Skip to content

Commit

Permalink
Merge pull request #964 from cure53/main
Browse files Browse the repository at this point in the history
Getting 3.x branch ready for 3.1.5 release
  • Loading branch information
cure53 authored May 31, 2024
2 parents 7517e9c + 16a46de commit 6676133
Show file tree
Hide file tree
Showing 15 changed files with 29 additions and 276 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.4**.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.5**.

DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.

**Note that [DOMPurify v2.5.4](https://github.com/cure53/DOMPurify/releases/tag/2.5.4) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
**Note that [DOMPurify v2.5.5](https://github.com/cure53/DOMPurify/releases/tag/2.5.5) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**

Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.

Expand Down
4 changes: 2 additions & 2 deletions bower.json
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
{
"name": "dompurify",
"version": "3.1.4",
"version": "3.1.5",
"homepage": "https://github.com/cure53/DOMPurify",
"author": "Cure53 <[email protected]>",
"description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
"main": "src/purify.js",
"main": "dist/purify.min.js",
"keywords": [
"dom",
"xss",
Expand Down
65 changes: 4 additions & 61 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

65 changes: 4 additions & 61 deletions dist/purify.es.mjs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
/*! @license DOMPurify 3.1.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.4/LICENSE */
/*! @license DOMPurify 3.1.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.5/LICENSE */

const {
entries,
Expand Down Expand Up @@ -48,10 +48,6 @@ const stringTrim = unapply(String.prototype.trim);
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
const regExpTest = unapply(RegExp.prototype.test);
const typeErrorCreate = unconstruct(TypeError);
function numberIsNaN(x) {
// eslint-disable-next-line unicorn/prefer-number-properties
return typeof x === 'number' && isNaN(x);
}

/**
* Creates a new function that calls the given function with a specified thisArg and arguments.
Expand Down Expand Up @@ -304,7 +300,7 @@ function createDOMPurify() {
* Version label, exposed for easier checks
* if DOMPurify is up to date or not
*/
DOMPurify.version = '3.1.4';
DOMPurify.version = '3.1.5';

/**
* Array of elements that DOMPurify removed during sanitation.
Expand Down Expand Up @@ -537,9 +533,6 @@ function createDOMPurify() {
/* Keep a reference to config to pass to hooks */
let CONFIG = null;

/* Specify the maximum element nesting depth to prevent mXSS */
const MAX_NESTING_DEPTH = 255;

/* Ideally, do not touch anything below this line */
/* ______________________________________________ */

Expand Down Expand Up @@ -950,11 +943,7 @@ function createDOMPurify() {
* @return {Boolean} true if clobbered, false if safe
*/
const _isClobbered = function _isClobbered(elm) {
return elm instanceof HTMLFormElement && (
// eslint-disable-next-line unicorn/no-typeof-undefined
typeof elm.__depth !== 'undefined' && typeof elm.__depth !== 'number' ||
// eslint-disable-next-line unicorn/no-typeof-undefined
typeof elm.__removalCount !== 'undefined' && typeof elm.__removalCount !== 'number' || typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' || typeof elm.textContent !== 'string' || typeof elm.removeChild !== 'function' || !(elm.attributes instanceof NamedNodeMap) || typeof elm.removeAttribute !== 'function' || typeof elm.setAttribute !== 'function' || typeof elm.namespaceURI !== 'string' || typeof elm.insertBefore !== 'function' || typeof elm.hasChildNodes !== 'function');
};

/**
Expand Down Expand Up @@ -1105,7 +1094,7 @@ function createDOMPurify() {
// eslint-disable-next-line complexity
const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
/* Make sure attribute cannot clobber */
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement || value === '__depth' || value === '__removalCount')) {
if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
return false;
}

Expand Down Expand Up @@ -1296,32 +1285,9 @@ function createDOMPurify() {
if (_sanitizeElements(shadowNode)) {
continue;
}
const parentNode = getParentNode(shadowNode);

/* Set the nesting depth of an element */
if (shadowNode.nodeType === NODE_TYPE.element) {
if (parentNode && parentNode.__depth) {
/*
We want the depth of the node in the original tree, which can
change when it's removed from its parent.
*/
shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
} else {
shadowNode.__depth = 1;
}
}

/*
* Remove an element if nested too deeply to avoid mXSS
* or if the __depth might have been tampered with
*/
if (shadowNode.__depth >= MAX_NESTING_DEPTH || shadowNode.__depth < 0 || numberIsNaN(shadowNode.__depth)) {
_forceRemove(shadowNode);
}

/* Deep shadow DOM detected */
if (shadowNode.content instanceof DocumentFragment) {
shadowNode.content.__depth = shadowNode.__depth;
_sanitizeShadowDOM(shadowNode.content);
}

Expand Down Expand Up @@ -1437,32 +1403,9 @@ function createDOMPurify() {
if (_sanitizeElements(currentNode)) {
continue;
}
const parentNode = getParentNode(currentNode);

/* Set the nesting depth of an element */
if (currentNode.nodeType === NODE_TYPE.element) {
if (parentNode && parentNode.__depth) {
/*
We want the depth of the node in the original tree, which can
change when it's removed from its parent.
*/
currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
} else {
currentNode.__depth = 1;
}
}

/*
* Remove an element if nested too deeply to avoid mXSS
* or if the __depth might have been tampered with
*/
if (currentNode.__depth >= MAX_NESTING_DEPTH || currentNode.__depth < 0 || numberIsNaN(currentNode.__depth)) {
_forceRemove(currentNode);
}

/* Shadow DOM detected, sanitize it */
if (currentNode.content instanceof DocumentFragment) {
currentNode.content.__depth = currentNode.__depth;
_sanitizeShadowDOM(currentNode.content);
}

Expand Down
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

65 changes: 4 additions & 61 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

Loading

0 comments on commit 6676133

Please sign in to comment.