dompurify
Comparing version 2.0.17 to 2.1.0
@@ -9,4 +9,3 @@ /*! @license DOMPurify | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.0.8/LICENSE */ | ||
setPrototypeOf = Object.setPrototypeOf, | ||
isFrozen = Object.isFrozen, | ||
objectKeys = Object.keys; | ||
isFrozen = Object.isFrozen; | ||
var freeze = Object.freeze, | ||
@@ -46,3 +45,2 @@ seal = Object.seal, | ||
var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
var arrayJoin = unapply(Array.prototype.join); | ||
var arrayPop = unapply(Array.prototype.pop); | ||
@@ -59,3 +57,2 @@ var arrayPush = unapply(Array.prototype.push); | ||
var regExpTest = unapply(RegExp.prototype.test); | ||
var regExpCreate = unconstruct(RegExp); | ||
@@ -216,3 +213,3 @@ var typeErrorCreate = unconstruct(TypeError); | ||
*/ | ||
DOMPurify.version = '2.0.17'; | ||
DOMPurify.version = '2.1.0'; | ||
@@ -322,5 +319,2 @@ /** | ||
/* Output should be safe for jQuery's $() factory? */ | ||
var SAFE_FOR_JQUERY = false; | ||
/* Output should be safe for common template engines. | ||
@@ -423,3 +417,2 @@ * This means, DOMPurify removes data attributes, mustaches and ERB | ||
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false | ||
SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false | ||
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false | ||
@@ -682,3 +675,2 @@ WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -711,4 +703,4 @@ var content = void 0; | ||
/* Take care of an mXSS pattern using p, br inside svg, math */ | ||
if ((tagName === 'svg' || tagName === 'math') && currentNode.querySelectorAll('p, br, form, table').length !== 0) { | ||
/* Detect mXSS attempts abusing namespace confusion */ | ||
if (!_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/<[!/\w]/g, currentNode.innerHTML) && regExpTest(/<[!/\w]/g, currentNode.textContent)) { | ||
_forceRemove(currentNode); | ||
@@ -733,3 +725,3 @@ return true; | ||
/* Remove in case a noscript/noembed XSS is suspected */ | ||
if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
@@ -739,17 +731,2 @@ return true; | ||
if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
return true; | ||
} | ||
/* Convert markup to cover jQuery behavior */ | ||
if (SAFE_FOR_JQUERY && !_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/</g, currentNode.textContent)) { | ||
arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
if (currentNode.innerHTML) { | ||
currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
} else { | ||
currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
} | ||
} | ||
/* Sanitize element content to be template-safe */ | ||
@@ -813,3 +790,2 @@ if (SAFE_FOR_TEMPLATES && currentNode.nodeType === 3) { | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -896,3 +872,3 @@ var attr = void 0; | ||
/* Work around a security issue in jQuery 3.0 */ | ||
if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
if (regExpTest(/\/>/i, value)) { | ||
_removeAttribute(name, currentNode); | ||
@@ -902,8 +878,2 @@ continue; | ||
/* Take care of an mXSS pattern using namespace switches */ | ||
if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
_removeAttribute(name, currentNode); | ||
continue; | ||
} | ||
/* Sanitize attribute content to be template-safe */ | ||
@@ -910,0 +880,0 @@ if (SAFE_FOR_TEMPLATES) { |
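Review bot: The namespace-confusion check added in `_sanitizeElements` only looks at `innerHTML`/`textContent` of nodes that have no element children, while the same release drops the `svg`/`math` `querySelectorAll('p, br, form, table')` test and, in `_sanitizeAttributes`, the test of attribute values against closing tags of `FORBID_CONTENTS`; no visible line still tests attribute values of SVG/MathML nodes for those closing tags. Whether the new check covers both removed cases depends on code outside these hunks, so a regression test per removed case should accompany the change. The one-line comment does not explain the condition; something like `/* Leaf node whose innerHTML and textContent both still contain tag-like text: drop it */` would help the next reader. The `g` flag on `/<[!/\w]/g` is unnecessary for a single `test` and would make the pattern stateful if it were ever hoisted into a shared constant; `/<[!/\w]/` suffices. The same hunks repeat in the two file sections that follow, and both functions continue outside the hunks.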
@@ -7,4 +7,3 @@ /*! @license DOMPurify | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.0.8/LICENSE */ | ||
setPrototypeOf = Object.setPrototypeOf, | ||
isFrozen = Object.isFrozen, | ||
objectKeys = Object.keys; | ||
isFrozen = Object.isFrozen; | ||
var freeze = Object.freeze, | ||
@@ -44,3 +43,2 @@ seal = Object.seal, | ||
var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
var arrayJoin = unapply(Array.prototype.join); | ||
var arrayPop = unapply(Array.prototype.pop); | ||
@@ -57,3 +55,2 @@ var arrayPush = unapply(Array.prototype.push); | ||
var regExpTest = unapply(RegExp.prototype.test); | ||
var regExpCreate = unconstruct(RegExp); | ||
@@ -214,3 +211,3 @@ var typeErrorCreate = unconstruct(TypeError); | ||
*/ | ||
DOMPurify.version = '2.0.17'; | ||
DOMPurify.version = '2.1.0'; | ||
@@ -320,5 +317,2 @@ /** | ||
/* Output should be safe for jQuery's $() factory? */ | ||
var SAFE_FOR_JQUERY = false; | ||
/* Output should be safe for common template engines. | ||
@@ -421,3 +415,2 @@ * This means, DOMPurify removes data attributes, mustaches and ERB | ||
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false | ||
SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false | ||
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false | ||
@@ -680,3 +673,2 @@ WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -709,4 +701,4 @@ var content = void 0; | ||
/* Take care of an mXSS pattern using p, br inside svg, math */ | ||
if ((tagName === 'svg' || tagName === 'math') && currentNode.querySelectorAll('p, br, form, table').length !== 0) { | ||
/* Detect mXSS attempts abusing namespace confusion */ | ||
if (!_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/<[!/\w]/g, currentNode.innerHTML) && regExpTest(/<[!/\w]/g, currentNode.textContent)) { | ||
_forceRemove(currentNode); | ||
@@ -731,3 +723,3 @@ return true; | ||
/* Remove in case a noscript/noembed XSS is suspected */ | ||
if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
@@ -737,17 +729,2 @@ return true; | ||
if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
return true; | ||
} | ||
/* Convert markup to cover jQuery behavior */ | ||
if (SAFE_FOR_JQUERY && !_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/</g, currentNode.textContent)) { | ||
arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
if (currentNode.innerHTML) { | ||
currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
} else { | ||
currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
} | ||
} | ||
/* Sanitize element content to be template-safe */ | ||
@@ -811,3 +788,2 @@ if (SAFE_FOR_TEMPLATES && currentNode.nodeType === 3) { | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -894,3 +870,3 @@ var attr = void 0; | ||
/* Work around a security issue in jQuery 3.0 */ | ||
if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
if (regExpTest(/\/>/i, value)) { | ||
_removeAttribute(name, currentNode); | ||
@@ -900,8 +876,2 @@ continue; | ||
/* Take care of an mXSS pattern using namespace switches */ | ||
if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
_removeAttribute(name, currentNode); | ||
continue; | ||
} | ||
/* Sanitize attribute content to be template-safe */ | ||
@@ -908,0 +878,0 @@ if (SAFE_FOR_TEMPLATES) { |
@@ -13,4 +13,3 @@ /*! @license DOMPurify | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.0.8/LICENSE */ | ||
setPrototypeOf = Object.setPrototypeOf, | ||
isFrozen = Object.isFrozen, | ||
objectKeys = Object.keys; | ||
isFrozen = Object.isFrozen; | ||
var freeze = Object.freeze, | ||
@@ -50,3 +49,2 @@ seal = Object.seal, | ||
var arrayIndexOf = unapply(Array.prototype.indexOf); | ||
var arrayJoin = unapply(Array.prototype.join); | ||
var arrayPop = unapply(Array.prototype.pop); | ||
@@ -63,3 +61,2 @@ var arrayPush = unapply(Array.prototype.push); | ||
var regExpTest = unapply(RegExp.prototype.test); | ||
var regExpCreate = unconstruct(RegExp); | ||
@@ -220,3 +217,3 @@ var typeErrorCreate = unconstruct(TypeError); | ||
*/ | ||
DOMPurify.version = '2.0.17'; | ||
DOMPurify.version = '2.1.0'; | ||
@@ -326,5 +323,2 @@ /** | ||
/* Output should be safe for jQuery's $() factory? */ | ||
var SAFE_FOR_JQUERY = false; | ||
/* Output should be safe for common template engines. | ||
@@ -427,3 +421,2 @@ * This means, DOMPurify removes data attributes, mustaches and ERB | ||
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false | ||
SAFE_FOR_JQUERY = cfg.SAFE_FOR_JQUERY || false; // Default false | ||
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false | ||
@@ -686,3 +679,2 @@ WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeElements = function _sanitizeElements(currentNode) { | ||
@@ -715,4 +707,4 @@ var content = void 0; | ||
/* Take care of an mXSS pattern using p, br inside svg, math */ | ||
if ((tagName === 'svg' || tagName === 'math') && currentNode.querySelectorAll('p, br, form, table').length !== 0) { | ||
/* Detect mXSS attempts abusing namespace confusion */ | ||
if (!_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/<[!/\w]/g, currentNode.innerHTML) && regExpTest(/<[!/\w]/g, currentNode.textContent)) { | ||
_forceRemove(currentNode); | ||
@@ -737,3 +729,3 @@ return true; | ||
/* Remove in case a noscript/noembed XSS is suspected */ | ||
if (tagName === 'noscript' && regExpTest(/<\/noscript/i, currentNode.innerHTML)) { | ||
if ((tagName === 'noscript' || tagName === 'noembed') && regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
@@ -743,17 +735,2 @@ return true; | ||
if (tagName === 'noembed' && regExpTest(/<\/noembed/i, currentNode.innerHTML)) { | ||
_forceRemove(currentNode); | ||
return true; | ||
} | ||
/* Convert markup to cover jQuery behavior */ | ||
if (SAFE_FOR_JQUERY && !_isNode(currentNode.firstElementChild) && (!_isNode(currentNode.content) || !_isNode(currentNode.content.firstElementChild)) && regExpTest(/</g, currentNode.textContent)) { | ||
arrayPush(DOMPurify.removed, { element: currentNode.cloneNode() }); | ||
if (currentNode.innerHTML) { | ||
currentNode.innerHTML = stringReplace(currentNode.innerHTML, /</g, '<'); | ||
} else { | ||
currentNode.innerHTML = stringReplace(currentNode.textContent, /</g, '<'); | ||
} | ||
} | ||
/* Sanitize element content to be template-safe */ | ||
@@ -817,3 +794,2 @@ if (SAFE_FOR_TEMPLATES && currentNode.nodeType === 3) { | ||
*/ | ||
// eslint-disable-next-line complexity | ||
var _sanitizeAttributes = function _sanitizeAttributes(currentNode) { | ||
@@ -900,3 +876,3 @@ var attr = void 0; | ||
/* Work around a security issue in jQuery 3.0 */ | ||
if (SAFE_FOR_JQUERY && regExpTest(/\/>/i, value)) { | ||
if (regExpTest(/\/>/i, value)) { | ||
_removeAttribute(name, currentNode); | ||
@@ -906,8 +882,2 @@ continue; | ||
/* Take care of an mXSS pattern using namespace switches */ | ||
if (regExpTest(/svg|math/i, currentNode.namespaceURI) && regExpTest(regExpCreate('</(' + arrayJoin(objectKeys(FORBID_CONTENTS), '|') + ')', 'i'), value)) { | ||
_removeAttribute(name, currentNode); | ||
continue; | ||
} | ||
/* Sanitize attribute content to be template-safe */ | ||
@@ -914,0 +884,0 @@ if (SAFE_FOR_TEMPLATES) { |
/*! @license DOMPurify | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/2.0.8/LICENSE */ | ||
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e=e||self).DOMPurify=t()}(this,(function(){"use strict";var e=Object.hasOwnProperty,t=Object.setPrototypeOf,n=Object.isFrozen,r=Object.keys,o=Object.freeze,i=Object.seal,a=Object.create,l="undefined"!=typeof Reflect&&Reflect,c=l.apply,s=l.construct;c||(c=function(e,t,n){return e.apply(t,n)}),o||(o=function(e){return e}),i||(i=function(e){return e}),s||(s=function(e,t){return new(Function.prototype.bind.apply(e,[null].concat(function(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}(t))))});var u=k(Array.prototype.forEach),d=k(Array.prototype.indexOf),f=k(Array.prototype.join),p=k(Array.prototype.pop),m=k(Array.prototype.push),y=k(Array.prototype.slice),g=k(String.prototype.toLowerCase),h=k(String.prototype.match),v=k(String.prototype.replace),b=k(String.prototype.indexOf),T=k(String.prototype.trim),A=k(RegExp.prototype.test),x=L(RegExp),S=L(TypeError);function k(e){return function(t){for(var n=arguments.length,r=Array(n>1?n-1:0),o=1;o<n;o++)r[o-1]=arguments[o];return c(e,t,r)}}function L(e){return function(){for(var t=arguments.length,n=Array(t),r=0;r<t;r++)n[r]=arguments[r];return s(e,n)}}function _(e,r){t&&t(e,null);for(var o=r.length;o--;){var i=r[o];if("string"==typeof i){var a=g(i);a!==i&&(n(r)||(r[o]=a),i=a)}e[i]=!0}return e}function E(t){var n=a(null),r=void 0;for(r in t)c(e,t,[r])&&(n[r]=t[r]);return n}var 
M=o(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),D=o(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),N=o(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),O=o(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),R=o(["#text"]),w=o(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpict
ure","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns"]),F=o(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskuni
ts","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),H=o(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),C=o(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),z=i(/\{\{[\s\S]*|[\s\S]*\}\}/gm),I=i(/<%[\s\S]*|[\s\S]*%>/gm),U=i(/^data-[\-\w.\u00B7-\uFFFF]/),j=i(/^aria-[\-\w]+$/),P=i(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),G=i(/^(?:\w+script|data):/i),W=
i(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),B="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e};function q(e){if(Array.isArray(e)){for(var t=0,n=Array(e.length);t<e.length;t++)n[t]=e[t];return n}return Array.from(e)}var K=function(){return"undefined"==typeof window?null:window},V=function(e,t){if("object"!==(void 0===e?"undefined":B(e))||"function"!=typeof e.createPolicy)return null;var n=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(n=t.currentScript.getAttribute("data-tt-policy-suffix"));var r="dompurify"+(n?"#"+n:"");try{return e.createPolicy(r,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+r+" could not be created."),null}};return function e(){var t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:K(),n=function(t){return e(t)};if(n.version="2.0.17",n.removed=[],!t||!t.document||9!==t.document.nodeType)return n.isSupported=!1,n;var i=t.document,a=!1,l=t.document,c=t.DocumentFragment,s=t.HTMLTemplateElement,k=t.Node,L=t.NodeFilter,Y=t.NamedNodeMap,X=void 0===Y?t.NamedNodeMap||t.MozNamedAttrMap:Y,$=t.Text,J=t.Comment,Q=t.DOMParser,Z=t.trustedTypes;if("function"==typeof s){var ee=l.createElement("template");ee.content&&ee.content.ownerDocument&&(l=ee.content.ownerDocument)}var te=V(Z,i),ne=te&&He?te.createHTML(""):"",re=l,oe=re.implementation,ie=re.createNodeIterator,ae=re.getElementsByTagName,le=re.createDocumentFragment,ce=i.importNode,se={};try{se=E(l).documentMode?l.documentMode:{}}catch(e){}var ue={};n.isSupported=oe&&void 0!==oe.createHTMLDocument&&9!==se;var 
de=z,fe=I,pe=U,me=j,ye=G,ge=W,he=P,ve=null,be=_({},[].concat(q(M),q(D),q(N),q(O),q(R))),Te=null,Ae=_({},[].concat(q(w),q(F),q(H),q(C))),xe=null,Se=null,ke=!0,Le=!0,_e=!1,Ee=!1,Me=!1,De=!1,Ne=!1,Oe=!1,Re=!1,we=!1,Fe=!1,He=!1,Ce=!0,ze=!0,Ie=!1,Ue={},je=_({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","plaintext","script","style","svg","template","thead","title","video","xmp"]),Pe=null,Ge=_({},["audio","video","img","source","image","track"]),We=null,Be=_({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),qe=null,Ke=l.createElement("form"),Ve=function(e){qe&&qe===e||(e&&"object"===(void 0===e?"undefined":B(e))||(e={}),e=E(e),ve="ALLOWED_TAGS"in e?_({},e.ALLOWED_TAGS):be,Te="ALLOWED_ATTR"in e?_({},e.ALLOWED_ATTR):Ae,We="ADD_URI_SAFE_ATTR"in e?_(E(Be),e.ADD_URI_SAFE_ATTR):Be,Pe="ADD_DATA_URI_TAGS"in e?_(E(Ge),e.ADD_DATA_URI_TAGS):Ge,xe="FORBID_TAGS"in e?_({},e.FORBID_TAGS):{},Se="FORBID_ATTR"in e?_({},e.FORBID_ATTR):{},Ue="USE_PROFILES"in e&&e.USE_PROFILES,ke=!1!==e.ALLOW_ARIA_ATTR,Le=!1!==e.ALLOW_DATA_ATTR,_e=e.ALLOW_UNKNOWN_PROTOCOLS||!1,Ee=e.SAFE_FOR_JQUERY||!1,Me=e.SAFE_FOR_TEMPLATES||!1,De=e.WHOLE_DOCUMENT||!1,Re=e.RETURN_DOM||!1,we=e.RETURN_DOM_FRAGMENT||!1,Fe=e.RETURN_DOM_IMPORT||!1,He=e.RETURN_TRUSTED_TYPE||!1,Oe=e.FORCE_BODY||!1,Ce=!1!==e.SANITIZE_DOM,ze=!1!==e.KEEP_CONTENT,Ie=e.IN_PLACE||!1,he=e.ALLOWED_URI_REGEXP||he,Me&&(Le=!1),we&&(Re=!0),Ue&&(ve=_({},[].concat(q(R))),Te=[],!0===Ue.html&&(_(ve,M),_(Te,w)),!0===Ue.svg&&(_(ve,D),_(Te,F),_(Te,C)),!0===Ue.svgFilters&&(_(ve,N),_(Te,F),_(Te,C)),!0===Ue.mathMl&&(_(ve,O),_(Te,H),_(Te,C))),e.ADD_TAGS&&(ve===be&&(ve=E(ve)),_(ve,e.ADD_TAGS)),e.ADD_ATTR&&(Te===Ae&&(Te=E(Te)),_(Te,e.ADD_ATTR)),e.ADD_URI_SAFE_ATTR&&_(We,e.ADD_URI_SAFE_ATTR),ze&&(ve["#text"]=!0),De&&_(ve,["html","head","body"]),ve.table&&(_(ve,["tbody"]),delete 
xe.tbody),o&&o(e),qe=e)},Ye=function(e){m(n.removed,{element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=ne}},Xe=function(e,t){try{m(n.removed,{attribute:t.getAttributeNode(e),from:t})}catch(e){m(n.removed,{attribute:null,from:t})}t.removeAttribute(e)},$e=function(e){var t=void 0,n=void 0;if(Oe)e="<remove></remove>"+e;else{var r=h(e,/^[\r\n\t ]+/);n=r&&r[0]}var o=te?te.createHTML(e):e;try{t=(new Q).parseFromString(o,"text/html")}catch(e){}if(a&&_(xe,["title"]),!t||!t.documentElement){var i=(t=oe.createHTMLDocument("")).body;i.parentNode.removeChild(i.parentNode.firstElementChild),i.outerHTML=o}return e&&n&&t.body.insertBefore(l.createTextNode(n),t.body.childNodes[0]||null),ae.call(t,De?"html":"body")[0]};n.isSupported&&function(){try{var e=$e("<x/><title></title><img>");A(/<\/title/,e.querySelector("title").innerHTML)&&(a=!0)}catch(e){}}();var Je=function(e){return ie.call(e.ownerDocument||e,e,L.SHOW_ELEMENT|L.SHOW_COMMENT|L.SHOW_TEXT,(function(){return L.FILTER_ACCEPT}),!1)},Qe=function(e){return!(e instanceof $||e instanceof J)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof X&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute&&"string"==typeof e.namespaceURI)},Ze=function(e){return"object"===(void 0===k?"undefined":B(k))?e instanceof k:e&&"object"===(void 0===e?"undefined":B(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},et=function(e,t,r){ue[e]&&u(ue[e],(function(e){e.call(n,t,r,qe)}))},tt=function(e){var t=void 0;if(et("beforeSanitizeElements",e,null),Qe(e))return Ye(e),!0;if(h(e.nodeName,/[\u0080-\uFFFF]/))return Ye(e),!0;var r=g(e.nodeName);if(et("uponSanitizeElement",e,{tagName:r,allowedTags:ve}),("svg"===r||"math"===r)&&0!==e.querySelectorAll("p, br, form, table").length)return Ye(e),!0;if(!ve[r]||xe[r]){if(ze&&!je[r]&&"function"==typeof e.insertAdjacentHTML)try{var 
o=e.innerHTML;e.insertAdjacentHTML("AfterEnd",te?te.createHTML(o):o)}catch(e){}return Ye(e),!0}return"noscript"===r&&A(/<\/noscript/i,e.innerHTML)||"noembed"===r&&A(/<\/noembed/i,e.innerHTML)?(Ye(e),!0):(!Ee||Ze(e.firstElementChild)||Ze(e.content)&&Ze(e.content.firstElementChild)||!A(/</g,e.textContent)||(m(n.removed,{element:e.cloneNode()}),e.innerHTML?e.innerHTML=v(e.innerHTML,/</g,"<"):e.innerHTML=v(e.textContent,/</g,"<")),Me&&3===e.nodeType&&(t=e.textContent,t=v(t,de," "),t=v(t,fe," "),e.textContent!==t&&(m(n.removed,{element:e.cloneNode()}),e.textContent=t)),et("afterSanitizeElements",e,null),!1)},nt=function(e,t,n){if(Ce&&("id"===t||"name"===t)&&(n in l||n in Ke))return!1;if(Le&&A(pe,t));else if(ke&&A(me,t));else{if(!Te[t]||Se[t])return!1;if(We[t]);else if(A(he,v(n,ge,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==b(n,"data:")||!Pe[e]){if(_e&&!A(ye,v(n,ge,"")));else if(n)return!1}else;}return!0},rt=function(e){var t=void 0,o=void 0,i=void 0,a=void 0,l=void 0;et("beforeSanitizeAttributes",e,null);var c=e.attributes;if(c){var s={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:Te};for(l=c.length;l--;){var u=t=c[l],m=u.name,h=u.namespaceURI;if(o=T(t.value),i=g(m),s.attrName=i,s.attrValue=o,s.keepAttr=!0,s.forceKeepAttr=void 0,et("uponSanitizeAttribute",e,s),o=s.attrValue,!s.forceKeepAttr){if("name"===i&&"IMG"===e.nodeName&&c.id)a=c.id,c=y(c,[]),Xe("id",e),Xe(m,e),d(c,a)>l&&e.setAttribute("id",a.value);else{if("INPUT"===e.nodeName&&"type"===i&&"file"===o&&s.keepAttr&&(Te[i]||!Se[i]))continue;"id"===m&&e.setAttribute(m,""),Xe(m,e)}if(s.keepAttr)if(Ee&&A(/\/>/i,o))Xe(m,e);else if(A(/svg|math/i,e.namespaceURI)&&A(x("</("+f(r(je),"|")+")","i"),o))Xe(m,e);else{Me&&(o=v(o,de," "),o=v(o,fe," "));var b=e.nodeName.toLowerCase();if(nt(b,i,o))try{h?e.setAttributeNS(h,m,o):e.setAttribute(m,o),p(n.removed)}catch(e){}}}}et("afterSanitizeAttributes",e,null)}},ot=function e(t){var n=void 
0,r=Je(t);for(et("beforeSanitizeShadowDOM",t,null);n=r.nextNode();)et("uponSanitizeShadowNode",n,null),tt(n)||(n.content instanceof c&&e(n.content),rt(n));et("afterSanitizeShadowDOM",t,null)};return n.sanitize=function(e,r){var o=void 0,a=void 0,l=void 0,s=void 0,u=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Ze(e)){if("function"!=typeof e.toString)throw S("toString is not a function");if("string"!=typeof(e=e.toString()))throw S("dirty is not a string, aborting")}if(!n.isSupported){if("object"===B(t.toStaticHTML)||"function"==typeof t.toStaticHTML){if("string"==typeof e)return t.toStaticHTML(e);if(Ze(e))return t.toStaticHTML(e.outerHTML)}return e}if(Ne||Ve(r),n.removed=[],"string"==typeof e&&(Ie=!1),Ie);else if(e instanceof k)1===(a=(o=$e("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===a.nodeName||"HTML"===a.nodeName?o=a:o.appendChild(a);else{if(!Re&&!Me&&!De&&-1===e.indexOf("<"))return te&&He?te.createHTML(e):e;if(!(o=$e(e)))return Re?null:ne}o&&Oe&&Ye(o.firstChild);for(var d=Je(Ie?e:o);l=d.nextNode();)3===l.nodeType&&l===s||tt(l)||(l.content instanceof c&&ot(l.content),rt(l),s=l);if(s=null,Ie)return e;if(Re){if(we)for(u=le.call(o.ownerDocument);o.firstChild;)u.appendChild(o.firstChild);else u=o;return Fe&&(u=ce.call(i,u,!0)),u}var f=De?o.outerHTML:o.innerHTML;return Me&&(f=v(f,de," "),f=v(f,fe," ")),te&&He?te.createHTML(f):f},n.setConfig=function(e){Ve(e),Ne=!0},n.clearConfig=function(){qe=null,Ne=!1},n.isValidAttribute=function(e,t,n){qe||Ve({});var r=g(e),o=g(t);return nt(r,o,n)},n.addHook=function(e,t){"function"==typeof t&&(ue[e]=ue[e]||[],m(ue[e],t))},n.removeHook=function(e){ue[e]&&p(ue[e])},n.removeHooks=function(e){ue[e]&&(ue[e]=[])},n.removeAllHooks=function(){ue={}},n}()})); | ||
!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?module.exports=t():"function"==typeof define&&define.amd?define(t):(e=e||self).DOMPurify=t()}(this,(function(){"use strict";var e=Object.hasOwnProperty,t=Object.setPrototypeOf,r=Object.isFrozen,n=Object.freeze,o=Object.seal,i=Object.create,a="undefined"!=typeof Reflect&&Reflect,l=a.apply,c=a.construct;l||(l=function(e,t,r){return e.apply(t,r)}),n||(n=function(e){return e}),o||(o=function(e){return e}),c||(c=function(e,t){return new(Function.prototype.bind.apply(e,[null].concat(function(e){if(Array.isArray(e)){for(var t=0,r=Array(e.length);t<e.length;t++)r[t]=e[t];return r}return Array.from(e)}(t))))});var s,u=x(Array.prototype.forEach),d=x(Array.prototype.indexOf),f=x(Array.prototype.pop),p=x(Array.prototype.push),m=x(Array.prototype.slice),y=x(String.prototype.toLowerCase),h=x(String.prototype.match),g=x(String.prototype.replace),v=x(String.prototype.indexOf),b=x(String.prototype.trim),T=x(RegExp.prototype.test),A=(s=TypeError,function(){for(var e=arguments.length,t=Array(e),r=0;r<e;r++)t[r]=arguments[r];return c(s,t)});function x(e){return function(t){for(var r=arguments.length,n=Array(r>1?r-1:0),o=1;o<r;o++)n[o-1]=arguments[o];return l(e,t,n)}}function S(e,n){t&&t(e,null);for(var o=n.length;o--;){var i=n[o];if("string"==typeof i){var a=y(i);a!==i&&(r(n)||(n[o]=a),i=a)}e[i]=!0}return e}function k(t){var r=i(null),n=void 0;for(n in t)l(e,t,[n])&&(r[n]=t[n]);return r}var 
_=n(["a","abbr","acronym","address","area","article","aside","audio","b","bdi","bdo","big","blink","blockquote","body","br","button","canvas","caption","center","cite","code","col","colgroup","content","data","datalist","dd","decorator","del","details","dfn","dir","div","dl","dt","element","em","fieldset","figcaption","figure","font","footer","form","h1","h2","h3","h4","h5","h6","head","header","hgroup","hr","html","i","img","input","ins","kbd","label","legend","li","main","map","mark","marquee","menu","menuitem","meter","nav","nobr","ol","optgroup","option","output","p","picture","pre","progress","q","rp","rt","ruby","s","samp","section","select","shadow","small","source","spacer","span","strike","strong","style","sub","summary","sup","table","tbody","td","template","textarea","tfoot","th","thead","time","tr","track","tt","u","ul","var","video","wbr"]),D=n(["svg","a","altglyph","altglyphdef","altglyphitem","animatecolor","animatemotion","animatetransform","audio","canvas","circle","clippath","defs","desc","ellipse","filter","font","g","glyph","glyphref","hkern","image","line","lineargradient","marker","mask","metadata","mpath","path","pattern","polygon","polyline","radialgradient","rect","stop","style","switch","symbol","text","textpath","title","tref","tspan","video","view","vkern"]),E=n(["feBlend","feColorMatrix","feComponentTransfer","feComposite","feConvolveMatrix","feDiffuseLighting","feDisplacementMap","feDistantLight","feFlood","feFuncA","feFuncB","feFuncG","feFuncR","feGaussianBlur","feMerge","feMergeNode","feMorphology","feOffset","fePointLight","feSpecularLighting","feSpotLight","feTile","feTurbulence"]),L=n(["math","menclose","merror","mfenced","mfrac","mglyph","mi","mlabeledtr","mmultiscripts","mn","mo","mover","mpadded","mphantom","mroot","mrow","ms","mspace","msqrt","mstyle","msub","msup","msubsup","mtable","mtd","mtext","mtr","munder","munderover"]),M=n(["#text"]),w=n(["accept","action","align","alt","autocapitalize","autocomplete","autopictureinpict
ure","autoplay","background","bgcolor","border","capture","cellpadding","cellspacing","checked","cite","class","clear","color","cols","colspan","controls","controlslist","coords","crossorigin","datetime","decoding","default","dir","disabled","disablepictureinpicture","disableremoteplayback","download","draggable","enctype","enterkeyhint","face","for","headers","height","hidden","high","href","hreflang","id","inputmode","integrity","ismap","kind","label","lang","list","loading","loop","low","max","maxlength","media","method","min","minlength","multiple","muted","name","noshade","novalidate","nowrap","open","optimum","pattern","placeholder","playsinline","poster","preload","pubdate","radiogroup","readonly","rel","required","rev","reversed","role","rows","rowspan","spellcheck","scope","selected","shape","size","sizes","span","srclang","start","src","srcset","step","style","summary","tabindex","title","translate","type","usemap","valign","value","width","xmlns"]),N=n(["accent-height","accumulate","additive","alignment-baseline","ascent","attributename","attributetype","azimuth","basefrequency","baseline-shift","begin","bias","by","class","clip","clippathunits","clip-path","clip-rule","color","color-interpolation","color-interpolation-filters","color-profile","color-rendering","cx","cy","d","dx","dy","diffuseconstant","direction","display","divisor","dur","edgemode","elevation","end","fill","fill-opacity","fill-rule","filter","filterunits","flood-color","flood-opacity","font-family","font-size","font-size-adjust","font-stretch","font-style","font-variant","font-weight","fx","fy","g1","g2","glyph-name","glyphref","gradientunits","gradienttransform","height","href","id","image-rendering","in","in2","k","k1","k2","k3","k4","kerning","keypoints","keysplines","keytimes","lang","lengthadjust","letter-spacing","kernelmatrix","kernelunitlength","lighting-color","local","marker-end","marker-mid","marker-start","markerheight","markerunits","markerwidth","maskcontentunits","maskuni
ts","max","mask","media","method","mode","min","name","numoctaves","offset","operator","opacity","order","orient","orientation","origin","overflow","paint-order","path","pathlength","patterncontentunits","patterntransform","patternunits","points","preservealpha","preserveaspectratio","primitiveunits","r","rx","ry","radius","refx","refy","repeatcount","repeatdur","restart","result","rotate","scale","seed","shape-rendering","specularconstant","specularexponent","spreadmethod","startoffset","stddeviation","stitchtiles","stop-color","stop-opacity","stroke-dasharray","stroke-dashoffset","stroke-linecap","stroke-linejoin","stroke-miterlimit","stroke-opacity","stroke","stroke-width","style","surfacescale","systemlanguage","tabindex","targetx","targety","transform","text-anchor","text-decoration","text-rendering","textlength","type","u1","u2","unicode","values","viewbox","visibility","version","vert-adv-y","vert-origin-x","vert-origin-y","width","word-spacing","wrap","writing-mode","xchannelselector","ychannelselector","x","x1","x2","xmlns","y","y1","y2","z","zoomandpan"]),O=n(["accent","accentunder","align","bevelled","close","columnsalign","columnlines","columnspan","denomalign","depth","dir","display","displaystyle","encoding","fence","frame","height","href","id","largeop","length","linethickness","lspace","lquote","mathbackground","mathcolor","mathsize","mathvariant","maxsize","minsize","movablelimits","notation","numalign","open","rowalign","rowlines","rowspacing","rowspan","rspace","rquote","scriptlevel","scriptminsize","scriptsizemultiplier","selection","separator","separators","stretchy","subscriptshift","supscriptshift","symmetric","voffset","width","xmlns"]),R=n(["xlink:href","xml:id","xlink:title","xml:space","xmlns:xlink"]),F=o(/\{\{[\s\S]*|[\s\S]*\}\}/gm),C=o(/<%[\s\S]*|[\s\S]*%>/gm),H=o(/^data-[\-\w.\u00B7-\uFFFF]/),z=o(/^aria-[\-\w]+$/),I=o(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i),U=o(/^(?:\w+script|data):/i),j=
o(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g),P="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e};function G(e){if(Array.isArray(e)){for(var t=0,r=Array(e.length);t<e.length;t++)r[t]=e[t];return r}return Array.from(e)}var W=function(){return"undefined"==typeof window?null:window},B=function(e,t){if("object"!==(void 0===e?"undefined":P(e))||"function"!=typeof e.createPolicy)return null;var r=null;t.currentScript&&t.currentScript.hasAttribute("data-tt-policy-suffix")&&(r=t.currentScript.getAttribute("data-tt-policy-suffix"));var n="dompurify"+(r?"#"+r:"");try{return e.createPolicy(n,{createHTML:function(e){return e}})}catch(e){return console.warn("TrustedTypes policy "+n+" could not be created."),null}};return function e(){var t=arguments.length>0&&void 0!==arguments[0]?arguments[0]:W(),r=function(t){return e(t)};if(r.version="2.1.0",r.removed=[],!t||!t.document||9!==t.document.nodeType)return r.isSupported=!1,r;var o=t.document,i=!1,a=t.document,l=t.DocumentFragment,c=t.HTMLTemplateElement,s=t.Node,x=t.NodeFilter,q=t.NamedNodeMap,K=void 0===q?t.NamedNodeMap||t.MozNamedAttrMap:q,V=t.Text,Y=t.Comment,X=t.DOMParser,$=t.trustedTypes;if("function"==typeof c){var Z=a.createElement("template");Z.content&&Z.content.ownerDocument&&(a=Z.content.ownerDocument)}var J=B($,o),Q=J&&Ne?J.createHTML(""):"",ee=a,te=ee.implementation,re=ee.createNodeIterator,ne=ee.getElementsByTagName,oe=ee.createDocumentFragment,ie=o.importNode,ae={};try{ae=k(a).documentMode?a.documentMode:{}}catch(e){}var le={};r.isSupported=te&&void 0!==te.createHTMLDocument&&9!==ae;var 
ce=F,se=C,ue=H,de=z,fe=U,pe=j,me=I,ye=null,he=S({},[].concat(G(_),G(D),G(E),G(L),G(M))),ge=null,ve=S({},[].concat(G(w),G(N),G(O),G(R))),be=null,Te=null,Ae=!0,xe=!0,Se=!1,ke=!1,_e=!1,De=!1,Ee=!1,Le=!1,Me=!1,we=!1,Ne=!1,Oe=!0,Re=!0,Fe=!1,Ce={},He=S({},["annotation-xml","audio","colgroup","desc","foreignobject","head","iframe","math","mi","mn","mo","ms","mtext","noembed","noframes","plaintext","script","style","svg","template","thead","title","video","xmp"]),ze=null,Ie=S({},["audio","video","img","source","image","track"]),Ue=null,je=S({},["alt","class","for","id","label","name","pattern","placeholder","summary","title","value","style","xmlns"]),Pe=null,Ge=a.createElement("form"),We=function(e){Pe&&Pe===e||(e&&"object"===(void 0===e?"undefined":P(e))||(e={}),e=k(e),ye="ALLOWED_TAGS"in e?S({},e.ALLOWED_TAGS):he,ge="ALLOWED_ATTR"in e?S({},e.ALLOWED_ATTR):ve,Ue="ADD_URI_SAFE_ATTR"in e?S(k(je),e.ADD_URI_SAFE_ATTR):je,ze="ADD_DATA_URI_TAGS"in e?S(k(Ie),e.ADD_DATA_URI_TAGS):Ie,be="FORBID_TAGS"in e?S({},e.FORBID_TAGS):{},Te="FORBID_ATTR"in e?S({},e.FORBID_ATTR):{},Ce="USE_PROFILES"in e&&e.USE_PROFILES,Ae=!1!==e.ALLOW_ARIA_ATTR,xe=!1!==e.ALLOW_DATA_ATTR,Se=e.ALLOW_UNKNOWN_PROTOCOLS||!1,ke=e.SAFE_FOR_TEMPLATES||!1,_e=e.WHOLE_DOCUMENT||!1,Le=e.RETURN_DOM||!1,Me=e.RETURN_DOM_FRAGMENT||!1,we=e.RETURN_DOM_IMPORT||!1,Ne=e.RETURN_TRUSTED_TYPE||!1,Ee=e.FORCE_BODY||!1,Oe=!1!==e.SANITIZE_DOM,Re=!1!==e.KEEP_CONTENT,Fe=e.IN_PLACE||!1,me=e.ALLOWED_URI_REGEXP||me,ke&&(xe=!1),Me&&(Le=!0),Ce&&(ye=S({},[].concat(G(M))),ge=[],!0===Ce.html&&(S(ye,_),S(ge,w)),!0===Ce.svg&&(S(ye,D),S(ge,N),S(ge,R)),!0===Ce.svgFilters&&(S(ye,E),S(ge,N),S(ge,R)),!0===Ce.mathMl&&(S(ye,L),S(ge,O),S(ge,R))),e.ADD_TAGS&&(ye===he&&(ye=k(ye)),S(ye,e.ADD_TAGS)),e.ADD_ATTR&&(ge===ve&&(ge=k(ge)),S(ge,e.ADD_ATTR)),e.ADD_URI_SAFE_ATTR&&S(Ue,e.ADD_URI_SAFE_ATTR),Re&&(ye["#text"]=!0),_e&&S(ye,["html","head","body"]),ye.table&&(S(ye,["tbody"]),delete 
be.tbody),n&&n(e),Pe=e)},Be=function(e){p(r.removed,{element:e});try{e.parentNode.removeChild(e)}catch(t){e.outerHTML=Q}},qe=function(e,t){try{p(r.removed,{attribute:t.getAttributeNode(e),from:t})}catch(e){p(r.removed,{attribute:null,from:t})}t.removeAttribute(e)},Ke=function(e){var t=void 0,r=void 0;if(Ee)e="<remove></remove>"+e;else{var n=h(e,/^[\r\n\t ]+/);r=n&&n[0]}var o=J?J.createHTML(e):e;try{t=(new X).parseFromString(o,"text/html")}catch(e){}if(i&&S(be,["title"]),!t||!t.documentElement){var l=(t=te.createHTMLDocument("")).body;l.parentNode.removeChild(l.parentNode.firstElementChild),l.outerHTML=o}return e&&r&&t.body.insertBefore(a.createTextNode(r),t.body.childNodes[0]||null),ne.call(t,_e?"html":"body")[0]};r.isSupported&&function(){try{var e=Ke("<x/><title></title><img>");T(/<\/title/,e.querySelector("title").innerHTML)&&(i=!0)}catch(e){}}();var Ve=function(e){return re.call(e.ownerDocument||e,e,x.SHOW_ELEMENT|x.SHOW_COMMENT|x.SHOW_TEXT,(function(){return x.FILTER_ACCEPT}),!1)},Ye=function(e){return!(e instanceof V||e instanceof Y)&&!("string"==typeof e.nodeName&&"string"==typeof e.textContent&&"function"==typeof e.removeChild&&e.attributes instanceof K&&"function"==typeof e.removeAttribute&&"function"==typeof e.setAttribute&&"string"==typeof e.namespaceURI)},Xe=function(e){return"object"===(void 0===s?"undefined":P(s))?e instanceof s:e&&"object"===(void 0===e?"undefined":P(e))&&"number"==typeof e.nodeType&&"string"==typeof e.nodeName},$e=function(e,t,n){le[e]&&u(le[e],(function(e){e.call(r,t,n,Pe)}))},Ze=function(e){var t=void 0;if($e("beforeSanitizeElements",e,null),Ye(e))return Be(e),!0;if(h(e.nodeName,/[\u0080-\uFFFF]/))return Be(e),!0;var n=y(e.nodeName);if($e("uponSanitizeElement",e,{tagName:n,allowedTags:ye}),!Xe(e.firstElementChild)&&(!Xe(e.content)||!Xe(e.content.firstElementChild))&&T(/<[!/\w]/g,e.innerHTML)&&T(/<[!/\w]/g,e.textContent))return Be(e),!0;if(!ye[n]||be[n]){if(Re&&!He[n]&&"function"==typeof e.insertAdjacentHTML)try{var 
o=e.innerHTML;e.insertAdjacentHTML("AfterEnd",J?J.createHTML(o):o)}catch(e){}return Be(e),!0}return"noscript"!==n&&"noembed"!==n||!T(/<\/no(script|embed)/i,e.innerHTML)?(ke&&3===e.nodeType&&(t=e.textContent,t=g(t,ce," "),t=g(t,se," "),e.textContent!==t&&(p(r.removed,{element:e.cloneNode()}),e.textContent=t)),$e("afterSanitizeElements",e,null),!1):(Be(e),!0)},Je=function(e,t,r){if(Oe&&("id"===t||"name"===t)&&(r in a||r in Ge))return!1;if(xe&&T(ue,t));else if(Ae&&T(de,t));else{if(!ge[t]||Te[t])return!1;if(Ue[t]);else if(T(me,g(r,pe,"")));else if("src"!==t&&"xlink:href"!==t&&"href"!==t||"script"===e||0!==v(r,"data:")||!ze[e]){if(Se&&!T(fe,g(r,pe,"")));else if(r)return!1}else;}return!0},Qe=function(e){var t=void 0,n=void 0,o=void 0,i=void 0,a=void 0;$e("beforeSanitizeAttributes",e,null);var l=e.attributes;if(l){var c={attrName:"",attrValue:"",keepAttr:!0,allowedAttributes:ge};for(a=l.length;a--;){var s=t=l[a],u=s.name,p=s.namespaceURI;if(n=b(t.value),o=y(u),c.attrName=o,c.attrValue=n,c.keepAttr=!0,c.forceKeepAttr=void 0,$e("uponSanitizeAttribute",e,c),n=c.attrValue,!c.forceKeepAttr){if("name"===o&&"IMG"===e.nodeName&&l.id)i=l.id,l=m(l,[]),qe("id",e),qe(u,e),d(l,i)>a&&e.setAttribute("id",i.value);else{if("INPUT"===e.nodeName&&"type"===o&&"file"===n&&c.keepAttr&&(ge[o]||!Te[o]))continue;"id"===u&&e.setAttribute(u,""),qe(u,e)}if(c.keepAttr)if(T(/\/>/i,n))qe(u,e);else{ke&&(n=g(n,ce," "),n=g(n,se," "));var h=e.nodeName.toLowerCase();if(Je(h,o,n))try{p?e.setAttributeNS(p,u,n):e.setAttribute(u,n),f(r.removed)}catch(e){}}}}$e("afterSanitizeAttributes",e,null)}},et=function e(t){var r=void 0,n=Ve(t);for($e("beforeSanitizeShadowDOM",t,null);r=n.nextNode();)$e("uponSanitizeShadowNode",r,null),Ze(r)||(r.content instanceof l&&e(r.content),Qe(r));$e("afterSanitizeShadowDOM",t,null)};return r.sanitize=function(e,n){var i=void 0,a=void 0,c=void 0,u=void 0,d=void 0;if(e||(e="\x3c!--\x3e"),"string"!=typeof e&&!Xe(e)){if("function"!=typeof e.toString)throw A("toString is not a 
function");if("string"!=typeof(e=e.toString()))throw A("dirty is not a string, aborting")}if(!r.isSupported){if("object"===P(t.toStaticHTML)||"function"==typeof t.toStaticHTML){if("string"==typeof e)return t.toStaticHTML(e);if(Xe(e))return t.toStaticHTML(e.outerHTML)}return e}if(De||We(n),r.removed=[],"string"==typeof e&&(Fe=!1),Fe);else if(e instanceof s)1===(a=(i=Ke("\x3c!--\x3e")).ownerDocument.importNode(e,!0)).nodeType&&"BODY"===a.nodeName||"HTML"===a.nodeName?i=a:i.appendChild(a);else{if(!Le&&!ke&&!_e&&-1===e.indexOf("<"))return J&&Ne?J.createHTML(e):e;if(!(i=Ke(e)))return Le?null:Q}i&&Ee&&Be(i.firstChild);for(var f=Ve(Fe?e:i);c=f.nextNode();)3===c.nodeType&&c===u||Ze(c)||(c.content instanceof l&&et(c.content),Qe(c),u=c);if(u=null,Fe)return e;if(Le){if(Me)for(d=oe.call(i.ownerDocument);i.firstChild;)d.appendChild(i.firstChild);else d=i;return we&&(d=ie.call(o,d,!0)),d}var p=_e?i.outerHTML:i.innerHTML;return ke&&(p=g(p,ce," "),p=g(p,se," ")),J&&Ne?J.createHTML(p):p},r.setConfig=function(e){We(e),De=!0},r.clearConfig=function(){Pe=null,De=!1},r.isValidAttribute=function(e,t,r){Pe||We({});var n=y(e),o=y(t);return Je(n,o,r)},r.addHook=function(e,t){"function"==typeof t&&(le[e]=le[e]||[],p(le[e],t))},r.removeHook=function(e){le[e]&&f(le[e])},r.removeHooks=function(e){le[e]&&(le[e]=[])},r.removeAllHooks=function(){le={}},r}()})); | ||
//# sourceMappingURL=purify.min.js.map |
@@ -109,3 +109,3 @@ { | ||
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.", | ||
"version": "2.0.17", | ||
"version": "2.1.0", | ||
"directories": { | ||
@@ -112,0 +112,0 @@ "test": "test" |
@@ -9,7 +9,7 @@ # DOMPurify | ||
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.0.17. | ||
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 2.1.0. | ||
DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing. | ||
Our automated tests cover [26 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v12.0.0 and v13.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). Older Node.js versions are known to work as well. | ||
Our automated tests cover [15 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v12.0.0 and v13.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom). Older Node.js versions are known to work as well. | ||
@@ -44,3 +44,3 @@ DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really. | ||
The resulting HTML can be written into a DOM element using `innerHTML` or the DOM using `document.write()`. That is fully up to you. But keep in mind, if you use the sanitized HTML with jQuery's very insecure `elm.html()` method, then the `SAFE_FOR_JQUERY` flag has to be set to make sure it's safe! Other than that, all is fine. | ||
The resulting HTML can be written into a DOM element using `innerHTML` or the DOM using `document.write()`. That is fully up to you. | ||
@@ -120,3 +120,3 @@ ### Is there any foot-gun potential? | ||
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` methods but requires the `SAFE_FOR_JQUERY` flag for that - see below. | ||
DOMPurify currently supports HTML5, SVG and MathML. DOMPurify per default allows CSS, HTML custom data attributes. DOMPurify also supports the Shadow DOM - and sanitizes DOM templates recursively. DOMPurify also allows you to sanitize HTML for being used with the jQuery `$()` and `elm.html()` API without any known problems. | ||
@@ -146,4 +146,2 @@ ## What about older browsers like MSIE8? | ||
*/ | ||
// make output safe for usage in jQuery's $()/html() method (default is false) | ||
var clean = DOMPurify.sanitize(dirty, {SAFE_FOR_JQUERY: true}); | ||
@@ -150,0 +148,0 @@ // strip {{ ... }} and <% ... %> to make output safe for template systems |