dompurify
Advanced tools
dompurify - npm Package Compare versions
Comparing version 1.0.9 to 1.0.10
@@ -24,3 +24,3 @@ 'use strict'; | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
@@ -51,2 +51,3 @@ var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| } | ||
| var l = array.length; | ||
@@ -58,8 +59,14 @@ while (l--) { | ||
| if (lcElement !== element) { | ||
| array[l] = lcElement; | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| array[l] = lcElement; | ||
| } | ||
| element = lcElement; | ||
| } | ||
| } | ||
| set[element] = true; | ||
| } | ||
| return set; | ||
@@ -71,2 +78,3 @@ } | ||
| var newObject = {}; | ||
| var property = void 0; | ||
@@ -78,2 +86,3 @@ for (property in object) { | ||
| } | ||
| return newObject; | ||
@@ -146,3 +155,3 @@ } | ||
| }); | ||
| } catch (e) { | ||
| } catch (error) { | ||
| // Policy creation failed (most likely another DOMPurify script has | ||
@@ -167,3 +176,3 @@ // already run). Skip creating the policy, as this will only cause errors | ||
| */ | ||
| DOMPurify.version = '1.0.9'; | ||
| DOMPurify.version = '1.0.10'; | ||
@@ -347,2 +356,3 @@ /** | ||
| } | ||
| /* Set configuration parameters */ | ||
@@ -386,2 +396,3 @@ ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS; | ||
| } | ||
| if (USE_PROFILES.svg === true) { | ||
@@ -392,2 +403,3 @@ addToSet(ALLOWED_TAGS, svg); | ||
| } | ||
| if (USE_PROFILES.svgFilters === true) { | ||
@@ -398,2 +410,3 @@ addToSet(ALLOWED_TAGS, svgFilters); | ||
| } | ||
| if (USE_PROFILES.mathMl === true) { | ||
@@ -411,4 +424,6 @@ addToSet(ALLOWED_TAGS, mathMl); | ||
| } | ||
| addToSet(ALLOWED_TAGS, cfg.ADD_TAGS); | ||
| } | ||
| if (cfg.ADD_ATTR) { | ||
@@ -418,4 +433,6 @@ if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) { | ||
| } | ||
| addToSet(ALLOWED_ATTR, cfg.ADD_ATTR); | ||
| } | ||
| if (cfg.ADD_URI_SAFE_ATTR) { | ||
@@ -458,3 +475,3 @@ addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR); | ||
| node.parentNode.removeChild(node); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| node.outerHTML = emptyHTML; | ||
@@ -476,3 +493,3 @@ } | ||
| }); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
@@ -483,2 +500,3 @@ attribute: null, | ||
| } | ||
| node.removeAttribute(name); | ||
@@ -513,3 +531,3 @@ }; | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -557,4 +575,5 @@ | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
| (function () { | ||
@@ -566,3 +585,3 @@ try { | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
@@ -593,5 +612,7 @@ } | ||
| } | ||
| if (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function') { | ||
| return true; | ||
| } | ||
| return false; | ||
@@ -638,2 +659,3 @@ }; | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -667,4 +689,5 @@ var content = void 0; | ||
| currentNode.insertAdjacentHTML('AfterEnd', trustedTypesPolicy ? trustedTypesPolicy.createHTML(htmlToInsert) : htmlToInsert); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
| _forceRemove(currentNode); | ||
@@ -674,2 +697,13 @@ return true; | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && currentNode.innerHTML.match(/<\/noscript/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| if (tagName === 'noembed' && currentNode.innerHTML.match(/<\/noembed/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| /* Convert markup to cover jQuery behavior */ | ||
@@ -711,2 +745,3 @@ if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) { | ||
@@ -718,8 +753,2 @@ /* Make sure attribute cannot clobber */ | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Allow valid data-* attributes: At least one character after "-" | ||
@@ -761,2 +790,3 @@ (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) | ||
| } | ||
| return true; | ||
@@ -773,5 +803,4 @@ }; | ||
| * | ||
| * @param {Node} node to sanitize | ||
| * @param {Node} currentNode to sanitize | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -843,2 +872,3 @@ var attr = void 0; | ||
| } | ||
| _removeAttribute(name, currentNode); | ||
@@ -852,2 +882,8 @@ } | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Is `value` valid for this attribute? */ | ||
@@ -867,4 +903,5 @@ var lcTag = currentNode.nodeName.toLowerCase(); | ||
| } | ||
| DOMPurify.removed.pop(); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -950,2 +987,3 @@ | ||
| } | ||
| if (_isNode(dirty)) { | ||
@@ -955,2 +993,3 @@ return window.toStaticHTML(dirty.outerHTML); | ||
| } | ||
| return dirty; | ||
@@ -978,2 +1017,3 @@ } | ||
| } else { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| body.appendChild(importedNode); | ||
@@ -983,3 +1023,3 @@ } | ||
| /* Exit directly if we have nothing to do */ | ||
| if (!RETURN_DOM && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
@@ -1041,2 +1081,3 @@ } | ||
| while (body.firstChild) { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| returnNode.appendChild(body.firstChild); | ||
@@ -1061,2 +1102,9 @@ } | ||
| var serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML; | ||
| /* Sanitize final string template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML; | ||
@@ -1101,2 +1149,3 @@ }; | ||
| } | ||
| var lcTag = tag.toLowerCase(); | ||
@@ -1118,2 +1167,3 @@ var lcName = attr.toLowerCase(); | ||
| } | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
@@ -1120,0 +1170,0 @@ hooks[entryPoint].push(hookFunction); |
@@ -22,3 +22,3 @@ var freeze$1 = Object.freeze || function (x) { | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
@@ -49,2 +49,3 @@ var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| } | ||
| var l = array.length; | ||
@@ -56,8 +57,14 @@ while (l--) { | ||
| if (lcElement !== element) { | ||
| array[l] = lcElement; | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| array[l] = lcElement; | ||
| } | ||
| element = lcElement; | ||
| } | ||
| } | ||
| set[element] = true; | ||
| } | ||
| return set; | ||
@@ -69,2 +76,3 @@ } | ||
| var newObject = {}; | ||
| var property = void 0; | ||
@@ -76,2 +84,3 @@ for (property in object) { | ||
| } | ||
| return newObject; | ||
@@ -144,3 +153,3 @@ } | ||
| }); | ||
| } catch (e) { | ||
| } catch (error) { | ||
| // Policy creation failed (most likely another DOMPurify script has | ||
@@ -165,3 +174,3 @@ // already run). Skip creating the policy, as this will only cause errors | ||
| */ | ||
| DOMPurify.version = '1.0.9'; | ||
| DOMPurify.version = '1.0.10'; | ||
@@ -345,2 +354,3 @@ /** | ||
| } | ||
| /* Set configuration parameters */ | ||
@@ -384,2 +394,3 @@ ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS; | ||
| } | ||
| if (USE_PROFILES.svg === true) { | ||
@@ -390,2 +401,3 @@ addToSet(ALLOWED_TAGS, svg); | ||
| } | ||
| if (USE_PROFILES.svgFilters === true) { | ||
@@ -396,2 +408,3 @@ addToSet(ALLOWED_TAGS, svgFilters); | ||
| } | ||
| if (USE_PROFILES.mathMl === true) { | ||
@@ -409,4 +422,6 @@ addToSet(ALLOWED_TAGS, mathMl); | ||
| } | ||
| addToSet(ALLOWED_TAGS, cfg.ADD_TAGS); | ||
| } | ||
| if (cfg.ADD_ATTR) { | ||
@@ -416,4 +431,6 @@ if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) { | ||
| } | ||
| addToSet(ALLOWED_ATTR, cfg.ADD_ATTR); | ||
| } | ||
| if (cfg.ADD_URI_SAFE_ATTR) { | ||
@@ -456,3 +473,3 @@ addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR); | ||
| node.parentNode.removeChild(node); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| node.outerHTML = emptyHTML; | ||
@@ -474,3 +491,3 @@ } | ||
| }); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
@@ -481,2 +498,3 @@ attribute: null, | ||
| } | ||
| node.removeAttribute(name); | ||
@@ -511,3 +529,3 @@ }; | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -555,4 +573,5 @@ | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
| (function () { | ||
@@ -564,3 +583,3 @@ try { | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
@@ -591,5 +610,7 @@ } | ||
| } | ||
| if (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function') { | ||
| return true; | ||
| } | ||
| return false; | ||
@@ -636,2 +657,3 @@ }; | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -665,4 +687,5 @@ var content = void 0; | ||
| currentNode.insertAdjacentHTML('AfterEnd', trustedTypesPolicy ? trustedTypesPolicy.createHTML(htmlToInsert) : htmlToInsert); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
| _forceRemove(currentNode); | ||
@@ -672,2 +695,13 @@ return true; | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && currentNode.innerHTML.match(/<\/noscript/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| if (tagName === 'noembed' && currentNode.innerHTML.match(/<\/noembed/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| /* Convert markup to cover jQuery behavior */ | ||
@@ -709,2 +743,3 @@ if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) { | ||
@@ -716,8 +751,2 @@ /* Make sure attribute cannot clobber */ | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Allow valid data-* attributes: At least one character after "-" | ||
@@ -759,2 +788,3 @@ (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) | ||
| } | ||
| return true; | ||
@@ -771,5 +801,4 @@ }; | ||
| * | ||
| * @param {Node} node to sanitize | ||
| * @param {Node} currentNode to sanitize | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -841,2 +870,3 @@ var attr = void 0; | ||
| } | ||
| _removeAttribute(name, currentNode); | ||
@@ -850,2 +880,8 @@ } | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Is `value` valid for this attribute? */ | ||
@@ -865,4 +901,5 @@ var lcTag = currentNode.nodeName.toLowerCase(); | ||
| } | ||
| DOMPurify.removed.pop(); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -948,2 +985,3 @@ | ||
| } | ||
| if (_isNode(dirty)) { | ||
@@ -953,2 +991,3 @@ return window.toStaticHTML(dirty.outerHTML); | ||
| } | ||
| return dirty; | ||
@@ -976,2 +1015,3 @@ } | ||
| } else { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| body.appendChild(importedNode); | ||
@@ -981,3 +1021,3 @@ } | ||
| /* Exit directly if we have nothing to do */ | ||
| if (!RETURN_DOM && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
@@ -1039,2 +1079,3 @@ } | ||
| while (body.firstChild) { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| returnNode.appendChild(body.firstChild); | ||
@@ -1059,2 +1100,9 @@ } | ||
| var serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML; | ||
| /* Sanitize final string template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML; | ||
@@ -1099,2 +1147,3 @@ }; | ||
| } | ||
| var lcTag = tag.toLowerCase(); | ||
@@ -1116,2 +1165,3 @@ var lcName = attr.toLowerCase(); | ||
| } | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
@@ -1118,0 +1168,0 @@ hooks[entryPoint].push(hookFunction); |
@@ -28,3 +28,3 @@ (function (global, factory) { | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
@@ -55,2 +55,3 @@ var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| } | ||
| var l = array.length; | ||
@@ -62,8 +63,14 @@ while (l--) { | ||
| if (lcElement !== element) { | ||
| array[l] = lcElement; | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| array[l] = lcElement; | ||
| } | ||
| element = lcElement; | ||
| } | ||
| } | ||
| set[element] = true; | ||
| } | ||
| return set; | ||
@@ -75,2 +82,3 @@ } | ||
| var newObject = {}; | ||
| var property = void 0; | ||
@@ -82,2 +90,3 @@ for (property in object) { | ||
| } | ||
| return newObject; | ||
@@ -150,3 +159,3 @@ } | ||
| }); | ||
| } catch (e) { | ||
| } catch (error) { | ||
| // Policy creation failed (most likely another DOMPurify script has | ||
@@ -171,3 +180,3 @@ // already run). Skip creating the policy, as this will only cause errors | ||
| */ | ||
| DOMPurify.version = '1.0.9'; | ||
| DOMPurify.version = '1.0.10'; | ||
@@ -351,2 +360,3 @@ /** | ||
| } | ||
| /* Set configuration parameters */ | ||
@@ -390,2 +400,3 @@ ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS) : DEFAULT_ALLOWED_TAGS; | ||
| } | ||
| if (USE_PROFILES.svg === true) { | ||
@@ -396,2 +407,3 @@ addToSet(ALLOWED_TAGS, svg); | ||
| } | ||
| if (USE_PROFILES.svgFilters === true) { | ||
@@ -402,2 +414,3 @@ addToSet(ALLOWED_TAGS, svgFilters); | ||
| } | ||
| if (USE_PROFILES.mathMl === true) { | ||
@@ -415,4 +428,6 @@ addToSet(ALLOWED_TAGS, mathMl); | ||
| } | ||
| addToSet(ALLOWED_TAGS, cfg.ADD_TAGS); | ||
| } | ||
| if (cfg.ADD_ATTR) { | ||
@@ -422,4 +437,6 @@ if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) { | ||
| } | ||
| addToSet(ALLOWED_ATTR, cfg.ADD_ATTR); | ||
| } | ||
| if (cfg.ADD_URI_SAFE_ATTR) { | ||
@@ -462,3 +479,3 @@ addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR); | ||
| node.parentNode.removeChild(node); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| node.outerHTML = emptyHTML; | ||
@@ -480,3 +497,3 @@ } | ||
| }); | ||
| } catch (err) { | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
@@ -487,2 +504,3 @@ attribute: null, | ||
| } | ||
| node.removeAttribute(name); | ||
@@ -517,3 +535,3 @@ }; | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -561,4 +579,5 @@ | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
| (function () { | ||
@@ -570,3 +589,3 @@ try { | ||
| } | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| })(); | ||
@@ -597,5 +616,7 @@ } | ||
| } | ||
| if (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function') { | ||
| return true; | ||
| } | ||
| return false; | ||
@@ -642,2 +663,3 @@ }; | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -671,4 +693,5 @@ var content = void 0; | ||
| currentNode.insertAdjacentHTML('AfterEnd', trustedTypesPolicy ? trustedTypesPolicy.createHTML(htmlToInsert) : htmlToInsert); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
| _forceRemove(currentNode); | ||
@@ -678,2 +701,13 @@ return true; | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && currentNode.innerHTML.match(/<\/noscript/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| if (tagName === 'noembed' && currentNode.innerHTML.match(/<\/noembed/i)) { | ||
| _forceRemove(currentNode); | ||
| return true; | ||
| } | ||
| /* Convert markup to cover jQuery behavior */ | ||
@@ -715,2 +749,3 @@ if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) { | ||
@@ -722,8 +757,2 @@ /* Make sure attribute cannot clobber */ | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Allow valid data-* attributes: At least one character after "-" | ||
@@ -765,2 +794,3 @@ (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes) | ||
| } | ||
| return true; | ||
@@ -777,5 +807,4 @@ }; | ||
| * | ||
| * @param {Node} node to sanitize | ||
| * @param {Node} currentNode to sanitize | ||
| */ | ||
| // eslint-disable-next-line complexity | ||
| var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -847,2 +876,3 @@ var attr = void 0; | ||
| } | ||
| _removeAttribute(name, currentNode); | ||
@@ -856,2 +886,8 @@ } | ||
| /* Sanitize attribute content to be template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| /* Is `value` valid for this attribute? */ | ||
@@ -871,4 +907,5 @@ var lcTag = currentNode.nodeName.toLowerCase(); | ||
| } | ||
| DOMPurify.removed.pop(); | ||
| } catch (err) {} | ||
| } catch (error) {} | ||
| } | ||
@@ -954,2 +991,3 @@ | ||
| } | ||
| if (_isNode(dirty)) { | ||
@@ -959,2 +997,3 @@ return window.toStaticHTML(dirty.outerHTML); | ||
| } | ||
| return dirty; | ||
@@ -982,2 +1021,3 @@ } | ||
| } else { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| body.appendChild(importedNode); | ||
@@ -987,3 +1027,3 @@ } | ||
| /* Exit directly if we have nothing to do */ | ||
| if (!RETURN_DOM && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT && dirty.indexOf('<') === -1) { | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
@@ -1045,2 +1085,3 @@ } | ||
| while (body.firstChild) { | ||
| // eslint-disable-next-line unicorn/prefer-node-append | ||
| returnNode.appendChild(body.firstChild); | ||
@@ -1065,2 +1106,9 @@ } | ||
| var serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML; | ||
| /* Sanitize final string template-safe */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| } | ||
| return trustedTypesPolicy ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML; | ||
@@ -1105,2 +1153,3 @@ }; | ||
| } | ||
| var lcTag = tag.toLowerCase(); | ||
@@ -1122,2 +1171,3 @@ var lcName = attr.toLowerCase(); | ||
| } | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
@@ -1124,0 +1174,0 @@ hooks[entryPoint].push(hookFunction); |
@@ -1,2 +0,2 @@ | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){y&&y(e,null);for(var n=t.length;n--;){var r=t[n];if("string"==typeof r){var o=r.toLowerCase();o!==r&&(t[n]=o,r=o)}e[r]=!0}return e}function t(e){var t={},n=void 0;for(n in e)g(h,e,[n])&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function r(){var o=arguments.length>0&&void 0!==arguments[0]?arguments[0]:N(),u=function(e){return r(e)};if(u.version="1.0.9",u.removed=[],!o||!o.document||9!==o.document.nodeType)return u.isSupported=!1,u;var h=o.document,y=!1,g=!1,v=o.document,D=o.DocumentFragment,R=o.HTMLTemplateElement,C=o.Node,H=o.NodeFilter,z=o.NamedNodeMap,F=void 0===z?o.NamedNodeMap||o.MozNamedAttrMap:z,I=o.Text,j=o.Comment,P=o.DOMParser,U=o.TrustedTypes;if("function"==typeof R){var W=v.createElement("template");W.content&&W.content.ownerDocument&&(v=W.content.ownerDocument)}var B=_(U,h),G=B?B.createHTML(""):"",q=v,V=q.implementation,Y=q.createNodeIterator,K=q.getElementsByTagName,X=q.createDocumentFragment,$=h.importNode,J={};u.isSupported=V&&void 0!==V.createHTMLDocument&&9!==v.documentMode;var Q=b,Z=T,ee=A,te=x,ne=S,re=w,oe=L,ie=null,ae=e({},[].concat(n(i),n(a),n(l),n(c),n(s))),le=null,ce=e({},[].concat(n(d),n(f),n(p),n(m))),se=null,ue=null,de=!0,fe=!0,pe=!1,me=!1,he=!1,ye=!1,ge=!1,ve=!1,be=!1,Te=!1,Ae=!1,xe=!0,Le=!0,Se=!1,we={},ke=e({},["audio","head","math","script","style","template","svg","video"]),Me=e({},["audio","video","img","source","image"]),Ee=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Oe=null,Ne=v.createElement("form"),_e=function(r){Oe&&Oe===r||(r&&"object"===(void 0===r?"undefined":k(r))||(r={}),ie="ALLOWED_TAGS"in r?e({},r.ALLOWED_TAGS):ae,le="ALLOWED_ATTR"in r?e({},r.ALLOWED_ATTR):ce,se="FORBID_TAGS"in r?e({},r.FORBID_TAGS):{},ue="FORBID_ATTR"in r?e({},r.FORBID_ATTR):{},we="USE_PROFILES"in r&&r.USE_PROFILES,de=!1!==r.ALLOW_ARIA_ATTR,fe=!1!==r.ALLOW_DATA_ATTR,pe=r.ALLOW_UNKNOWN_PROTOCOLS||!1,me=r.SAFE_FOR_JQUERY||!1,he=r.SAFE_FOR_TEMPLATES||!1,ye=r.WHOLE_DOCUMENT||!1,be=r.RETURN_DOM||!1,Te=r.RETURN_DOM_FRAGMENT||!1,Ae=r.RETURN_DOM_IMPORT||!1,ve=r.FORCE_BODY||!1,xe=!1!==r.SANITIZE_DOM,Le=!1!==r.KEEP_CONTENT,Se=r.IN_PLACE||!1,oe=r.ALLOWED_URI_REGEXP||oe,he&&(fe=!1),Te&&(be=!0),we&&(ie=e({},[].concat(n(s))),le=[],!0===we.html&&(e(ie,i),e(le,d)),!0===we.svg&&(e(ie,a),e(le,f),e(le,m)),!0===we.svgFilters&&(e(ie,l),e(le,f),e(le,m)),!0===we.mathMl&&(e(ie,c),e(le,p),e(le,m))),r.ADD_TAGS&&(ie===ae&&(ie=t(ie)),e(ie,r.ADD_TAGS)),r.ADD_ATTR&&(le===ce&&(le=t(le)),e(le,r.ADD_ATTR)),r.ADD_URI_SAFE_ATTR&&e(Ee,r.ADD_URI_SAFE_ATTR),Le&&(ie["#text"]=!0),ye&&e(ie,["html","head","body"]),ie.table&&e(ie,["tbody"]),O&&O(r),Oe=r)},De=function(e){u.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=G}},Re=function(e,t){try{u.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){u.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Ce=function(t){var n=void 0,r=void 0;if(ve)t="<remove></remove>"+t;else{var o=t.match(/^[\s]+/);(r=o&&o[0])&&(t=t.slice(r.length))}if(y)try{n=(new P).parseFromString(t,"text/html")}catch(e){}if(g&&e(se,["title"]),!n||!n.documentElement){var i=(n=V.createHTMLDocument("")).body;i.parentNode.removeChild(i.parentNode.firstElementChild),i.outerHTML=B?B.createHTML(t):t}return r&&n.body.insertBefore(v.createTextNode(r),n.body.childNodes[0]||null),K.call(n,ye?"html":"body")[0]};u.isSupported&&(function(){try{Ce('<svg><p><style><img src="</style><img src=x onerror=1//">').querySelector("svg img")&&(y=!0)}catch(e){}}(),function(){try{Ce("<x/><title></title><img>").querySelector("title").innerHTML.match(/<\/title/)&&(g=!0)}catch(e){}}());var He=function(e){return Y.call(e.ownerDocument||e,e,H.SHOW_ELEMENT|H.SHOW_COMMENT|H.SHOW_TEXT,function(){return H.FILTER_ACCEPT},!1)},ze=function(e){return!(e instanceof I||e instanceof j)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof F&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Fe=function(e){return"object"===(void 0===C?"undefined":k(C))?e instanceof C:e&&"object"===(void 0===e?"undefined":k(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ie=function(e,t,n){J[e]&&J[e].forEach(function(e){e.call(u,t,n,Oe)})},je=function(e){var t=void 0;if(Ie("beforeSanitizeElements",e,null),ze(e))return De(e),!0;var n=e.nodeName.toLowerCase();if(Ie("uponSanitizeElement",e,{tagName:n,allowedTags:ie}),!ie[n]||se[n]){if(Le&&!ke[n]&&"function"==typeof e.insertAdjacentHTML)try{var r=e.innerHTML;e.insertAdjacentHTML("AfterEnd",B?B.createHTML(r):r)}catch(e){}return De(e),!0}return!me||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(u.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"<"):e.innerHTML=e.textContent.replace(/</g,"<")),he&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(Q," ")).replace(Z," "),e.textContent!==t&&(u.removed.push({element:e.cloneNode()}),e.textContent=t)),Ie("afterSanitizeElements",e,null),!1},Pe=function(e,t,n){if(xe&&("id"===t||"name"===t)&&(n in v||n in Ne))return!1;if(he&&(n=(n=n.replace(Q," ")).replace(Z," ")),fe&&ee.test(t));else if(de&&te.test(t));else{if(!le[t]||ue[t])return!1;if(Ee[t]);else if(oe.test(n.replace(re,"")));else if("src"!==t&&"xlink:href"!==t||"script"===e||0!==n.indexOf("data:")||!Me[e]){if(pe&&!ne.test(n.replace(re,"")));else if(n)return!1}else;}return!0},Ue=function(e){var t=void 0,n=void 0,r=void 0,o=void 0,i=void 0;Ie("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:le};for(i=a.length;i--;){var c=t=a[i],s=c.name,d=c.namespaceURI;if(n=t.value.trim(),r=s.toLowerCase(),l.attrName=r,l.attrValue=n,l.keepAttr=!0,Ie("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)o=a.id,a=M(E,a,[]),Re("id",e),Re(s,e),a.indexOf(o)>i&&e.setAttribute("id",o.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===n&&(le[r]||!ue[r]))continue;"id"===s&&e.setAttribute(s,""),Re(s,e)}if(l.keepAttr){var f=e.nodeName.toLowerCase();if(Pe(f,r,n))try{d?e.setAttributeNS(d,s,n):e.setAttribute(s,n),u.removed.pop()}catch(e){}}}Ie("afterSanitizeAttributes",e,null)}},We=function e(t){var n=void 0,r=He(t);for(Ie("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)Ie("uponSanitizeShadowNode",n,null),je(n)||(n.content instanceof D&&e(n.content),Ue(n));Ie("afterSanitizeShadowDOM",t,null)};return u.sanitize=function(e,t){var n=void 0,r=void 0,i=void 0,a=void 0,l=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Fe(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!u.isSupported){if("object"===k(o.toStaticHTML)||"function"==typeof o.toStaticHTML){if("string"==typeof e)return o.toStaticHTML(e);if(Fe(e))return o.toStaticHTML(e.outerHTML)}return e}if(ge||_e(t),u.removed=[],Se);else if(e instanceof C)1===(r=(n=Ce("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===r.nodeName?n=r:n.appendChild(r);else{if(!be&&!ye&&-1===e.indexOf("<"))return B?B.createHTML(e):e;if(!(n=Ce(e)))return be?null:G}n&&ve&&De(n.firstChild);for(var c=He(Se?e:n);i=c.nextNode();)3===i.nodeType&&i===a||je(i)||(i.content instanceof D&&We(i.content),Ue(i),a=i);if(a=null,Se)return e;if(be){if(Te)for(l=X.call(n.ownerDocument);n.firstChild;)l.appendChild(n.firstChild);else l=n;return Ae&&(l=$.call(h,l,!0)),l}var s=ye?n.outerHTML:n.innerHTML;return B?B.createHTML(s):s},u.setConfig=function(e){_e(e),ge=!0},u.clearConfig=function(){Oe=null,ge=!1},u.isValidAttribute=function(e,t,n){Oe||_e({});var r=e.toLowerCase(),o=t.toLowerCase();return Pe(r,o,n)},u.addHook=function(e,t){"function"==typeof t&&(J[e]=J[e]||[],J[e].push(t))},u.removeHook=function(e){J[e]&&J[e].pop()},u.removeHooks=function(e){J[e]&&(J[e]=[])},u.removeAllHooks=function(){J={}},u}var o=Object.freeze||function(e){return e},i=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),a=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),l=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),c=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),s=o(["#text"]),u=Object.freeze||function(e){return e},d=u(["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"]),f=u(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),p=u(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),m=u(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),h=Object.hasOwnProperty,y=Object.setPrototypeOf,g=("undefined"!=typeof Reflect&&Reflect).apply;g||(g=function(e,t,n){return e.apply(t,n)});var v=Object.seal||function(e){return e},b=v(/\{\{[\s\S]*|[\s\S]*\}\}/gm),T=v(/<%[\s\S]*|[\s\S]*%>/gm),A=v(/^data-[\-\w.\u00B7-\uFFFF]/),x=v(/^aria-[\-\w]+$/),L=v(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),S=v(/^(?:\w+script|data):/i),w=v(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g),k="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},M=("undefined"!=typeof Reflect&&Reflect).apply,E=Array.prototype.slice,O=Object.freeze,N=function(){return"undefined"==typeof window?null:window};M||(M=function(e,t,n){return e.apply(t,n)});var _=function(e,t){if("object"!==(void 0===e?"undefined":k(e))||"function"!=typeof e.createPolicy)return null;var n=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(n=t.currentScript.getAttribute("data-tt-policy-suffix"));var r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}};return r()}); | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){y&&y(e,null);for(var n=t.length;n--;){var r=t[n];if("string"==typeof r){var o=r.toLowerCase();o!==r&&(Object.isFrozen(t)||(t[n]=o),r=o)}e[r]=!0}return e}function t(e){var t={},n=void 0;for(n in e)g(h,e,[n])&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function r(){var o=arguments.length>0&&void 0!==arguments[0]?arguments[0]:N(),u=function(e){return r(e)};if(u.version="1.0.10",u.removed=[],!o||!o.document||9!==o.document.nodeType)return u.isSupported=!1,u;var h=o.document,y=!1,g=!1,v=o.document,D=o.DocumentFragment,R=o.HTMLTemplateElement,C=o.Node,H=o.NodeFilter,z=o.NamedNodeMap,F=void 0===z?o.NamedNodeMap||o.MozNamedAttrMap:z,I=o.Text,j=o.Comment,P=o.DOMParser,U=o.TrustedTypes;if("function"==typeof R){var W=v.createElement("template");W.content&&W.content.ownerDocument&&(v=W.content.ownerDocument)}var B=_(U,h),G=B?B.createHTML(""):"",q=v,V=q.implementation,Y=q.createNodeIterator,K=q.getElementsByTagName,X=q.createDocumentFragment,$=h.importNode,J={};u.isSupported=V&&void 0!==V.createHTMLDocument&&9!==v.documentMode;var Q=b,Z=T,ee=A,te=x,ne=S,re=M,oe=L,ie=null,ae=e({},[].concat(n(i),n(a),n(l),n(c),n(s))),le=null,ce=e({},[].concat(n(d),n(f),n(p),n(m))),se=null,ue=null,de=!0,fe=!0,pe=!1,me=!1,he=!1,ye=!1,ge=!1,ve=!1,be=!1,Te=!1,Ae=!1,xe=!0,Le=!0,Se=!1,Me={},we=e({},["audio","head","math","script","style","template","svg","video"]),ke=e({},["audio","video","img","source","image"]),Ee=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Oe=null,Ne=v.createElement("form"),_e=function(r){Oe&&Oe===r||(r&&"object"===(void 0===r?"undefined":w(r))||(r={}),ie="ALLOWED_TAGS"in r?e({},r.ALLOWED_TAGS):ae,le="ALLOWED_ATTR"in r?e({},r.ALLOWED_ATTR):ce,se="FORBID_TAGS"in r?e({},r.FORBID_TAGS):{},ue="FORBID_ATTR"in r?e({},r.FORBID_ATTR):{},Me="USE_PROFILES"in r&&r.USE_PROFILES,de=!1!==r.ALLOW_ARIA_ATTR,fe=!1!==r.ALLOW_DATA_ATTR,pe=r.ALLOW_UNKNOWN_PROTOCOLS||!1,me=r.SAFE_FOR_JQUERY||!1,he=r.SAFE_FOR_TEMPLATES||!1,ye=r.WHOLE_DOCUMENT||!1,be=r.RETURN_DOM||!1,Te=r.RETURN_DOM_FRAGMENT||!1,Ae=r.RETURN_DOM_IMPORT||!1,ve=r.FORCE_BODY||!1,xe=!1!==r.SANITIZE_DOM,Le=!1!==r.KEEP_CONTENT,Se=r.IN_PLACE||!1,oe=r.ALLOWED_URI_REGEXP||oe,he&&(fe=!1),Te&&(be=!0),Me&&(ie=e({},[].concat(n(s))),le=[],!0===Me.html&&(e(ie,i),e(le,d)),!0===Me.svg&&(e(ie,a),e(le,f),e(le,m)),!0===Me.svgFilters&&(e(ie,l),e(le,f),e(le,m)),!0===Me.mathMl&&(e(ie,c),e(le,p),e(le,m))),r.ADD_TAGS&&(ie===ae&&(ie=t(ie)),e(ie,r.ADD_TAGS)),r.ADD_ATTR&&(le===ce&&(le=t(le)),e(le,r.ADD_ATTR)),r.ADD_URI_SAFE_ATTR&&e(Ee,r.ADD_URI_SAFE_ATTR),Le&&(ie["#text"]=!0),ye&&e(ie,["html","head","body"]),ie.table&&e(ie,["tbody"]),O&&O(r),Oe=r)},De=function(e){u.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=G}},Re=function(e,t){try{u.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){u.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Ce=function(t){var n=void 0,r=void 0;if(ve)t="<remove></remove>"+t;else{var o=t.match(/^[\s]+/);(r=o&&o[0])&&(t=t.slice(r.length))}if(y)try{n=(new P).parseFromString(t,"text/html")}catch(e){}if(g&&e(se,["title"]),!n||!n.documentElement){var i=(n=V.createHTMLDocument("")).body;i.parentNode.removeChild(i.parentNode.firstElementChild),i.outerHTML=B?B.createHTML(t):t}return r&&n.body.insertBefore(v.createTextNode(r),n.body.childNodes[0]||null),K.call(n,ye?"html":"body")[0]};u.isSupported&&(function(){try{Ce('<svg><p><style><img src="</style><img src=x onerror=1//">').querySelector("svg img")&&(y=!0)}catch(e){}}(),function(){try{Ce("<x/><title></title><img>").querySelector("title").innerHTML.match(/<\/title/)&&(g=!0)}catch(e){}}());var He=function(e){return Y.call(e.ownerDocument||e,e,H.SHOW_ELEMENT|H.SHOW_COMMENT|H.SHOW_TEXT,function(){return H.FILTER_ACCEPT},!1)},ze=function(e){return!(e instanceof I||e instanceof j)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof F&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Fe=function(e){return"object"===(void 0===C?"undefined":w(C))?e instanceof C:e&&"object"===(void 0===e?"undefined":w(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ie=function(e,t,n){J[e]&&J[e].forEach(function(e){e.call(u,t,n,Oe)})},je=function(e){var t=void 0;if(Ie("beforeSanitizeElements",e,null),ze(e))return De(e),!0;var n=e.nodeName.toLowerCase();if(Ie("uponSanitizeElement",e,{tagName:n,allowedTags:ie}),!ie[n]||se[n]){if(Le&&!we[n]&&"function"==typeof e.insertAdjacentHTML)try{var r=e.innerHTML;e.insertAdjacentHTML("AfterEnd",B?B.createHTML(r):r)}catch(e){}return De(e),!0}return"noscript"===n&&e.innerHTML.match(/<\/noscript/i)?(De(e),!0):"noembed"===n&&e.innerHTML.match(/<\/noembed/i)?(De(e),!0):(!me||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(u.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"<"):e.innerHTML=e.textContent.replace(/</g,"<")),he&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(Q," ")).replace(Z," "),e.textContent!==t&&(u.removed.push({element:e.cloneNode()}),e.textContent=t)),Ie("afterSanitizeElements",e,null),!1)},Pe=function(e,t,n){if(xe&&("id"===t||"name"===t)&&(n in v||n in Ne))return!1;if(fe&&ee.test(t));else if(de&&te.test(t));else{if(!le[t]||ue[t])return!1;if(Ee[t]);else if(oe.test(n.replace(re,"")));else if("src"!==t&&"xlink:href"!==t||"script"===e||0!==n.indexOf("data:")||!ke[e]){if(pe&&!ne.test(n.replace(re,"")));else if(n)return!1}else;}return!0},Ue=function(e){var t=void 0,n=void 0,r=void 0,o=void 0,i=void 0;Ie("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:le};for(i=a.length;i--;){var c=t=a[i],s=c.name,d=c.namespaceURI;if(n=t.value.trim(),r=s.toLowerCase(),l.attrName=r,l.attrValue=n,l.keepAttr=!0,Ie("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)o=a.id,a=k(E,a,[]),Re("id",e),Re(s,e),a.indexOf(o)>i&&e.setAttribute("id",o.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===n&&(le[r]||!ue[r]))continue;"id"===s&&e.setAttribute(s,""),Re(s,e)}if(l.keepAttr){he&&(n=(n=n.replace(Q," ")).replace(Z," "));var f=e.nodeName.toLowerCase();if(Pe(f,r,n))try{d?e.setAttributeNS(d,s,n):e.setAttribute(s,n),u.removed.pop()}catch(e){}}}Ie("afterSanitizeAttributes",e,null)}},We=function e(t){var n=void 0,r=He(t);for(Ie("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)Ie("uponSanitizeShadowNode",n,null),je(n)||(n.content instanceof D&&e(n.content),Ue(n));Ie("afterSanitizeShadowDOM",t,null)};return u.sanitize=function(e,t){var n=void 0,r=void 0,i=void 0,a=void 0,l=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Fe(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!u.isSupported){if("object"===w(o.toStaticHTML)||"function"==typeof o.toStaticHTML){if("string"==typeof e)return o.toStaticHTML(e);if(Fe(e))return o.toStaticHTML(e.outerHTML)}return e}if(ge||_e(t),u.removed=[],Se);else if(e instanceof C)1===(r=(n=Ce("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===r.nodeName?n=r:n.appendChild(r);else{if(!be&&!he&&!ye&&-1===e.indexOf("<"))return B?B.createHTML(e):e;if(!(n=Ce(e)))return be?null:G}n&&ve&&De(n.firstChild);for(var c=He(Se?e:n);i=c.nextNode();)3===i.nodeType&&i===a||je(i)||(i.content instanceof D&&We(i.content),Ue(i),a=i);if(a=null,Se)return e;if(be){if(Te)for(l=X.call(n.ownerDocument);n.firstChild;)l.appendChild(n.firstChild);else l=n;return Ae&&(l=$.call(h,l,!0)),l}var s=ye?n.outerHTML:n.innerHTML;return he&&(s=(s=s.replace(Q," ")).replace(Z," ")),B?B.createHTML(s):s},u.setConfig=function(e){_e(e),ge=!0},u.clearConfig=function(){Oe=null,ge=!1},u.isValidAttribute=function(e,t,n){Oe||_e({});var r=e.toLowerCase(),o=t.toLowerCase();return Pe(r,o,n)},u.addHook=function(e,t){"function"==typeof t&&(J[e]=J[e]||[],J[e].push(t))},u.removeHook=function(e){J[e]&&J[e].pop()},u.removeHooks=function(e){J[e]&&(J[e]=[])},u.removeAllHooks=function(){J={}},u}var o=Object.freeze||function(e){return e},i=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),a=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),l=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),c=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),s=o(["#text"]),u=Object.freeze||function(e){return e},d=u(["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"]),f=u(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),p=u(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),m=u(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),h=Object.hasOwnProperty,y=Object.setPrototypeOf,g=("undefined"!=typeof Reflect&&Reflect).apply;g||(g=function(e,t,n){return e.apply(t,n)});var v=Object.seal||function(e){return e},b=v(/\{\{[\s\S]*|[\s\S]*\}\}/gm),T=v(/<%[\s\S]*|[\s\S]*%>/gm),A=v(/^data-[\-\w.\u00B7-\uFFFF]/),x=v(/^aria-[\-\w]+$/),L=v(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),S=v(/^(?:\w+script|data):/i),M=v(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g),w="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},k=("undefined"!=typeof Reflect&&Reflect).apply,E=Array.prototype.slice,O=Object.freeze,N=function(){return"undefined"==typeof window?null:window};k||(k=function(e,t,n){return e.apply(t,n)});var _=function(e,t){if("object"!==(void 0===e?"undefined":w(e))||"function"!=typeof e.createPolicy)return null;var n=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(n=t.currentScript.getAttribute("data-tt-policy-suffix"));var r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}};return r()}); | ||
| //# sourceMappingURL=purify.min.js.map |
@@ -70,4 +70,4 @@ { | ||
| "jsdom": "8.x.x", | ||
| "karma": "^2.0.5", | ||
| "karma-browserstack-launcher": "^1.3.0", | ||
| "karma": "^4.0.0", | ||
| "karma-browserstack-launcher": "^1.4.0", | ||
| "karma-chrome-launcher": "^2.2.0", | ||
@@ -98,3 +98,3 @@ "karma-firefox-launcher": "^1.1.0", | ||
| "rollup-watch": "^4.3.1", | ||
| "xo": "^0.21.1" | ||
| "xo": "^0.24.0" | ||
| }, | ||
@@ -106,3 +106,3 @@ "resolutions": { | ||
| "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
| "version": "1.0.9", | ||
| "version": "1.0.10", | ||
| "directories": { | ||
@@ -109,0 +109,0 @@ "test": "test" |
@@ -9,7 +9,7 @@ # DOMPurify | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.9. | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.10. | ||
| DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing. | ||
| Our automated tests cover [22 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v6.0.0, v8.0.0, v9.0.0 and v10.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
| Our automated tests cover [25 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v8.0.0, v9.0.0 and v10.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
@@ -114,4 +114,21 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really. | ||
| ## Can I configure it? | ||
| ## What about DOMPurify and Trusted Types? | ||
| In version 1.0.9, support for [Trusted Types API](https://github.com/WICG/trusted-types) was added to DOMPurify. | ||
| When `DOMPurify.sanitize` is used in the environment where the Trusted Types API is available (this happens e.g. in Chrome `chrome://flags/#enable-experimental-web-platform-features`), it returns a `TrustedHTML` value instead of a string (the behavior for `RETURN_DOM`, `RETURN_DOM_FRAGMENT`, and `RETURN_DOM_IMPORT` config options does not change). | ||
| That return value is implicitly casted to a string when needed, returning the actual sanitized HTML snippet. In particular, you can directly use it with DOM sinks like `innerHTML`, or concatenate it with other strings. For most use cases, the API change does not introduce any visible change. | ||
| That said, `TrustedHTML` values are intentionally immutable, and don't inherit from `String.prototype`. In rare cases where you expect the value to implement String prototype functions (e.g. if you want to `String.replace` the sanitized output), cast the value to a string like so: | ||
| ```javascript | ||
| const sanitizedAsString = (DOMPurify.sanitize(foo) + ''); | ||
| sanitizedAsString.replace(...) | ||
| ``` | ||
| Please note, that if that change breaks your application, you *might* be doing something wrong. The sanitized HTML snippet should not be modified, as it might introduce XSS vulnerabilities. | ||
| ## Can I configure DOMPurify? | ||
| Yes. The included default configuration values are pretty good already - but you can of course override them. Check out the [`/demos`](https://github.com/cure53/DOMPurify/tree/master/demos) folder to see a bunch of examples on how you can [customize DOMPurify](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this). | ||
@@ -124,2 +141,5 @@ | ||
| // strip {{ ... }} and <% ... %> to make output safe for template systems | ||
| // be careful please, this mode is not recommended for production usage. | ||
| // allowing template parsing in user-controlled HTML is not advised at all. | ||
| // only use this mode if there is really no alternative. | ||
| var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true}); | ||
@@ -277,3 +297,3 @@ | ||
| Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their code reviews and countless small optimizations, fixes and beautifications. | ||
| Further, thanks [@neilj](https://twitter.com/neilj) and [@0xsobky](https://twitter.com/0xsobky) for their code reviews and countless small optimizations, fixes and beautifications. Thanks also go out to [@kkotowicz](https://twitter.com/kkotowicz) for his Trusted Types implementation and the connected section on our README page. | ||
@@ -280,0 +300,0 @@ Big thanks also go to [@tdeekens](https://twitter.com/tdeekens) for doing all the hard work and getting us on track with Travis CI and BrowserStack. And thanks to [@Joris-van-der-Wel](https://github.com/Joris-van-der-Wel) for setting up DOMPurify for jsdom and creating the additional test suite. And again [@tdeekens](https://twitter.com/tdeekens) for his [incredible efforts](https://github.com/cure53/DOMPurify/pull/206) and contribution to refactor DOMPurify into using ES201x, proper build tools, better test coverage and much more! |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by2.27%
470420
- Lines of code
- increased by2%
3061
- Number of lines in readme file
- increased by7.17%
299
No dependency changes