
dompurify

Comparing version 0.7.4 to 0.8.0

test/jsdom-node-runner.js

7

bower.json
{
"name": "DOMPurify",
"version": "0.7.4",
"version": "0.8.0",
"homepage": "https://github.com/cure53/DOMPurify",

@@ -29,6 +29,3 @@ "author": "Cure53 <info@cure53.de>",

"demo"
],
"devDependencies": {
"jQuery": "1.11.0"
}
]
}

@@ -1,2 +0,2 @@

(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.7.4";if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){n=n.createElement("template").content.ownerDocument}var d=n.implementation;var m=n.createNodeIterator;var p=n.getElementsByTagName;var h=n.createDocumentFragment;var v=a.importNode;var g={};r.isSupported=typeof d.createHTMLDocument!=="undefined"&&n.documentMode!==9;var y=function(e,t){var r=t.length;while(r--){e[t[r]]=true}return e};var b=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var T=null;var 
x=y({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feImage","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var k=null;var 
A=y({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var w=null;var E=null;var M=true;var S=false;var D=false;var O=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var L=/<%[\s\S]*|[\s\S]*%>/gm;var N=false;var _=false;var z=false;var C=false;var R=true;var F=true;var H=y({},["audio","head","math","script","style","svg","video"]);var B=y({},["audio","video","img","source"]);var I=y({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var j=null;var G=n.createElement("form");var W=function(e){if(typeof e!=="object"){e={}}T="ALLOWED_TAGS"in e?y({},e.ALLOWED_TAGS):x;k="ALLOWED_ATTR"in e?y({},e.ALLOWED_ATTR):A;w="FORBID_TAGS"in e?y({},e.FORBID_TAGS):{};E="FORBID_ATTR"in 
e?y({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;S=e.SAFE_FOR_JQUERY||false;D=e.SAFE_FOR_TEMPLATES||false;N=e.WHOLE_DOCUMENT||false;_=e.RETURN_DOM||false;z=e.RETURN_DOM_FRAGMENT||false;C=e.RETURN_DOM_IMPORT||false;R=e.SANITIZE_DOM!==false;F=e.KEEP_CONTENT!==false;if(z){_=true}if(e.ADD_TAGS){if(T===x){T=b(T)}y(T,e.ADD_TAGS)}if(e.ADD_ATTR){if(k===A){k=b(k)}y(k,e.ADD_ATTR)}if(F){T["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}j=e};var q=function(e){try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var P=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t){t=d.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(N?"html":"body")[0]}return p.call(t,N?"html":"body")[0]};var U=function(e){return m.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var V=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var J=function(e){var t,r;$("beforeSanitizeElements",e,null);if(V(e)){q(e);return true}t=e.nodeName.toLowerCase();$("uponSanitizeElement",e,{tagName:t});if(!T[t]||w[t]){if(F&&!H[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(n){}}q(e);return true}if(S&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(D&&e.nodeType===3){r=e.textContent;r=r.replace(O," ");r=r.replace(L," ");e.textContent=r}$("afterSanitizeElements",e,null);return false};var K=/^data-[\w.\u00B7-\uFFFF-]/;var Q=/^(?:[^a-z]|(?=([a-z+.-]+))\1(?!:)|(?:mailto|tel|(?:ht|f)tps?):)/i;var 
X=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var Y=function(e){var r,a,i,o,l,s,f,c;$("beforeSanitizeAttributes",e,null);s=e.attributes;if(!s){return}f={attrName:"",attrValue:"",keepAttr:true};c=s.length;while(c--){r=s[c];a=r.name;i=r.value;o=a.toLowerCase();f.attrName=o;f.attrValue=i;f.keepAttr=true;$("uponSanitizeAttribute",e,f);i=f.attrValue;if(o==="name"&&e.nodeName==="IMG"&&s.id){l=s.id;s=Array.prototype.slice.apply(s);e.removeAttribute("id");e.removeAttribute(a);if(s.indexOf(l)>c){e.setAttribute("id",l.value)}}else{if(a==="id"){e.setAttribute(a,"")}e.removeAttribute(a)}if(!f.keepAttr){continue}if(R&&(o==="id"||o==="name")&&(i in t||i in n||i in G)){continue}if(D){i=i.replace(O," ");i=i.replace(L," ")}if((k[o]&&!E[o]||!D&&M&&K.test(o))&&(Q.test(i.replace(X,""))||o==="src"&&i.indexOf("data:")===0&&B[e.nodeName.toLowerCase()]||I[o])){try{e.setAttribute(a,i)}catch(u){}}}$("afterSanitizeAttributes",e,null)};var Z=function(e){var t;var r=U(e);$("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){$("uponSanitizeShadowNode",t,null);if(J(t)){continue}if(t.content instanceof i){Z(t.content)}Y(t)}$("afterSanitizeShadowDOM",e,null)};var $=function(e,t,n){if(!g[e]){return}g[e].forEach(function(e){e.call(r,t,n,j)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}W(n);if(!_&&!N&&e.indexOf("<")===-1){return e}o=P(e);if(!o){return _?null:""}f=U(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(J(l)){continue}if(l.content instanceof i){Z(l.content)}Y(l);s=l}if(_){if(z){c=h.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(C){c=v.call(a,c,true)}return c}return N?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof 
t!=="function"){return}g[e]=g[e]||[];g[e].push(t)};r.removeHook=function(e){if(g[e]){g[e].pop()}};r.removeHooks=function(e){if(g[e]){g[e]=[]}};r.removeAllHooks=function(){g=[]};return r});
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.8.0";r.removed=[];if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){var d=n.createElement("template");if(d.content&&d.content.ownerDocument){n=d.content.ownerDocument}}var m=n.implementation;var p=n.createNodeIterator;var h=n.getElementsByTagName;var v=n.createDocumentFragment;var g=a.importNode;var y={};r.isSupported=typeof m.createHTMLDocument!=="undefined"&&n.documentMode!==9;var b=function(e,t){var r=t.length;while(r--){if(typeof t[r]==="string"){t[r]=t[r].toLowerCase()}e[t[r]]=true}return e};var T=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var x=null;var 
k=b({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var A=null;var 
w=b({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var E=null;var S=null;var M=true;var O=false;var L=false;var N=false;var D=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var _=/<%[\s\S]*|[\s\S]*%>/gm;var C=false;var z=false;var R=false;var F=false;var H=true;var B=true;var W=b({},["audio","head","math","script","style","svg","video"]);var j=b({},["audio","video","img","source"]);var G=b({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var I=null;var q=n.createElement("form");var P=function(e){if(typeof e!=="object"){e={}}x="ALLOWED_TAGS"in e?b({},e.ALLOWED_TAGS):k;A="ALLOWED_ATTR"in e?b({},e.ALLOWED_ATTR):w;E="FORBID_TAGS"in e?b({},e.FORBID_TAGS):{};S="FORBID_ATTR"in 
e?b({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.ALLOW_UNKNOWN_PROTOCOLS||false;L=e.SAFE_FOR_JQUERY||false;N=e.SAFE_FOR_TEMPLATES||false;C=e.WHOLE_DOCUMENT||false;z=e.RETURN_DOM||false;R=e.RETURN_DOM_FRAGMENT||false;F=e.RETURN_DOM_IMPORT||false;H=e.SANITIZE_DOM!==false;B=e.KEEP_CONTENT!==false;if(N){M=false}if(R){z=true}if(e.ADD_TAGS){if(x===k){x=T(x)}b(x,e.ADD_TAGS)}if(e.ADD_ATTR){if(A===w){A=T(A)}b(A,e.ADD_ATTR)}if(B){x["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}I=e};var U=function(e){r.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var V=function(e,t){r.removed.push({attribute:t.getAttributeNode(e),from:t});t.removeAttribute(e)};var K=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t||!t.documentElement){t=m.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(C?"html":"body")[0]}return h.call(t,C?"html":"body")[0]};var J=function(e){return p.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var Q=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var X=function(e){var t,r;ne("beforeSanitizeElements",e,null);if(Q(e)){U(e);return true}t=e.nodeName.toLowerCase();ne("uponSanitizeElement",e,{tagName:t});if(!x[t]||E[t]){if(B&&!W[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(n){}}U(e);return true}if(L&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(N&&e.nodeType===3){r=e.textContent;r=r.replace(D," ");r=r.replace(_," 
");e.textContent=r}ne("afterSanitizeElements",e,null);return false};var Y=/^data-[\-\w.\u00B7-\uFFFF]/;var Z=/^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;var $=/^(?:\w+script|data):/i;var ee=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var te=function(e){var r,a,i,o,l,s,f,c;ne("beforeSanitizeAttributes",e,null);s=e.attributes;if(!s){return}f={attrName:"",attrValue:"",keepAttr:true};c=s.length;while(c--){r=s[c];a=r.name;i=r.value;o=a.toLowerCase();f.attrName=o;f.attrValue=i;f.keepAttr=true;ne("uponSanitizeAttribute",e,f);i=f.attrValue;if(o==="name"&&e.nodeName==="IMG"&&s.id){l=s.id;s=Array.prototype.slice.apply(s);V("id",e);V(a,e);if(s.indexOf(l)>c){e.setAttribute("id",l.value)}}else{if(a==="id"){e.setAttribute(a,"")}V(a,e)}if(!f.keepAttr){continue}if(H&&(o==="id"||o==="name")&&(i in t||i in n||i in q)){continue}if(N){i=i.replace(D," ");i=i.replace(_," ")}if(A[o]&&!S[o]&&(G[o]||Z.test(i.replace(ee,""))||o==="src"&&i.indexOf("data:")===0&&j[e.nodeName.toLowerCase()])||M&&Y.test(o)||O&&!$.test(i.replace(ee,""))){try{e.setAttribute(a,i)}catch(u){}}}ne("afterSanitizeAttributes",e,null)};var re=function(e){var t;var r=J(e);ne("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){ne("uponSanitizeShadowNode",t,null);if(X(t)){continue}if(t.content instanceof i){re(t.content)}te(t)}ne("afterSanitizeShadowDOM",e,null)};var ne=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,I)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}P(n);r.removed=[];if(!z&&!C&&e.indexOf("<")===-1){return e}o=K(e);if(!o){return z?null:""}f=J(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(X(l)){continue}if(l.content instanceof 
i){re(l.content)}te(l);s=l}if(z){if(R){c=v.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(F){c=g.call(a,c,true)}return c}return C?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r});
//# sourceMappingURL=./dist/purify.min.js.map
{
"scripts": {
"build-demo": "node scripts/build-demo.js",
"qunit": "node scripts/server.js",
"jshint": "node node_modules/jshint/bin/jshint src/purify.js || true",
"lint": "jshint src/purify.js",
"minify": "scripts/minify.sh",
"amend-minified": "scripts/amend-minified.sh",
"test": "npm run jshint && npm run-script travis-ci",
"travis-ci": "[ \"${TRAVIS_PULL_REQUEST}\" = \"false\" ] && ./node_modules/.bin/karma start test/karma.conf.js --log-level warn --reporters dots --single-run || false",
"ci-test": "./node_modules/.bin/karma start test/karma.conf.js --single-run",
"local-test": "npm run jshint;./node_modules/.bin/karma start test/karma.conf.js --browsers Firefox,Chrome --single-run"
"test:jsdom": "node test/jsdom-node-runner --dot",
"test:karma": "karma start test/karma.conf.js --log-level warn --single-run",
"test:ci": "npm run lint && npm run test:jsdom && (([ \"${TRAVIS_PULL_REQUEST}\" != \"false\" ] || [ \"${TEST_BROWSERSTACK}\" != \"true\" ]) || karma start test/karma.conf.js --log-level error --reporters dots --single-run)",
"test": "npm run lint && npm run test:jsdom && npm run test:karma -- --browsers Firefox,Chrome"
},
"pre-commit": [
"jshint",
"lint",
"minify",

@@ -19,22 +18,25 @@ "amend-minified"

"devDependencies": {
"jshint": "^2.4.4",
"json-loader": "^0.5.2",
"karma": "^0.13.15",
"karma-browserstack-launcher": "git://github.com/shirish87/karma-browserstack-launcher.git#global_poll_0.1.6",
"karma-chrome-launcher": "^0.2.1",
"karma-firefox-launcher": "^0.1.6",
"karma-fixture": "^0.2.5",
"karma-html2js-preprocessor": "^0.1.0",
"karma-json-fixtures-preprocessor": "0.0.5",
"karma-qunit": "^0.1.8",
"jquery": "^2.2.3",
"jsdom": "8.x.x",
"jshint": "^2.9.2",
"json-loader": "^0.5.4",
"karma": "^0.13.22",
"karma-browserstack-launcher": "1.0.0",
"karma-chrome-launcher": "^1.0.1",
"karma-firefox-launcher": "^1.0.0",
"karma-fixture": "^0.2.6",
"karma-html2js-preprocessor": "^1.0.0",
"karma-json-fixtures-preprocessor": "0.0.6",
"karma-qunit": "^1.0.0",
"karma-webpack": "^1.7.0",
"pre-commit": "^1.1.2",
"qunit-parameterize": "^0.4.0",
"qunitjs": "^1.20.0",
"uglify-js": "^2.5.0",
"webpack": "^1.12.1"
"qunit-tap": "^1.5.0",
"qunitjs": "^1.23.1",
"uglify-js": "^2.6.2",
"webpack": "^1.13.0"
},
"name": "dompurify",
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "0.7.4",
"version": "0.8.0",
"main": "src/purify.js",

@@ -41,0 +43,0 @@ "directories": {
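Review bot: The new `test:ci` script skips the karma run silently: when `TRAVIS_PULL_REQUEST` is not `false` or `TEST_BROWSERSTACK` is not `true`, the parenthesised test succeeds, the `||` branch never runs, and the command exits 0 with nothing in the log saying the browser suite was not executed, so a green build on a pull request only proves that lint and the jsdom suite passed. This is presumably intended for builds without BrowserStack credentials, but the skip should be visible in the CI output. Putting a message in the skip branch does that without changing the exit status, e.g. `(([ \"${TRAVIS_PULL_REQUEST}\" != \"false\" ] || [ \"${TEST_BROWSERSTACK}\" != \"true\" ]) && echo 'browser tests skipped (no BrowserStack)' || karma start test/karma.conf.js --log-level error --reporters dots --single-run)` in place of the current inner expression.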

@@ -9,3 +9,3 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify)

DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [9 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L125) right now.
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [10 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L145) right now. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom).

@@ -42,2 +42,4 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

After sanitizing your markup, you can also have a look at the property `DOMPurify.removed` and find out, what elements and attributes were thrown out.
If you're using an [AMD](https://github.com/amdjs/amdjs-api/wiki/AMD) module loader like [Require.js](http://requirejs.org/), you can load this script asynchronously as well:

@@ -51,3 +53,3 @@

You can also grab the files straight from npm (requires either [io.js](https://iojs.org) or [Browserify](http://browserify.org/), **Node.js 0.x is not supported**):
DOMPurify also works server-side with node.js as well as client-side via [Browserify](http://browserify.org/) or similar translators. Node.js 0.x is not supported; either [io.js](https://iojs.org) or Node.js 4.x or newer is required.

@@ -59,6 +61,17 @@ ```bash

```javascript
var DOMPurify = require('dompurify');
var clean = DOMPurify.sanitize(dirty);
const createDOMPurify = require('dompurify');
const jsdom = require('jsdom');
const window = jsdom.jsdom('', {
features: {
FetchExternalResources: false, // disables resource loading over HTTP / filesystem
ProcessExternalResources: false // do not execute JS within script blocks
}
}).defaultView;
const DOMPurify = createDOMPurify(window);
const clean = DOMPurify.sanitize(dirty));
```
Strictly speaking, DOMPurify creates a document without a browsing context and you can replace it with `const window = jsdom.jsdom().defaultView;`, however, the longer case protects against accidental bugs in jsdom or DOMPurify.
## Is there a demo?

@@ -122,2 +135,6 @@

// allow external protocol handlers in URL attributes (default is false)
// by default only http, https, ftp, ftps, tel and mailto are allowed.
var clean = DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true});
// return a DOM HTMLBodyElement instead of an HTML string (default is false)

@@ -145,3 +162,3 @@ var clean = DOMPurify.sanitize(dirty, {RETURN_DOM: true});

```
There is even [more examples here](https://github.com/cure53/DOMPurify/tree/master/demos#what-it-this), showing how you can run, customize and configure DOMPurify to fit your needs.
There is even [more examples here](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this), showing how you can run, customize and configure DOMPurify to fit your needs.

@@ -177,4 +194,6 @@ ## Hooks

You can further run local tests by executing `npm run-script local-test` or, in case you have a BrowserStack account with automation available, run the tests using `npm run-script ci-test`.
You can further run local tests by executing `npm test`. The tests work fine with Node.js v0.6.2 and jsdom@8.5.0.
All relevant commits will be signed with the key `0x24BB6BF4` for additional security (since 8th of April 2016).
## Security Mailing List

@@ -186,13 +205,16 @@

Feature releases will not be announced to this list.
## What's on the road-map?
## Who contributed?
We recently implemented a Hook-API allowing developers to create their own DOMPurify plugins and customize its functionality without changing the core. Thus, we are looking forward for plugins and extensions - pull requests are welcome! Oh, and we will increase the amount of browsers and HTML-mappings in our automates tests to make sure nothing slips through.
Several people need to be listed here!
## Who contributed?
[@garethheyes](https://twitter.com/garethheyes) and [@filedescriptor](https://twitter.com/filedescriptor) for invaluable help, [@shafigullin](https://twitter.com/shafigullin) for breaking the library multiple times and thereby strengthening it, [@mmrupp](https://twitter.com/mmrupp) and [@irsdl](https://twitter.com/irsdl) for doing the same.
Several people need to be listed here! [@garethheyes](https://twitter.com/garethheyes) and [@filedescriptor](https://twitter.com/filedescriptor) for invaluable help, [@shafigullin](https://twitter.com/shafigullin) for breaking the library multiple times and thereby strengthening it, [@mmrupp](https://twitter.com/mmrupp) and [@irsdl](https://twitter.com/irsdl) for doing the same.
Big thanks also go to [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and [@fhemberger](https://twitter.com/fhemberger)!
Big thanks also go to [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and [@fhemberger](https://twitter.com/fhemberger)! Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their code reviews and countless small optimizations, fixes and beautifications. Big thanks also go to [@tdeekens](https://twitter.com/tdeekens) for doing all the hard work and getting us on track with Travis CI and BrowserStack.
Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their code reviews and countless small optimizations, fixes and beautifications.
Big thanks also go to [@tdeekens](https://twitter.com/tdeekens) for doing all the hard work and getting us on track with Travis CI and BrowserStack. And thanks to [@Joris-van-der-Wel](https://github.com/Joris-van-der-Wel) for setting up DOMPurify for jsdom and creating the additional test suite.
And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that.

@@ -24,4 +24,10 @@ ;(function(factory) {

*/
DOMPurify.version = '0.7.4';
DOMPurify.version = '0.8.0';
/**
* Array of elements that DOMPurify removed during sanitation.
* Empty if nothing was removed.
*/
DOMPurify.removed = [];
if (!window || !window.document || window.document.nodeType !== 9) {

@@ -51,3 +57,6 @@ // not running in a browser, provide a factory function

if (typeof HTMLTemplateElement === 'function') {
document = document.createElement('template').content.ownerDocument;
var template = document.createElement('template');
if (template.content && template.content.ownerDocument) {
document = template.content.ownerDocument;
}
}

@@ -73,2 +82,5 @@ var implementation = document.implementation;

while (l--) {
if (typeof array[l] === 'string') {
array[l] = array[l].toLowerCase();
}
set[array[l]] = true;

@@ -118,3 +130,3 @@ }

'animatemotion','animatetransform','circle','clippath','defs','desc',
'ellipse','font','g','glyph','glyphref','hkern','image','line',
'ellipse','filter','font','g','glyph','glyphref','hkern','image','line',
'lineargradient','marker','mask','metadata','mpath','path','pattern',

@@ -128,3 +140,3 @@ 'polygon','polyline','radialgradient','rect','stop','switch','symbol',

'feFlood','feFuncA','feFuncB','feFuncG','feFuncR','feGaussianBlur',
'feImage','feMerge','feMergeNode','feMorphology','feOffset',
'feMerge','feMergeNode','feMorphology','feOffset',
'feSpecularLighting','feTile','feTurbulence',

@@ -177,5 +189,5 @@

'points','preservealpha','r','rx','ry','radius','refx','refy','repeatcount',
'repeatdur','restart','rotate','scale','seed','shape-rendering','specularconstant',
'specularexponent','spreadmethod','stddeviation','stitchtiles','stop-color',
'stop-opacity','stroke-dasharray','stroke-dashoffset','stroke-linecap',
'repeatdur','restart','result','rotate','scale','seed','shape-rendering',
'specularconstant','specularexponent','spreadmethod','stddeviation','stitchtiles',
'stop-color','stop-opacity','stroke-dasharray','stroke-dashoffset','stroke-linecap',
'stroke-linejoin','stroke-miterlimit','stroke-opacity','stroke','stroke-width',

@@ -212,2 +224,5 @@ 'surfacescale','targetx','targety','transform','text-anchor','text-decoration',

/* Decide if unknown protocols are okay */
var ALLOW_UNKNOWN_PROTOCOLS = false;
/* Output should be safe for jQuery's $() factory? */

@@ -293,2 +308,3 @@ var SAFE_FOR_JQUERY = false;

ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false

@@ -341,2 +357,3 @@ SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false

var _forceRemove = function(node) {
DOMPurify.removed.push({element: node});
try {

@@ -350,2 +367,16 @@ node.parentNode.removeChild(node);

/**
* _removeAttribute
*
* @param an Attribute name
* @param a DOM node
*/
var _removeAttribute = function(name, node) {
DOMPurify.removed.push({
attribute: node.getAttributeNode(name),
from: node
});
node.removeAttribute(name);
};
/**
* _initDocument

@@ -364,4 +395,5 @@ *

/* Some browsers throw, some browsers return null for the code above
DOMParser with text/html support is only in very recent browsers. */
if (!doc) {
DOMParser with text/html support is only in very recent browsers.
See #159 why the check here is extra-thorough */
if (!doc || !doc.documentElement) {
doc = implementation.createHTMLDocument('');

@@ -484,4 +516,5 @@ body = doc.body;

var DATA_ATTR = /^data-[\w.\u00B7-\uFFFF-]/;
var DATA_ATTR = /^data-[\-\w.\u00B7-\uFFFF]/;
var IS_ALLOWED_URI = /^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i;
/* This needs to be extensive thanks to Webkit/Blink's behavior */

@@ -540,4 +573,4 @@ var ATTR_WHITESPACE = /[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;

attributes = Array.prototype.slice.apply(attributes);
currentNode.removeAttribute('id');
currentNode.removeAttribute(name);
_removeAttribute('id', currentNode);
_removeAttribute(name, currentNode);
if (attributes.indexOf(idAttr) > l) {

@@ -553,3 +586,3 @@ currentNode.setAttribute('id', idAttr.value);

}
currentNode.removeAttribute(name);
_removeAttribute(name, currentNode);
}

@@ -591,3 +624,8 @@

*/
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName))
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) ||
/* Allow unknown protocols:
* This provides support for links that are handled by protocol handlers which may be unknown
* ahead of time, e.g. fb:, spotify:
*/
(ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,'')))
) {

@@ -692,2 +730,5 @@ /* Handle invalid data-* attribute set by try-catching it */

/* Clean up removed elements */
DOMPurify.removed = [];
/* Exit directly if we have nothing to do */

@@ -694,0 +735,0 @@ if (!RETURN_DOM && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) {
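Review bot: In the `@@ -591,3 +624,8 @@` hunk the new operand `(ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,'')))` is OR-ed into the same condition as the data-* branch and inspects only `value`, never `lcName`, so whether an attribute that is not in the allow-list is kept when the option is on depends on the `else if` that follows outside the hunk; if that branch is the `ALLOWED_ATTR`/`FORBID_ATTR` name check, this operand short-circuits past it. The data-* branch can afford to skip the name check because `DATA_ATTR.test(lcName)` is itself a name check, and the new branch has no equivalent. Safer is to carry the name check inside the operand, `(ALLOW_UNKNOWN_PROTOCOLS && ALLOWED_ATTR[lcName] && !FORBID_ATTR[lcName] && !IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,'')))`, or to fold it into the following branch so that it only relaxes the `IS_ALLOWED_URI` test for attributes already permitted by name. The new QUnit cases in the test suite exercise only a `javascript:` href and never a non-whitelisted attribute with a benign-looking value, so they would not catch this. The enclosing `if` starts and ends outside the hunk.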

@@ -7,3 +7,3 @@ module.exports = function(config) {

files: [
'bower_components/jQuery/dist/jquery.js',
'node_modules/jquery/dist/jquery.js',
'node_modules/qunit-parameterize/qunit-parameterize.js',

@@ -53,2 +53,6 @@ 'test/config/setup.js',

webpackMiddleware: {
noInfo: true
},
customLaunchers: {

@@ -117,9 +121,25 @@ bs_win81_ie_11: {

},
bs_win10_edge_12: {
bs_win10_edge_13: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '12.0',
browser_version: '13.0',
browser: 'edge',
os_version: '10'
},
bs_win10_firefox_46: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '46.0',
browser: 'firefox',
os_version: '10'
},
bs_win10_chrome_50: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '50.0',
browser: 'chrome',
os_version: '10'
}

@@ -137,3 +157,5 @@ },

'bs_win81_chrome_22',
'bs_win10_edge_12'
'bs_win10_edge_13',
'bs_win10_firefox_46',
'bs_win10_chrome_50'
],

@@ -140,0 +162,0 @@

@@ -10,2 +10,2 @@ var

QUnit.module('DOMPurify dist');
testSuite(DOMPurify, tests, xssTests);
testSuite(DOMPurify, window, tests, xssTests);

@@ -10,2 +10,2 @@ var

QUnit.module('DOMPurify src');
testSuite(DOMPurify, tests, xssTests);
testSuite(DOMPurify, window, tests, xssTests);

@@ -1,2 +0,5 @@

module.exports = function(DOMPurify, tests, xssTests) {
module.exports = function(DOMPurify, window, tests, xssTests) {
var document = window.document;
var jQuery = window.jQuery;
QUnit

@@ -263,2 +266,26 @@ .cases(tests)

} );
QUnit.test( 'sanitize() should allow unknown protocols when ALLOW_UNKNOWN_PROTOCOLS is true', function (assert) {
var dirty = '<div><a href="spotify:track:12345"><img src="cid:1234567"></a></div>';
assert.equal(dirty, DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true}));
} );
QUnit.test( 'sanitize() should not allow javascript when ALLOW_UNKNOWN_PROTOCOLS is true', function (assert) {
var dirty = '<div><a href="javascript:alert(document.title)"><img src="cid:1234567"/></a></div>';
var modified = '<div><a><img src="cid:1234567"></a></div>';
assert.equal(modified, DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true}));
} );
// Test 1 to check if the element count in DOMPurify.removed is correct
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) {
var dirty = '<svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 1);
} );
// Test 2 to check if the element count in DOMPurify.removed is correct
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) {
var dirty = '1<script>alert(1)<\/script><svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 2);
} );
}
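Review bot: The second `QUnit.test` title at the end of the hunk, `'DOMPurify.removed shoud contain one element'`, repeats the first case's title while asserting `DOMPurify.removed.length` equals 2, so a failure report would name the wrong case; rename it `'DOMPurify.removed should contain two elements'` and fix the `shoud` typo in the first. Both cases only count entries, and since `DOMPurify.removed` is a module-level array that the new code resets inside `sanitize()`, an assertion on the recorded entries themselves (the `element` or `attribute`/`from` fields pushed by `_forceRemove` and `_removeAttribute`) would pin what was removed rather than just how many. The `module.exports` function opens at the top of the first hunk and closes at the end of this one.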
