dompurify
Advanced tools
dompurify - npm Package Compare versions
Comparing version 2.0.7 to 2.0.8
| 'use strict'; | ||
| var freeze$1 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| function _toConsumableArray$1(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } } | ||
| var html = freeze$1(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| var isFrozen = Object.isFrozen; | ||
| var objectKeys = Object.keys; | ||
| var freeze = Object.freeze; | ||
| var seal = Object.seal; // eslint-disable-line import/no-mutable-exports | ||
| // SVG | ||
| var svg = freeze$1(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var construct = _ref.construct; | ||
| var svgFilters = freeze$1(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| var mathMl = freeze$1(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| if (!freeze) { | ||
| freeze = function freeze(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var text = freeze$1(['#text']); | ||
| if (!seal) { | ||
| seal = function seal(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var freeze$2 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| if (!construct) { | ||
| construct = function construct(Func, args) { | ||
| return new (Function.prototype.bind.apply(Func, [null].concat(_toConsumableArray$1(args))))(); | ||
| }; | ||
| } | ||
| var html$1 = freeze$2(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var arrayForEach = unapply(Array.prototype.forEach); | ||
| var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
| var arrayJoin = unapply(Array.prototype.join); | ||
| var arrayPop = unapply(Array.prototype.pop); | ||
| var arrayPush = unapply(Array.prototype.push); | ||
| var arraySlice = unapply(Array.prototype.slice); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var stringToLowerCase = unapply(String.prototype.toLowerCase); | ||
| var stringMatch = unapply(String.prototype.match); | ||
| var stringReplace = unapply(String.prototype.replace); | ||
| var stringIndexOf = unapply(String.prototype.indexOf); | ||
| var stringTrim = unapply(String.prototype.trim); | ||
| var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var regExpTest = unapply(RegExp.prototype.test); | ||
| var regExpCreate = unconstruct(RegExp); | ||
| var xml = freeze$2(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var typeErrorCreate = unconstruct(TypeError); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| function unapply(func) { | ||
| return function (thisArg) { | ||
| for (var _len = arguments.length, args = Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) { | ||
| args[_key - 1] = arguments[_key]; | ||
| } | ||
| var _ref$1 = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply$1 = _ref$1.apply; | ||
| return apply(func, thisArg, args); | ||
| }; | ||
| } | ||
| if (!apply$1) { | ||
| apply$1 = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| function unconstruct(func) { | ||
| return function () { | ||
| for (var _len2 = arguments.length, args = Array(_len2), _key2 = 0; _key2 < _len2; _key2++) { | ||
| args[_key2] = arguments[_key2]; | ||
| } | ||
| return construct(func, args); | ||
| }; | ||
@@ -55,6 +91,6 @@ } | ||
| if (typeof element === 'string') { | ||
| var lcElement = element.toLowerCase(); | ||
| var lcElement = stringToLowerCase(element); | ||
| if (lcElement !== element) { | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| if (!isFrozen(array)) { | ||
| array[l] = lcElement; | ||
@@ -79,3 +115,3 @@ } | ||
| for (property in object) { | ||
| if (apply$1(hasOwnProperty, object, [property])) { | ||
| if (apply(hasOwnProperty, object, [property])) { | ||
| newObject[property] = object[property]; | ||
@@ -88,6 +124,21 @@ } | ||
| var seal = Object.seal || function (x) { | ||
| return x; | ||
| }; | ||
| var html = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| // SVG | ||
| var svg = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| var mathMl = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| var text = freeze(['#text']); | ||
| var html$1 = freeze(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var svg$1 = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var mathMl$1 = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var MUSTACHE_EXPR = seal(/\{\{[\s\S]*|[\s\S]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode | ||
@@ -107,8 +158,2 @@ var ERB_EXPR = seal(/<%[\s\S]*|[\s\S]*%>/gm); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var arraySlice = Array.prototype.slice; | ||
| var freeze = Object.freeze; | ||
| var getGlobal = function getGlobal() { | ||
@@ -118,8 +163,2 @@ return typeof window === 'undefined' ? null : window; | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| /** | ||
@@ -175,3 +214,3 @@ * Creates a no-op policy for internal use only. | ||
| */ | ||
| DOMPurify.version = '2.0.7'; | ||
| DOMPurify.version = '2.0.8'; | ||
@@ -206,3 +245,3 @@ /** | ||
| DOMParser = window.DOMParser, | ||
| TrustedTypes = window.TrustedTypes; | ||
| trustedTypes = window.trustedTypes; | ||
@@ -223,3 +262,3 @@ // As per issue #47, the web-components registry is inherited by a | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(TrustedTypes, originalDocument); | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, originalDocument); | ||
| var emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : ''; | ||
@@ -385,5 +424,3 @@ | ||
| IN_PLACE = cfg.IN_PLACE || false; // Default false | ||
| IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
@@ -477,3 +514,3 @@ ALLOW_DATA_ATTR = false; | ||
| var _forceRemove = function _forceRemove(node) { | ||
| DOMPurify.removed.push({ element: node }); | ||
| arrayPush(DOMPurify.removed, { element: node }); | ||
| try { | ||
@@ -494,3 +531,3 @@ node.parentNode.removeChild(node); | ||
| try { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: node.getAttributeNode(name), | ||
@@ -500,3 +537,3 @@ from: node | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: null, | ||
@@ -525,13 +562,11 @@ from: node | ||
| /* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */ | ||
| var matches = dirty.match(/^[\s]+/); | ||
| var matches = stringMatch(dirty, /^[\s]+/); | ||
| leadingWhitespace = matches && matches[0]; | ||
| if (leadingWhitespace) { | ||
| dirty = dirty.slice(leadingWhitespace.length); | ||
| } | ||
| } | ||
| var dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
| if (useDOMParser) { | ||
| try { | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| doc = new DOMParser().parseFromString(dirtyPayload, 'text/html'); | ||
| } catch (error) {} | ||
@@ -553,3 +588,3 @@ } | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
| body.outerHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| body.outerHTML = dirtyPayload; | ||
| } | ||
@@ -587,3 +622,3 @@ | ||
| var doc = _initDocument('<x/><title></title><img>'); | ||
| if (/<\/title/.test(doc.querySelector('title').innerHTML)) { | ||
| if (regExpTest(/<\/title/, doc.querySelector('title').innerHTML)) { | ||
| removeTitle = true; | ||
@@ -648,3 +683,3 @@ } | ||
| hooks[entryPoint].forEach(function (hook) { | ||
| arrayForEach(hooks[entryPoint], function (hook) { | ||
| hook.call(DOMPurify, currentNode, data, CONFIG); | ||
@@ -678,3 +713,3 @@ }); | ||
| /* Now let's check the element's type and name */ | ||
| var tagName = currentNode.nodeName.toLowerCase(); | ||
| var tagName = stringToLowerCase(currentNode.nodeName); | ||
@@ -708,3 +743,3 @@ /* Execute a hook if present */ | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && /<\/noscript/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -714,3 +749,3 @@ return true; | ||
| if (tagName === 'noembed' && /<\/noembed/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -721,8 +756,8 @@ return true; | ||
| /* Convert markup to cover jQuery behavior */ | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && regExpTest(/</g, currentNode.textContent)) { | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
| } | ||
@@ -735,6 +770,6 @@ } | ||
| content = currentNode.textContent; | ||
| content = content.replace(MUSTACHE_EXPR$$1, ' '); | ||
| content = content.replace(ERB_EXPR$$1, ' '); | ||
| content = stringReplace(content, MUSTACHE_EXPR$$1, ' '); | ||
| content = stringReplace(content, ERB_EXPR$$1, ' '); | ||
| if (currentNode.textContent !== content) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| currentNode.textContent = content; | ||
@@ -769,5 +804,5 @@ } | ||
| We don't need to check the value; it's always URI safe. */ | ||
| if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) { | ||
| if (ALLOW_DATA_ATTR && regExpTest(DATA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
| } else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) { | ||
| } else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
@@ -783,7 +818,7 @@ /* Otherwise, check the name is permitted */ | ||
| unless we know URI values are safe for that attribute */ | ||
| } else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (regExpTest(IS_ALLOWED_URI$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
| /* Keep image data URIs alive if src/xlink:href is allowed */ | ||
| /* Further prevent gadget XSS for dynamically built script tags */ | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| // This attribute is safe | ||
@@ -793,3 +828,3 @@ /* Allow unknown protocols: This provides support for links that | ||
| time, e.g. fb:, spotify: */ | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
@@ -851,4 +886,4 @@ /* Check for binary attributes */ | ||
| value = attr.value.trim(); | ||
| lcName = name.toLowerCase(); | ||
| value = stringTrim(attr.value); | ||
| lcName = stringToLowerCase(name); | ||
@@ -859,4 +894,9 @@ /* Execute a hook if present */ | ||
| hookEvent.keepAttr = true; | ||
| hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set | ||
| _executeHook('uponSanitizeAttribute', currentNode, hookEvent); | ||
| value = hookEvent.attrValue; | ||
| /* Did the hooks approve of the attribute? */ | ||
| if (hookEvent.forceKeepAttr) { | ||
| continue; | ||
| } | ||
@@ -869,6 +909,6 @@ /* Remove attribute */ | ||
| idAttr = attributes.id; | ||
| attributes = apply(arraySlice, attributes, []); | ||
| attributes = arraySlice(attributes, []); | ||
| _removeAttribute('id', currentNode); | ||
| _removeAttribute(name, currentNode); | ||
| if (attributes.indexOf(idAttr) > l) { | ||
| if (arrayIndexOf(attributes, idAttr) > l) { | ||
| currentNode.setAttribute('id', idAttr.value); | ||
@@ -897,4 +937,10 @@ } | ||
| /* Work around a security issue in jQuery 3.0 */ | ||
| if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
| _removeAttribute(name, currentNode); | ||
| continue; | ||
| } | ||
| /* Take care of an mXSS pattern using namespace switches */ | ||
| if (/svg|math/i.test(currentNode.namespaceURI) && new RegExp('</(' + Object.keys(FORBID_CONTENTS).join('|') + ')', 'i').test(value)) { | ||
| if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
| _removeAttribute(name, currentNode); | ||
@@ -906,4 +952,4 @@ continue; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| value = stringReplace(value, MUSTACHE_EXPR$$1, ' '); | ||
| value = stringReplace(value, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -926,3 +972,3 @@ | ||
| DOMPurify.removed.pop(); | ||
| arrayPop(DOMPurify.removed); | ||
| } catch (error) {} | ||
@@ -994,7 +1040,7 @@ } | ||
| if (typeof dirty.toString !== 'function') { | ||
| throw new TypeError('toString is not a function'); | ||
| throw typeErrorCreate('toString is not a function'); | ||
| } else { | ||
| dirty = dirty.toString(); | ||
| if (typeof dirty !== 'string') { | ||
| throw new TypeError('dirty is not a string, aborting'); | ||
| throw typeErrorCreate('dirty is not a string, aborting'); | ||
| } | ||
@@ -1027,2 +1073,7 @@ } | ||
| /* Check if dirty is correctly typed for IN_PLACE */ | ||
| if (typeof dirty === 'string') { | ||
| IN_PLACE = false; | ||
| } | ||
| if (IN_PLACE) { | ||
@@ -1126,4 +1177,4 @@ /* No special handling necessary for in-place sanitization */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -1171,4 +1222,4 @@ | ||
| var lcTag = tag.toLowerCase(); | ||
| var lcName = attr.toLowerCase(); | ||
| var lcTag = stringToLowerCase(tag); | ||
| var lcName = stringToLowerCase(attr); | ||
| return _isValidAttribute(lcTag, lcName, value); | ||
@@ -1190,3 +1241,3 @@ }; | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
| hooks[entryPoint].push(hookFunction); | ||
| arrayPush(hooks[entryPoint], hookFunction); | ||
| }; | ||
@@ -1203,3 +1254,3 @@ | ||
| if (hooks[entryPoint]) { | ||
| hooks[entryPoint].pop(); | ||
| arrayPop(hooks[entryPoint]); | ||
| } | ||
@@ -1206,0 +1257,0 @@ }; |
@@ -1,37 +0,73 @@ | ||
| var freeze$1 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| function _toConsumableArray$1(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } } | ||
| var html = freeze$1(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| var isFrozen = Object.isFrozen; | ||
| var objectKeys = Object.keys; | ||
| var freeze = Object.freeze; | ||
| var seal = Object.seal; // eslint-disable-line import/no-mutable-exports | ||
| // SVG | ||
| var svg = freeze$1(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var construct = _ref.construct; | ||
| var svgFilters = freeze$1(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| var mathMl = freeze$1(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| if (!freeze) { | ||
| freeze = function freeze(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var text = freeze$1(['#text']); | ||
| if (!seal) { | ||
| seal = function seal(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var freeze$2 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| if (!construct) { | ||
| construct = function construct(Func, args) { | ||
| return new (Function.prototype.bind.apply(Func, [null].concat(_toConsumableArray$1(args))))(); | ||
| }; | ||
| } | ||
| var html$1 = freeze$2(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var arrayForEach = unapply(Array.prototype.forEach); | ||
| var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
| var arrayJoin = unapply(Array.prototype.join); | ||
| var arrayPop = unapply(Array.prototype.pop); | ||
| var arrayPush = unapply(Array.prototype.push); | ||
| var arraySlice = unapply(Array.prototype.slice); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var stringToLowerCase = unapply(String.prototype.toLowerCase); | ||
| var stringMatch = unapply(String.prototype.match); | ||
| var stringReplace = unapply(String.prototype.replace); | ||
| var stringIndexOf = unapply(String.prototype.indexOf); | ||
| var stringTrim = unapply(String.prototype.trim); | ||
| var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var regExpTest = unapply(RegExp.prototype.test); | ||
| var regExpCreate = unconstruct(RegExp); | ||
| var xml = freeze$2(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var typeErrorCreate = unconstruct(TypeError); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| function unapply(func) { | ||
| return function (thisArg) { | ||
| for (var _len = arguments.length, args = Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) { | ||
| args[_key - 1] = arguments[_key]; | ||
| } | ||
| var _ref$1 = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply$1 = _ref$1.apply; | ||
| return apply(func, thisArg, args); | ||
| }; | ||
| } | ||
| if (!apply$1) { | ||
| apply$1 = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| function unconstruct(func) { | ||
| return function () { | ||
| for (var _len2 = arguments.length, args = Array(_len2), _key2 = 0; _key2 < _len2; _key2++) { | ||
| args[_key2] = arguments[_key2]; | ||
| } | ||
| return construct(func, args); | ||
| }; | ||
@@ -53,6 +89,6 @@ } | ||
| if (typeof element === 'string') { | ||
| var lcElement = element.toLowerCase(); | ||
| var lcElement = stringToLowerCase(element); | ||
| if (lcElement !== element) { | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| if (!isFrozen(array)) { | ||
| array[l] = lcElement; | ||
@@ -77,3 +113,3 @@ } | ||
| for (property in object) { | ||
| if (apply$1(hasOwnProperty, object, [property])) { | ||
| if (apply(hasOwnProperty, object, [property])) { | ||
| newObject[property] = object[property]; | ||
@@ -86,6 +122,21 @@ } | ||
| var seal = Object.seal || function (x) { | ||
| return x; | ||
| }; | ||
| var html = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| // SVG | ||
| var svg = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| var mathMl = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| var text = freeze(['#text']); | ||
| var html$1 = freeze(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var svg$1 = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var mathMl$1 = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var MUSTACHE_EXPR = seal(/\{\{[\s\S]*|[\s\S]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode | ||
@@ -105,8 +156,2 @@ var ERB_EXPR = seal(/<%[\s\S]*|[\s\S]*%>/gm); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var arraySlice = Array.prototype.slice; | ||
| var freeze = Object.freeze; | ||
| var getGlobal = function getGlobal() { | ||
@@ -116,8 +161,2 @@ return typeof window === 'undefined' ? null : window; | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| /** | ||
@@ -173,3 +212,3 @@ * Creates a no-op policy for internal use only. | ||
| */ | ||
| DOMPurify.version = '2.0.7'; | ||
| DOMPurify.version = '2.0.8'; | ||
@@ -204,3 +243,3 @@ /** | ||
| DOMParser = window.DOMParser, | ||
| TrustedTypes = window.TrustedTypes; | ||
| trustedTypes = window.trustedTypes; | ||
@@ -221,3 +260,3 @@ // As per issue #47, the web-components registry is inherited by a | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(TrustedTypes, originalDocument); | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, originalDocument); | ||
| var emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : ''; | ||
@@ -383,5 +422,3 @@ | ||
| IN_PLACE = cfg.IN_PLACE || false; // Default false | ||
| IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
@@ -475,3 +512,3 @@ ALLOW_DATA_ATTR = false; | ||
| var _forceRemove = function _forceRemove(node) { | ||
| DOMPurify.removed.push({ element: node }); | ||
| arrayPush(DOMPurify.removed, { element: node }); | ||
| try { | ||
@@ -492,3 +529,3 @@ node.parentNode.removeChild(node); | ||
| try { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: node.getAttributeNode(name), | ||
@@ -498,3 +535,3 @@ from: node | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: null, | ||
@@ -523,13 +560,11 @@ from: node | ||
| /* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */ | ||
| var matches = dirty.match(/^[\s]+/); | ||
| var matches = stringMatch(dirty, /^[\s]+/); | ||
| leadingWhitespace = matches && matches[0]; | ||
| if (leadingWhitespace) { | ||
| dirty = dirty.slice(leadingWhitespace.length); | ||
| } | ||
| } | ||
| var dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
| if (useDOMParser) { | ||
| try { | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| doc = new DOMParser().parseFromString(dirtyPayload, 'text/html'); | ||
| } catch (error) {} | ||
@@ -551,3 +586,3 @@ } | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
| body.outerHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| body.outerHTML = dirtyPayload; | ||
| } | ||
@@ -585,3 +620,3 @@ | ||
| var doc = _initDocument('<x/><title></title><img>'); | ||
| if (/<\/title/.test(doc.querySelector('title').innerHTML)) { | ||
| if (regExpTest(/<\/title/, doc.querySelector('title').innerHTML)) { | ||
| removeTitle = true; | ||
@@ -646,3 +681,3 @@ } | ||
| hooks[entryPoint].forEach(function (hook) { | ||
| arrayForEach(hooks[entryPoint], function (hook) { | ||
| hook.call(DOMPurify, currentNode, data, CONFIG); | ||
@@ -676,3 +711,3 @@ }); | ||
| /* Now let's check the element's type and name */ | ||
| var tagName = currentNode.nodeName.toLowerCase(); | ||
| var tagName = stringToLowerCase(currentNode.nodeName); | ||
@@ -706,3 +741,3 @@ /* Execute a hook if present */ | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && /<\/noscript/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -712,3 +747,3 @@ return true; | ||
| if (tagName === 'noembed' && /<\/noembed/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -719,8 +754,8 @@ return true; | ||
| /* Convert markup to cover jQuery behavior */ | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && regExpTest(/</g, currentNode.textContent)) { | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
| } | ||
@@ -733,6 +768,6 @@ } | ||
| content = currentNode.textContent; | ||
| content = content.replace(MUSTACHE_EXPR$$1, ' '); | ||
| content = content.replace(ERB_EXPR$$1, ' '); | ||
| content = stringReplace(content, MUSTACHE_EXPR$$1, ' '); | ||
| content = stringReplace(content, ERB_EXPR$$1, ' '); | ||
| if (currentNode.textContent !== content) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| currentNode.textContent = content; | ||
@@ -767,5 +802,5 @@ } | ||
| We don't need to check the value; it's always URI safe. */ | ||
| if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) { | ||
| if (ALLOW_DATA_ATTR && regExpTest(DATA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
| } else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) { | ||
| } else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
@@ -781,7 +816,7 @@ /* Otherwise, check the name is permitted */ | ||
| unless we know URI values are safe for that attribute */ | ||
| } else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (regExpTest(IS_ALLOWED_URI$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
| /* Keep image data URIs alive if src/xlink:href is allowed */ | ||
| /* Further prevent gadget XSS for dynamically built script tags */ | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| // This attribute is safe | ||
@@ -791,3 +826,3 @@ /* Allow unknown protocols: This provides support for links that | ||
| time, e.g. fb:, spotify: */ | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
@@ -849,4 +884,4 @@ /* Check for binary attributes */ | ||
| value = attr.value.trim(); | ||
| lcName = name.toLowerCase(); | ||
| value = stringTrim(attr.value); | ||
| lcName = stringToLowerCase(name); | ||
@@ -857,4 +892,9 @@ /* Execute a hook if present */ | ||
| hookEvent.keepAttr = true; | ||
| hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set | ||
| _executeHook('uponSanitizeAttribute', currentNode, hookEvent); | ||
| value = hookEvent.attrValue; | ||
| /* Did the hooks approve of the attribute? */ | ||
| if (hookEvent.forceKeepAttr) { | ||
| continue; | ||
| } | ||
@@ -867,6 +907,6 @@ /* Remove attribute */ | ||
| idAttr = attributes.id; | ||
| attributes = apply(arraySlice, attributes, []); | ||
| attributes = arraySlice(attributes, []); | ||
| _removeAttribute('id', currentNode); | ||
| _removeAttribute(name, currentNode); | ||
| if (attributes.indexOf(idAttr) > l) { | ||
| if (arrayIndexOf(attributes, idAttr) > l) { | ||
| currentNode.setAttribute('id', idAttr.value); | ||
@@ -895,4 +935,10 @@ } | ||
| /* Work around a security issue in jQuery 3.0 */ | ||
| if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
| _removeAttribute(name, currentNode); | ||
| continue; | ||
| } | ||
| /* Take care of an mXSS pattern using namespace switches */ | ||
| if (/svg|math/i.test(currentNode.namespaceURI) && new RegExp('</(' + Object.keys(FORBID_CONTENTS).join('|') + ')', 'i').test(value)) { | ||
| if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
| _removeAttribute(name, currentNode); | ||
@@ -904,4 +950,4 @@ continue; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| value = stringReplace(value, MUSTACHE_EXPR$$1, ' '); | ||
| value = stringReplace(value, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -924,3 +970,3 @@ | ||
| DOMPurify.removed.pop(); | ||
| arrayPop(DOMPurify.removed); | ||
| } catch (error) {} | ||
@@ -992,7 +1038,7 @@ } | ||
| if (typeof dirty.toString !== 'function') { | ||
| throw new TypeError('toString is not a function'); | ||
| throw typeErrorCreate('toString is not a function'); | ||
| } else { | ||
| dirty = dirty.toString(); | ||
| if (typeof dirty !== 'string') { | ||
| throw new TypeError('dirty is not a string, aborting'); | ||
| throw typeErrorCreate('dirty is not a string, aborting'); | ||
| } | ||
@@ -1025,2 +1071,7 @@ } | ||
| /* Check if dirty is correctly typed for IN_PLACE */ | ||
| if (typeof dirty === 'string') { | ||
| IN_PLACE = false; | ||
| } | ||
| if (IN_PLACE) { | ||
@@ -1124,4 +1175,4 @@ /* No special handling necessary for in-place sanitization */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -1169,4 +1220,4 @@ | ||
| var lcTag = tag.toLowerCase(); | ||
| var lcName = attr.toLowerCase(); | ||
| var lcTag = stringToLowerCase(tag); | ||
| var lcName = stringToLowerCase(attr); | ||
| return _isValidAttribute(lcTag, lcName, value); | ||
@@ -1188,3 +1239,3 @@ }; | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
| hooks[entryPoint].push(hookFunction); | ||
| arrayPush(hooks[entryPoint], hookFunction); | ||
| }; | ||
@@ -1201,3 +1252,3 @@ | ||
| if (hooks[entryPoint]) { | ||
| hooks[entryPoint].pop(); | ||
| arrayPop(hooks[entryPoint]); | ||
| } | ||
@@ -1204,0 +1255,0 @@ }; |
@@ -7,38 +7,74 @@ (function (global, factory) { | ||
| var freeze$1 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| function _toConsumableArray$1(arr) { if (Array.isArray(arr)) { for (var i = 0, arr2 = Array(arr.length); i < arr.length; i++) { arr2[i] = arr[i]; } return arr2; } else { return Array.from(arr); } } | ||
| var html = freeze$1(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| var isFrozen = Object.isFrozen; | ||
| var objectKeys = Object.keys; | ||
| var freeze = Object.freeze; | ||
| var seal = Object.seal; // eslint-disable-line import/no-mutable-exports | ||
| // SVG | ||
| var svg = freeze$1(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var construct = _ref.construct; | ||
| var svgFilters = freeze$1(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| var mathMl = freeze$1(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| if (!freeze) { | ||
| freeze = function freeze(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var text = freeze$1(['#text']); | ||
| if (!seal) { | ||
| seal = function seal(x) { | ||
| return x; | ||
| }; | ||
| } | ||
| var freeze$2 = Object.freeze || function (x) { | ||
| return x; | ||
| }; | ||
| if (!construct) { | ||
| construct = function construct(Func, args) { | ||
| return new (Function.prototype.bind.apply(Func, [null].concat(_toConsumableArray$1(args))))(); | ||
| }; | ||
| } | ||
| var html$1 = freeze$2(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var arrayForEach = unapply(Array.prototype.forEach); | ||
| var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
| var arrayJoin = unapply(Array.prototype.join); | ||
| var arrayPop = unapply(Array.prototype.pop); | ||
| var arrayPush = unapply(Array.prototype.push); | ||
| var arraySlice = unapply(Array.prototype.slice); | ||
| var svg$1 = freeze$2(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var stringToLowerCase = unapply(String.prototype.toLowerCase); | ||
| var stringMatch = unapply(String.prototype.match); | ||
| var stringReplace = unapply(String.prototype.replace); | ||
| var stringIndexOf = unapply(String.prototype.indexOf); | ||
| var stringTrim = unapply(String.prototype.trim); | ||
| var mathMl$1 = freeze$2(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var regExpTest = unapply(RegExp.prototype.test); | ||
| var regExpCreate = unconstruct(RegExp); | ||
| var xml = freeze$2(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var typeErrorCreate = unconstruct(TypeError); | ||
| var hasOwnProperty = Object.hasOwnProperty; | ||
| var setPrototypeOf = Object.setPrototypeOf; | ||
| function unapply(func) { | ||
| return function (thisArg) { | ||
| for (var _len = arguments.length, args = Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) { | ||
| args[_key - 1] = arguments[_key]; | ||
| } | ||
| var _ref$1 = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply$1 = _ref$1.apply; | ||
| return apply(func, thisArg, args); | ||
| }; | ||
| } | ||
| if (!apply$1) { | ||
| apply$1 = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| function unconstruct(func) { | ||
| return function () { | ||
| for (var _len2 = arguments.length, args = Array(_len2), _key2 = 0; _key2 < _len2; _key2++) { | ||
| args[_key2] = arguments[_key2]; | ||
| } | ||
| return construct(func, args); | ||
| }; | ||
@@ -60,6 +96,6 @@ } | ||
| if (typeof element === 'string') { | ||
| var lcElement = element.toLowerCase(); | ||
| var lcElement = stringToLowerCase(element); | ||
| if (lcElement !== element) { | ||
| // Config presets (e.g. tags.js, attrs.js) are immutable. | ||
| if (!Object.isFrozen(array)) { | ||
| if (!isFrozen(array)) { | ||
| array[l] = lcElement; | ||
@@ -84,3 +120,3 @@ } | ||
| for (property in object) { | ||
| if (apply$1(hasOwnProperty, object, [property])) { | ||
| if (apply(hasOwnProperty, object, [property])) { | ||
| newObject[property] = object[property]; | ||
@@ -93,6 +129,21 @@ } | ||
| var seal = Object.seal || function (x) { | ||
| return x; | ||
| }; | ||
| var html = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']); | ||
| // SVG | ||
| var svg = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'audio', 'canvas', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'video', 'view', 'vkern']); | ||
| var svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']); | ||
| var mathMl = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover']); | ||
| var text = freeze(['#text']); | ||
| var html$1 = freeze(['accept', 'action', 'align', 'alt', 'autocomplete', 'background', 'bgcolor', 'border', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'coords', 'crossorigin', 'datetime', 'default', 'dir', 'disabled', 'download', 'enctype', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'integrity', 'ismap', 'label', 'lang', 'list', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'name', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns']); | ||
| var svg$1 = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'tabindex', 'targetx', 'targety', 'transform', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']); | ||
| var mathMl$1 = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']); | ||
| var xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']); | ||
| var MUSTACHE_EXPR = seal(/\{\{[\s\S]*|[\s\S]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode | ||
@@ -112,8 +163,2 @@ var ERB_EXPR = seal(/<%[\s\S]*|[\s\S]*%>/gm); | ||
| var _ref = typeof Reflect !== 'undefined' && Reflect; | ||
| var apply = _ref.apply; | ||
| var arraySlice = Array.prototype.slice; | ||
| var freeze = Object.freeze; | ||
| var getGlobal = function getGlobal() { | ||
@@ -123,8 +168,2 @@ return typeof window === 'undefined' ? null : window; | ||
| if (!apply) { | ||
| apply = function apply(fun, thisValue, args) { | ||
| return fun.apply(thisValue, args); | ||
| }; | ||
| } | ||
| /** | ||
@@ -180,3 +219,3 @@ * Creates a no-op policy for internal use only. | ||
| */ | ||
| DOMPurify.version = '2.0.7'; | ||
| DOMPurify.version = '2.0.8'; | ||
@@ -211,3 +250,3 @@ /** | ||
| DOMParser = window.DOMParser, | ||
| TrustedTypes = window.TrustedTypes; | ||
| trustedTypes = window.trustedTypes; | ||
@@ -228,3 +267,3 @@ // As per issue #47, the web-components registry is inherited by a | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(TrustedTypes, originalDocument); | ||
| var trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, originalDocument); | ||
| var emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : ''; | ||
@@ -390,5 +429,3 @@ | ||
| IN_PLACE = cfg.IN_PLACE || false; // Default false | ||
| IS_ALLOWED_URI$$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI$$1; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
@@ -482,3 +519,3 @@ ALLOW_DATA_ATTR = false; | ||
| var _forceRemove = function _forceRemove(node) { | ||
| DOMPurify.removed.push({ element: node }); | ||
| arrayPush(DOMPurify.removed, { element: node }); | ||
| try { | ||
@@ -499,3 +536,3 @@ node.parentNode.removeChild(node); | ||
| try { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: node.getAttributeNode(name), | ||
@@ -505,3 +542,3 @@ from: node | ||
| } catch (error) { | ||
| DOMPurify.removed.push({ | ||
| arrayPush(DOMPurify.removed, { | ||
| attribute: null, | ||
@@ -530,13 +567,11 @@ from: node | ||
| /* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */ | ||
| var matches = dirty.match(/^[\s]+/); | ||
| var matches = stringMatch(dirty, /^[\s]+/); | ||
| leadingWhitespace = matches && matches[0]; | ||
| if (leadingWhitespace) { | ||
| dirty = dirty.slice(leadingWhitespace.length); | ||
| } | ||
| } | ||
| var dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| /* Use DOMParser to workaround Firefox bug (see comment below) */ | ||
| if (useDOMParser) { | ||
| try { | ||
| doc = new DOMParser().parseFromString(dirty, 'text/html'); | ||
| doc = new DOMParser().parseFromString(dirtyPayload, 'text/html'); | ||
| } catch (error) {} | ||
@@ -558,3 +593,3 @@ } | ||
| body.parentNode.removeChild(body.parentNode.firstElementChild); | ||
| body.outerHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty; | ||
| body.outerHTML = dirtyPayload; | ||
| } | ||
@@ -592,3 +627,3 @@ | ||
| var doc = _initDocument('<x/><title></title><img>'); | ||
| if (/<\/title/.test(doc.querySelector('title').innerHTML)) { | ||
| if (regExpTest(/<\/title/, doc.querySelector('title').innerHTML)) { | ||
| removeTitle = true; | ||
@@ -653,3 +688,3 @@ } | ||
| hooks[entryPoint].forEach(function (hook) { | ||
| arrayForEach(hooks[entryPoint], function (hook) { | ||
| hook.call(DOMPurify, currentNode, data, CONFIG); | ||
@@ -683,3 +718,3 @@ }); | ||
| /* Now let's check the element's type and name */ | ||
| var tagName = currentNode.nodeName.toLowerCase(); | ||
| var tagName = stringToLowerCase(currentNode.nodeName); | ||
@@ -713,3 +748,3 @@ /* Execute a hook if present */ | ||
| /* Remove in case a noscript/noembed XSS is suspected */ | ||
| if (tagName === 'noscript' && /<\/noscript/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -719,3 +754,3 @@ return true; | ||
| if (tagName === 'noembed' && /<\/noembed/i.test(currentNode.innerHTML)) { | ||
| if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
| _forceRemove(currentNode); | ||
@@ -726,8 +761,8 @@ return true; | ||
| /* Convert markup to cover jQuery behavior */ | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && /</g.test(currentNode.textContent)) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| if (SAFE_FOR_JQUERY && !currentNode.firstElementChild && (!currentNode.content || !currentNode.content.firstElementChild) && regExpTest(/</g, currentNode.textContent)) { | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| if (currentNode.innerHTML) { | ||
| currentNode.innerHTML = currentNode.innerHTML.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
| } else { | ||
| currentNode.innerHTML = currentNode.textContent.replace(/</g, '<'); | ||
| currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
| } | ||
@@ -740,6 +775,6 @@ } | ||
| content = currentNode.textContent; | ||
| content = content.replace(MUSTACHE_EXPR$$1, ' '); | ||
| content = content.replace(ERB_EXPR$$1, ' '); | ||
| content = stringReplace(content, MUSTACHE_EXPR$$1, ' '); | ||
| content = stringReplace(content, ERB_EXPR$$1, ' '); | ||
| if (currentNode.textContent !== content) { | ||
| DOMPurify.removed.push({ element: currentNode.cloneNode() }); | ||
| arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
| currentNode.textContent = content; | ||
@@ -774,5 +809,5 @@ } | ||
| We don't need to check the value; it's always URI safe. */ | ||
| if (ALLOW_DATA_ATTR && DATA_ATTR$$1.test(lcName)) { | ||
| if (ALLOW_DATA_ATTR && regExpTest(DATA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
| } else if (ALLOW_ARIA_ATTR && ARIA_ATTR$$1.test(lcName)) { | ||
| } else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR$$1, lcName)) { | ||
| // This attribute is safe | ||
@@ -788,7 +823,7 @@ /* Otherwise, check the name is permitted */ | ||
| unless we know URI values are safe for that attribute */ | ||
| } else if (IS_ALLOWED_URI$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (regExpTest(IS_ALLOWED_URI$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
| /* Keep image data URIs alive if src/xlink:href is allowed */ | ||
| /* Further prevent gadget XSS for dynamically built script tags */ | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && value.indexOf('data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| } else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) { | ||
| // This attribute is safe | ||
@@ -798,3 +833,3 @@ /* Allow unknown protocols: This provides support for links that | ||
| time, e.g. fb:, spotify: */ | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !IS_SCRIPT_OR_DATA$$1.test(value.replace(ATTR_WHITESPACE$$1, ''))) { | ||
| } else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA$$1, stringReplace(value, ATTR_WHITESPACE$$1, ''))) { | ||
| // This attribute is safe | ||
@@ -856,4 +891,4 @@ /* Check for binary attributes */ | ||
| value = attr.value.trim(); | ||
| lcName = name.toLowerCase(); | ||
| value = stringTrim(attr.value); | ||
| lcName = stringToLowerCase(name); | ||
@@ -864,4 +899,9 @@ /* Execute a hook if present */ | ||
| hookEvent.keepAttr = true; | ||
| hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set | ||
| _executeHook('uponSanitizeAttribute', currentNode, hookEvent); | ||
| value = hookEvent.attrValue; | ||
| /* Did the hooks approve of the attribute? */ | ||
| if (hookEvent.forceKeepAttr) { | ||
| continue; | ||
| } | ||
@@ -874,6 +914,6 @@ /* Remove attribute */ | ||
| idAttr = attributes.id; | ||
| attributes = apply(arraySlice, attributes, []); | ||
| attributes = arraySlice(attributes, []); | ||
| _removeAttribute('id', currentNode); | ||
| _removeAttribute(name, currentNode); | ||
| if (attributes.indexOf(idAttr) > l) { | ||
| if (arrayIndexOf(attributes, idAttr) > l) { | ||
| currentNode.setAttribute('id', idAttr.value); | ||
@@ -902,4 +942,10 @@ } | ||
| /* Work around a security issue in jQuery 3.0 */ | ||
| if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
| _removeAttribute(name, currentNode); | ||
| continue; | ||
| } | ||
| /* Take care of an mXSS pattern using namespace switches */ | ||
| if (/svg|math/i.test(currentNode.namespaceURI) && new RegExp('</(' + Object.keys(FORBID_CONTENTS).join('|') + ')', 'i').test(value)) { | ||
| if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
| _removeAttribute(name, currentNode); | ||
@@ -911,4 +957,4 @@ continue; | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| value = value.replace(MUSTACHE_EXPR$$1, ' '); | ||
| value = value.replace(ERB_EXPR$$1, ' '); | ||
| value = stringReplace(value, MUSTACHE_EXPR$$1, ' '); | ||
| value = stringReplace(value, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -931,3 +977,3 @@ | ||
| DOMPurify.removed.pop(); | ||
| arrayPop(DOMPurify.removed); | ||
| } catch (error) {} | ||
@@ -999,7 +1045,7 @@ } | ||
| if (typeof dirty.toString !== 'function') { | ||
| throw new TypeError('toString is not a function'); | ||
| throw typeErrorCreate('toString is not a function'); | ||
| } else { | ||
| dirty = dirty.toString(); | ||
| if (typeof dirty !== 'string') { | ||
| throw new TypeError('dirty is not a string, aborting'); | ||
| throw typeErrorCreate('dirty is not a string, aborting'); | ||
| } | ||
@@ -1032,2 +1078,7 @@ } | ||
| /* Check if dirty is correctly typed for IN_PLACE */ | ||
| if (typeof dirty === 'string') { | ||
| IN_PLACE = false; | ||
| } | ||
| if (IN_PLACE) { | ||
@@ -1131,4 +1182,4 @@ /* No special handling necessary for in-place sanitization */ | ||
| if (SAFE_FOR_TEMPLATES) { | ||
| serializedHTML = serializedHTML.replace(MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = serializedHTML.replace(ERB_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, MUSTACHE_EXPR$$1, ' '); | ||
| serializedHTML = stringReplace(serializedHTML, ERB_EXPR$$1, ' '); | ||
| } | ||
@@ -1176,4 +1227,4 @@ | ||
| var lcTag = tag.toLowerCase(); | ||
| var lcName = attr.toLowerCase(); | ||
| var lcTag = stringToLowerCase(tag); | ||
| var lcName = stringToLowerCase(attr); | ||
| return _isValidAttribute(lcTag, lcName, value); | ||
@@ -1195,3 +1246,3 @@ }; | ||
| hooks[entryPoint] = hooks[entryPoint] || []; | ||
| hooks[entryPoint].push(hookFunction); | ||
| arrayPush(hooks[entryPoint], hookFunction); | ||
| }; | ||
@@ -1208,3 +1259,3 @@ | ||
| if (hooks[entryPoint]) { | ||
| hooks[entryPoint].pop(); | ||
| arrayPop(hooks[entryPoint]); | ||
| } | ||
@@ -1211,0 +1262,0 @@ }; |
@@ -1,2 +0,2 @@ | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e,t){y&&y(e,null);for(var n=t.length;n--;){var r=t[n];if("string"==typeof r){var o=r.toLowerCase();o!==r&&(Object.isFrozen(t)||(t[n]=o),r=o)}e[r]=!0}return e}function t(e){var t={},n=void 0;for(n in e)g(h,e,[n])&&(t[n]=e[n]);return t}function n(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}function r(){var o=arguments.length>0&&void 0!==arguments[0]?arguments[0]:O(),u=function(e){return r(e)};if(u.version="2.0.7",u.removed=[],!o||!o.document||9!==o.document.nodeType)return u.isSupported=!1,u;var h=o.document,y=!1,g=!1,v=o.document,R=o.DocumentFragment,D=o.HTMLTemplateElement,C=o.Node,H=o.NodeFilter,F=o.NamedNodeMap,z=void 0===F?o.NamedNodeMap||o.MozNamedAttrMap:F,I=o.Text,j=o.Comment,U=o.DOMParser,P=o.TrustedTypes;if("function"==typeof D){var W=v.createElement("template");W.content&&W.content.ownerDocument&&(v=W.content.ownerDocument)}var B=N(P,h),q=B?B.createHTML(""):"",G=v,V=G.implementation,Y=G.createNodeIterator,K=G.getElementsByTagName,X=G.createDocumentFragment,$=h.importNode,J={};u.isSupported=V&&void 0!==V.createHTMLDocument&&9!==v.documentMode;var Q=b,Z=T,ee=A,te=x,ne=L,re=E,oe=S,ie=null,ae=e({},[].concat(n(i),n(a),n(l),n(s),n(c))),le=null,se=e({},[].concat(n(d),n(f),n(m),n(p))),ce=null,ue=null,de=!0,fe=!0,me=!1,pe=!1,he=!1,ye=!1,ge=!1,ve=!1,be=!1,Te=!1,Ae=!1,xe=!1,Se=!0,Le=!0,Ee=!1,Me={},ke=e({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","plaintext","script","style","svg","template","thead","title","video","xmp"]),we=e({},["audio","video","img","source","image"]),_e=null,Oe=e({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Ne=null,Re=v.createElement("form"),De=function(r){Ne&&Ne===r||(r&&"object"===(void 0===r?"undefined":M(r))||(r={}),ie="ALLOWED_TAGS"in r?e({},r.ALLOWED_TAGS):ae,le="ALLOWED_ATTR"in r?e({},r.ALLOWED_ATTR):se,_e="ADD_URI_SAFE_ATTR"in r?e(t(Oe),r.ADD_URI_SAFE_ATTR):Oe,ce="FORBID_TAGS"in r?e({},r.FORBID_TAGS):{},ue="FORBID_ATTR"in r?e({},r.FORBID_ATTR):{},Me="USE_PROFILES"in r&&r.USE_PROFILES,de=!1!==r.ALLOW_ARIA_ATTR,fe=!1!==r.ALLOW_DATA_ATTR,me=r.ALLOW_UNKNOWN_PROTOCOLS||!1,pe=r.SAFE_FOR_JQUERY||!1,he=r.SAFE_FOR_TEMPLATES||!1,ye=r.WHOLE_DOCUMENT||!1,be=r.RETURN_DOM||!1,Te=r.RETURN_DOM_FRAGMENT||!1,Ae=r.RETURN_DOM_IMPORT||!1,xe=r.RETURN_TRUSTED_TYPE||!1,ve=r.FORCE_BODY||!1,Se=!1!==r.SANITIZE_DOM,Le=!1!==r.KEEP_CONTENT,Ee=r.IN_PLACE||!1,oe=r.ALLOWED_URI_REGEXP||oe,he&&(fe=!1),Te&&(be=!0),Me&&(ie=e({},[].concat(n(c))),le=[],!0===Me.html&&(e(ie,i),e(le,d)),!0===Me.svg&&(e(ie,a),e(le,f),e(le,p)),!0===Me.svgFilters&&(e(ie,l),e(le,f),e(le,p)),!0===Me.mathMl&&(e(ie,s),e(le,m),e(le,p))),r.ADD_TAGS&&(ie===ae&&(ie=t(ie)),e(ie,r.ADD_TAGS)),r.ADD_ATTR&&(le===se&&(le=t(le)),e(le,r.ADD_ATTR)),r.ADD_URI_SAFE_ATTR&&e(_e,r.ADD_URI_SAFE_ATTR),Le&&(ie["#text"]=!0),ye&&e(ie,["html","head","body"]),ie.table&&(e(ie,["tbody"]),delete ce.tbody),_&&_(r),Ne=r)},Ce=function(e){u.removed.push({element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=q}},He=function(e,t){try{u.removed.push({attribute:t.getAttributeNode(e),from:t})}catch(e){u.removed.push({attribute:null,from:t})}t.removeAttribute(e)},Fe=function(t){var n=void 0,r=void 0;if(ve)t="<remove></remove>"+t;else{var o=t.match(/^[\s]+/);(r=o&&o[0])&&(t=t.slice(r.length))}if(y)try{n=(new U).parseFromString(t,"text/html")}catch(e){}if(g&&e(ce,["title"]),!n||!n.documentElement){var i=(n=V.createHTMLDocument("")).body;i.parentNode.removeChild(i.parentNode.firstElementChild),i.outerHTML=B?B.createHTML(t):t}return t&&r&&n.body.insertBefore(v.createTextNode(r),n.body.childNodes[0]||null),K.call(n,ye?"html":"body")[0]};u.isSupported&&(function(){try{Fe('<svg><p><textarea><img src="</textarea><img src=x abc=1//">').querySelector("svg img")&&(y=!0)}catch(e){}}(),function(){try{var e=Fe("<x/><title></title><img>");/<\/title/.test(e.querySelector("title").innerHTML)&&(g=!0)}catch(e){}}());var ze=function(e){return Y.call(e.ownerDocument||e,e,H.SHOW_ELEMENT|H.SHOW_COMMENT|H.SHOW_TEXT,function(){return H.FILTER_ACCEPT},!1)},Ie=function(e){return!(e instanceof I||e instanceof j)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof z&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute&&"string"==typeof e.namespaceURI)},je=function(e){return"object"===(void 0===C?"undefined":M(C))?e instanceof C:e&&"object"===(void 0===e?"undefined":M(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ue=function(e,t,n){J[e]&&J[e].forEach(function(e){e.call(u,t,n,Ne)})},Pe=function(e){var t=void 0;if(Ue("beforeSanitizeElements",e,null),Ie(e))return Ce(e),!0;var n=e.nodeName.toLowerCase();if(Ue("uponSanitizeElement",e,{tagName:n,allowedTags:ie}),("svg"===n||"math"===n)&&0!==e.querySelectorAll("p, br").length)return Ce(e),!0;if(!ie[n]||ce[n]){if(Le&&!ke[n]&&"function"==typeof e.insertAdjacentHTML)try{var r=e.innerHTML;e.insertAdjacentHTML("AfterEnd",B?B.createHTML(r):r)}catch(e){}return Ce(e),!0}return"noscript"===n&&/<\/noscript/i.test(e.innerHTML)?(Ce(e),!0):"noembed"===n&&/<\/noembed/i.test(e.innerHTML)?(Ce(e),!0):(!pe||e.firstElementChild||e.content&&e.content.firstElementChild||!/</g.test(e.textContent)||(u.removed.push({element:e.cloneNode()}),e.innerHTML?e.innerHTML=e.innerHTML.replace(/</g,"<"):e.innerHTML=e.textContent.replace(/</g,"<")),he&&3===e.nodeType&&(t=(t=(t=e.textContent).replace(Q," ")).replace(Z," "),e.textContent!==t&&(u.removed.push({element:e.cloneNode()}),e.textContent=t)),Ue("afterSanitizeElements",e,null),!1)},We=function(e,t,n){if(Se&&("id"===t||"name"===t)&&(n in v||n in Re))return!1;if(fe&&ee.test(t));else if(de&&te.test(t));else{if(!le[t]||ue[t])return!1;if(_e[t]);else if(oe.test(n.replace(re,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==n.indexOf("data:")||!we[e]){if(me&&!ne.test(n.replace(re,"")));else if(n)return!1}else;}return!0},Be=function(e){var t=void 0,n=void 0,r=void 0,o=void 0,i=void 0;Ue("beforeSanitizeAttributes",e,null);var a=e.attributes;if(a){var l={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:le};for(i=a.length;i--;){var s=t=a[i],c=s.name,d=s.namespaceURI;if(n=t.value.trim(),r=c.toLowerCase(),l.attrName=r,l.attrValue=n,l.keepAttr=!0,Ue("uponSanitizeAttribute",e,l),n=l.attrValue,"name"===r&&"IMG"===e.nodeName&&a.id)o=a.id,a=k(w,a,[]),He("id",e),He(c,e),a.indexOf(o)>i&&e.setAttribute("id",o.value);else{if("INPUT"===e.nodeName&&"type"===r&&"file"===n&&l.keepAttr&&(le[r]||!ue[r]))continue;"id"===c&&e.setAttribute(c,""),He(c,e)}if(l.keepAttr)if(/svg|math/i.test(e.namespaceURI)&&new RegExp("</("+Object.keys(ke).join("|")+")","i").test(n))He(c,e);else{he&&(n=(n=n.replace(Q," ")).replace(Z," "));var f=e.nodeName.toLowerCase();if(We(f,r,n))try{d?e.setAttributeNS(d,c,n):e.setAttribute(c,n),u.removed.pop()}catch(e){}}}Ue("afterSanitizeAttributes",e,null)}},qe=function e(t){var n=void 0,r=ze(t);for(Ue("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)Ue("uponSanitizeShadowNode",n,null),Pe(n)||(n.content instanceof R&&e(n.content),Be(n));Ue("afterSanitizeShadowDOM",t,null)};return u.sanitize=function(e,t){var n=void 0,r=void 0,i=void 0,a=void 0,l=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!je(e)){if("function"!=typeof e.toString)throw new TypeError("toString is not a function");if("string"!=typeof(e=e.toString()))throw new TypeError("dirty is not a string, aborting")}if(!u.isSupported){if("object"===M(o.toStaticHTML)||"function"==typeof o.toStaticHTML){if("string"==typeof e)return o.toStaticHTML(e);if(je(e))return o.toStaticHTML(e.outerHTML)}return e}if(ge||De(t),u.removed=[],Ee);else if(e instanceof C)1===(r=(n=Fe("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===r.nodeName?n=r:"HTML"===r.nodeName?n=r:n.appendChild(r);else{if(!be&&!he&&!ye&&xe&&-1===e.indexOf("<"))return B?B.createHTML(e):e;if(!(n=Fe(e)))return be?null:q}n&&ve&&Ce(n.firstChild);for(var s=ze(Ee?e:n);i=s.nextNode();)3===i.nodeType&&i===a||Pe(i)||(i.content instanceof R&&qe(i.content),Be(i),a=i);if(a=null,Ee)return e;if(be){if(Te)for(l=X.call(n.ownerDocument);n.firstChild;)l.appendChild(n.firstChild);else l=n;return Ae&&(l=$.call(h,l,!0)),l}var c=ye?n.outerHTML:n.innerHTML;return he&&(c=(c=c.replace(Q," ")).replace(Z," ")),B&&xe?B.createHTML(c):c},u.setConfig=function(e){De(e),ge=!0},u.clearConfig=function(){Ne=null,ge=!1},u.isValidAttribute=function(e,t,n){Ne||De({});var r=e.toLowerCase(),o=t.toLowerCase();return We(r,o,n)},u.addHook=function(e,t){"function"==typeof t&&(J[e]=J[e]||[],J[e].push(t))},u.removeHook=function(e){J[e]&&J[e].pop()},u.removeHooks=function(e){J[e]&&(J[e]=[])},u.removeAllHooks=function(){J={}},u}var o=Object.freeze||function(e){return e},i=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),a=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),l=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),s=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),c=o(["#text"]),u=Object.freeze||function(e){return e},d=u(["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","minlength","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"]),f=u(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),m=u(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),p=u(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),h=Object.hasOwnProperty,y=Object.setPrototypeOf,g=("undefined"!=typeof Reflect&&Reflect).apply;g||(g=function(e,t,n){return e.apply(t,n)});var v=Object.seal||function(e){return e},b=v(/\{\{[\s\S]*|[\s\S]*\}\}/gm),T=v(/<%[\s\S]*|[\s\S]*%>/gm),A=v(/^data-[\-\w.\u00B7-\uFFFF]/),x=v(/^aria-[\-\w]+$/),S=v(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),L=v(/^(?:\w+script|data):/i),E=v(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g),M="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},k=("undefined"!=typeof Reflect&&Reflect).apply,w=Array.prototype.slice,_=Object.freeze,O=function(){return"undefined"==typeof window?null:window};k||(k=function(e,t,n){return e.apply(t,n)});var N=function(e,t){if("object"!==(void 0===e?"undefined":M(e))||"function"!=typeof e.createPolicy)return null;var n=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(n=t.currentScript.getAttribute("data-tt-policy-suffix"));var r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}};return r()}); | ||
| !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):e.DOMPurify=t()}(this,function(){"use strict";function e(e){if(Array.isArray(e)){for(var t=0,r=Array(e.length);t<e.length;t++)r[t]=e[t];return r}return Array.from(e)}function t(e){return function(t){for(var r=arguments.length,n=Array(r>1?r-1:0),o=1;o<r;o++)n[o-1]=arguments[o];return m(e,t,n)}}function r(e){return function(){for(var t=arguments.length,r=Array(t),n=0;n<t;n++)r[n]=arguments[n];return y(e,r)}}function n(e,t){c&&c(e,null);for(var r=t.length;r--;){var n=t[r];if("string"==typeof n){var o=x(n);o!==n&&(s(t)||(t[r]=o),n=o)}e[n]=!0}return e}function o(e){var t={},r=void 0;for(r in e)m(l,e,[r])&&(t[r]=e[r]);return t}function i(e){if(Array.isArray(e)){for(var t=0,r=Array(e.length);t<e.length;t++)r[t]=e[t];return r}return Array.from(e)}function a(){var e=arguments.length>0&&void 0!==arguments[0]?arguments[0]:V(),t=function(e){return a(e)};if(t.version="2.0.8",t.removed=[],!e||!e.document||9!==e.document.nodeType)return t.isSupported=!1,t;var r=e.document,l=!1,c=!1,s=e.document,f=e.DocumentFragment,p=e.HTMLTemplateElement,m=e.Node,y=e.NodeFilter,X=e.NamedNodeMap,$=void 0===X?e.NamedNodeMap||e.MozNamedAttrMap:X,J=e.Text,Q=e.Comment,Z=e.DOMParser,ee=e.trustedTypes;if("function"==typeof p){var te=s.createElement("template");te.content&&te.content.ownerDocument&&(s=te.content.ownerDocument)}var re=Y(ee,r),ne=re?re.createHTML(""):"",oe=s,ie=oe.implementation,ae=oe.createNodeIterator,le=oe.getElementsByTagName,ce=oe.createDocumentFragment,se=r.importNode,ue={};t.isSupported=ie&&void 0!==ie.createHTMLDocument&&9!==s.documentMode;var de=j,fe=U,pe=P,me=W,ye=q,ge=G,he=B,ve=null,be=n({},[].concat(i(O),i(w),i(D),i(R),i(H))),Te=null,Ae=n({},[].concat(i(C),i(F),i(z),i(I))),xe=null,Se=null,Le=!0,Ee=!0,Me=!1,ke=!1,_e=!1,Ne=!1,Oe=!1,we=!1,De=!1,Re=!1,He=!1,Ce=!1,Fe=!0,ze=!0,Ie=!1,je={},Ue=n({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","plaintext","script","style","svg","template","thead","title","video","xmp"]),Pe=n({},["audio","video","img","source","image"]),We=null,Be=n({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),qe=null,Ge=s.createElement("form"),Ke=function(e){qe&&qe===e||(e&&"object"===(void 0===e?"undefined":K(e))||(e={}),ve="ALLOWED_TAGS"in e?n({},e.ALLOWED_TAGS):be,Te="ALLOWED_ATTR"in e?n({},e.ALLOWED_ATTR):Ae,We="ADD_URI_SAFE_ATTR"in e?n(o(Be),e.ADD_URI_SAFE_ATTR):Be,xe="FORBID_TAGS"in e?n({},e.FORBID_TAGS):{},Se="FORBID_ATTR"in e?n({},e.FORBID_ATTR):{},je="USE_PROFILES"in e&&e.USE_PROFILES,Le=!1!==e.ALLOW_ARIA_ATTR,Ee=!1!==e.ALLOW_DATA_ATTR,Me=e.ALLOW_UNKNOWN_PROTOCOLS||!1,ke=e.SAFE_FOR_JQUERY||!1,_e=e.SAFE_FOR_TEMPLATES||!1,Ne=e.WHOLE_DOCUMENT||!1,De=e.RETURN_DOM||!1,Re=e.RETURN_DOM_FRAGMENT||!1,He=e.RETURN_DOM_IMPORT||!1,Ce=e.RETURN_TRUSTED_TYPE||!1,we=e.FORCE_BODY||!1,Fe=!1!==e.SANITIZE_DOM,ze=!1!==e.KEEP_CONTENT,Ie=e.IN_PLACE||!1,he=e.ALLOWED_URI_REGEXP||he,_e&&(Ee=!1),Re&&(De=!0),je&&(ve=n({},[].concat(i(H))),Te=[],!0===je.html&&(n(ve,O),n(Te,C)),!0===je.svg&&(n(ve,w),n(Te,F),n(Te,I)),!0===je.svgFilters&&(n(ve,D),n(Te,F),n(Te,I)),!0===je.mathMl&&(n(ve,R),n(Te,z),n(Te,I))),e.ADD_TAGS&&(ve===be&&(ve=o(ve)),n(ve,e.ADD_TAGS)),e.ADD_ATTR&&(Te===Ae&&(Te=o(Te)),n(Te,e.ADD_ATTR)),e.ADD_URI_SAFE_ATTR&&n(We,e.ADD_URI_SAFE_ATTR),ze&&(ve["#text"]=!0),Ne&&n(ve,["html","head","body"]),ve.table&&(n(ve,["tbody"]),delete xe.tbody),d&&d(e),qe=e)},Ve=function(e){T(t.removed,{element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=ne}},Ye=function(e,r){try{T(t.removed,{attribute:r.getAttributeNode(e),from:r})}catch(e){T(t.removed,{attribute:null,from:r})}r.removeAttribute(e)},Xe=function(e){var t=void 0,r=void 0;if(we)e="<remove></remove>"+e;else{var o=S(e,/^[\s]+/);r=o&&o[0]}var i=re?re.createHTML(e):e;if(l)try{t=(new Z).parseFromString(i,"text/html")}catch(e){}if(c&&n(xe,["title"]),!t||!t.documentElement){var a=(t=ie.createHTMLDocument("")).body;a.parentNode.removeChild(a.parentNode.firstElementChild),a.outerHTML=i}return e&&r&&t.body.insertBefore(s.createTextNode(r),t.body.childNodes[0]||null),le.call(t,Ne?"html":"body")[0]};t.isSupported&&(function(){try{Xe('<svg><p><textarea><img src="</textarea><img src=x abc=1//">').querySelector("svg img")&&(l=!0)}catch(e){}}(),function(){try{var e=Xe("<x/><title></title><img>");k(/<\/title/,e.querySelector("title").innerHTML)&&(c=!0)}catch(e){}}());var $e=function(e){return ae.call(e.ownerDocument||e,e,y.SHOW_ELEMENT|y.SHOW_COMMENT|y.SHOW_TEXT,function(){return y.FILTER_ACCEPT},!1)},Je=function(e){return!(e instanceof J||e instanceof Q)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof $&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute&&"string"==typeof e.namespaceURI)},Qe=function(e){return"object"===(void 0===m?"undefined":K(m))?e instanceof m:e&&"object"===(void 0===e?"undefined":K(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},Ze=function(e,r,n){ue[e]&&g(ue[e],function(e){e.call(t,r,n,qe)})},et=function(e){var r=void 0;if(Ze("beforeSanitizeElements",e,null),Je(e))return Ve(e),!0;var n=x(e.nodeName);if(Ze("uponSanitizeElement",e,{tagName:n,allowedTags:ve}),("svg"===n||"math"===n)&&0!==e.querySelectorAll("p, br").length)return Ve(e),!0;if(!ve[n]||xe[n]){if(ze&&!Ue[n]&&"function"==typeof e.insertAdjacentHTML)try{var o=e.innerHTML;e.insertAdjacentHTML("AfterEnd",re?re.createHTML(o):o)}catch(e){}return Ve(e),!0}return"noscript"===n&&k(/<\/noscript/i,e.innerHTML)?(Ve(e),!0):"noembed"===n&&k(/<\/noembed/i,e.innerHTML)?(Ve(e),!0):(!ke||e.firstElementChild||e.content&&e.content.firstElementChild||!k(/</g,e.textContent)||(T(t.removed,{element:e.cloneNode()}),e.innerHTML?e.innerHTML=L(e.innerHTML,/</g,"<"):e.innerHTML=L(e.textContent,/</g,"<")),_e&&3===e.nodeType&&(r=e.textContent,r=L(r,de," "),r=L(r,fe," "),e.textContent!==r&&(T(t.removed,{element:e.cloneNode()}),e.textContent=r)),Ze("afterSanitizeElements",e,null),!1)},tt=function(e,t,r){if(Fe&&("id"===t||"name"===t)&&(r in s||r in Ge))return!1;if(Ee&&k(pe,t));else if(Le&&k(me,t));else{if(!Te[t]||Se[t])return!1;if(We[t]);else if(k(he,L(r,ge,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==E(r,"data:")||!Pe[e]){if(Me&&!k(ye,L(r,ge,"")));else if(r)return!1}else;}return!0},rt=function(e){var r=void 0,n=void 0,o=void 0,i=void 0,a=void 0;Ze("beforeSanitizeAttributes",e,null);var l=e.attributes;if(l){var c={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Te};for(a=l.length;a--;){var s=r=l[a],d=s.name,f=s.namespaceURI;if(n=M(r.value),o=x(d),c.attrName=o,c.attrValue=n,c.keepAttr=!0,c.forceKeepAttr=void 0,Ze("uponSanitizeAttribute",e,c),n=c.attrValue,!c.forceKeepAttr){if("name"===o&&"IMG"===e.nodeName&&l.id)i=l.id,l=A(l,[]),Ye("id",e),Ye(d,e),h(l,i)>a&&e.setAttribute("id",i.value);else{if("INPUT"===e.nodeName&&"type"===o&&"file"===n&&c.keepAttr&&(Te[o]||!Se[o]))continue;"id"===d&&e.setAttribute(d,""),Ye(d,e)}if(c.keepAttr)if(ke&&k(/\/>/i,n))Ye(d,e);else if(k(/svg|math/i,e.namespaceURI)&&k(_("</("+v(u(Ue),"|")+")","i"),n))Ye(d,e);else{_e&&(n=L(n,de," "),n=L(n,fe," "));var p=e.nodeName.toLowerCase();if(tt(p,o,n))try{f?e.setAttributeNS(f,d,n):e.setAttribute(d,n),b(t.removed)}catch(e){}}}}Ze("afterSanitizeAttributes",e,null)}},nt=function e(t){var r=void 0,n=$e(t);for(Ze("beforeSanitizeShadowDOM",t,null);r=n.nextNode();)Ze("uponSanitizeShadowNode",r,null),et(r)||(r.content instanceof f&&e(r.content),rt(r));Ze("afterSanitizeShadowDOM",t,null)};return t.sanitize=function(n,o){var i=void 0,a=void 0,l=void 0,c=void 0,s=void 0;if(n||(n="\x3c!--\x3e"),"string"!=typeof n&&!Qe(n)){if("function"!=typeof n.toString)throw N("toString is not a function");if("string"!=typeof(n=n.toString()))throw N("dirty is not a string, aborting")}if(!t.isSupported){if("object"===K(e.toStaticHTML)||"function"==typeof e.toStaticHTML){if("string"==typeof n)return e.toStaticHTML(n);if(Qe(n))return e.toStaticHTML(n.outerHTML)}return n}if(Oe||Ke(o),t.removed=[],"string"==typeof n&&(Ie=!1),Ie);else if(n instanceof m)1===(a=(i=Xe("\x3c!--\x3e")).ownerDocument.importNode(n,!0)).nodeType&&"BODY"===a.nodeName?i=a:"HTML"===a.nodeName?i=a:i.appendChild(a);else{if(!De&&!_e&&!Ne&&Ce&&-1===n.indexOf("<"))return re?re.createHTML(n):n;if(!(i=Xe(n)))return De?null:ne}i&&we&&Ve(i.firstChild);for(var u=$e(Ie?n:i);l=u.nextNode();)3===l.nodeType&&l===c||et(l)||(l.content instanceof f&&nt(l.content),rt(l),c=l);if(c=null,Ie)return n;if(De){if(Re)for(s=ce.call(i.ownerDocument);i.firstChild;)s.appendChild(i.firstChild);else s=i;return He&&(s=se.call(r,s,!0)),s}var d=Ne?i.outerHTML:i.innerHTML;return _e&&(d=L(d,de," "),d=L(d,fe," ")),re&&Ce?re.createHTML(d):d},t.setConfig=function(e){Ke(e),Oe=!0},t.clearConfig=function(){qe=null,Oe=!1},t.isValidAttribute=function(e,t,r){qe||Ke({});var n=x(e),o=x(t);return tt(n,o,r)},t.addHook=function(e,t){"function"==typeof t&&(ue[e]=ue[e]||[],T(ue[e],t))},t.removeHook=function(e){ue[e]&&b(ue[e])},t.removeHooks=function(e){ue[e]&&(ue[e]=[])},t.removeAllHooks=function(){ue={}},t}var l=Object.hasOwnProperty,c=Object.setPrototypeOf,s=Object.isFrozen,u=Object.keys,d=Object.freeze,f=Object.seal,p="undefined"!=typeof Reflect&&Reflect,m=p.apply,y=p.construct;m||(m=function(e,t,r){return e.apply(t,r)}),d||(d=function(e){return e}),f||(f=function(e){return e}),y||(y=function(t,r){return new(Function.prototype.bind.apply(t,[null].concat(e(r))))});var g=t(Array.prototype.forEach),h=t(Array.prototype.indexOf),v=t(Array.prototype.join),b=t(Array.prototype.pop),T=t(Array.prototype.push),A=t(Array.prototype.slice),x=t(String.prototype.toLowerCase),S=t(String.prototype.match),L=t(String.prototype.replace),E=t(String.prototype.indexOf),M=t(String.prototype.trim),k=t(RegExp.prototype.test),_=r(RegExp),N=r(TypeError),O=d(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),w=d(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),D=d(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),R=d(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),H=d(["#text"]),C=d(["accept","action","align","alt","autocomplete","background","bgcolor","border","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","coords","crossorigin","datetime","default","dir","disabled","download","enctype","face","for","headers","height","hidden","high","href","hreflang","id","integrity","ismap","label","lang","list","loop","low","max","maxlength","media","method","min","minlength","multiple","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","type","usemap","valign","value","width","xmlns"]),F=d(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskunits","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),z=d(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),I=d(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),j=f(/\{\{[\s\S]*|[\s\S]*\}\}/gm),U=f(/<%[\s\S]*|[\s\S]*%>/gm),P=f(/^data-[\-\w.\u00B7-\uFFFF]/),W=f(/^aria-[\-\w]+$/),B=f(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),q=f(/^(?:\w+script|data):/i),G=f(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205f\u3000]/g),K="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e},V=function(){return"undefined"==typeof window?null:window},Y=function(e,t){if("object"!==(void 0===e?"undefined":K(e))||"function"!=typeof e.createPolicy)return null;var r=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(r=t.currentScript.getAttribute("data-tt-policy-suffix"));var n="dompurify"+(r?"#"+r:"");try{return e.createPolicy(n,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};return a()}); | ||
| //# sourceMappingURL=purify.min.js.map |
@@ -71,6 +71,6 @@ { | ||
| "jsdom": "8.x.x", | ||
| "karma": "^4.3.0", | ||
| "karma": "^4.4.1", | ||
| "karma-browserstack-launcher": "^1.5.1", | ||
| "karma-chrome-launcher": "^2.2.0", | ||
| "karma-firefox-launcher": "^1.2.0", | ||
| "karma-firefox-launcher": "^1.3.0", | ||
| "karma-fixture": "^0.2.6", | ||
@@ -86,3 +86,3 @@ "karma-html2js-preprocessor": "^1.0.0", | ||
| "pre-commit": "^1.1.2", | ||
| "prettier": "^1.18.2", | ||
| "prettier": "^1.19.1", | ||
| "qunit-parameterize": "^0.4.0", | ||
@@ -107,3 +107,3 @@ "qunit-tap": "^1.5.0", | ||
| "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
| "version": "2.0.7", | ||
| "version": "2.0.8", | ||
| "directories": { | ||
@@ -110,0 +110,0 @@ "test": "test" |
@@ -9,3 +9,3 @@ # DOMPurify | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.0.7. | ||
| It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.0.8. | ||
@@ -52,7 +52,7 @@ DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing. | ||
| require(['dompurify'], function(DOMPurify) { | ||
| var clean = DOMPurify.sanitize(dirty); | ||
| var clean = DOMPurify.sanitize(dirty); | ||
| }); | ||
| ``` | ||
| DOMPurify also works server-side with node.js as well as client-side via [Browserify](http://browserify.org/) or similar translators. Node.js 0.x is not supported; either [io.js](https://iojs.org) or Node.js 4.x or newer is required. | ||
| DOMPurify also works server-side with node.js as well as client-side via [Browserify](http://browserify.org/) or similar translators. Node.js 0.x is not supported; either [io.js](https://iojs.org) or Node.js 4.x or newer is required. | ||
@@ -62,3 +62,5 @@ ```bash | ||
| ``` | ||
| For JSDOM v10 or newer | ||
| ```javascript | ||
@@ -68,3 +70,3 @@ const createDOMPurify = require('dompurify'); | ||
| const window = (new JSDOM('')).window; | ||
| const window = new JSDOM('').window; | ||
| const DOMPurify = createDOMPurify(window); | ||
@@ -76,2 +78,3 @@ | ||
| For JSDOM versions older than v10 | ||
| ```javascript | ||
@@ -104,3 +107,3 @@ const createDOMPurify = require('dompurify'); | ||
| DOMPurify.sanitize('<svg><g/onload=alert(2)//<p>'); // becomes <svg><g></g></svg> | ||
| DOMPurify.sanitize('<p>abc<iframe/\/src=jAva	script:alert(3)>def'); // becomes <p>abcdef</p> | ||
| DOMPurify.sanitize('<p>abc<iframe//src=jAva	script:alert(3)>def'); // becomes <p>abcdef</p> | ||
| DOMPurify.sanitize('<math><mi//xlink:href="data:x,<script>alert(4)</script>">'); // becomes <math><mi></mi></math> | ||
@@ -123,3 +126,3 @@ DOMPurify.sanitize('<TABLE><tr><td>HELLO</tr></TABL>'); // becomes <table><tbody><tr><td>HELLO</td></tr></tbody></table> | ||
| In version 1.0.9, support for [Trusted Types API](https://github.com/WICG/trusted-types) was added to DOMPurify. | ||
| In version 1.0.9, support for [Trusted Types API](https://github.com/WICG/trusted-types) was added to DOMPurify. | ||
| In version 2.0.0, a config flag was added to control DOMPurify's behavior regarding this. | ||
@@ -215,2 +218,3 @@ | ||
| ``` | ||
| There is even [more examples here](https://github.com/cure53/DOMPurify/tree/master/demos#what-is-this), showing how you can run, customize and configure DOMPurify to fit your needs. | ||
@@ -227,3 +231,3 @@ | ||
| - `beforeSanitizeElements` | ||
| - `uponSanitizeElement` | ||
| - `uponSanitizeElement` (No 's' - called for every element) | ||
| - `afterSanitizeElements` | ||
@@ -242,5 +246,10 @@ - `beforeSanitizeAttributes` | ||
| ```javascript | ||
| DOMPurify.addHook('beforeSanitizeElements', function(currentNode, data, config) { | ||
| // Do something with the current node and return it | ||
| return currentNode; | ||
| DOMPurify.addHook('beforeSanitizeElements', function( | ||
| currentNode, | ||
| hookEvent, | ||
| config | ||
| ) { | ||
| // Do something with the current node and return it | ||
| // You can also mutate hookEvent (i.e. set hookEvent.forceKeepAttr = true) | ||
| return currentNode; | ||
| }); | ||
@@ -293,6 +302,6 @@ ``` | ||
| Many people helped DOMPurify become what it is and need to be acknowledged here! | ||
| Many people helped and help DOMPurify become what it is and need to be acknowledged here! | ||
| @tdeekens, @neilj, @fhemberger, @Joris-van-der-Wel, @ydaniv, @filedescriptor, @ConradIrwin, @gibson042, @choumx, @0xSobky, @styfle, @koto, @tlau88, @strugee, @oparoz, @mathiasbynens, @edg2s, @dnkolegov, @dhardtke, @wirehead, @thorn0, @styu, @mozfreddyb, @mikesamuel, @jorangreef, @jimmyhchan, @jameydeorio, @jameskraus, @hyderali, @hansottowirtz, @hackvertor, @freddyb, @flavorjones, @djfarrelly, @devd, @camerondunford, @buu700, @buildog, @alabiaga, @Vector919, @Robbert, @GreLI, @FuzzySockets, @ArtemBernatskyy, [@garethheyes](https://twitter.com/garethheyes), [@filedescriptor](https://twitter.com/filedescriptor), [@shafigullin](https://twitter.com/shafigullin), [@mmrupp](https://twitter.com/mmrupp), [@irsdl](https://twitter.com/irsdl), @ShikariSenpai, @ansjdnakjdnajkd, [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and especially @masatokinugawa | ||
| [oreoshake 💸](https://github.com/oreoshake), [dcramer 💸](https://github.com/dcramer),[tdeekens](https://github.com/tdeekens), [neilj](https://github.com/neilj), [fhemberger](https://github.com/fhemberger), [Joris-van-der-Wel](https://github.com/Joris-van-der-Wel), [ydaniv](https://github.com/ydaniv), [filedescriptor](https://github.com/filedescriptor), [ConradIrwin](https://github.com/ConradIrwin), [gibson042](https://github.com/gibson042), [choumx](https://github.com/choumx), [0xSobky](https://github.com/0xSobky), [styfle](https://github.com/styfle), [koto](https://github.com/koto), [tlau88](https://github.com/tlau88), [strugee](https://github.com/strugee), [oparoz](https://github.com/oparoz), [mathiasbynens](https://github.com/mathiasbynens), [edg2s](https://github.com/edg2s), [dnkolegov](https://github.com/dnkolegov), [dhardtke](https://github.com/dhardtke), [wirehead](https://github.com/wirehead), [thorn0](https://github.com/thorn0), [styu](https://github.com/styu), [mozfreddyb](https://github.com/mozfreddyb), [mikesamuel](https://github.com/mikesamuel), [jorangreef](https://github.com/jorangreef), [jimmyhchan](https://github.com/jimmyhchan), [jameydeorio](https://github.com/jameydeorio), [jameskraus](https://github.com/jameskraus), [hyderali](https://github.com/hyderali), [hansottowirtz](https://github.com/hansottowirtz), [hackvertor](https://github.com/hackvertor), [freddyb](https://github.com/freddyb), [flavorjones](https://github.com/flavorjones), [djfarrelly](https://github.com/djfarrelly), [devd](https://github.com/devd), [camerondunford](https://github.com/camerondunford), [buu700](https://github.com/buu700), [buildog](https://github.com/buildog), [alabiaga](https://github.com/alabiaga), [Vector919](https://github.com/Vector919), [Robbert](https://github.com/Robbert), [GreLI](https://github.com/GreLI), [FuzzySockets](https://github.com/FuzzySockets), [ArtemBernatskyy](https://github.com/ArtemBernatskyy), [@garethheyes](https://twitter.com/garethheyes), [@filedescriptor](https://twitter.com/filedescriptor), [@shafigullin](https://twitter.com/shafigullin), [@mmrupp](https://twitter.com/mmrupp), [@irsdl](https://twitter.com/irsdl),[ShikariSenpai](https://github.com/ShikariSenpai), [ansjdnakjdnajkd](https://github.com/ansjdnakjdnajkd), [@asutherland](https://twitter.com/asutherland), [@mathias](https://twitter.com/mathias), [@cgvwzq](https://twitter.com/cgvwzq), [@robbertatwork](https://twitter.com/robbertatwork), [@giutro](https://twitter.com/giutro) and especially [@masatokinugawa](https://twitter.com/masatokinugawa) | ||
| And last but not least, thanks to [BrowserStack](https://browserstack.com) for supporting this project with their services for free and delivering excellent, dedicated and very professional support on top of that. |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by4.83%
508693
- Lines of code
- increased by4.38%
3267
- Number of lines in readme file
- increased by3.13%
297
No dependency changes