
dompurify

Comparing version 0.8.0 to 0.8.1

2

bower.json
{
"name": "DOMPurify",
"version": "0.8.0",
"version": "0.8.1",
"homepage": "https://github.com/cure53/DOMPurify",

@@ -5,0 +5,0 @@ "author": "Cure53 <info@cure53.de>",

@@ -1,2 +0,2 @@

(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.8.0";r.removed=[];if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){var d=n.createElement("template");if(d.content&&d.content.ownerDocument){n=d.content.ownerDocument}}var m=n.implementation;var p=n.createNodeIterator;var h=n.getElementsByTagName;var v=n.createDocumentFragment;var g=a.importNode;var y={};r.isSupported=typeof m.createHTMLDocument!=="undefined"&&n.documentMode!==9;var b=function(e,t){var r=t.length;while(r--){if(typeof t[r]==="string"){t[r]=t[r].toLowerCase()}e[t[r]]=true}return e};var T=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var x=null;var 
k=b({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var A=null;var 
w=b({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var E=null;var S=null;var M=true;var O=false;var L=false;var N=false;var D=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var _=/<%[\s\S]*|[\s\S]*%>/gm;var C=false;var z=false;var R=false;var F=false;var H=true;var B=true;var W=b({},["audio","head","math","script","style","svg","video"]);var j=b({},["audio","video","img","source"]);var G=b({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var I=null;var q=n.createElement("form");var P=function(e){if(typeof e!=="object"){e={}}x="ALLOWED_TAGS"in e?b({},e.ALLOWED_TAGS):k;A="ALLOWED_ATTR"in e?b({},e.ALLOWED_ATTR):w;E="FORBID_TAGS"in e?b({},e.FORBID_TAGS):{};S="FORBID_ATTR"in 
e?b({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.ALLOW_UNKNOWN_PROTOCOLS||false;L=e.SAFE_FOR_JQUERY||false;N=e.SAFE_FOR_TEMPLATES||false;C=e.WHOLE_DOCUMENT||false;z=e.RETURN_DOM||false;R=e.RETURN_DOM_FRAGMENT||false;F=e.RETURN_DOM_IMPORT||false;H=e.SANITIZE_DOM!==false;B=e.KEEP_CONTENT!==false;if(N){M=false}if(R){z=true}if(e.ADD_TAGS){if(x===k){x=T(x)}b(x,e.ADD_TAGS)}if(e.ADD_ATTR){if(A===w){A=T(A)}b(A,e.ADD_ATTR)}if(B){x["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}I=e};var U=function(e){r.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var V=function(e,t){r.removed.push({attribute:t.getAttributeNode(e),from:t});t.removeAttribute(e)};var K=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t||!t.documentElement){t=m.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(C?"html":"body")[0]}return h.call(t,C?"html":"body")[0]};var J=function(e){return p.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var Q=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var X=function(e){var t,r;ne("beforeSanitizeElements",e,null);if(Q(e)){U(e);return true}t=e.nodeName.toLowerCase();ne("uponSanitizeElement",e,{tagName:t});if(!x[t]||E[t]){if(B&&!W[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(n){}}U(e);return true}if(L&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(N&&e.nodeType===3){r=e.textContent;r=r.replace(D," ");r=r.replace(_," 
");e.textContent=r}ne("afterSanitizeElements",e,null);return false};var Y=/^data-[\-\w.\u00B7-\uFFFF]/;var Z=/^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;var $=/^(?:\w+script|data):/i;var ee=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var te=function(e){var r,a,i,o,l,s,f,c;ne("beforeSanitizeAttributes",e,null);s=e.attributes;if(!s){return}f={attrName:"",attrValue:"",keepAttr:true};c=s.length;while(c--){r=s[c];a=r.name;i=r.value;o=a.toLowerCase();f.attrName=o;f.attrValue=i;f.keepAttr=true;ne("uponSanitizeAttribute",e,f);i=f.attrValue;if(o==="name"&&e.nodeName==="IMG"&&s.id){l=s.id;s=Array.prototype.slice.apply(s);V("id",e);V(a,e);if(s.indexOf(l)>c){e.setAttribute("id",l.value)}}else{if(a==="id"){e.setAttribute(a,"")}V(a,e)}if(!f.keepAttr){continue}if(H&&(o==="id"||o==="name")&&(i in t||i in n||i in q)){continue}if(N){i=i.replace(D," ");i=i.replace(_," ")}if(A[o]&&!S[o]&&(G[o]||Z.test(i.replace(ee,""))||o==="src"&&i.indexOf("data:")===0&&j[e.nodeName.toLowerCase()])||M&&Y.test(o)||O&&!$.test(i.replace(ee,""))){try{e.setAttribute(a,i)}catch(u){}}}ne("afterSanitizeAttributes",e,null)};var re=function(e){var t;var r=J(e);ne("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){ne("uponSanitizeShadowNode",t,null);if(X(t)){continue}if(t.content instanceof i){re(t.content)}te(t)}ne("afterSanitizeShadowDOM",e,null)};var ne=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,I)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}P(n);r.removed=[];if(!z&&!C&&e.indexOf("<")===-1){return e}o=K(e);if(!o){return z?null:""}f=J(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(X(l)){continue}if(l.content instanceof 
i){re(l.content)}te(l);s=l}if(z){if(R){c=v.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(F){c=g.call(a,c,true)}return c}return C?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y=[]};return r});
(function(e){"use strict";var t=typeof window==="undefined"?null:window;if(typeof define==="function"&&define.amd){define(function(){return e(t)})}else if(typeof module!=="undefined"){module.exports=e(t)}else{t.DOMPurify=e(t)}})(function e(t){"use strict";var r=function(t){return e(t)};r.version="0.8.1";r.removed=[];if(!t||!t.document||t.document.nodeType!==9){r.isSupported=false;return r}var n=t.document;var a=n;var i=t.DocumentFragment;var o=t.HTMLTemplateElement;var l=t.NodeFilter;var s=t.NamedNodeMap||t.MozNamedAttrMap;var f=t.Text;var c=t.Comment;var u=t.DOMParser;if(typeof o==="function"){var d=n.createElement("template");if(d.content&&d.content.ownerDocument){n=d.content.ownerDocument}}var m=n.implementation;var p=n.createNodeIterator;var v=n.getElementsByTagName;var h=n.createDocumentFragment;var g=a.importNode;var y={};r.isSupported=typeof m.createHTMLDocument!=="undefined"&&n.documentMode!==9;var b=function(e,t){var r=t.length;while(r--){if(typeof t[r]==="string"){t[r]=t[r].toLowerCase()}e[t[r]]=true}return e};var T=function(e){var t={};var r;for(r in e){if(e.hasOwnProperty(r)){t[r]=e[r]}}return t};var x=null;var 
k=b({},["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr","svg","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","switch","symbol","text","textpath","title","tref","tspan","view","vkern","feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","feSpecularLighting","feTile","feTurbulence","math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover","#text"]);var A=null;var 
w=b({},["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","rows","rowspan","spellcheck","scope","selected","shape","size","span","srclang","start","src","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns","accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","mode","min","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","r","rx","ry","radius","refx","refy","repe
atcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","surfacescale","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","y","y1","y2","z","zoomandpan","accent","accentunder","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","display","displaystyle","fence","frame","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]);var E=null;var S=null;var M=true;var O=false;var N=false;var L=false;var D=/\{\{[\s\S]*|[\s\S]*\}\}/gm;var _=/<%[\s\S]*|[\s\S]*%>/gm;var C=false;var z=false;var R=false;var F=false;var H=true;var B=true;var W=b({},["audio","head","math","script","style","svg","video"]);var j=b({},["audio","video","img","source"]);var G=b({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]);var I=null;var q=n.createElement("form");var P=function(e){if(typeof e!=="object"){e={}}x="ALLOWED_TAGS"in e?b({},e.ALLOWED_TAGS):k;A="ALLOWED_ATTR"in e?b({},e.ALLOWED_ATTR):w;E="FORBID_TAGS"in e?b({},e.FORBID_TAGS):{};S="FORBID_ATTR"in 
e?b({},e.FORBID_ATTR):{};M=e.ALLOW_DATA_ATTR!==false;O=e.ALLOW_UNKNOWN_PROTOCOLS||false;N=e.SAFE_FOR_JQUERY||false;L=e.SAFE_FOR_TEMPLATES||false;C=e.WHOLE_DOCUMENT||false;z=e.RETURN_DOM||false;R=e.RETURN_DOM_FRAGMENT||false;F=e.RETURN_DOM_IMPORT||false;H=e.SANITIZE_DOM!==false;B=e.KEEP_CONTENT!==false;if(L){M=false}if(R){z=true}if(e.ADD_TAGS){if(x===k){x=T(x)}b(x,e.ADD_TAGS)}if(e.ADD_ATTR){if(A===w){A=T(A)}b(A,e.ADD_ATTR)}if(B){x["#text"]=true}if(Object&&"freeze"in Object){Object.freeze(e)}I=e};var U=function(e){r.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}};var V=function(e,t){r.removed.push({attribute:t.getAttributeNode(e),from:t});t.removeAttribute(e)};var K=function(e){var t,r;try{t=(new u).parseFromString(e,"text/html")}catch(n){}if(!t||!t.documentElement){t=m.createHTMLDocument("");r=t.body;r.parentNode.removeChild(r.parentNode.firstElementChild);r.outerHTML=e}if(typeof t.getElementsByTagName==="function"){return t.getElementsByTagName(C?"html":"body")[0]}return v.call(t,C?"html":"body")[0]};var J=function(e){return p.call(e.ownerDocument||e,e,l.SHOW_ELEMENT|l.SHOW_COMMENT|l.SHOW_TEXT,function(){return l.FILTER_ACCEPT},false)};var Q=function(e){if(e instanceof f||e instanceof c){return false}if(typeof e.nodeName!=="string"||typeof e.textContent!=="string"||typeof e.removeChild!=="function"||!(e.attributes instanceof s)||typeof e.removeAttribute!=="function"||typeof e.setAttribute!=="function"){return true}return false};var X=function(e){var t,n;ne("beforeSanitizeElements",e,null);if(Q(e)){U(e);return true}t=e.nodeName.toLowerCase();ne("uponSanitizeElement",e,{tagName:t});if(!x[t]||E[t]){if(B&&!W[t]&&typeof e.insertAdjacentHTML==="function"){try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(a){}}U(e);return 
true}if(N&&!e.firstElementChild&&(!e.content||!e.content.firstElementChild)){r.removed.push({element:e.cloneNode()});e.innerHTML=e.textContent.replace(/</g,"&lt;")}if(L&&e.nodeType===3){n=e.textContent;n=n.replace(D," ");n=n.replace(_," ");if(e.textContent!==n){r.removed.push({element:e.cloneNode()});e.textContent=n}}ne("afterSanitizeElements",e,null);return false};var Y=/^data-[\-\w.\u00B7-\uFFFF]/;var Z=/^(?:(?:(?:f|ht)tps?|mailto|tel):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;var $=/^(?:\w+script|data):/i;var ee=/[\x00-\x20\xA0\u1680\u180E\u2000-\u2029\u205f\u3000]/g;var te=function(e){var a,i,o,l,s,f,c,u;ne("beforeSanitizeAttributes",e,null);f=e.attributes;if(!f){return}c={attrName:"",attrValue:"",keepAttr:true};u=f.length;while(u--){a=f[u];i=a.name;o=a.value;l=i.toLowerCase();c.attrName=l;c.attrValue=o;c.keepAttr=true;ne("uponSanitizeAttribute",e,c);o=c.attrValue;if(l==="name"&&e.nodeName==="IMG"&&f.id){s=f.id;f=Array.prototype.slice.apply(f);V("id",e);V(i,e);if(f.indexOf(s)>u){e.setAttribute("id",s.value)}}else{if(i==="id"){e.setAttribute(i,"")}V(i,e)}if(!c.keepAttr){continue}if(H&&(l==="id"||l==="name")&&(o in t||o in n||o in q)){continue}if(L){o=o.replace(D," ");o=o.replace(_," ")}if(M&&Y.test(l)){}else if(!A[l]||S[l]){continue}else if(G[l]){}else if(Z.test(o.replace(ee,""))){}else if(l==="src"&&o.indexOf("data:")===0&&j[e.nodeName.toLowerCase()]){}else if(O&&!$.test(o.replace(ee,""))){}else{continue}try{e.setAttribute(i,o);r.removed.pop()}catch(d){}}ne("afterSanitizeAttributes",e,null)};var re=function(e){var t;var r=J(e);ne("beforeSanitizeShadowDOM",e,null);while(t=r.nextNode()){ne("uponSanitizeShadowNode",t,null);if(X(t)){continue}if(t.content instanceof i){re(t.content)}te(t)}ne("afterSanitizeShadowDOM",e,null)};var ne=function(e,t,n){if(!y[e]){return}y[e].forEach(function(e){e.call(r,t,n,I)})};r.sanitize=function(e,n){var o,l,s,f,c;if(!e){e=""}if(typeof e!=="string"){if(typeof e.toString!=="function"){throw new TypeError("toString is not a 
function")}else{e=e.toString()}}if(!r.isSupported){if(typeof t.toStaticHTML==="object"||typeof t.toStaticHTML==="function"){return t.toStaticHTML(e)}return e}P(n);r.removed=[];if(!z&&!C&&e.indexOf("<")===-1){return e}o=K(e);if(!o){return z?null:""}f=J(o);while(l=f.nextNode()){if(l.nodeType===3&&l===s){continue}if(X(l)){continue}if(l.content instanceof i){re(l.content)}te(l);s=l}if(z){if(R){c=h.call(o.ownerDocument);while(o.firstChild){c.appendChild(o.firstChild)}}else{c=o}if(F){c=g.call(a,c,true)}return c}return C?o.outerHTML:o.innerHTML};r.addHook=function(e,t){if(typeof t!=="function"){return}y[e]=y[e]||[];y[e].push(t)};r.removeHook=function(e){if(y[e]){y[e].pop()}};r.removeHooks=function(e){if(y[e]){y[e]=[]}};r.removeAllHooks=function(){y={}};return r});
//# sourceMappingURL=./dist/purify.min.js.map

@@ -40,3 +40,3 @@ {

"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "0.8.0",
"version": "0.8.1",
"main": "src/purify.js",

@@ -43,0 +43,0 @@ "directories": {

@@ -9,3 +9,3 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg?branch=master)](https://travis-ci.org/cure53/DOMPurify)

DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [10 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L145) right now. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom).
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on IE6 or other legacy browsers. It simply does nothing there. Our automated tests cover [12 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.conf.js#L153) right now. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom).

@@ -12,0 +12,0 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model)

@@ -24,3 +24,3 @@ ;(function(factory) {

*/
DOMPurify.version = '0.8.0';
DOMPurify.version = '0.8.1';

@@ -488,2 +488,3 @@ /**

(!currentNode.content || !currentNode.content.firstElementChild)) {
DOMPurify.removed.push({element: currentNode.cloneNode()});
currentNode.innerHTML = currentNode.textContent.replace(/</g, '&lt;');

@@ -498,3 +499,6 @@ }

content = content.replace(ERB_EXPR, ' ');
currentNode.textContent = content;
if (currentNode.textContent !== content) {
DOMPurify.removed.push({element: currentNode.cloneNode()});
currentNode.textContent = content;
}
}

@@ -597,30 +601,47 @@

if (
/* Check the name is permitted */
(ALLOWED_ATTR[lcName] && !FORBID_ATTR[lcName] && (
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
URI_SAFE_ATTRIBUTES[lcName] ||
IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE,'')) ||
/* Keep image data URIs alive if src is allowed */
(lcName === 'src' && value.indexOf('data:') === 0 &&
DATA_URI_TAGS[currentNode.nodeName.toLowerCase()])
)) ||
/* Allow potentially valid data-* attributes:
* At least one character after "-" (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
* XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
* We don't need to check the value; it's always URI safe.
*/
(ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) ||
/* Allow unknown protocols:
* This provides support for links that are handled by protocol handlers which may be unknown
* ahead of time, e.g. fb:, spotify:
*/
(ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,'')))
) {
/* Handle invalid data-* attribute set by try-catching it */
try {
currentNode.setAttribute(name, value);
} catch (e) {}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) {
// This attribute is safe
}
/* Otherwise, check the name is permitted */
else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
continue;
}
/* Check value is safe. First, is attr inert? If so, is safe */
else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
}
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
else if (IS_ALLOWED_URI.test(value.replace(ATTR_WHITESPACE,''))) {
// This attribute is safe
}
/* Keep image data URIs alive if src is allowed */
else if (
lcName === 'src' &&
value.indexOf('data:') === 0 &&
DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) {
// This attribute is safe
}
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
else if (
ALLOW_UNKNOWN_PROTOCOLS &&
!IS_SCRIPT_OR_DATA.test(value.replace(ATTR_WHITESPACE,''))) {
// This attribute is safe
}
/* Anything else, presume unsafe, do not add it back */
else {
continue;
}
/* Handle invalid data-* attribute set by try-catching it */
try {
currentNode.setAttribute(name, value);
DOMPurify.removed.pop();
} catch (e) {}
}

@@ -837,3 +858,3 @@

DOMPurify.removeAllHooks = function() {
hooks = [];
hooks = {};
};

@@ -840,0 +861,0 @@
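Review bot: In the restructured attribute check, the data-* branch `if (ALLOW_DATA_ATTR && DATA_ATTR.test(lcName)) {` is evaluated before the `!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]` test, so an attribute a caller explicitly lists in FORBID_ATTR (for example a `data-*` name) is still re-added whenever ALLOW_DATA_ATTR is on; the old disjunction had the same gap and the rewrite carries it over. Guarding that branch as `if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && DATA_ATTR.test(lcName)) {` makes FORBID_ATTR apply uniformly to every attribute. The `DOMPurify.removed.pop()` after `setAttribute` assumes the entry pushed when this attribute was stripped is still the last one in `removed`; the IMG name/id path earlier in the same loop (visible only in the minified build on this page) appears to push two entries and re-set `id` without a matching pop, so `removed` can keep an entry for an attribute that is actually present — worth a comment on the pop such as `/* Drop the removal record pushed above: the attribute is being kept */`. The enclosing attribute loop begins and ends outside this hunk.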

@@ -103,10 +103,18 @@ module.exports = function(config) {

},
bs_win7_firefox_12: {
bs_win7_firefox_20: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '12.0',
browser_version: '20.0',
browser: 'firefox',
os_version: '7'
},
bs_win7_firefox_15: {
base: 'BrowserStack',
device: null,
os: 'Windows',
browser_version: '15.0',
browser: 'firefox',
os_version: '7'
},
bs_win81_chrome_22: {

@@ -153,3 +161,4 @@ base: 'BrowserStack',

'bs_win81_opera_31',
'bs_win7_firefox_12',
'bs_win7_firefox_20',
'bs_win7_firefox_15',
'bs_win81_chrome_22',

@@ -156,0 +165,0 @@ 'bs_win10_edge_13',

@@ -81,3 +81,3 @@ module.exports = function(DOMPurify, window, tests, xssTests) {

assert.contains( DOMPurify.sanitize( '<b>he{{evil<script>alert(1)</script><form><img src=x name=textContent></form>}}ya</b>', {SAFE_FOR_TEMPLATES: true}),
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"] // Investigate on Safari 8!
["<b>he ya</b>", "<b>he </b>", "<b>he <form><img src=\"x\"></form> ya</b>"]
);

@@ -278,4 +278,10 @@ assert.equal( DOMPurify.sanitize( '<a>123<% <b>456}}</b><style>{{ alert(1) }}</style>456 %></a>', {SAFE_FOR_TEMPLATES: true}), "<a>123 <b> </b><style> </style> </a>" );

QUnit.test( 'Regression-Test to make sure #166 stays fixed', function (assert) {
var dirty = '<p onFoo="123">HELLO</p>';
var modified = '<p>HELLO</p>';
assert.equal(modified, DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true}));
} );
// Test 1 to check if the element count in DOMPurify.removed is correct
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) {
QUnit.test( 'DOMPurify.removed should contain one element', function (assert) {
var dirty = '<svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>';

@@ -287,7 +293,56 @@ DOMPurify.sanitize(dirty);

// Test 2 to check if the element count in DOMPurify.removed is correct
QUnit.test( 'DOMPurify.removed shoud contain one element', function (assert) {
QUnit.test( 'DOMPurify.removed should contain two elements', function (assert) {
var dirty = '1<script>alert(1)<\/script><svg onload=alert(1)><filter><feGaussianBlur /></filter></svg>';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 2);
} );
} );
// Test 3 to check if the element count in DOMPurify.removed is correct
QUnit.test( 'DOMPurify.removed should be correct', function (assert) {
var dirty = '<img src=x onerror="alert(1)">';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 1);
} );
// Test 4 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) {
var dirty = '<a>123{{456}}</a>';
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true});
assert.equal(DOMPurify.removed.length, 1);
} );
// Test 5 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) {
var dirty = '<a>123{{456}}<b>456{{789}}</b></a>';
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true});
assert.equal(DOMPurify.removed.length, 2);
} );
// Test 6 to check that DOMPurify.removed is correct in SAFE_FOR_TEMLATES mode
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode', function (assert) {
var dirty = '<img src=1 width="{{123}}">';
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_TEMPLATES: true});
assert.equal(DOMPurify.removed.length, 1);
} );
// Test 7 to check that DOMPurify.removed is correct in SAFE_FOR_JQUERY mode
QUnit.test( 'DOMPurify.removed should be correct in SAFE_FOR_JQUERY mode', function (assert) {
var dirty = '<option><iframe></select><b><script>alert(1)<\/script>';
DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, SAFE_FOR_JQUERY: true});
assert.contains(DOMPurify.removed.length, [1,3]); // jsdom removes three nodes
} );
// Test 8 to check that DOMPurify.removed is correct if tags are clean
QUnit.test( 'DOMPurify.removed should not contain elements if tags are permitted', function (assert) {
var dirty = '<a>123</a>';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 0);
} );
// Test 9 to check that DOMPurify.removed is correct if the tags and attributes are clean
QUnit.test( 'DOMPurify.removed should not contain elements if all tags and attrs are permitted', function (assert) {
var dirty = '<img src=x>';
DOMPurify.sanitize(dirty);
assert.equal(DOMPurify.removed.length, 0);
} );
}
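Review bot: Tests 4, 5 and 6 all register under the same title `'DOMPurify.removed should be correct in SAFE_FOR_TEMPLATES mode'`, so a failure report cannot say which of the three cases broke; a distinct suffix per case, e.g. `'… SAFE_FOR_TEMPLATES mode (single expression)'`, `'(nested expressions)'` and `'(attribute value)'`, fixes that. The comments above them spell the option `SAFE_FOR_TEMLATES`; `// Test 4 to check that DOMPurify.removed is correct in SAFE_FOR_TEMPLATES mode` would match the option name used in the code. Test 7's `assert.contains(DOMPurify.removed.length, [1,3]); // jsdom removes three nodes` accepts either count, so a later change that drops a node in browsers would still pass as long as it lands on 1; naming in the comment which nodes each engine is expected to remove would make that assertion reviewable.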

