dompurify
Advanced tools
Comparing version 0.8.0 to 0.8.1
{ | ||
"name": "DOMPurify", | ||
"version": "0.8.0", | ||
"version": "0.8.1", | ||
"homepage": "https://github.com/cure53/DOMPurify", | ||
@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>", |
@@ -1,2 +0,2 @@ | ||
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.8.0";r.removed=[];if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){var d=n.createElement("template");if(d.content&&d.content.ownerDocument){n=d.content.ownerDocument}}var m=n.implementation;var p=n.createNodeIterator;var h=n.getElementsByTagName;var v=n.createDocumentFragment;var g=a.importNode;var y={};r.isSupported=typeof m.createHTMLDocument!=="undefined"&&n.documentMode!==9;var b=function(e,t){var r=t.length;while(r--){if(typeof t[r]==="string"){t[r]=t[r].toLowerCase()}e[t[r]]=true}return e};var T=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var x=null;var k=b({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var A=null;var w=b({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var E=null;var S=null;var M=true;var O=false;var L=false;var N=false;var D=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var _=/<%[\s\S]*|[\s\S]*%>/gm;var C=false;var z=false;var R=false;var F=false;var H=true;var B=true;var W=b({},["audio","head","math","script","style","svg","video"]);var j=b({},["audio","video","img","source"]);var G=b({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var I=null;var q=n.createElement("form");var P=function(e){if(typeof e!=="object"){e={}}x="ALLOWED_TAGS"in e?b({},e.ALLOWED_TAGS):k;A="ALLOWED_ATTR"in e?b({},e.ALLOWED_ATTR):w;E="FORBID_TAGS"in e?b({},e.FORBID_TAGS):{};S="FORBID_ATTR"in e?b({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.ALLOW_UNKNOWN_PROTOCOLS||false;L=e.SAFE_FOR_JQUERY||false;N=e.SAFE_FOR_TEMPLATES||false;C=e.WHOLE_DOCUMENT||false;z=e.RETURN_DOM||false;R=e.RETURN_DOM_FRAGMENT||false;F=e.RETURN_DOM_IMPORT||false;H=e.SANITIZE_DOM!==false;B=e.KEEP_CONTENT!==false;if(N){M=false}if(R){z=true}if(e.ADD_TAGS){if(x===k){x=T(x)}b(x,e.ADD_TAGS)}if(e.ADD_ATTR){if(A===w){A=T(A)}b(A,e.ADD_ATTR)}if(B){x["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}I=e};var U=function(e){r.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var V=function(e,t){r.removed.push({attribute:t.getAttributeNode(e),from:t});t.removeAttribute(e)};var K=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t||!t.documentElement){t=m.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(C?"html":"body")[0]}return h.call(t,C?"html":"body")[0]};var J=function(e){return p.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var Q=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var X=function(e){var t,r;ne("beforeSanitizeElements",e,null);if(Q(e)){U(e);return true}t=e.nodeName.toLowerCase();ne("uponSanitizeElement",e,{tagName:t});if(!x[t]||E[t]){if(B&&!W[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(n){}}U(e);return true}if(L&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"<")}if(N&&e.nodeType===3){r=e.textContent;r=r.replace(D," ");r=r.replace(_," ");e.textContent=r}ne("afterSanitizeElements",e,null);return false};var Y=/^data-[\-\w.\u00B7-\uFFFF]/;var Z=/^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;var $=/^(?:\w+script|data):/i;var ee=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var te=function(e){var r,a,i,o,l,s,f,c;ne("beforeSanitizeAttributes",e,null);s=e.attributes;if(!s){return}f={attrName:"",attrValue:"",keepAttr:true};c=s.length;while(c--){r=s[c];a=r.name;i=r.value;o=a.toLowerCase();f.attrName=o;f.attrValue=i;f.keepAttr=true;ne("uponSanitizeAttribute",e,f);i=f.attrValue;if(o==="name"&&e.nodeName==="IMG"&&s.id){l=s.id;s=Array.prototype.slice.apply(s);V("id",e);V(a,e);if(s.indexOf(l)>c){e.setAttribute("id",l.value)}}else{if(a==="id"){e.setAttribute(a,"")}V(a,e)}if(!f.keepAttr){continue}if(H&&(o==="id"||o==="name")&&(i in t||i in n||i in q)){continue}if(N){i=i.replace(D," ");i=i.replace(_," ")}if(A[o]&&!S[o]&&(G[o]||Z.test(i.replace(ee,""))||o==="src"&&i.indexOf("data:")===0&&j[e.nodeName.toLowerCase()])||M&&Y.test(o)||O&&!$.test(i.replace(ee,""))){try{e.setAttribute(a,i)}catch(u){}}}ne("afterSanitizeAttributes",e,null)};var re=function(e){var t;var r=J(e);ne("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){ne("uponSanitizeShadowNode",t,null);if(X(t)){continue}if(t.content instanceof i){re(t.content)}te(t)}ne("afterSanitizeShadowDOM",e,null)};var ne=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,I)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}P(n);r.removed=[];if(!z&&!C&&e.indexOf("<")===-1){return e}o=K(e);if(!o){return z?null:""}f=J(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(X(l)){continue}if(l.content instanceof i){re(l.content)}te(l);s=l}if(z){if(R){c=v.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(F){c=g.call(a,c,true)}return c}return C?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r}); | ||
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.8.1";r.removed=[];if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){var d=n.createElement("template");if(d.content&&d.content.ownerDocument){n=d.content.ownerDocument}}var m=n.implementation;var p=n.createNodeIterator;var v=n.getElementsByTagName;var h=n.createDocumentFragment;var g=a.importNode;var y={};r.isSupported=typeof m.createHTMLDocument!=="undefined"&&n.documentMode!==9;var b=function(e,t){var r=t.length;while(r--){if(typeof t[r]==="string"){t[r]=t[r].toLowerCase()}e[t[r]]=true}return e};var T=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var x=null;var k=b({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var A=null;var w=b({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var E=null;var S=null;var M=true;var O=false;var N=false;var L=false;var D=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var _=/<%[\s\S]*|[\s\S]*%>/gm;var C=false;var z=false;var R=false;var F=false;var H=true;var B=true;var W=b({},["audio","head","math","script","style","svg","video"]);var j=b({},["audio","video","img","source"]);var G=b({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var I=null;var q=n.createElement("form");var P=function(e){if(typeof e!=="object"){e={}}x="ALLOWED_TAGS"in e?b({},e.ALLOWED_TAGS):k;A="ALLOWED_ATTR"in e?b({},e.ALLOWED_ATTR):w;E="FORBID_TAGS"in e?b({},e.FORBID_TAGS):{};S="FORBID_ATTR"in e?b({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.ALLOW_UNKNOWN_PROTOCOLS||false;N=e.SAFE_FOR_JQUERY||false;L=e.SAFE_FOR_TEMPLATES||false;C=e.WHOLE_DOCUMENT||false;z=e.RETURN_DOM||false;R=e.RETURN_DOM_FRAGMENT||false;F=e.RETURN_DOM_IMPORT||false;H=e.SANITIZE_DOM!==false;B=e.KEEP_CONTENT!==false;if(L){M=false}if(R){z=true}if(e.ADD_TAGS){if(x===k){x=T(x)}b(x,e.ADD_TAGS)}if(e.ADD_ATTR){if(A===w){A=T(A)}b(A,e.ADD_ATTR)}if(B){x["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}I=e};var U=function(e){r.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var V=function(e,t){r.removed.push({attribute:t.getAttributeNode(e),from:t});t.removeAttribute(e)};var K=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t||!t.documentElement){t=m.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(C?"html":"body")[0]}return v.call(t,C?"html":"body")[0]};var J=function(e){return p.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var Q=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var X=function(e){var t,n;ne("beforeSanitizeElements",e,null);if(Q(e)){U(e);return true}t=e.nodeName.toLowerCase();ne("uponSanitizeElement",e,{tagName:t});if(!x[t]||E[t]){if(B&&!W[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(a){}}U(e);return true}if(N&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){r.removed.push({element:e.cloneNode()});e.innerHTML=e.textContent.replace(/</g,"<")}if(L&&e.nodeType===3){n=e.textContent;n=n.replace(D," ");n=n.replace(_," ");if(e.textContent!==n){r.removed.push({element:e.cloneNode()});e.textContent=n}}ne("afterSanitizeElements",e,null);return false};var Y=/^data-[\-\w.\u00B7-\uFFFF]/;var Z=/^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;var $=/^(?:\w+script|data):/i;var ee=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var te=function(e){var a,i,o,l,s,f,c,u;ne("beforeSanitizeAttributes",e,null);f=e.attributes;if(!f){return}c={attrName:"",attrValue:"",keepAttr:true};u=f.length;while(u--){a=f[u];i=a.name;o=a.value;l=i.toLowerCase();c.attrName=l;c.attrValue=o;c.keepAttr=true;ne("uponSanitizeAttribute",e,c);o=c.attrValue;if(l==="name"&&e.nodeName==="IMG"&&f.id){s=f.id;f=Array.prototype.slice.apply(f);V("id",e);V(i,e);if(f.indexOf(s)>u){e.setAttribute("id",s.value)}}else{if(i==="id"){e.setAttribute(i,"")}V(i,e)}if(!c.keepAttr){continue}if(H&&(l==="id"||l==="name")&&(o in t||o in n||o in q)){continue}if(L){o=o.replace(D," ");o=o.replace(_," ")}if(M&&Y.test(l)){}else if(!A[l]||S[l]){continue}else if(G[l]){}else if(Z.test(o.replace(ee,""))){}else if(l==="src"&&o.indexOf("data:")===0&&j[e.nodeName.toLowerCase()]){}else if(O&&!$.test(o.replace(ee,""))){}else{continue}try{e.setAttribute(i,o);r.removed.pop()}catch(d){}}ne("afterSanitizeAttributes",e,null)};var re=function(e){var t;var r=J(e);ne("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){ne("uponSanitizeShadowNode",t,null);if(X(t)){continue}if(t.content instanceof i){re(t.content)}te(t)}ne("afterSanitizeShadowDOM",e,null)};var ne=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,I)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}P(n);r.removed=[];if(!z&&!C&&e.indexOf("<")===-1){return e}o=K(e);if(!o){return z?null:""}f=J(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(X(l)){continue}if(l.content instanceof i){re(l.content)}te(l);s=l}if(z){if(R){c=h.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(F){c=g.call(a,c,true)}return c}return C?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y={}};return r}); | ||
//# sourceMappingURL=./dist/purify.min.js.map |
@@ -40,3 +40,3 @@ { | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "0.8.0", | ||
"version": "0.8.1", | ||
"main": "src/purify.js", | ||
@@ -43,0 +43,0 @@ "directories": { |
@@ -9,3 +9,3 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify) | ||
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [10 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L145) right now. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [12 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L153) right now. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
@@ -12,0 +12,0 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model) |
@@ -24,3 +24,3 @@ ;(function(factory) { | ||
*/ | ||
DOMPurify.version = '0.8.0'; | ||
DOMPurify.version = '0.8.1'; | ||
@@ -488,2 +488,3 @@ /** | ||
(!currentNode.content || !currentNode.content.firstElementChild)) { | ||
DOMPurify.removed.push({element: currentNode.cloneNode()}); | ||
currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
@@ -498,3 +499,6 @@ } | ||
content = content.replace(ERB_EXPR, ' '); | ||
currentNode.textContent = content; | ||
if (currentNode.textContent !== content) { | ||
DOMPurify.removed.push({element: currentNode.cloneNode()}); | ||
currentNode.textContent = content; | ||
} | ||
} | ||
@@ -597,30 +601,47 @@ | ||
if ( | ||
/* Check the name is permitted */ | ||
(ALLOWED_ATTR[lcName] && !FORBID_ATTR[lcName] && ( | ||
/* Check no script, data or unknown possibly unsafe URI | ||
unless we know URI values are safe for that attribute */ | ||
URI_SAFE_ATTRIBUTES[lcName] || | ||
IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE,'')) || | ||
/* Keep image data URIs alive if src is allowed */ | ||
(lcName === 'src' && value.indexOf('data:') === 0 && | ||
DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) | ||
)) || | ||
/* Allow potentially valid data-* attributes: | ||
* At least one character after "-" (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) | ||
* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804) | ||
* We don't need to check the value; it's always URI safe. | ||
*/ | ||
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) || | ||
/* Allow unknown protocols: | ||
* This provides support for links that are handled by protocol handlers which may be unknown | ||
* ahead of time, e.g. fb:, spotify: | ||
*/ | ||
(ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,''))) | ||
) { | ||
/* Handle invalid data-* attribute set by try-catching it */ | ||
try { | ||
currentNode.setAttribute(name, value); | ||
} catch (e) {} | ||
/* Allow valid data-* attributes: At least one character after "-" | ||
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) | ||
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804) | ||
We don't need to check the value; it's always URI safe. */ | ||
if (ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) { | ||
// This attribute is safe | ||
} | ||
/* Otherwise, check the name is permitted */ | ||
else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) { | ||
continue; | ||
} | ||
/* Check value is safe. First, is attr inert? If so, is safe */ | ||
else if (URI_SAFE_ATTRIBUTES[lcName]) { | ||
// This attribute is safe | ||
} | ||
/* Check no script, data or unknown possibly unsafe URI | ||
unless we know URI values are safe for that attribute */ | ||
else if (IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE,''))) { | ||
// This attribute is safe | ||
} | ||
/* Keep image data URIs alive if src is allowed */ | ||
else if ( | ||
lcName === 'src' && | ||
value.indexOf('data:') === 0 && | ||
DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) { | ||
// This attribute is safe | ||
} | ||
/* Allow unknown protocols: This provides support for links that | ||
are handled by protocol handlers which may be unknown ahead of | ||
time, e.g. fb:, spotify: */ | ||
else if ( | ||
ALLOW_UNKNOWN_PROTOCOLS && | ||
!IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,''))) { | ||
// This attribute is safe | ||
} | ||
/* Anything else, presume unsafe, do not add it back */ | ||
else { | ||
continue; | ||
} | ||
/* Handle invalid data-* attribute set by try-catching it */ | ||
try { | ||
currentNode.setAttribute(name, value); | ||
DOMPurify.removed.pop(); | ||
} catch (e) {} | ||
} | ||
@@ -837,3 +858,3 @@ | ||
DOMPurify.removeAllHooks = function() { | ||
hooks = []; | ||
hooks = {}; | ||
}; | ||
@@ -840,0 +861,0 @@ |
@@ -103,10 +103,18 @@ module.exports = function(config) { | ||
}, | ||
bs_win7_firefox_12: { | ||
bs_win7_firefox_20: { | ||
base: 'BrowserStack', | ||
device: null, | ||
os: 'Windows', | ||
browser_version: '12.0', | ||
browser_version: '20.0', | ||
browser: 'firefox', | ||
os_version: '7' | ||
}, | ||
bs_win7_firefox_15: { | ||
base: 'BrowserStack', | ||
device: null, | ||
os: 'Windows', | ||
browser_version: '15.0', | ||
browser: 'firefox', | ||
os_version: '7' | ||
}, | ||
bs_win81_chrome_22: { | ||
@@ -153,3 +161,4 @@ base: 'BrowserStack', | ||
'bs_win81_opera_31', | ||
'bs_win7_firefox_12', | ||
'bs_win7_firefox_20', | ||
'bs_win7_firefox_15', | ||
'bs_win81_chrome_22', | ||
@@ -156,0 +165,0 @@ 'bs_win10_edge_13', |
@@ -81,3 +81,3 @@ module.exports = function(DOMPurify, window, tests, xssTests) { | ||
assert.contains( DOMPurify.sanitize( '<b>he{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}ya</b>', {SAFE_FOR_TEMPLATES: true}), | ||
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"] // Investigate on Safari 8! | ||
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"] | ||
); | ||
@@ -278,4 +278,10 @@ assert.equal( DOMPurify.sanitize( '<a>123<% <b>456}}</b><style>{{ alert(1) }}</style>456 %></a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style> </a>" ); | ||
QUnit.test( 'Regression-Test to make sure #166 stays fixed', function (assert) { | ||
var dirty = '<p onFoo="123">HELLO</p>'; | ||
var modified = '<p>HELLO</p>'; | ||
assert.equal(modified, DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true})); | ||
} ); | ||
// Test 1 to check if the element count in DOMPurify.removed is correct | ||
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) { | ||
QUnit.test( 'DOMPurify.removed should contain one element', function (assert) { | ||
var dirty = '<svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>'; | ||
@@ -287,7 +293,56 @@ DOMPurify.sanitize(dirty); | ||
// Test 2 to check if the element count in DOMPurify.removed is correct | ||
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) { | ||
QUnit.test( 'DOMPurify.removed should contain two elements', function (assert) { | ||
var dirty = '1<script>alert(1)<\/script><svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>'; | ||
DOMPurify.sanitize(dirty); | ||
assert.equal(DOMPurify.removed.length, 2); | ||
} ); | ||
} ); | ||
// Test 3 to check if the element count in DOMPurify.removed is correct | ||
QUnit.test( 'DOMPurify.removed should be correct', function (assert) { | ||
var dirty = '<img src=x onerror="alert(1)">'; | ||
DOMPurify.sanitize(dirty); | ||
assert.equal(DOMPurify.removed.length, 1); | ||
} ); | ||
// Test 4 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode | ||
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) { | ||
var dirty = '<a>123{{456}}</a>'; | ||
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true}); | ||
assert.equal(DOMPurify.removed.length, 1); | ||
} ); | ||
// Test 5 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode | ||
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) { | ||
var dirty = '<a>123{{456}}<b>456{{789}}</b></a>'; | ||
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true}); | ||
assert.equal(DOMPurify.removed.length, 2); | ||
} ); | ||
// Test 6 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode | ||
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) { | ||
var dirty = '<img src=1 width="{{123}}">'; | ||
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true}); | ||
assert.equal(DOMPurify.removed.length, 1); | ||
} ); | ||
// Test 7 to check that DOMPurify.removed is correct in SAFE_FOR_JQUERY mode | ||
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_JQUERY mode', function (assert) { | ||
var dirty = '<option><iframe></select><b><script>alert(1)<\/script>'; | ||
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_JQUERY: true}); | ||
assert.contains(DOMPurify.removed.length, [1,3]); // jsdom removes three nodes | ||
} ); | ||
// Test 8 to check that DOMPurify.removed is correct if tags are clean | ||
QUnit.test( 'DOMPurify.removed should not contain elements if tags are permitted', function (assert) { | ||
var dirty = '<a>123</a>'; | ||
DOMPurify.sanitize(dirty); | ||
assert.equal(DOMPurify.removed.length, 0); | ||
} ); | ||
// Test 9 to check that DOMPurify.removed is correct if the tags and attributes are clean | ||
QUnit.test( 'DOMPurify.removed should not contain elements if all tags and attrs are permitted', function (assert) { | ||
var dirty = '<img src=x>'; | ||
DOMPurify.sanitize(dirty); | ||
assert.equal(DOMPurify.removed.length, 0); | ||
} ); | ||
} |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
646830
10786