fix: Fixed an issue with comment detection and possible bypasses with…

… specific config settings, thanks @masatokinugawa fix: Removed the foreeignObject element from the lost of HTML entrypoints, thanks @masatokinugawa chore: Updated build and test dependencies
cure53 · Sep 26, 2024 · 4a9ec1f · 4a9ec1f
1 parent 50ea515
commit 4a9ec1f
Show file tree

Hide file tree

Showing 10 changed files with 55 additions and 58 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -720,7 +720,7 @@ function createDOMPurify() {
     CONFIG = cfg;
   };
   const MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
-  const HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'annotation-xml']);
+  const HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
 
   // Certain elements are allowed in both SVG and HTML
   // namespace. We need to specify them explicitly
@@ -1181,12 +1181,6 @@ function createDOMPurify() {
       _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
       value = hookEvent.attrValue;
 
-      /* Work around a security issue with comments inside attributes */
-      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
-        _removeAttribute(name, currentNode);
-        continue;
-      }
-
       /* Did the hooks approve of the attribute? */
       if (hookEvent.forceKeepAttr) {
         continue;
@@ -1230,6 +1224,12 @@ function createDOMPurify() {
         value = SANITIZE_NAMED_PROPS_PREFIX + value;
       }
 
+      /* Work around a security issue with comments inside attributes */
+      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
+        _removeAttribute(name, currentNode);
+        continue;
+      }
+
       /* Handle attributes that require Trusted Types */
       if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
         if (namespaceURI) ; else {

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/purify.js b/src/purify.js
@@ -659,10 +659,7 @@ function createDOMPurify(window = getGlobal()) {
     'mtext',
   ]);
 
-  const HTML_INTEGRATION_POINTS = addToSet({}, [
-    'foreignobject',
-    'annotation-xml',
-  ]);
+  const HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
 
   // Certain elements are allowed in both SVG and HTML
   // namespace. We need to specify them explicitly
@@ -1282,12 +1279,6 @@ function createDOMPurify(window = getGlobal()) {
       _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
       value = hookEvent.attrValue;
 
-      /* Work around a security issue with comments inside attributes */
-      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
-        _removeAttribute(name, currentNode);
-        continue;
-      }
-
       /* Did the hooks approve of the attribute? */
       if (hookEvent.forceKeepAttr) {
         continue;
@@ -1331,6 +1322,12 @@ function createDOMPurify(window = getGlobal()) {
         value = SANITIZE_NAMED_PROPS_PREFIX + value;
       }
 
+      /* Work around a security issue with comments inside attributes */
+      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
+        _removeAttribute(name, currentNode);
+        continue;
+      }
+
       /* Handle attributes that require Trusted Types */
       if (
         trustedTypesPolicy &&