dirty is an array or other object */
if (typeof dirty !== 'string') {
dirty = dirty.toString();

@@ -644,3 +659,4 @@ }

if (!DOMPurify.isSupported) {
if (typeof window.toStaticHTML === 'object' && typeof dirty === 'string') {
if (typeof window.toStaticHTML === 'object'
|| typeof window.toStaticHTML === 'function') {
return window.toStaticHTML(dirty);

@@ -647,0 +663,0 @@ }
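Review bot: In the DOMPurify.sanitize hunk, the new `if (typeof dirty !== 'string') { dirty = dirty.toString(); }` assumes every non-string argument stringifies to markup, but a DOM Node or DocumentFragment stringifies to a tag such as `[object HTMLDivElement]`, so a caller passing an element silently gets that placeholder text sanitized rather than the element's content, with no error raised. If only strings and arrays of strings are meant to be accepted, the comment on the branch should state it, e.g. `/* Stringify, in case dirty is an array or other object. DOM nodes are not supported as input here and would be reduced to "[object …]". */`, and the README's API description should say the same. The related `if (!dirty) { dirty = ''; }` change is consistent with the stated goal of honouring RETURN_DOM for empty input, since `0` and `false` now follow the same path as `''`. DOMPurify.sanitize's body continues past the end of the hunk.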
