dompurify - npm Package Compare versions

Comparing version 0.7.3 to 0.7.4


bower.json
{
"name": "DOMPurify",
"version": "0.7.3",
"version": "0.7.4",
"homepage": "https://github.com/cure53/DOMPurify",

@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>",

@@ -1,2 +0,2 @@

(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.3";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var c=t.Text;var f=t.Comment;var u=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var v=n.createDocumentFragment;var h=a.importNode;var g={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var y=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
k=y({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var x=null;var 
A=y({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var w=null;var E=null;var M=true;var D=false;var O=false;var S=false;var N=false;var L=false;var _=false;var C=true;var z=true;var R=y({},["audio","head","math","script","style","svg","video"]);var F=null;var H=n.createElement("form");var I=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?y({},e.ALLOWED_TAGS):k;x="ALLOWED_ATTR"in e?y({},e.ALLOWED_ATTR):A;w="FORBID_TAGS"in e?y({},e.FORBID_TAGS):{};E="FORBID_ATTR"in 
e?y({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;D=e.SAFE_FOR_JQUERY||false;O=e.SAFE_FOR_TEMPLATES||false;S=e.WHOLE_DOCUMENT||false;N=e.RETURN_DOM||false;L=e.RETURN_DOM_FRAGMENT||false;_=e.RETURN_DOM_IMPORT||false;C=e.SANITIZE_DOM!==false;z=e.KEEP_CONTENT!==false;if(L){N=true}if(e.ADD_TAGS){if(T===k){T=b(T)}y(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(x===A){x=b(x)}y(x,e.ADD_ATTR)}if(z){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}F=e};var B=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var G=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(S?"html":"body")[0]}else{return p.call(t,S?"html":"body")[0]}};var j=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var W=function(e){if(e instanceof c||e instanceof f){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var q=/\{\{.*|.*\}\}/gm;var P=/<%.*|.*%>/gm;var U=function(e){Y("beforeSanitizeElements",e,null);if(W(e)){B(e);return true}var t=e.nodeName.toLowerCase();Y("uponSanitizeElement",e,{tagName:t});if(!T[t]||w[t]){if(z&&!R[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(r){}}B(e);return true}if(D&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(O&&e.nodeType===3){var n=e.textContent;n=n.replace(q," ");n=n.replace(P," ");e.textContent=n}Y("afterSanitizeElements",e,null);return false};var V=/^data-[\w.\u00B7-\uFFFF-]/;var J=/^(?:\w+script|data):/i;var 
K=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var Q=function(e){Y("beforeSanitizeAttributes",e,null);var r=e.attributes;if(!r){return}var a={attrName:"",attrValue:"",keepAttr:true};var i=r.length;var o,l,s,c,f;while(i--){o=r[i];l=o.name;s=o.value;c=l.toLowerCase();a.attrName=c;a.attrValue=s;a.keepAttr=true;Y("uponSanitizeAttribute",e,a);s=a.attrValue;if(c==="name"&&e.nodeName==="IMG"&&r.id){f=r.id;r=Array.prototype.slice.apply(r);e.removeAttribute("id");e.removeAttribute(l);if(r.indexOf(f)>i){e.setAttribute("id",f.value)}}else{if(l==="id"){e.setAttribute(l,"")}e.removeAttribute(l)}if(!a.keepAttr){continue}if(C&&(c==="id"||c==="name")&&(s in t||s in n||s in H)){continue}if((x[c]&&!E[c]||!O&&M&&V.test(c))&&(!J.test(s.replace(K,""))||c==="src"&&s.indexOf("data:")===0&&e.nodeName==="IMG")){try{if(O){s=s.replace(q," ");s=s.replace(P," ")}e.setAttribute(l,s)}catch(u){}}}Y("afterSanitizeAttributes",e,null)};var X=function(e){var t;var r=j(e);Y("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){Y("uponSanitizeShadowNode",t,null);if(U(t)){continue}if(t.content instanceof i){X(t.content)}Q(t)}Y("afterSanitizeShadowDOM",e,null)};var Y=function(e,t,n){if(!g[e]){return}g[e].forEach(function(e){e.call(r,t,n,F)})};r.sanitize=function(e,n){if(!e){e=""}if(typeof e!=="string"){e=e.toString()}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}I(n);if(!N&&!S&&e.indexOf("<")===-1){return e}var o=G(e);if(!o){return N?null:""}var l;var s;var c=j(o);while(l=c.nextNode()){if(l.nodeType===3&&l===s){continue}if(U(l)){continue}if(l.content instanceof i){X(l.content)}Q(l);s=l}var f;if(N){if(L){f=v.call(o.ownerDocument);while(o.firstChild){f.appendChild(o.firstChild)}}else{f=o}if(_){f=h.call(a,f,true)}return f}return S?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof 
t!=="function"){return}g[e]=g[e]||[];g[e].push(t)};r.removeHook=function(e){if(g[e]){g[e].pop()}};r.removeHooks=function(e){if(g[e]){g[e]=[]}};r.removeAllHooks=function(){g=[]};return r});
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.4";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var h=n.createDocumentFragment;var v=a.importNode;var g={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var y=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
x=y({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var k=null;var 
A=y({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var w=null;var E=null;var M=true;var S=false;var D=false;var O=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var L=/<%[\s\S]*|[\s\S]*%>/gm;var N=false;var _=false;var z=false;var C=false;var R=true;var F=true;var H=y({},["audio","head","math","script","style","svg","video"]);var B=y({},["audio","video","img","source"]);var I=y({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var j=null;var G=n.createElement("form");var W=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?y({},e.ALLOWED_TAGS):x;k="ALLOWED_ATTR"in e?y({},e.ALLOWED_ATTR):A;w="FORBID_TAGS"in e?y({},e.FORBID_TAGS):{};E="FORBID_ATTR"in 
e?y({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;S=e.SAFE_FOR_JQUERY||false;D=e.SAFE_FOR_TEMPLATES||false;N=e.WHOLE_DOCUMENT||false;_=e.RETURN_DOM||false;z=e.RETURN_DOM_FRAGMENT||false;C=e.RETURN_DOM_IMPORT||false;R=e.SANITIZE_DOM!==false;F=e.KEEP_CONTENT!==false;if(z){_=true}if(e.ADD_TAGS){if(T===x){T=b(T)}y(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(k===A){k=b(k)}y(k,e.ADD_ATTR)}if(F){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}j=e};var q=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var P=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(N?"html":"body")[0]}return p.call(t,N?"html":"body")[0]};var U=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var V=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var J=function(e){var t,r;$("beforeSanitizeElements",e,null);if(V(e)){q(e);return true}t=e.nodeName.toLowerCase();$("uponSanitizeElement",e,{tagName:t});if(!T[t]||w[t]){if(F&&!H[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(n){}}q(e);return true}if(S&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(D&&e.nodeType===3){r=e.textContent;r=r.replace(O," ");r=r.replace(L," ");e.textContent=r}$("afterSanitizeElements",e,null);return false};var K=/^data-[\w.\u00B7-\uFFFF-]/;var Q=/^(?:[^a-z]|(?=([a-z+.-]+))\1(?!:)|(?:mailto|tel|(?:ht|f)tps?):)/i;var 
X=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var Y=function(e){var r,a,i,o,l,s,f,c;$("beforeSanitizeAttributes",e,null);s=e.attributes;if(!s){return}f={attrName:"",attrValue:"",keepAttr:true};c=s.length;while(c--){r=s[c];a=r.name;i=r.value;o=a.toLowerCase();f.attrName=o;f.attrValue=i;f.keepAttr=true;$("uponSanitizeAttribute",e,f);i=f.attrValue;if(o==="name"&&e.nodeName==="IMG"&&s.id){l=s.id;s=Array.prototype.slice.apply(s);e.removeAttribute("id");e.removeAttribute(a);if(s.indexOf(l)>c){e.setAttribute("id",l.value)}}else{if(a==="id"){e.setAttribute(a,"")}e.removeAttribute(a)}if(!f.keepAttr){continue}if(R&&(o==="id"||o==="name")&&(i in t||i in n||i in G)){continue}if(D){i=i.replace(O," ");i=i.replace(L," ")}if((k[o]&&!E[o]||!D&&M&&K.test(o))&&(Q.test(i.replace(X,""))||o==="src"&&i.indexOf("data:")===0&&B[e.nodeName.toLowerCase()]||I[o])){try{e.setAttribute(a,i)}catch(u){}}}$("afterSanitizeAttributes",e,null)};var Z=function(e){var t;var r=U(e);$("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){$("uponSanitizeShadowNode",t,null);if(J(t)){continue}if(t.content instanceof i){Z(t.content)}Y(t)}$("afterSanitizeShadowDOM",e,null)};var $=function(e,t,n){if(!g[e]){return}g[e].forEach(function(e){e.call(r,t,n,j)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}W(n);if(!_&&!N&&e.indexOf("<")===-1){return e}o=P(e);if(!o){return _?null:""}f=U(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(J(l)){continue}if(l.content instanceof i){Z(l.content)}Y(l);s=l}if(_){if(z){c=h.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(C){c=v.call(a,c,true)}return c}return N?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof 
t!=="function"){return}g[e]=g[e]||[];g[e].push(t)};r.removeHook=function(e){if(g[e]){g[e].pop()}};r.removeHooks=function(e){if(g[e]){g[e]=[]}};r.removeAllHooks=function(){g=[]};return r});
//# sourceMappingURL=./dist/purify.min.js.map

@@ -38,3 +38,3 @@ {

"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "0.7.3",
"version": "0.7.4",
"main": "src/purify.js",

@@ -41,0 +41,0 @@ "directories": {

@@ -186,6 +186,6 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify)

Several people need to be listed here! [@garethheyes](https://twitter.com/garethheyes) for invaluable help, [@shafigullin](https://twitter.com/shafigullin) for breaking the library multiple times and thereby strengthening it, [@mmrupp](https://twitter.com/mmrupp) and [@irsdl](https://twitter.com/irsdl) for doing the same.
Several people need to be listed here! [@garethheyes](https://twitter.com/garethheyes) and [@filedescriptor](https://twitter.com/filedescriptor) for invaluable help, [@shafigullin](https://twitter.com/shafigullin) for breaking the library multiple times and thereby strengthening it, [@mmrupp](https://twitter.com/mmrupp) and [@irsdl](https://twitter.com/irsdl) for doing the same.
Big thanks also go to [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and [@fhemberger](https://twitter.com/fhemberger)! Further, thanks [@neilj](https://twitter.com/neilj) for his code review and countless small optimizations, fixes and beautifications. Big thanks also go to [@tdeekens](https://twitter.com/tdeekens) for doing all the hard work and getting us on track with Travis CI and BrowserStack.
Big thanks also go to [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and [@fhemberger](https://twitter.com/fhemberger)! Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their code reviews and countless small optimizations, fixes and beautifications. Big thanks also go to [@tdeekens](https://twitter.com/tdeekens) for doing all the hard work and getting us on track with Travis CI and BrowserStack.
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.

@@ -24,3 +24,3 @@ ;(function(factory) {

*/
DOMPurify.version = '0.7.3';
DOMPurify.version = '0.7.4';

@@ -215,2 +215,6 @@ if (!window || !window.document || window.document.nodeType !== 9) {

/* Specify template detection regex for SAFE_FOR_TEMPLATES mode */
var MUSTACHE_EXPR = /\{\{[\s\S]*|[\s\S]*\}\}/gm;
var ERB_EXPR = /<%[\s\S]*|[\s\S]*%>/gm;
/* Decide if document with <html>... should be returned */

@@ -244,2 +248,13 @@ var WHOLE_DOCUMENT = false;

/* Tags that are safe for data: URIs */
var DATA_URI_TAGS = _addToSet({}, [
'audio', 'video', 'img', 'source'
]);
/* Attributes safe for values like "javascript:" */
var URI_SAFE_ATTRIBUTES = _addToSet({}, [
'alt','class','for','id','label','name','pattern','placeholder',
'summary','title','value','style','xmlns'
]);
/* Keep a reference to config to pass to hooks */

@@ -283,2 +298,6 @@ var CONFIG = null;

if (SAFE_FOR_TEMPLATES) {
ALLOW_DATA_ATTR = false;
}
if (RETURN_DOM_FRAGMENT) {

@@ -340,3 +359,3 @@ RETURN_DOM = true;

DOMParser with text/html support is only in very recent browsers. */
if (!doc){
if (!doc) {
doc = implementation.createHTMLDocument('');

@@ -349,9 +368,8 @@ body = doc.body;

/* Work on whole document or just its body */
if (typeof doc.getElementsByTagName === 'function'){
if (typeof doc.getElementsByTagName === 'function') {
return doc.getElementsByTagName(
WHOLE_DOCUMENT ? 'html' : 'body')[0];
} else {
return getElementsByTagName.call(doc,
WHOLE_DOCUMENT ? 'html' : 'body')[0];
}
return getElementsByTagName.call(doc,
WHOLE_DOCUMENT ? 'html' : 'body')[0];
};

@@ -398,5 +416,2 @@

var MUSTACHE_EXPR = /\{\{.*|.*\}\}/gm;
var ERB_EXPR = /<%.*|.*%>/gm;
/**

@@ -413,2 +428,3 @@ * _sanitizeElements

var _sanitizeElements = function(currentNode) {
var tagName, content;
/* Execute a hook if present */

@@ -424,3 +440,3 @@ _executeHook('beforeSanitizeElements', currentNode, null);

/* Now let's check the element's type and name */
var tagName = currentNode.nodeName.toLowerCase();
tagName = currentNode.nodeName.toLowerCase();

@@ -454,3 +470,3 @@ /* Execute a hook if present */

/* Get the element's text content */
var content = currentNode.textContent;
content = currentNode.textContent;
content = content.replace(MUSTACHE_EXPR, ' ');

@@ -468,3 +484,3 @@ content = content.replace(ERB_EXPR, ' ');

var DATA_ATTR = /^data-[\w.\u00B7-\uFFFF-]/;
var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i;
var IS_ALLOWED_URI = /^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
/* This needs to be extensive thanks to Webkit/Blink's behavior */

@@ -485,6 +501,7 @@ var ATTR_WHITESPACE = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;

var _sanitizeAttributes = function(currentNode) {
var attr, name, value, lcName, idAttr, attributes, hookEvent, l;
/* Execute a hook if present */
_executeHook('beforeSanitizeAttributes', currentNode, null);
var attributes = currentNode.attributes;
attributes = currentNode.attributes;

@@ -494,3 +511,3 @@ /* Check if we have attributes; if not we might have a text node */

var hookEvent = {
hookEvent = {
attrName: '',

@@ -500,4 +517,3 @@ attrValue: '',

};
var l = attributes.length;
var attr, name, value, lcName, idAttr;
l = attributes.length;

@@ -553,26 +569,28 @@ /* Go backwards over all attributes; safely remove bad ones */

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR, ' ');
value = value.replace(ERB_EXPR, ' ');
}
if (
/* Check the name is permitted */
(
(ALLOWED_ATTR[lcName] && !FORBID_ATTR[lcName]) ||
/* Allow potentially valid data-* attributes
* At least one character after "-" (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804) */
(!SAFE_FOR_TEMPLATES && ALLOW_DATA_ATTR && DATA_ATTR.test(lcName))
) &&
/* Get rid of script and data URIs */
(
!IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,'')) ||
/* Keep image data URIs alive if src is allowed */
(lcName === 'src' && value.indexOf('data:') === 0 &&
currentNode.nodeName === 'IMG')
)
(ALLOWED_ATTR[lcName] && !FORBID_ATTR[lcName] && (
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
URI_SAFE_ATTRIBUTES[lcName] ||
IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE,'')) ||
/* Keep image data URIs alive if src is allowed */
(lcName === 'src' && value.indexOf('data:') === 0 &&
DATA_URI_TAGS[currentNode.nodeName.toLowerCase()])
)) ||
/* Allow potentially valid data-* attributes:
* At least one character after "-" (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
* We don't need to check the value; it's always URI safe.
*/
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName))
) {
/* Handle invalid data-* attribute set by try-catching it */
try {
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR, ' ');
value = value.replace(ERB_EXPR, ' ');
}
currentNode.setAttribute(name, value);

@@ -645,2 +663,3 @@ } catch (e) {}

DOMPurify.sanitize = function(dirty, cfg) {
var body, currentNode, oldNode, nodeIterator, returnNode;
/* Make sure we have a string to sanitize.

@@ -653,5 +672,9 @@ DO NOT return early, as this will return the wrong type if

/* Stringify, in case dirty is an array or other object */
/* Stringify, in case dirty is an object */
if (typeof dirty !== 'string') {
dirty = dirty.toString();
if (typeof dirty.toString !== 'function') {
throw new TypeError('toString is not a function');
} else {
dirty = dirty.toString();
}
}

@@ -661,3 +684,3 @@

if (!DOMPurify.isSupported) {
if (typeof window.toStaticHTML === 'object'
if (typeof window.toStaticHTML === 'object'
|| typeof window.toStaticHTML === 'function') {

@@ -678,3 +701,3 @@ return window.toStaticHTML(dirty);

/* Initialize the document to work on */
var body = _initDocument(dirty);
body = _initDocument(dirty);

@@ -687,5 +710,3 @@ /* Check we have a DOM node from the data */

/* Get node iterator */
var currentNode;
var oldNode;
var nodeIterator = _createIterator(body);
nodeIterator = _createIterator(body);

@@ -717,3 +738,2 @@ /* Now start iterating over the created document */

/* Return sanitized string or DOM */
var returnNode;
if (RETURN_DOM) {

@@ -720,0 +740,0 @@
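Review bot: Attributes whose value is the empty string are now dropped unless they appear in URI_SAFE_ATTRIBUTES, because no alternative of IS_ALLOWED_URI matches empty input; boolean attributes written bare (`disabled`, `checked`, `selected`, `required`, `readonly`, `hidden`, `open`, all present in the ALLOWED_ATTR list visible in the minified bundle) expose value "" and so no longer survive sanitize(), whereas the removed `!IS_SCRIPT_OR_DATA.test(...)` kept them. An empty value cannot carry a scheme, so the regex can accept it explicitly, `var IS_ALLOWED_URI = /^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$)|$)/i;`, backed by a test that a bare `disabled` on `<input>` round-trips with the attribute intact. The enclosing `_sanitizeAttributes` starts before this hunk. Separately, the 0.7.4 minified bundle earlier in this compare carries a different URI regex and still gates data-* attributes on `!SAFE_FOR_TEMPLATES`, which suggests dist was not rebuilt from this src revision and is worth confirming before publishing.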

@@ -81,2 +81,3 @@ module.exports = function(DOMPurify, tests, xssTests) {

assert.equal( DOMPurify.sanitize( '<a>123<% <b>456}}</b><style>{{ alert(1) }}</style>456 %></a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style> </a>" );
assert.equal( DOMPurify.sanitize( '<a href="}}javascript:alert(1)"></a>', {SAFE_FOR_TEMPLATES: true}), "<a></a>" );
});

@@ -83,0 +84,0 @@ QUnit.test( 'Config-Flag tests: SANITIZE_DOM', function(assert) {
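Review bot: The only new assertions exercise SAFE_FOR_TEMPLATES; the reworked attribute gate in src/purify.js (IS_ALLOWED_URI, URI_SAFE_ATTRIBUTES, DATA_URI_TAGS) gets no case in this hunk, unless it lives in one of the files the page could not display. It would be worth pinning that a `data:` value in `src` on `<audio>` or `<source>` is now kept while the same value in `href` and an unknown scheme such as `foo:` are still dropped, and that an attribute listed in URI_SAFE_ATTRIBUTES survives a value the URI regex rejects, so a later regex change cannot silently widen or narrow the gate. The enclosing QUnit test starts before this hunk.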

