dompurify
Advanced tools
Comparing version 1.0.4 to 1.0.5
@@ -52,3 +52,3 @@ 'use strict'; | ||
| var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i; | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // This needs to be extensive thanks to Webkit/Blink's behavior | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // eslint-disable-line no-control-regex | ||
@@ -74,3 +74,3 @@ var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; | ||
| */ | ||
| DOMPurify.version = '1.0.4'; | ||
| DOMPurify.version = '1.0.5'; | ||
@@ -93,3 +93,2 @@ /** | ||
| var useDOMParser = false; // See comment below | ||
| var useXHR = false; | ||
@@ -105,7 +104,3 @@ var document = window.document; | ||
| Comment = window.Comment, | ||
| DOMParser = window.DOMParser, | ||
| _window$XMLHttpReques = window.XMLHttpRequest, | ||
| XMLHttpRequest = _window$XMLHttpReques === undefined ? window.XMLHttpRequest : _window$XMLHttpReques, | ||
| _window$encodeURI = window.encodeURI, | ||
| encodeURI = _window$encodeURI === undefined ? window.encodeURI : _window$encodeURI; | ||
| DOMParser = window.DOMParser; | ||
@@ -131,5 +126,5 @@ // As per issue #47, the web-components registry is inherited by a | ||
| createDocumentFragment = _document.createDocumentFragment; | ||
| var importNode = originalDocument.importNode; | ||
| var hooks = {}; | ||
@@ -148,4 +143,2 @@ | ||
| ATTR_WHITESPACE$$1 = ATTR_WHITESPACE; | ||
| var IS_ALLOWED_URI$$1 = IS_ALLOWED_URI; | ||
@@ -158,2 +151,3 @@ /** | ||
| /* allowed element names */ | ||
| var ALLOWED_TAGS = null; | ||
@@ -242,3 +236,3 @@ var DEFAULT_ALLOWED_TAGS = addToSet({}, [].concat(_toConsumableArray(html), _toConsumableArray(svg), _toConsumableArray(svgFilters), _toConsumableArray(mathMl), _toConsumableArray(text))); | ||
| * | ||
| * @param optional config literal | ||
| * @param {Object} cfg optional config literal | ||
| */ | ||
@@ -327,2 +321,7 @@ // eslint-disable-next-line complexity | ||
| /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */ | ||
| if (WHOLE_DOCUMENT) { | ||
| addToSet(ALLOWED_TAGS, ['html', 'head', 'body']); | ||
| } | ||
| // Prevent further manipulation of configuration. | ||
@@ -340,3 +339,3 @@ // Not available in IE8, Safari 5, etc. | ||
| * | ||
| * @param a DOM node | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -355,4 +354,4 @@ var _forceRemove = function _forceRemove(node) { | ||
| * | ||
| * @param an Attribute name | ||
| * @param a DOM node | ||
| * @param {String} name an Attribute name | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -377,4 +376,4 @@ var _removeAttribute = function _removeAttribute(name, node) { | ||
| * | ||
| * @param a string of dirty markup | ||
| * @return a DOM, filled with the dirty markup | ||
| * @param {String} dirty a string of dirty markup | ||
| * @return {Document} a DOM, filled with the dirty markup | ||
| */ | ||
@@ -384,3 +383,2 @@ var _initDocument = function _initDocument(dirty) { | ||
| var doc = void 0; | ||
| var body = void 0; | ||
@@ -391,14 +389,2 @@ if (FORCE_BODY) { | ||
| /* Use XHR if necessary because Safari 10.1 and newer are buggy */ | ||
| if (useXHR) { | ||
| try { | ||
| dirty = encodeURI(dirty); | ||
| } catch (err) {} | ||
| var xhr = new XMLHttpRequest(); | ||
| xhr.responseType = 'document'; | ||
| xhr.open('GET', 'data:text/html;charset=utf-8,' + dirty, false); | ||
| xhr.send(null); | ||
| doc = xhr.response; | ||
| } | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
@@ -415,3 +401,5 @@ if (useDOMParser) { | ||
| doc = implementation.createHTMLDocument(''); | ||
| body = doc.body; | ||
| var _doc = doc, | ||
| body = _doc.body; | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
@@ -425,15 +413,3 @@ body.outerHTML = dirty; | ||
| // Safari 10.1+ (unfixed as of time of writing) has a catastrophic bug in | ||
| // its implementation of DOMParser such that the following executes the | ||
| // JavaScript: | ||
| // | ||
| // new DOMParser() | ||
| // .parseFromString('<svg onload=alert(document.domain)>', 'text/html'); | ||
| // | ||
| // Later, it was also noticed that even more assumed benign and inert ways | ||
| // of creating a document are now insecure thanks to Safari. So we work | ||
| // around that with a feature test and use XHR to create the document in | ||
| // case we really have to. That one seems safe for now. | ||
| // | ||
| // However, Firefox uses a different parser for innerHTML rather than | ||
| // Firefox uses a different parser for innerHTML rather than | ||
| // DOMParser (see https://bugzilla.mozilla.org/show_bug.cgi?id=1205631) | ||
@@ -446,8 +422,4 @@ // which means that you *must* use DOMParser, otherwise the output may | ||
| (function () { | ||
| var doc = _initDocument('<svg><g onload="this.parentNode.remove()"></g></svg>'); | ||
| if (!doc.querySelector('svg')) { | ||
| useXHR = true; | ||
| } | ||
| try { | ||
| doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| var doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| if (doc.querySelector('svg img')) { | ||
@@ -463,4 +435,4 @@ useDOMParser = true; | ||
| * | ||
| * @param document/fragment to create iterator for | ||
| * @return iterator instance | ||
| * @param {Document} root document/fragment to create iterator for | ||
| * @return {Iterator} iterator instance | ||
| */ | ||
@@ -476,4 +448,4 @@ var _createIterator = function _createIterator(root) { | ||
| * | ||
| * @param element to check for clobbering attacks | ||
| * @return true if clobbered, false if safe | ||
| * @param {Node} elm element to check for clobbering attacks | ||
| * @return {Boolean} true if clobbered, false if safe | ||
| */ | ||
@@ -493,4 +465,4 @@ var _isClobbered = function _isClobbered(elm) { | ||
| * | ||
| * @param object to check whether it's a DOM node | ||
| * @return true is object is a DOM node | ||
| * @param {Node} obj object to check whether it's a DOM node | ||
| * @return {Boolean} true is object is a DOM node | ||
| */ | ||
@@ -506,3 +478,4 @@ var _isNode = function _isNode(obj) { | ||
| * @param {String} entryPoint Name of the hook's entry point | ||
| * @param {Node} currentNode | ||
| * @param {Node} currentNode node to work on with the hook | ||
| * @param {Object} data additional hook parameters | ||
| */ | ||
@@ -526,4 +499,4 @@ var _executeHook = function _executeHook(entryPoint, currentNode, data) { | ||
| * | ||
| * @param node to check for permission to exist | ||
| * @return true if node was killed, false if left alive | ||
| * @param {Node} currentNode to check for permission to exist | ||
| * @return {Boolean} true if node was killed, false if left alive | ||
| */ | ||
@@ -566,3 +539,7 @@ var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| } | ||
| } | ||
@@ -602,7 +579,5 @@ | ||
| var attr = void 0; | ||
| var name = void 0; | ||
| var value = void 0; | ||
| var lcName = void 0; | ||
| var idAttr = void 0; | ||
| var attributes = void 0; | ||
| var l = void 0; | ||
@@ -612,5 +587,6 @@ /* Execute a hook if present */ | ||
| attributes = currentNode.attributes; | ||
| var attributes = currentNode.attributes; | ||
| /* Check if we have attributes; if not we might have a text node */ | ||
| if (!attributes) { | ||
@@ -631,3 +607,5 @@ return; | ||
| attr = attributes[l]; | ||
| name = attr.name; | ||
| var _attr = attr, | ||
| name = _attr.name; | ||
| value = attr.value.trim(); | ||
@@ -736,4 +714,3 @@ lcName = name.toLowerCase(); | ||
| * | ||
| * @param fragment to iterate over recursively | ||
| * @return void | ||
| * @param {DocumentFragment} fragment to iterate over recursively | ||
| */ | ||
@@ -808,3 +785,4 @@ var _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) { | ||
| return window.toStaticHTML(dirty); | ||
| } else if (_isNode(dirty)) { | ||
| } | ||
| if (_isNode(dirty)) { | ||
| return window.toStaticHTML(dirty.outerHTML); | ||
@@ -912,4 +890,3 @@ } | ||
| * | ||
| * @param {Object} configuration object | ||
| * @return void | ||
| * @param {Object} cfg configuration object | ||
| */ | ||
@@ -925,3 +902,2 @@ DOMPurify.setConfig = function (cfg) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -937,4 +913,4 @@ DOMPurify.clearConfig = function () { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @param {Function} hookFunction | ||
| * @param {String} entryPoint entry point for the hook to add | ||
| * @param {Function} hookFunction function to execute | ||
| */ | ||
@@ -954,4 +930,3 @@ DOMPurify.addHook = function (entryPoint, hookFunction) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hook to remove | ||
| */ | ||
@@ -968,4 +943,3 @@ DOMPurify.removeHook = function (entryPoint) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hooks to remove | ||
| */ | ||
@@ -982,3 +956,2 @@ DOMPurify.removeHooks = function (entryPoint) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -985,0 +958,0 @@ DOMPurify.removeAllHooks = function () { |
@@ -50,3 +50,3 @@ var html = ['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']; | ||
| var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i; | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // This needs to be extensive thanks to Webkit/Blink's behavior | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // eslint-disable-line no-control-regex | ||
@@ -72,3 +72,3 @@ var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; | ||
| */ | ||
| DOMPurify.version = '1.0.4'; | ||
| DOMPurify.version = '1.0.5'; | ||
@@ -91,3 +91,2 @@ /** | ||
| var useDOMParser = false; // See comment below | ||
| var useXHR = false; | ||
@@ -103,7 +102,3 @@ var document = window.document; | ||
| Comment = window.Comment, | ||
| DOMParser = window.DOMParser, | ||
| _window$XMLHttpReques = window.XMLHttpRequest, | ||
| XMLHttpRequest = _window$XMLHttpReques === undefined ? window.XMLHttpRequest : _window$XMLHttpReques, | ||
| _window$encodeURI = window.encodeURI, | ||
| encodeURI = _window$encodeURI === undefined ? window.encodeURI : _window$encodeURI; | ||
| DOMParser = window.DOMParser; | ||
@@ -129,5 +124,5 @@ // As per issue #47, the web-components registry is inherited by a | ||
| createDocumentFragment = _document.createDocumentFragment; | ||
| var importNode = originalDocument.importNode; | ||
| var hooks = {}; | ||
@@ -146,4 +141,2 @@ | ||
| ATTR_WHITESPACE$$1 = ATTR_WHITESPACE; | ||
| var IS_ALLOWED_URI$$1 = IS_ALLOWED_URI; | ||
@@ -156,2 +149,3 @@ /** | ||
| /* allowed element names */ | ||
| var ALLOWED_TAGS = null; | ||
@@ -240,3 +234,3 @@ var DEFAULT_ALLOWED_TAGS = addToSet({}, [].concat(_toConsumableArray(html), _toConsumableArray(svg), _toConsumableArray(svgFilters), _toConsumableArray(mathMl), _toConsumableArray(text))); | ||
| * | ||
| * @param optional config literal | ||
| * @param {Object} cfg optional config literal | ||
| */ | ||
@@ -325,2 +319,7 @@ // eslint-disable-next-line complexity | ||
| /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */ | ||
| if (WHOLE_DOCUMENT) { | ||
| addToSet(ALLOWED_TAGS, ['html', 'head', 'body']); | ||
| } | ||
| // Prevent further manipulation of configuration. | ||
@@ -338,3 +337,3 @@ // Not available in IE8, Safari 5, etc. | ||
| * | ||
| * @param a DOM node | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -353,4 +352,4 @@ var _forceRemove = function _forceRemove(node) { | ||
| * | ||
| * @param an Attribute name | ||
| * @param a DOM node | ||
| * @param {String} name an Attribute name | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -375,4 +374,4 @@ var _removeAttribute = function _removeAttribute(name, node) { | ||
| * | ||
| * @param a string of dirty markup | ||
| * @return a DOM, filled with the dirty markup | ||
| * @param {String} dirty a string of dirty markup | ||
| * @return {Document} a DOM, filled with the dirty markup | ||
| */ | ||
@@ -382,3 +381,2 @@ var _initDocument = function _initDocument(dirty) { | ||
| var doc = void 0; | ||
| var body = void 0; | ||
@@ -389,14 +387,2 @@ if (FORCE_BODY) { | ||
| /* Use XHR if necessary because Safari 10.1 and newer are buggy */ | ||
| if (useXHR) { | ||
| try { | ||
| dirty = encodeURI(dirty); | ||
| } catch (err) {} | ||
| var xhr = new XMLHttpRequest(); | ||
| xhr.responseType = 'document'; | ||
| xhr.open('GET', 'data:text/html;charset=utf-8,' + dirty, false); | ||
| xhr.send(null); | ||
| doc = xhr.response; | ||
| } | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
@@ -413,3 +399,5 @@ if (useDOMParser) { | ||
| doc = implementation.createHTMLDocument(''); | ||
| body = doc.body; | ||
| var _doc = doc, | ||
| body = _doc.body; | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
@@ -423,15 +411,3 @@ body.outerHTML = dirty; | ||
| // Safari 10.1+ (unfixed as of time of writing) has a catastrophic bug in | ||
| // its implementation of DOMParser such that the following executes the | ||
| // JavaScript: | ||
| // | ||
| // new DOMParser() | ||
| // .parseFromString('<svg onload=alert(document.domain)>', 'text/html'); | ||
| // | ||
| // Later, it was also noticed that even more assumed benign and inert ways | ||
| // of creating a document are now insecure thanks to Safari. So we work | ||
| // around that with a feature test and use XHR to create the document in | ||
| // case we really have to. That one seems safe for now. | ||
| // | ||
| // However, Firefox uses a different parser for innerHTML rather than | ||
| // Firefox uses a different parser for innerHTML rather than | ||
| // DOMParser (see https://bugzilla.mozilla.org/show_bug.cgi?id=1205631) | ||
@@ -444,8 +420,4 @@ // which means that you *must* use DOMParser, otherwise the output may | ||
| (function () { | ||
| var doc = _initDocument('<svg><g onload="this.parentNode.remove()"></g></svg>'); | ||
| if (!doc.querySelector('svg')) { | ||
| useXHR = true; | ||
| } | ||
| try { | ||
| doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| var doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| if (doc.querySelector('svg img')) { | ||
@@ -461,4 +433,4 @@ useDOMParser = true; | ||
| * | ||
| * @param document/fragment to create iterator for | ||
| * @return iterator instance | ||
| * @param {Document} root document/fragment to create iterator for | ||
| * @return {Iterator} iterator instance | ||
| */ | ||
@@ -474,4 +446,4 @@ var _createIterator = function _createIterator(root) { | ||
| * | ||
| * @param element to check for clobbering attacks | ||
| * @return true if clobbered, false if safe | ||
| * @param {Node} elm element to check for clobbering attacks | ||
| * @return {Boolean} true if clobbered, false if safe | ||
| */ | ||
@@ -491,4 +463,4 @@ var _isClobbered = function _isClobbered(elm) { | ||
| * | ||
| * @param object to check whether it's a DOM node | ||
| * @return true is object is a DOM node | ||
| * @param {Node} obj object to check whether it's a DOM node | ||
| * @return {Boolean} true is object is a DOM node | ||
| */ | ||
@@ -504,3 +476,4 @@ var _isNode = function _isNode(obj) { | ||
| * @param {String} entryPoint Name of the hook's entry point | ||
| * @param {Node} currentNode | ||
| * @param {Node} currentNode node to work on with the hook | ||
| * @param {Object} data additional hook parameters | ||
| */ | ||
@@ -524,4 +497,4 @@ var _executeHook = function _executeHook(entryPoint, currentNode, data) { | ||
| * | ||
| * @param node to check for permission to exist | ||
| * @return true if node was killed, false if left alive | ||
| * @param {Node} currentNode to check for permission to exist | ||
| * @return {Boolean} true if node was killed, false if left alive | ||
| */ | ||
@@ -564,3 +537,7 @@ var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| } | ||
| } | ||
@@ -600,7 +577,5 @@ | ||
| var attr = void 0; | ||
| var name = void 0; | ||
| var value = void 0; | ||
| var lcName = void 0; | ||
| var idAttr = void 0; | ||
| var attributes = void 0; | ||
| var l = void 0; | ||
@@ -610,5 +585,6 @@ /* Execute a hook if present */ | ||
| attributes = currentNode.attributes; | ||
| var attributes = currentNode.attributes; | ||
| /* Check if we have attributes; if not we might have a text node */ | ||
| if (!attributes) { | ||
@@ -629,3 +605,5 @@ return; | ||
| attr = attributes[l]; | ||
| name = attr.name; | ||
| var _attr = attr, | ||
| name = _attr.name; | ||
| value = attr.value.trim(); | ||
@@ -734,4 +712,3 @@ lcName = name.toLowerCase(); | ||
| * | ||
| * @param fragment to iterate over recursively | ||
| * @return void | ||
| * @param {DocumentFragment} fragment to iterate over recursively | ||
| */ | ||
@@ -806,3 +783,4 @@ var _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) { | ||
| return window.toStaticHTML(dirty); | ||
| } else if (_isNode(dirty)) { | ||
| } | ||
| if (_isNode(dirty)) { | ||
| return window.toStaticHTML(dirty.outerHTML); | ||
@@ -910,4 +888,3 @@ } | ||
| * | ||
| * @param {Object} configuration object | ||
| * @return void | ||
| * @param {Object} cfg configuration object | ||
| */ | ||
@@ -923,3 +900,2 @@ DOMPurify.setConfig = function (cfg) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -935,4 +911,4 @@ DOMPurify.clearConfig = function () { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @param {Function} hookFunction | ||
| * @param {String} entryPoint entry point for the hook to add | ||
| * @param {Function} hookFunction function to execute | ||
| */ | ||
@@ -952,4 +928,3 @@ DOMPurify.addHook = function (entryPoint, hookFunction) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hook to remove | ||
| */ | ||
@@ -966,4 +941,3 @@ DOMPurify.removeHook = function (entryPoint) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hooks to remove | ||
| */ | ||
@@ -980,3 +954,2 @@ DOMPurify.removeHooks = function (entryPoint) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -983,0 +956,0 @@ DOMPurify.removeAllHooks = function () { |
@@ -56,3 +56,3 @@ (function (global, factory) { | ||
| var IS_SCRIPT_OR_DATA = /^(?:\w+script|data):/i; | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // This needs to be extensive thanks to Webkit/Blink's behavior | ||
| var ATTR_WHITESPACE = /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g; // eslint-disable-line no-control-regex | ||
@@ -78,3 +78,3 @@ var _typeof = typeof Symbol === "function" && typeof Symbol.iterator === "symbol" ? function (obj) { return typeof obj; } : function (obj) { return obj && typeof Symbol === "function" && obj.constructor === Symbol && obj !== Symbol.prototype ? "symbol" : typeof obj; }; | ||
| */ | ||
| DOMPurify.version = '1.0.4'; | ||
| DOMPurify.version = '1.0.5'; | ||
@@ -97,3 +97,2 @@ /** | ||
| var useDOMParser = false; // See comment below | ||
| var useXHR = false; | ||
@@ -109,7 +108,3 @@ var document = window.document; | ||
| Comment = window.Comment, | ||
| DOMParser = window.DOMParser, | ||
| _window$XMLHttpReques = window.XMLHttpRequest, | ||
| XMLHttpRequest = _window$XMLHttpReques === undefined ? window.XMLHttpRequest : _window$XMLHttpReques, | ||
| _window$encodeURI = window.encodeURI, | ||
| encodeURI = _window$encodeURI === undefined ? window.encodeURI : _window$encodeURI; | ||
| DOMParser = window.DOMParser; | ||
@@ -135,5 +130,5 @@ // As per issue #47, the web-components registry is inherited by a | ||
| createDocumentFragment = _document.createDocumentFragment; | ||
| var importNode = originalDocument.importNode; | ||
| var hooks = {}; | ||
@@ -152,4 +147,2 @@ | ||
| ATTR_WHITESPACE$$1 = ATTR_WHITESPACE; | ||
| var IS_ALLOWED_URI$$1 = IS_ALLOWED_URI; | ||
@@ -162,2 +155,3 @@ /** | ||
| /* allowed element names */ | ||
| var ALLOWED_TAGS = null; | ||
@@ -246,3 +240,3 @@ var DEFAULT_ALLOWED_TAGS = addToSet({}, [].concat(_toConsumableArray(html), _toConsumableArray(svg), _toConsumableArray(svgFilters), _toConsumableArray(mathMl), _toConsumableArray(text))); | ||
| * | ||
| * @param optional config literal | ||
| * @param {Object} cfg optional config literal | ||
| */ | ||
@@ -331,2 +325,7 @@ // eslint-disable-next-line complexity | ||
| /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */ | ||
| if (WHOLE_DOCUMENT) { | ||
| addToSet(ALLOWED_TAGS, ['html', 'head', 'body']); | ||
| } | ||
| // Prevent further manipulation of configuration. | ||
@@ -344,3 +343,3 @@ // Not available in IE8, Safari 5, etc. | ||
| * | ||
| * @param a DOM node | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -359,4 +358,4 @@ var _forceRemove = function _forceRemove(node) { | ||
| * | ||
| * @param an Attribute name | ||
| * @param a DOM node | ||
| * @param {String} name an Attribute name | ||
| * @param {Node} node a DOM node | ||
| */ | ||
@@ -381,4 +380,4 @@ var _removeAttribute = function _removeAttribute(name, node) { | ||
| * | ||
| * @param a string of dirty markup | ||
| * @return a DOM, filled with the dirty markup | ||
| * @param {String} dirty a string of dirty markup | ||
| * @return {Document} a DOM, filled with the dirty markup | ||
| */ | ||
@@ -388,3 +387,2 @@ var _initDocument = function _initDocument(dirty) { | ||
| var doc = void 0; | ||
| var body = void 0; | ||
@@ -395,14 +393,2 @@ if (FORCE_BODY) { | ||
| /* Use XHR if necessary because Safari 10.1 and newer are buggy */ | ||
| if (useXHR) { | ||
| try { | ||
| dirty = encodeURI(dirty); | ||
| } catch (err) {} | ||
| var xhr = new XMLHttpRequest(); | ||
| xhr.responseType = 'document'; | ||
| xhr.open('GET', 'data:text/html;charset=utf-8,' + dirty, false); | ||
| xhr.send(null); | ||
| doc = xhr.response; | ||
| } | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
@@ -419,3 +405,5 @@ if (useDOMParser) { | ||
| doc = implementation.createHTMLDocument(''); | ||
| body = doc.body; | ||
| var _doc = doc, | ||
| body = _doc.body; | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
@@ -429,15 +417,3 @@ body.outerHTML = dirty; | ||
| // Safari 10.1+ (unfixed as of time of writing) has a catastrophic bug in | ||
| // its implementation of DOMParser such that the following executes the | ||
| // JavaScript: | ||
| // | ||
| // new DOMParser() | ||
| // .parseFromString('<svg onload=alert(document.domain)>', 'text/html'); | ||
| // | ||
| // Later, it was also noticed that even more assumed benign and inert ways | ||
| // of creating a document are now insecure thanks to Safari. So we work | ||
| // around that with a feature test and use XHR to create the document in | ||
| // case we really have to. That one seems safe for now. | ||
| // | ||
| // However, Firefox uses a different parser for innerHTML rather than | ||
| // Firefox uses a different parser for innerHTML rather than | ||
| // DOMParser (see https://bugzilla.mozilla.org/show_bug.cgi?id=1205631) | ||
@@ -450,8 +426,4 @@ // which means that you *must* use DOMParser, otherwise the output may | ||
| (function () { | ||
| var doc = _initDocument('<svg><g onload="this.parentNode.remove()"></g></svg>'); | ||
| if (!doc.querySelector('svg')) { | ||
| useXHR = true; | ||
| } | ||
| try { | ||
| doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| var doc = _initDocument('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'); | ||
| if (doc.querySelector('svg img')) { | ||
@@ -467,4 +439,4 @@ useDOMParser = true; | ||
| * | ||
| * @param document/fragment to create iterator for | ||
| * @return iterator instance | ||
| * @param {Document} root document/fragment to create iterator for | ||
| * @return {Iterator} iterator instance | ||
| */ | ||
@@ -480,4 +452,4 @@ var _createIterator = function _createIterator(root) { | ||
| * | ||
| * @param element to check for clobbering attacks | ||
| * @return true if clobbered, false if safe | ||
| * @param {Node} elm element to check for clobbering attacks | ||
| * @return {Boolean} true if clobbered, false if safe | ||
| */ | ||
@@ -497,4 +469,4 @@ var _isClobbered = function _isClobbered(elm) { | ||
| * | ||
| * @param object to check whether it's a DOM node | ||
| * @return true is object is a DOM node | ||
| * @param {Node} obj object to check whether it's a DOM node | ||
| * @return {Boolean} true is object is a DOM node | ||
| */ | ||
@@ -510,3 +482,4 @@ var _isNode = function _isNode(obj) { | ||
| * @param {String} entryPoint Name of the hook's entry point | ||
| * @param {Node} currentNode | ||
| * @param {Node} currentNode node to work on with the hook | ||
| * @param {Object} data additional hook parameters | ||
| */ | ||
@@ -530,4 +503,4 @@ var _executeHook = function _executeHook(entryPoint, currentNode, data) { | ||
| * | ||
| * @param node to check for permission to exist | ||
| * @return true if node was killed, false if left alive | ||
| * @param {Node} currentNode to check for permission to exist | ||
| * @return {Boolean} true if node was killed, false if left alive | ||
| */ | ||
@@ -570,3 +543,7 @@ var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| } | ||
| } | ||
@@ -606,7 +583,5 @@ | ||
| var attr = void 0; | ||
| var name = void 0; | ||
| var value = void 0; | ||
| var lcName = void 0; | ||
| var idAttr = void 0; | ||
| var attributes = void 0; | ||
| var l = void 0; | ||
@@ -616,5 +591,6 @@ /* Execute a hook if present */ | ||
| attributes = currentNode.attributes; | ||
| var attributes = currentNode.attributes; | ||
| /* Check if we have attributes; if not we might have a text node */ | ||
| if (!attributes) { | ||
@@ -635,3 +611,5 @@ return; | ||
| attr = attributes[l]; | ||
| name = attr.name; | ||
| var _attr = attr, | ||
| name = _attr.name; | ||
| value = attr.value.trim(); | ||
@@ -740,4 +718,3 @@ lcName = name.toLowerCase(); | ||
| * | ||
| * @param fragment to iterate over recursively | ||
| * @return void | ||
| * @param {DocumentFragment} fragment to iterate over recursively | ||
| */ | ||
@@ -812,3 +789,4 @@ var _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) { | ||
| return window.toStaticHTML(dirty); | ||
| } else if (_isNode(dirty)) { | ||
| } | ||
| if (_isNode(dirty)) { | ||
| return window.toStaticHTML(dirty.outerHTML); | ||
@@ -916,4 +894,3 @@ } | ||
| * | ||
| * @param {Object} configuration object | ||
| * @return void | ||
| * @param {Object} cfg configuration object | ||
| */ | ||
@@ -929,3 +906,2 @@ DOMPurify.setConfig = function (cfg) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -941,4 +917,4 @@ DOMPurify.clearConfig = function () { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @param {Function} hookFunction | ||
| * @param {String} entryPoint entry point for the hook to add | ||
| * @param {Function} hookFunction function to execute | ||
| */ | ||
@@ -958,4 +934,3 @@ DOMPurify.addHook = function (entryPoint, hookFunction) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hook to remove | ||
| */ | ||
@@ -972,4 +947,3 @@ DOMPurify.removeHook = function (entryPoint) { | ||
| * | ||
| * @param {String} entryPoint | ||
| * @return void | ||
| * @param {String} entryPoint entry point for the hooks to remove | ||
| */ | ||
@@ -986,3 +960,2 @@ DOMPurify.removeHooks = function (entryPoint) { | ||
| * | ||
| * @return void | ||
| */ | ||
@@ -989,0 +962,0 @@ DOMPurify.removeAllHooks = function () { |
@@ -1,2 +0,2 @@ | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){for(var n=t.length;n--;)"string"==typeof t[n]&&(t[n]=t[n].toLowerCase()),e[t[n]]=!0;return e}function t(e){var t={},n=void 0;for(n in e)Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function o(){var x=arguments.length>0&&void 0!==arguments[0]?arguments[0]:A(),S=function(e){return o(e)};if(S.version="1.0.4",S.removed=[],!x||!x.document||9!==x.document.nodeType)return S.isSupported=!1,S;var k=x.document,w=!1,E=!1,L=x.document,O=x.DocumentFragment,M=x.HTMLTemplateElement,N=x.Node,D=x.NodeFilter,_=x.NamedNodeMap,R=void 0===_?x.NamedNodeMap||x.MozNamedAttrMap:_,C=x.Text,F=x.Comment,z=x.DOMParser,H=x.XMLHttpRequest,I=void 0===H?x.XMLHttpRequest:H,j=x.encodeURI,U=void 0===j?x.encodeURI:j;if("function"==typeof M){var P=L.createElement("template");P.content&&P.content.ownerDocument&&(L=P.content.ownerDocument)}var W=L,q=W.implementation,G=W.createNodeIterator,B=W.getElementsByTagName,X=W.createDocumentFragment,V=k.importNode,Y={};S.isSupported=q&&void 0!==q.createHTMLDocument&&9!==L.documentMode;var K=p,$=f,J=h,Q=g,Z=v,ee=b,te=y,ne=null,oe=e({},[].concat(n(r),n(i),n(a),n(l),n(s))),re=null,ie=e({},[].concat(n(c),n(d),n(u),n(m))),ae=null,le=null,se=!0,ce=!0,de=!1,ue=!1,me=!1,pe=!1,fe=!1,he=!1,ge=!1,ye=!1,ve=!1,be=!0,Te=!0,Ae={},xe=e({},["audio","head","math","script","style","template","svg","video"]),Se=e({},["audio","video","img","source","image"]),ke=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),we=null,Ee=L.createElement("form"),Le=function(o){"object"!==(void 0===o?"undefined":T(o))&&(o={}),ne="ALLOWED_TAGS"in o?e({},o.ALLOWED_TAGS):oe,re="ALLOWED_ATTR"in o?e({},o.ALLOWED_ATTR):ie,ae="FORBID_TAGS"in o?e({},o.FORBID_TAGS):{},le="FORBID_ATTR"in o?e({},o.FORBID_ATTR):{},Ae="USE_PROFILES"in o&&o.USE_PROFILES,se=!1!==o.ALLOW_ARIA_ATTR,ce=!1!==o.ALLOW_DATA_ATTR,de=o.ALLOW_UNKNOWN_PROTOCOLS||!1,ue=o.SAFE_FOR_JQUERY||!1,me=o.SAFE_FOR_TEMPLATES||!1,pe=o.WHOLE_DOCUMENT||!1,ge=o.RETURN_DOM||!1,ye=o.RETURN_DOM_FRAGMENT||!1,ve=o.RETURN_DOM_IMPORT||!1,he=o.FORCE_BODY||!1,be=!1!==o.SANITIZE_DOM,Te=!1!==o.KEEP_CONTENT,te=o.ALLOWED_URI_REGEXP||te,me&&(ce=!1),ye&&(ge=!0),Ae&&(ne=e({},[].concat(n(s))),re=[],!0===Ae.html&&(e(ne,r),e(re,c)),!0===Ae.svg&&(e(ne,i),e(re,d),e(re,m)),!0===Ae.svgFilters&&(e(ne,a),e(re,d),e(re,m)),!0===Ae.mathMl&&(e(ne,l),e(re,u),e(re,m))),o.ADD_TAGS&&(ne===oe&&(ne=t(ne)),e(ne,o.ADD_TAGS)),o.ADD_ATTR&&(re===ie&&(re=t(re)),e(re,o.ADD_ATTR)),o.ADD_URI_SAFE_ATTR&&e(ke,o.ADD_URI_SAFE_ATTR),Te&&(ne["#text"]=!0),Object&&"freeze"in Object&&Object.freeze(o),we=o},Oe=function(e){S.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}},Me=function(e,t){try{S.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){S.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Ne=function(e){var t=void 0,n=void 0;if(he&&(e="<remove></remove>"+e),E){try{e=U(e)}catch(e){}var o=new I;o.responseType="document",o.open("GET","data:text/html;charset=utf-8,"+e,!1),o.send(null),t=o.response}if(w)try{t=(new z).parseFromString(e,"text/html")}catch(e){}return t&&t.documentElement||((n=(t=q.createHTMLDocument("")).body).parentNode.removeChild(n.parentNode.firstElementChild),n.outerHTML=e),B.call(t,pe?"html":"body")[0]};S.isSupported&&function(){var e=Ne('<svg><g onload="this.parentNode.remove()"></g></svg>');e.querySelector("svg")||(E=!0);try{(e=Ne('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')).querySelector("svg img")&&(w=!0)}catch(e){}}();var De=function(e){return G.call(e.ownerDocument||e,e,D.SHOW_ELEMENT|D.SHOW_COMMENT|D.SHOW_TEXT,function(){return D.FILTER_ACCEPT},!1)},_e=function(e){return!(e instanceof C||e instanceof F)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof R&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Re=function(e){return"object"===(void 0===N?"undefined":T(N))?e instanceof N:e&&"object"===(void 0===e?"undefined":T(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ce=function(e,t,n){Y[e]&&Y[e].forEach(function(e){e.call(S,t,n,we)})},Fe=function(e){var t=void 0;if(Ce("beforeSanitizeElements",e,null),_e(e))return Oe(e),!0;var n=e.nodeName.toLowerCase();if(Ce("uponSanitizeElement",e,{tagName:n,allowedTags:ne}),!ne[n]||ae[n]){if(Te&&!xe[n]&&"function"==typeof e.insertAdjacentHTML)try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(e){}return Oe(e),!0}return!ue||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(S.removed.push({element:e.cloneNode()}),e.innerHTML=e.textContent.replace(/</g,"<")),me&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(K," ")).replace($," "),e.textContent!==t&&(S.removed.push({element:e.cloneNode()}),e.textContent=t)),Ce("afterSanitizeElements",e,null),!1},ze=function(e){var t=void 0,n=void 0,o=void 0,r=void 0,i=void 0,a=void 0,l=void 0;if(Ce("beforeSanitizeAttributes",e,null),a=e.attributes){var s={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:re};for(l=a.length;l--;){if(t=a[l],n=t.name,o=t.value.trim(),r=n.toLowerCase(),s.attrName=r,s.attrValue=o,s.keepAttr=!0,Ce("uponSanitizeAttribute",e,s),o=s.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)i=a.id,a=Array.prototype.slice.apply(a),Me("id",e),Me(n,e),a.indexOf(i)>l&&e.setAttribute("id",i.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===o&&(re[r]||!le[r]))continue;"id"===n&&e.setAttribute(n,""),Me(n,e)}if(s.keepAttr&&(!be||"id"!==r&&"name"!==r||!(o in L||o in Ee))){if(me&&(o=(o=o.replace(K," ")).replace($," ")),ce&&J.test(r));else if(se&&Q.test(r));else{if(!re[r]||le[r])continue;if(ke[r]);else if(te.test(o.replace(ee,"")));else if("src"!==r&&"xlink:href"!==r||0!==o.indexOf("data:")||!Se[e.nodeName.toLowerCase()]){if(de&&!Z.test(o.replace(ee,"")));else if(o)continue}else;}try{e.setAttribute(n,o),S.removed.pop()}catch(e){}}}Ce("afterSanitizeAttributes",e,null)}},He=function e(t){var n=void 0,o=De(t);for(Ce("beforeSanitizeShadowDOM",t,null);n=o.nextNode();)Ce("uponSanitizeShadowNode",n,null),Fe(n)||(n.content instanceof O&&e(n.content),ze(n));Ce("afterSanitizeShadowDOM",t,null)};return S.sanitize=function(e,t){var n=void 0,o=void 0,r=void 0,i=void 0,a=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Re(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!S.isSupported){if("object"===T(x.toStaticHTML)||"function"==typeof x.toStaticHTML){if("string"==typeof e)return x.toStaticHTML(e);if(Re(e))return x.toStaticHTML(e.outerHTML)}return e}if(fe||Le(t),S.removed=[],e instanceof N)1===(o=(n=Ne("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===o.nodeName?n=o:n.appendChild(o);else{if(!ge&&!pe&&-1===e.indexOf("<"))return e;if(!(n=Ne(e)))return ge?null:""}he&&Oe(n.firstChild);for(var l=De(n);r=l.nextNode();)3===r.nodeType&&r===i||Fe(r)||(r.content instanceof O&&He(r.content),ze(r),i=r);if(ge){if(ye)for(a=X.call(n.ownerDocument);n.firstChild;)a.appendChild(n.firstChild);else a=n;return ve&&(a=V.call(k,a,!0)),a}return pe?n.outerHTML:n.innerHTML},S.setConfig=function(e){Le(e),fe=!0},S.clearConfig=function(){we=null,fe=!1},S.addHook=function(e,t){"function"==typeof t&&(Y[e]=Y[e]||[],Y[e].push(t))},S.removeHook=function(e){Y[e]&&Y[e].pop()},S.removeHooks=function(e){Y[e]&&(Y[e]=[])},S.removeAllHooks=function(){Y={}},S}var r=["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"],i=["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"],a=["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"],l=["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"],s=["#text"],c=["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"],d=["accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"],u=["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"],m=["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"],p=/\{\{[\s\S]*|[\s\S]*\}\}/gm,f=/<%[\s\S]*|[\s\S]*%>/gm,h=/^data-[\-\w.\u00B7-\uFFFF]/,g=/^aria-[\-\w]+$/,y=/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,v=/^(?:\w+script|data):/i,b=/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g,T="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},A=function(){return"undefined"==typeof window?null:window};return o()}); | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){for(var n=t.length;n--;)"string"==typeof t[n]&&(t[n]=t[n].toLowerCase()),e[t[n]]=!0;return e}function t(e){var t={},n=void 0;for(n in e)Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function o(){var x=arguments.length>0&&void 0!==arguments[0]?arguments[0]:A(),S=function(e){return o(e)};if(S.version="1.0.5",S.removed=[],!x||!x.document||9!==x.document.nodeType)return S.isSupported=!1,S;var k=x.document,w=!1,E=x.document,L=x.DocumentFragment,O=x.HTMLTemplateElement,M=x.Node,D=x.NodeFilter,N=x.NamedNodeMap,_=void 0===N?x.NamedNodeMap||x.MozNamedAttrMap:N,R=x.Text,C=x.Comment,F=x.DOMParser;if("function"==typeof O){var z=E.createElement("template");z.content&&z.content.ownerDocument&&(E=z.content.ownerDocument)}var H=E,I=H.implementation,j=H.createNodeIterator,P=H.getElementsByTagName,W=H.createDocumentFragment,U=k.importNode,B={};S.isSupported=I&&void 0!==I.createHTMLDocument&&9!==E.documentMode;var G=f,q=p,V=h,Y=g,K=v,X=b,$=y,J=null,Q=e({},[].concat(n(r),n(i),n(a),n(l),n(s))),Z=null,ee=e({},[].concat(n(c),n(d),n(u),n(m))),te=null,ne=null,oe=!0,re=!0,ie=!1,ae=!1,le=!1,se=!1,ce=!1,de=!1,ue=!1,me=!1,fe=!1,pe=!0,he=!0,ge={},ye=e({},["audio","head","math","script","style","template","svg","video"]),ve=e({},["audio","video","img","source","image"]),be=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Te=null,Ae=E.createElement("form"),xe=function(o){"object"!==(void 0===o?"undefined":T(o))&&(o={}),J="ALLOWED_TAGS"in o?e({},o.ALLOWED_TAGS):Q,Z="ALLOWED_ATTR"in o?e({},o.ALLOWED_ATTR):ee,te="FORBID_TAGS"in o?e({},o.FORBID_TAGS):{},ne="FORBID_ATTR"in o?e({},o.FORBID_ATTR):{},ge="USE_PROFILES"in o&&o.USE_PROFILES,oe=!1!==o.ALLOW_ARIA_ATTR,re=!1!==o.ALLOW_DATA_ATTR,ie=o.ALLOW_UNKNOWN_PROTOCOLS||!1,ae=o.SAFE_FOR_JQUERY||!1,le=o.SAFE_FOR_TEMPLATES||!1,se=o.WHOLE_DOCUMENT||!1,ue=o.RETURN_DOM||!1,me=o.RETURN_DOM_FRAGMENT||!1,fe=o.RETURN_DOM_IMPORT||!1,de=o.FORCE_BODY||!1,pe=!1!==o.SANITIZE_DOM,he=!1!==o.KEEP_CONTENT,$=o.ALLOWED_URI_REGEXP||$,le&&(re=!1),me&&(ue=!0),ge&&(J=e({},[].concat(n(s))),Z=[],!0===ge.html&&(e(J,r),e(Z,c)),!0===ge.svg&&(e(J,i),e(Z,d),e(Z,m)),!0===ge.svgFilters&&(e(J,a),e(Z,d),e(Z,m)),!0===ge.mathMl&&(e(J,l),e(Z,u),e(Z,m))),o.ADD_TAGS&&(J===Q&&(J=t(J)),e(J,o.ADD_TAGS)),o.ADD_ATTR&&(Z===ee&&(Z=t(Z)),e(Z,o.ADD_ATTR)),o.ADD_URI_SAFE_ATTR&&e(be,o.ADD_URI_SAFE_ATTR),he&&(J["#text"]=!0),se&&e(J,["html","head","body"]),Object&&"freeze"in Object&&Object.freeze(o),Te=o},Se=function(e){S.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}},ke=function(e,t){try{S.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){S.removed.push({attribute:null,from:t})}t.removeAttribute(e)},we=function(e){var t=void 0;if(de&&(e="<remove></remove>"+e),w)try{t=(new F).parseFromString(e,"text/html")}catch(e){}if(!t||!t.documentElement){var n=(t=I.createHTMLDocument("")).body;n.parentNode.removeChild(n.parentNode.firstElementChild),n.outerHTML=e}return P.call(t,se?"html":"body")[0]};S.isSupported&&function(){try{we('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">').querySelector("svg img")&&(w=!0)}catch(e){}}();var Ee=function(e){return j.call(e.ownerDocument||e,e,D.SHOW_ELEMENT|D.SHOW_COMMENT|D.SHOW_TEXT,function(){return D.FILTER_ACCEPT},!1)},Le=function(e){return!(e instanceof R||e instanceof C)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof _&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Oe=function(e){return"object"===(void 0===M?"undefined":T(M))?e instanceof M:e&&"object"===(void 0===e?"undefined":T(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Me=function(e,t,n){B[e]&&B[e].forEach(function(e){e.call(S,t,n,Te)})},De=function(e){var t=void 0;if(Me("beforeSanitizeElements",e,null),Le(e))return Se(e),!0;var n=e.nodeName.toLowerCase();if(Me("uponSanitizeElement",e,{tagName:n,allowedTags:J}),!J[n]||te[n]){if(he&&!ye[n]&&"function"==typeof e.insertAdjacentHTML)try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(e){}return Se(e),!0}return!ae||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(S.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"<"):e.innerHTML=e.textContent.replace(/</g,"<")),le&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(G," ")).replace(q," "),e.textContent!==t&&(S.removed.push({element:e.cloneNode()}),e.textContent=t)),Me("afterSanitizeElements",e,null),!1},Ne=function(e){var t=void 0,n=void 0,o=void 0,r=void 0,i=void 0;Me("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Z};for(i=a.length;i--;){var s=(t=a[i]).name;if(n=t.value.trim(),o=s.toLowerCase(),l.attrName=o,l.attrValue=n,l.keepAttr=!0,Me("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===o&&"IMG"===e.nodeName&&a.id)r=a.id,a=Array.prototype.slice.apply(a),ke("id",e),ke(s,e),a.indexOf(r)>i&&e.setAttribute("id",r.value);else{if("INPUT"===e.nodeName&&"type"===o&&"file"===n&&(Z[o]||!ne[o]))continue;"id"===s&&e.setAttribute(s,""),ke(s,e)}if(l.keepAttr&&(!pe||"id"!==o&&"name"!==o||!(n in E||n in Ae))){if(le&&(n=(n=n.replace(G," ")).replace(q," ")),re&&V.test(o));else if(oe&&Y.test(o));else{if(!Z[o]||ne[o])continue;if(be[o]);else if($.test(n.replace(X,"")));else if("src"!==o&&"xlink:href"!==o||0!==n.indexOf("data:")||!ve[e.nodeName.toLowerCase()]){if(ie&&!K.test(n.replace(X,"")));else if(n)continue}else;}try{e.setAttribute(s,n),S.removed.pop()}catch(e){}}}Me("afterSanitizeAttributes",e,null)}},_e=function e(t){var n=void 0,o=Ee(t);for(Me("beforeSanitizeShadowDOM",t,null);n=o.nextNode();)Me("uponSanitizeShadowNode",n,null),De(n)||(n.content instanceof L&&e(n.content),Ne(n));Me("afterSanitizeShadowDOM",t,null)};return S.sanitize=function(e,t){var n=void 0,o=void 0,r=void 0,i=void 0,a=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Oe(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!S.isSupported){if("object"===T(x.toStaticHTML)||"function"==typeof x.toStaticHTML){if("string"==typeof e)return x.toStaticHTML(e);if(Oe(e))return x.toStaticHTML(e.outerHTML)}return e}if(ce||xe(t),S.removed=[],e instanceof M)1===(o=(n=we("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===o.nodeName?n=o:n.appendChild(o);else{if(!ue&&!se&&-1===e.indexOf("<"))return e;if(!(n=we(e)))return ue?null:""}de&&Se(n.firstChild);for(var l=Ee(n);r=l.nextNode();)3===r.nodeType&&r===i||De(r)||(r.content instanceof L&&_e(r.content),Ne(r),i=r);if(ue){if(me)for(a=W.call(n.ownerDocument);n.firstChild;)a.appendChild(n.firstChild);else a=n;return fe&&(a=U.call(k,a,!0)),a}return se?n.outerHTML:n.innerHTML},S.setConfig=function(e){xe(e),ce=!0},S.clearConfig=function(){Te=null,ce=!1},S.addHook=function(e,t){"function"==typeof t&&(B[e]=B[e]||[],B[e].push(t))},S.removeHook=function(e){B[e]&&B[e].pop()},S.removeHooks=function(e){B[e]&&(B[e]=[])},S.removeAllHooks=function(){B={}},S}var r=["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"],i=["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"],a=["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"],l=["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"],s=["#text"],c=["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"],d=["accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"],u=["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"],m=["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"],f=/\{\{[\s\S]*|[\s\S]*\}\}/gm,p=/<%[\s\S]*|[\s\S]*%>/gm,h=/^data-[\-\w.\u00B7-\uFFFF]/,g=/^aria-[\-\w]+$/,y=/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,v=/^(?:\w+script|data):/i,b=/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g,T="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},A=function(){return"undefined"==typeof window?null:window};return o()}); | ||
| //# sourceMappingURL=purify.min.js.map |
@@ -65,5 +65,5 @@ { | ||
| "babel": "^6.23.0", | ||
| "babel-core": "^6.26.0", | ||
| "babel-core": "^6.26.3", | ||
| "babel-plugin-external-helpers": "^6.22.0", | ||
| "babel-preset-env": "^1.6.1", | ||
| "babel-preset-env": "^1.7.0", | ||
| "cross-env": "^5.1.3", | ||
@@ -75,3 +75,3 @@ "eslint-config-prettier": "^2.6.0", | ||
| "jsdom": "8.x.x", | ||
| "karma": "^2.0.0", | ||
| "karma": "^2.0.2", | ||
| "karma-browserstack-launcher": "^1.3.0", | ||
@@ -103,7 +103,10 @@ "karma-chrome-launcher": "^2.2.0", | ||
| "rollup-watch": "^4.3.1", | ||
| "xo": "^0.18.1" | ||
| "xo": "^0.21.1" | ||
| }, | ||
| "resolutions": { | ||
| "natives": "1.1.3" | ||
| }, | ||
| "name": "dompurify", | ||
| "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
| "version": "1.0.4", | ||
| "version": "1.0.5", | ||
| "directories": { | ||
@@ -110,0 +113,0 @@ "test": "test" |
@@ -7,7 +7,7 @@ # DOMPurify [](http://badge.fury.io/bo/dompurify) · [](http://badge.fury.io/js/dompurify) · [](https://travis-ci.org/cure53/DOMPurify) · [](https://www.npmjs.com/package/dompurify) | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.4! | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.5. | ||
| DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing. | ||
| Our automated tests cover [16 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v4.0.0, v5.0.0 and v6.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
| Our automated tests cover [21 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v6.0.0, v8.0.0, v9.0.0 and v10.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). | ||
@@ -14,0 +14,0 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really. |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is too big to display
No alert changes
Worsened metrics
- Total package byte prevSize
- decreased by-0.46%
953594
- Lines of code
- decreased by-4.25%
12741
No dependency changes