Socket
Socket
Sign inDemoInstall

dompurify

Package Overview
Dependencies
0
Maintainers
1
Versions
118
Alerts
File Explorer

Advanced tools

npm Scripts
License

Install Socket

Detect and block malicious and high-risk dependencies

Install

Comparing version 1.0.5 to 1.0.6

153

dist/purify.cjs.js

@@ -73,3 +73,3 @@ 'use strict';

*/
DOMPurify.version = '1.0.5';
DOMPurify.version = '1.0.6';

@@ -207,2 +207,6 @@ /**

/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
* of importing it into a new Document and returning a sanitized copy */
var IN_PLACE = false;
/* Allow usage of profiles like html, svg and mathMl */

@@ -257,2 +261,3 @@ var USE_PROFILES = {};

KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
IN_PLACE = cfg.IN_PLACE || false; // Default false

@@ -321,2 +326,7 @@ IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1;

/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286 */
if (ALLOWED_TAGS.table) {
addToSet(ALLOWED_TAGS, ['tbody']);
}
// Prevent further manipulation of configuration.

@@ -547,2 +557,60 @@ // Not available in IE8, Safari 5, etc.

/**
* _isValidAttribute
*
* @param {string} lcTag Lowercase tag name of containing element.
* @param {string} lcName Lowercase attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid, otherwise false.
*/
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
return false;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
return false;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
return false;
}
return true;
};
/**
* _sanitizeAttributes

@@ -555,4 +623,3 @@ *

*
* @param node to sanitize
* @return void
* @param {Node} node to sanitize
*/

@@ -633,49 +700,8 @@ // eslint-disable-next-line complexity

/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
/* Is `value` valid for this attribute? */
var lcTag = currentNode.nodeName.toLowerCase();
if (!_isValidAttribute(lcTag, lcName, value)) {
continue;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
continue;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
continue;
}
/* Handle invalid data-* attribute set by try-catching it */

@@ -781,3 +807,5 @@ try {

if (dirty instanceof Node) {
if (IN_PLACE) {
/* No special handling necessary for in-place sanitization */
} else if (dirty instanceof Node) {
/* If dirty is a DOM element, append to an empty document to avoid

@@ -809,3 +837,3 @@ elements being stripped by the parser */

/* Remove first element node (ours) if FORCE_BODY is set */
if (FORCE_BODY) {
if (body && FORCE_BODY) {
_forceRemove(body.firstChild);

@@ -815,3 +843,3 @@ }

/* Get node iterator */
var nodeIterator = _createIterator(body);
var nodeIterator = _createIterator(IN_PLACE ? dirty : body);

@@ -841,2 +869,7 @@ /* Now start iterating over the created document */

/* If we sanitized `dirty` in-place, return it. */
if (IN_PLACE) {
return dirty;
}
/* Return sanitized string or DOM */

@@ -891,2 +924,22 @@ if (RETURN_DOM) {

/**
* Public method to check if an attribute value is valid.
* Uses last set config, if any. Otherwise, uses config defaults.
* isValidAttribute
*
* @param {string} tag Tag name of containing element.
* @param {string} attr Attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
*/
DOMPurify.isValidAttribute = function (tag, attr, value) {
/* Initialize shared config vars if necessary. */
if (!CONFIG) {
_parseConfig({});
}
var lcTag = tag.toLowerCase();
var lcName = attr.toLowerCase();
return _isValidAttribute(lcTag, lcName, value);
};
/**
* AddHook

@@ -893,0 +946,0 @@ * Public method to add DOMPurify hooks

153

dist/purify.es.js

@@ -71,3 +71,3 @@ var html = ['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr'];

*/
DOMPurify.version = '1.0.5';
DOMPurify.version = '1.0.6';

@@ -205,2 +205,6 @@ /**

/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
* of importing it into a new Document and returning a sanitized copy */
var IN_PLACE = false;
/* Allow usage of profiles like html, svg and mathMl */

@@ -255,2 +259,3 @@ var USE_PROFILES = {};

KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
IN_PLACE = cfg.IN_PLACE || false; // Default false

@@ -319,2 +324,7 @@ IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1;

/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286 */
if (ALLOWED_TAGS.table) {
addToSet(ALLOWED_TAGS, ['tbody']);
}
// Prevent further manipulation of configuration.

@@ -545,2 +555,60 @@ // Not available in IE8, Safari 5, etc.

/**
* _isValidAttribute
*
* @param {string} lcTag Lowercase tag name of containing element.
* @param {string} lcName Lowercase attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid, otherwise false.
*/
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
return false;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
return false;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
return false;
}
return true;
};
/**
* _sanitizeAttributes

@@ -553,4 +621,3 @@ *

*
* @param node to sanitize
* @return void
* @param {Node} node to sanitize
*/

@@ -631,49 +698,8 @@ // eslint-disable-next-line complexity

/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
/* Is `value` valid for this attribute? */
var lcTag = currentNode.nodeName.toLowerCase();
if (!_isValidAttribute(lcTag, lcName, value)) {
continue;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
continue;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
continue;
}
/* Handle invalid data-* attribute set by try-catching it */

@@ -779,3 +805,5 @@ try {

if (dirty instanceof Node) {
if (IN_PLACE) {
/* No special handling necessary for in-place sanitization */
} else if (dirty instanceof Node) {
/* If dirty is a DOM element, append to an empty document to avoid

@@ -807,3 +835,3 @@ elements being stripped by the parser */

/* Remove first element node (ours) if FORCE_BODY is set */
if (FORCE_BODY) {
if (body && FORCE_BODY) {
_forceRemove(body.firstChild);

@@ -813,3 +841,3 @@ }

/* Get node iterator */
var nodeIterator = _createIterator(body);
var nodeIterator = _createIterator(IN_PLACE ? dirty : body);

@@ -839,2 +867,7 @@ /* Now start iterating over the created document */

/* If we sanitized `dirty` in-place, return it. */
if (IN_PLACE) {
return dirty;
}
/* Return sanitized string or DOM */

@@ -889,2 +922,22 @@ if (RETURN_DOM) {

/**
* Public method to check if an attribute value is valid.
* Uses last set config, if any. Otherwise, uses config defaults.
* isValidAttribute
*
* @param {string} tag Tag name of containing element.
* @param {string} attr Attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
*/
DOMPurify.isValidAttribute = function (tag, attr, value) {
/* Initialize shared config vars if necessary. */
if (!CONFIG) {
_parseConfig({});
}
var lcTag = tag.toLowerCase();
var lcName = attr.toLowerCase();
return _isValidAttribute(lcTag, lcName, value);
};
/**
* AddHook

@@ -891,0 +944,0 @@ * Public method to add DOMPurify hooks

153

dist/purify.js

@@ -77,3 +77,3 @@ (function (global, factory) {

*/
DOMPurify.version = '1.0.5';
DOMPurify.version = '1.0.6';

@@ -211,2 +211,6 @@ /**

/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
* of importing it into a new Document and returning a sanitized copy */
var IN_PLACE = false;
/* Allow usage of profiles like html, svg and mathMl */

@@ -261,2 +265,3 @@ var USE_PROFILES = {};

KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
IN_PLACE = cfg.IN_PLACE || false; // Default false

@@ -325,2 +330,7 @@ IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1;

/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286 */
if (ALLOWED_TAGS.table) {
addToSet(ALLOWED_TAGS, ['tbody']);
}
// Prevent further manipulation of configuration.

@@ -551,2 +561,60 @@ // Not available in IE8, Safari 5, etc.

/**
* _isValidAttribute
*
* @param {string} lcTag Lowercase tag name of containing element.
* @param {string} lcName Lowercase attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid, otherwise false.
*/
var _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
return false;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
return false;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
return false;
}
return true;
};
/**
* _sanitizeAttributes

@@ -559,4 +627,3 @@ *

*
* @param node to sanitize
* @return void
* @param {Node} node to sanitize
*/

@@ -637,49 +704,8 @@ // eslint-disable-next-line complexity

/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
/* Is `value` valid for this attribute? */
var lcTag = currentNode.nodeName.toLowerCase();
if (!_isValidAttribute(lcTag, lcName, value)) {
continue;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = value.replace(MUSTACHE_EXPR$$1, ' ');
value = value.replace(ERB_EXPR$$1, ' ');
}
/* Allow valid data-* attributes: At least one character after "-"
(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
We don't need to check the value; it's always URI safe. */
if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) {
// This attribute is safe
} else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) {
// This attribute is safe
/* Otherwise, check the name is permitted */
} else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
continue;
/* Check value is safe. First, is attr inert? If so, is safe */
} else if (URI_SAFE_ATTRIBUTES[lcName]) {
// This attribute is safe
/* Check no script, data or unknown possibly unsafe URI
unless we know URI values are safe for that attribute */
} else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Keep image data URIs alive if src/xlink:href is allowed */
} else if ((lcName === 'src' || lcName === 'xlink:href') && value.indexOf('data:') === 0 && DATA_URI_TAGS[currentNode.nodeName.toLowerCase()]) {
// This attribute is safe
/* Allow unknown protocols: This provides support for links that
are handled by protocol handlers which may be unknown ahead of
time, e.g. fb:, spotify: */
} else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) {
// This attribute is safe
/* Check for binary attributes */
// eslint-disable-next-line no-negated-condition
} else if (!value) {
// Binary attributes are safe at this point
/* Anything else, presume unsafe, do not add it back */
} else {
continue;
}
/* Handle invalid data-* attribute set by try-catching it */

@@ -785,3 +811,5 @@ try {

if (dirty instanceof Node) {
if (IN_PLACE) {
/* No special handling necessary for in-place sanitization */
} else if (dirty instanceof Node) {
/* If dirty is a DOM element, append to an empty document to avoid

@@ -813,3 +841,3 @@ elements being stripped by the parser */

/* Remove first element node (ours) if FORCE_BODY is set */
if (FORCE_BODY) {
if (body && FORCE_BODY) {
_forceRemove(body.firstChild);

@@ -819,3 +847,3 @@ }

/* Get node iterator */
var nodeIterator = _createIterator(body);
var nodeIterator = _createIterator(IN_PLACE ? dirty : body);

@@ -845,2 +873,7 @@ /* Now start iterating over the created document */

/* If we sanitized `dirty` in-place, return it. */
if (IN_PLACE) {
return dirty;
}
/* Return sanitized string or DOM */

@@ -895,2 +928,22 @@ if (RETURN_DOM) {

/**
* Public method to check if an attribute value is valid.
* Uses last set config, if any. Otherwise, uses config defaults.
* isValidAttribute
*
* @param {string} tag Tag name of containing element.
* @param {string} attr Attribute name.
* @param {string} value Attribute value.
* @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
*/
DOMPurify.isValidAttribute = function (tag, attr, value) {
/* Initialize shared config vars if necessary. */
if (!CONFIG) {
_parseConfig({});
}
var lcTag = tag.toLowerCase();
var lcName = attr.toLowerCase();
return _isValidAttribute(lcTag, lcName, value);
};
/**
* AddHook

@@ -897,0 +950,0 @@ * Public method to add DOMPurify hooks

2

dist/purify.min.js

@@ -1,2 +0,2 @@

!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){for(var n=t.length;n--;)"string"==typeof t[n]&&(t[n]=t[n].toLowerCase()),e[t[n]]=!0;return e}function t(e){var t={},n=void 0;for(n in e)Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function o(){var x=arguments.length>0&&void 0!==arguments[0]?arguments[0]:A(),S=function(e){return o(e)};if(S.version="1.0.5",S.removed=[],!x||!x.document||9!==x.document.nodeType)return S.isSupported=!1,S;var k=x.document,w=!1,E=x.document,L=x.DocumentFragment,O=x.HTMLTemplateElement,M=x.Node,D=x.NodeFilter,N=x.NamedNodeMap,_=void 0===N?x.NamedNodeMap||x.MozNamedAttrMap:N,R=x.Text,C=x.Comment,F=x.DOMParser;if("function"==typeof O){var z=E.createElement("template");z.content&&z.content.ownerDocument&&(E=z.content.ownerDocument)}var H=E,I=H.implementation,j=H.createNodeIterator,P=H.getElementsByTagName,W=H.createDocumentFragment,U=k.importNode,B={};S.isSupported=I&&void 0!==I.createHTMLDocument&&9!==E.documentMode;var G=f,q=p,V=h,Y=g,K=v,X=b,$=y,J=null,Q=e({},[].concat(n(r),n(i),n(a),n(l),n(s))),Z=null,ee=e({},[].concat(n(c),n(d),n(u),n(m))),te=null,ne=null,oe=!0,re=!0,ie=!1,ae=!1,le=!1,se=!1,ce=!1,de=!1,ue=!1,me=!1,fe=!1,pe=!0,he=!0,ge={},ye=e({},["audio","head","math","script","style","template","svg","video"]),ve=e({},["audio","video","img","source","image"]),be=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Te=null,Ae=E.createElement("form"),xe=function(o){"object"!==(void 0===o?"undefined":T(o))&&(o={}),J="ALLOWED_TAGS"in o?e({},o.ALLOWED_TAGS):Q,Z="ALLOWED_ATTR"in o?e({},o.ALLOWED_ATTR):ee,te="FORBID_TAGS"in o?e({},o.FORBID_TAGS):{},ne="FORBID_ATTR"in o?e({},o.FORBID_ATTR):{},ge="USE_PROFILES"in o&&o.USE_PROFILES,oe=!1!==o.ALLOW_ARIA_ATTR,re=!1!==o.ALLOW_DATA_ATTR,ie=o.ALLOW_UNKNOWN_PROTOCOLS||!1,ae=o.SAFE_FOR_JQUERY||!1,le=o.SAFE_FOR_TEMPLATES||!1,se=o.WHOLE_DOCUMENT||!1,ue=o.RETURN_DOM||!1,me=o.RETURN_DOM_FRAGMENT||!1,fe=o.RETURN_DOM_IMPORT||!1,de=o.FORCE_BODY||!1,pe=!1!==o.SANITIZE_DOM,he=!1!==o.KEEP_CONTENT,$=o.ALLOWED_URI_REGEXP||$,le&&(re=!1),me&&(ue=!0),ge&&(J=e({},[].concat(n(s))),Z=[],!0===ge.html&&(e(J,r),e(Z,c)),!0===ge.svg&&(e(J,i),e(Z,d),e(Z,m)),!0===ge.svgFilters&&(e(J,a),e(Z,d),e(Z,m)),!0===ge.mathMl&&(e(J,l),e(Z,u),e(Z,m))),o.ADD_TAGS&&(J===Q&&(J=t(J)),e(J,o.ADD_TAGS)),o.ADD_ATTR&&(Z===ee&&(Z=t(Z)),e(Z,o.ADD_ATTR)),o.ADD_URI_SAFE_ATTR&&e(be,o.ADD_URI_SAFE_ATTR),he&&(J["#text"]=!0),se&&e(J,["html","head","body"]),Object&&"freeze"in Object&&Object.freeze(o),Te=o},Se=function(e){S.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}},ke=function(e,t){try{S.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){S.removed.push({attribute:null,from:t})}t.removeAttribute(e)},we=function(e){var t=void 0;if(de&&(e="<remove></remove>"+e),w)try{t=(new F).parseFromString(e,"text/html")}catch(e){}if(!t||!t.documentElement){var n=(t=I.createHTMLDocument("")).body;n.parentNode.removeChild(n.parentNode.firstElementChild),n.outerHTML=e}return P.call(t,se?"html":"body")[0]};S.isSupported&&function(){try{we('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">').querySelector("svg img")&&(w=!0)}catch(e){}}();var Ee=function(e){return j.call(e.ownerDocument||e,e,D.SHOW_ELEMENT|D.SHOW_COMMENT|D.SHOW_TEXT,function(){return D.FILTER_ACCEPT},!1)},Le=function(e){return!(e instanceof R||e instanceof C)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof _&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Oe=function(e){return"object"===(void 0===M?"undefined":T(M))?e instanceof M:e&&"object"===(void 0===e?"undefined":T(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Me=function(e,t,n){B[e]&&B[e].forEach(function(e){e.call(S,t,n,Te)})},De=function(e){var t=void 0;if(Me("beforeSanitizeElements",e,null),Le(e))return Se(e),!0;var n=e.nodeName.toLowerCase();if(Me("uponSanitizeElement",e,{tagName:n,allowedTags:J}),!J[n]||te[n]){if(he&&!ye[n]&&"function"==typeof e.insertAdjacentHTML)try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(e){}return Se(e),!0}return!ae||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(S.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"&lt;"):e.innerHTML=e.textContent.replace(/</g,"&lt;")),le&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(G," ")).replace(q," "),e.textContent!==t&&(S.removed.push({element:e.cloneNode()}),e.textContent=t)),Me("afterSanitizeElements",e,null),!1},Ne=function(e){var t=void 0,n=void 0,o=void 0,r=void 0,i=void 0;Me("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Z};for(i=a.length;i--;){var s=(t=a[i]).name;if(n=t.value.trim(),o=s.toLowerCase(),l.attrName=o,l.attrValue=n,l.keepAttr=!0,Me("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===o&&"IMG"===e.nodeName&&a.id)r=a.id,a=Array.prototype.slice.apply(a),ke("id",e),ke(s,e),a.indexOf(r)>i&&e.setAttribute("id",r.value);else{if("INPUT"===e.nodeName&&"type"===o&&"file"===n&&(Z[o]||!ne[o]))continue;"id"===s&&e.setAttribute(s,""),ke(s,e)}if(l.keepAttr&&(!pe||"id"!==o&&"name"!==o||!(n in E||n in Ae))){if(le&&(n=(n=n.replace(G," ")).replace(q," ")),re&&V.test(o));else if(oe&&Y.test(o));else{if(!Z[o]||ne[o])continue;if(be[o]);else if($.test(n.replace(X,"")));else if("src"!==o&&"xlink:href"!==o||0!==n.indexOf("data:")||!ve[e.nodeName.toLowerCase()]){if(ie&&!K.test(n.replace(X,"")));else if(n)continue}else;}try{e.setAttribute(s,n),S.removed.pop()}catch(e){}}}Me("afterSanitizeAttributes",e,null)}},_e=function e(t){var n=void 0,o=Ee(t);for(Me("beforeSanitizeShadowDOM",t,null);n=o.nextNode();)Me("uponSanitizeShadowNode",n,null),De(n)||(n.content instanceof L&&e(n.content),Ne(n));Me("afterSanitizeShadowDOM",t,null)};return S.sanitize=function(e,t){var n=void 0,o=void 0,r=void 0,i=void 0,a=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Oe(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!S.isSupported){if("object"===T(x.toStaticHTML)||"function"==typeof x.toStaticHTML){if("string"==typeof e)return x.toStaticHTML(e);if(Oe(e))return x.toStaticHTML(e.outerHTML)}return e}if(ce||xe(t),S.removed=[],e instanceof M)1===(o=(n=we("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===o.nodeName?n=o:n.appendChild(o);else{if(!ue&&!se&&-1===e.indexOf("<"))return e;if(!(n=we(e)))return ue?null:""}de&&Se(n.firstChild);for(var l=Ee(n);r=l.nextNode();)3===r.nodeType&&r===i||De(r)||(r.content instanceof L&&_e(r.content),Ne(r),i=r);if(ue){if(me)for(a=W.call(n.ownerDocument);n.firstChild;)a.appendChild(n.firstChild);else a=n;return fe&&(a=U.call(k,a,!0)),a}return se?n.outerHTML:n.innerHTML},S.setConfig=function(e){xe(e),ce=!0},S.clearConfig=function(){Te=null,ce=!1},S.addHook=function(e,t){"function"==typeof t&&(B[e]=B[e]||[],B[e].push(t))},S.removeHook=function(e){B[e]&&B[e].pop()},S.removeHooks=function(e){B[e]&&(B[e]=[])},S.removeAllHooks=function(){B={}},S}var r=["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"],i=["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"],a=["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"],l=["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"],s=["#text"],c=["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"],d=["accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"],u=["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"],m=["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"],f=/\{\{[\s\S]*|[\s\S]*\}\}/gm,p=/<%[\s\S]*|[\s\S]*%>/gm,h=/^data-[\-\w.\u00B7-\uFFFF]/,g=/^aria-[\-\w]+$/,y=/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,v=/^(?:\w+script|data):/i,b=/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g,T="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},A=function(){return"undefined"==typeof window?null:window};return o()});
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){for(var n=t.length;n--;)"string"==typeof t[n]&&(t[n]=t[n].toLowerCase()),e[t[n]]=!0;return e}function t(e){var t={},n=void 0;for(n in e)Object.prototype.hasOwnProperty.call(e,n)&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function r(){var x=arguments.length>0&&void 0!==arguments[0]?arguments[0]:A(),S=function(e){return r(e)};if(S.version="1.0.6",S.removed=[],!x||!x.document||9!==x.document.nodeType)return S.isSupported=!1,S;var k=x.document,w=!1,L=x.document,E=x.DocumentFragment,O=x.HTMLTemplateElement,M=x.Node,N=x.NodeFilter,_=x.NamedNodeMap,D=void 0===_?x.NamedNodeMap||x.MozNamedAttrMap:_,C=x.Text,R=x.Comment,F=x.DOMParser;if("function"==typeof O){var z=L.createElement("template");z.content&&z.content.ownerDocument&&(L=z.content.ownerDocument)}var H=L,I=H.implementation,j=H.createNodeIterator,P=H.getElementsByTagName,W=H.createDocumentFragment,U=k.importNode,B={};S.isSupported=I&&void 0!==I.createHTMLDocument&&9!==L.documentMode;var G=m,q=p,V=h,Y=g,K=v,X=b,$=y,J=null,Q=e({},[].concat(n(o),n(i),n(a),n(l),n(s))),Z=null,ee=e({},[].concat(n(c),n(d),n(u),n(f))),te=null,ne=null,re=!0,oe=!0,ie=!1,ae=!1,le=!1,se=!1,ce=!1,de=!1,ue=!1,fe=!1,me=!1,pe=!0,he=!0,ge=!1,ye={},ve=e({},["audio","head","math","script","style","template","svg","video"]),be=e({},["audio","video","img","source","image"]),Te=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Ae=null,xe=L.createElement("form"),Se=function(r){"object"!==(void 0===r?"undefined":T(r))&&(r={}),J="ALLOWED_TAGS"in r?e({},r.ALLOWED_TAGS):Q,Z="ALLOWED_ATTR"in r?e({},r.ALLOWED_ATTR):ee,te="FORBID_TAGS"in r?e({},r.FORBID_TAGS):{},ne="FORBID_ATTR"in r?e({},r.FORBID_ATTR):{},ye="USE_PROFILES"in r&&r.USE_PROFILES,re=!1!==r.ALLOW_ARIA_ATTR,oe=!1!==r.ALLOW_DATA_ATTR,ie=r.ALLOW_UNKNOWN_PROTOCOLS||!1,ae=r.SAFE_FOR_JQUERY||!1,le=r.SAFE_FOR_TEMPLATES||!1,se=r.WHOLE_DOCUMENT||!1,ue=r.RETURN_DOM||!1,fe=r.RETURN_DOM_FRAGMENT||!1,me=r.RETURN_DOM_IMPORT||!1,de=r.FORCE_BODY||!1,pe=!1!==r.SANITIZE_DOM,he=!1!==r.KEEP_CONTENT,ge=r.IN_PLACE||!1,$=r.ALLOWED_URI_REGEXP||$,le&&(oe=!1),fe&&(ue=!0),ye&&(J=e({},[].concat(n(s))),Z=[],!0===ye.html&&(e(J,o),e(Z,c)),!0===ye.svg&&(e(J,i),e(Z,d),e(Z,f)),!0===ye.svgFilters&&(e(J,a),e(Z,d),e(Z,f)),!0===ye.mathMl&&(e(J,l),e(Z,u),e(Z,f))),r.ADD_TAGS&&(J===Q&&(J=t(J)),e(J,r.ADD_TAGS)),r.ADD_ATTR&&(Z===ee&&(Z=t(Z)),e(Z,r.ADD_ATTR)),r.ADD_URI_SAFE_ATTR&&e(Te,r.ADD_URI_SAFE_ATTR),he&&(J["#text"]=!0),se&&e(J,["html","head","body"]),J.table&&e(J,["tbody"]),Object&&"freeze"in Object&&Object.freeze(r),Ae=r},ke=function(e){S.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=""}},we=function(e,t){try{S.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){S.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Le=function(e){var t=void 0;if(de&&(e="<remove></remove>"+e),w)try{t=(new F).parseFromString(e,"text/html")}catch(e){}if(!t||!t.documentElement){var n=(t=I.createHTMLDocument("")).body;n.parentNode.removeChild(n.parentNode.firstElementChild),n.outerHTML=e}return P.call(t,se?"html":"body")[0]};S.isSupported&&function(){try{Le('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">').querySelector("svg img")&&(w=!0)}catch(e){}}();var Ee=function(e){return j.call(e.ownerDocument||e,e,N.SHOW_ELEMENT|N.SHOW_COMMENT|N.SHOW_TEXT,function(){return N.FILTER_ACCEPT},!1)},Oe=function(e){return!(e instanceof C||e instanceof R)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof D&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute)},Me=function(e){return"object"===(void 0===M?"undefined":T(M))?e instanceof M:e&&"object"===(void 0===e?"undefined":T(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ne=function(e,t,n){B[e]&&B[e].forEach(function(e){e.call(S,t,n,Ae)})},_e=function(e){var t=void 0;if(Ne("beforeSanitizeElements",e,null),Oe(e))return ke(e),!0;var n=e.nodeName.toLowerCase();if(Ne("uponSanitizeElement",e,{tagName:n,allowedTags:J}),!J[n]||te[n]){if(he&&!ve[n]&&"function"==typeof e.insertAdjacentHTML)try{e.insertAdjacentHTML("AfterEnd",e.innerHTML)}catch(e){}return ke(e),!0}return!ae||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(S.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"&lt;"):e.innerHTML=e.textContent.replace(/</g,"&lt;")),le&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(G," ")).replace(q," "),e.textContent!==t&&(S.removed.push({element:e.cloneNode()}),e.textContent=t)),Ne("afterSanitizeElements",e,null),!1},De=function(e,t,n){if(pe&&("id"===t||"name"===t)&&(n in L||n in xe))return!1;if(le&&(n=(n=n.replace(G," ")).replace(q," ")),oe&&V.test(t));else if(re&&Y.test(t));else{if(!Z[t]||ne[t])return!1;if(Te[t]);else if($.test(n.replace(X,"")));else if("src"!==t&&"xlink:href"!==t||0!==n.indexOf("data:")||!be[e]){if(ie&&!K.test(n.replace(X,"")));else if(n)return!1}else;}return!0},Ce=function(e){var t=void 0,n=void 0,r=void 0,o=void 0,i=void 0;Ne("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Z};for(i=a.length;i--;){var s=(t=a[i]).name;if(n=t.value.trim(),r=s.toLowerCase(),l.attrName=r,l.attrValue=n,l.keepAttr=!0,Ne("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)o=a.id,a=Array.prototype.slice.apply(a),we("id",e),we(s,e),a.indexOf(o)>i&&e.setAttribute("id",o.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===n&&(Z[r]||!ne[r]))continue;"id"===s&&e.setAttribute(s,""),we(s,e)}if(l.keepAttr){var c=e.nodeName.toLowerCase();if(De(c,r,n))try{e.setAttribute(s,n),S.removed.pop()}catch(e){}}}Ne("afterSanitizeAttributes",e,null)}},Re=function e(t){var n=void 0,r=Ee(t);for(Ne("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)Ne("uponSanitizeShadowNode",n,null),_e(n)||(n.content instanceof E&&e(n.content),Ce(n));Ne("afterSanitizeShadowDOM",t,null)};return S.sanitize=function(e,t){var n=void 0,r=void 0,o=void 0,i=void 0,a=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Me(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!S.isSupported){if("object"===T(x.toStaticHTML)||"function"==typeof x.toStaticHTML){if("string"==typeof e)return x.toStaticHTML(e);if(Me(e))return x.toStaticHTML(e.outerHTML)}return e}if(ce||Se(t),S.removed=[],ge);else if(e instanceof M)1===(r=(n=Le("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===r.nodeName?n=r:n.appendChild(r);else{if(!ue&&!se&&-1===e.indexOf("<"))return e;if(!(n=Le(e)))return ue?null:""}n&&de&&ke(n.firstChild);for(var l=Ee(ge?e:n);o=l.nextNode();)3===o.nodeType&&o===i||_e(o)||(o.content instanceof E&&Re(o.content),Ce(o),i=o);if(ge)return e;if(ue){if(fe)for(a=W.call(n.ownerDocument);n.firstChild;)a.appendChild(n.firstChild);else a=n;return me&&(a=U.call(k,a,!0)),a}return se?n.outerHTML:n.innerHTML},S.setConfig=function(e){Se(e),ce=!0},S.clearConfig=function(){Ae=null,ce=!1},S.isValidAttribute=function(e,t,n){Ae||Se({});var r=e.toLowerCase(),o=t.toLowerCase();return De(r,o,n)},S.addHook=function(e,t){"function"==typeof t&&(B[e]=B[e]||[],B[e].push(t))},S.removeHook=function(e){B[e]&&B[e].pop()},S.removeHooks=function(e){B[e]&&(B[e]=[])},S.removeAllHooks=function(){B={}},S}var o=["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"],i=["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"],a=["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"],l=["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmuliscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mpspace","msqrt","mystyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"],s=["#text"],c=["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"],d=["accent-height","accumulate","additivive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"],u=["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"],f=["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"],m=/\{\{[\s\S]*|[\s\S]*\}\}/gm,p=/<%[\s\S]*|[\s\S]*%>/gm,h=/^data-[\-\w.\u00B7-\uFFFF]/,g=/^aria-[\-\w]+$/,y=/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i,v=/^(?:\w+script|data):/i,b=/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g,T="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},A=function(){return"undefined"==typeof window?null:window};return r()});
//# sourceMappingURL=purify.min.js.map

2

package.json

@@ -108,3 +108,3 @@ {

"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "1.0.5",
"version": "1.0.6",
"directories": {

@@ -111,0 +111,0 @@ "test": "test"

7

README.md

@@ -7,3 +7,3 @@ # DOMPurify [![Bower version](https://badge.fury.io/bo/dompurify.svg)](http://badge.fury.io/bo/dompurify) · [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js/dompurify) · [![Build Status](https://travis-ci.org/cure53/DOMPurify.svg)](https://travis-ci.org/cure53/DOMPurify) · [![Downloads](https://img.shields.io/npm/dm/dompurify.svg)](https://www.npmjs.com/package/dompurify)

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.5.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.6.

@@ -186,2 +186,7 @@ DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.

var clean = DOMPurify.sanitize(dirty, {FORCE_BODY: true});
// use the IN_PLACE mode to sanitize a node "in place", which is much faster depending on how you use DOMpurify
var dirty = document.createElement('a');
dirty.setAttribute('href', 'javascript:alert(1)');
var clean = DOMPurify.sanitize(dirty, {IN_PLACE: true}); // see https://github.com/cure53/DOMPurify/issues/288 for more info
```

@@ -188,0 +193,0 @@ There is even [more examples here](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this), showing how you can run, customize and configure DOMPurify to fit your needs.

dist/purify.cjs.js.map

Sorry, the diff of this file is not supported yet

dist/purify.es.js.map

Sorry, the diff of this file is not supported yet

dist/purify.js.map

Sorry, the diff of this file is not supported yet

dist/purify.min.js.map

Sorry, the diff of this file is not supported yet

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap

About

Packages

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc