.babelrc

@@ -4,11 +4,11 @@
       "@babel/preset-env",
       {
         "targets": {
-          "chrome": 22,
-          "firefox": 15,
-          "opera": 31,
-          "safari": 8,
-          "edge": 13
+          "chrome": 51,
+          "firefox": 53,
+          "opera": 38,
+          "safari": 11,
+          "edge": 51
         },
         "modules": false
       }

README.md

@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 3.0.1.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.2**.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 
@@ -271,13 +271,13 @@ var clean = DOMPurify.sanitize(dirty, {ADD_URI_SAFE_ATTR: ['my-attr']});
  * Control permitted attribute values
  */
 // allow external protocol handlers in URL attributes (default is false, be careful, XSS risk)
-// by default only http, https, ftp, ftps, tel, mailto, callto, cid and xmpp are allowed.
+// by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid and xmpp are allowed.
 var clean = DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true});
 
 // allow specific protocols handlers in URL attributes via regex (default is false, be careful, XSS risk)
-// by default only http, https, ftp, ftps, tel, mailto, callto, cid and xmpp are allowed.
-// Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
-var clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;});
+// by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid and xmpp are allowed.
+// Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
+var clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;});
 
 /**
  * Influence the return-type

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "DOMPurify",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "homepage": "https://github.com/cure53/DOMPurify",
   "author": "Cure53 <info@cure53.de>",
   "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",

package.json

@@ -64,7 +64,6 @@
     "@babel/core": "^7.17.8",
     "@babel/preset-env": "^7.16.11",
     "@rollup/plugin-babel": "^5.3.1",
-    "@rollup/plugin-commonjs": "^21.0.3",
     "@rollup/plugin-node-resolve": "^13.1.3",
     "@rollup/plugin-replace": "^4.0.0",
     "@types/dompurify": "^2.3.3",
@@ -98,7 +97,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.0.1",
+  "version": "3.0.2",
   "directories": {
     "test": "test"
   },

src/purify.js

@@ -479,7 +479,7 @@ function createDOMPurify(window = getGlobal()) {
     SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
     KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
     IN_PLACE = cfg.IN_PLACE || false; // Default false
-    IS_ALLOWED_URI = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI;
+    IS_ALLOWED_URI = cfg.ALLOWED_URI_REGEXP || EXPRESSIONS.IS_ALLOWED_URI;
     NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
     CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
     if (

src/regexp.js

@@ -7,7 +7,7 @@ export const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
 export const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
 export const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
 export const IS_ALLOWED_URI = seal(
-  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
+  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
 );
 export const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
 export const ATTR_WHITESPACE = seal(

src/tags.js

@@ -254,6 +254,7 @@ export const mathMl = freeze([
   'mtr',
   'munder',
   'munderover',
+  'mprescripts',
 ]);
 
 // Similarly to SVG, we want to know all MathML elements,

test/fixtures/expect.js → test/fixtures/expect.mjs

@@ -1,4 +1,4 @@
-module.exports = [
+export default [
   {
       "title": "Don't remove data URIs from SVG images (see #205)",
       "payload": "<svg><image id=\"v-146\" width=\"500\" height=\"500\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" xlink:href=\"data:image/svg+xml;utf8,%3Csvg%20viewBox%3D%220%200%20100%20100%22%20height%3D%22100%22%20width%3D%22100%22%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20data-name%3D%22Layer%201%22%20id%3D%22Layer_1%22%3E%0A%20%20%3Ctitle%3ECompute%3C%2Ftitle%3E%0A%20%20%3Cg%3E%0A%20%20%20%20%3Crect%20fill%3D%22%239d5025%22%20ry%3D%229.12%22%20rx%3D%229.12%22%20height%3D%2253%22%20width%3D%2253%22%20y%3D%2224.74%22%20x%3D%2223.5%22%3E%3C%2Frect%3E%0A%20%20%20%20%3Crect%20fill%3D%22%23f58536%22%20ry%3D%229.12%22%20rx%3D%229.12%22%20height%3D%2253%22%20width%3D%2253%22%20y%3D%2222.26%22%20x%3D%2223.5%22%3E%3C%2Frect%3E%0A%20%20%3C%2Fg%3E%0A%3C%2Fsvg%3E\" preserveratio=\"true\" style=\"border-color: rgb(51, 51, 51); box-sizing: border-box; color: rgb(51, 51, 51); cursor: move; font-family: sans-serif; font-size: 14px; line-height: 20px; outline-color: rgb(51, 51, 51); text-size-adjust: 100%; column-rule-color: rgb(51, 51, 51); -webkit-font-smoothing: antialiased; -webkit-tap-highlight-color: rgba(0, 0, 0, 0); -webkit-text-emphasis-color: rgb(51, 51, 51); -webkit-text-fill-color: rgb(51, 51, 51); -webkit-text-stroke-color: rgb(51, 51, 51); user-select: none; vector-effect: non-scaling-stroke;\"></image></svg>",

test/jsdom-node-runner.js

@@ -20,6 +20,5 @@ qunitTap(QUnit, (line) => {
   console.log(line);
 });
 
-require('./jsdom-node');
-
-QUnit.load();
+const startQUnit = require('./jsdom-node');
+startQUnit().then(() => QUnit.load());

test/jsdom-node.js

@@ -15,39 +15,44 @@ require('jquery')(window);
 
 const sanitizeTestSuite = require('./test-suite');
 const bootstrapTestSuite = require('./bootstrap-test-suite');
-const tests = require('./fixtures/expect');
-const xssTests = tests.filter((element) => /alert/.test(element.payload));
 
-QUnit.assert.contains = function (actual, expected, message) {
-  const result = expected.indexOf(actual) > -1;
-  // Ref: https://api.qunitjs.com/assert/pushResult/
-  this.pushResult({
-    result: result,
-    actual: actual,
-    expected: expected,
-    message: message,
-  });
-};
+async function startQUnit() {
+  const { default: tests } = await import('./fixtures/expect.mjs');
+  const xssTests = tests.filter((element) => /alert/.test(element.payload));
 
-QUnit.config.autostart = false;
+  QUnit.assert.contains = function (actual, expected, message) {
+    const result = expected.indexOf(actual) > -1;
+    // Ref: https://api.qunitjs.com/assert/pushResult/
+    this.pushResult({
+      result: result,
+      actual: actual,
+      expected: expected,
+      message: message,
+    });
+  };
 
-QUnit.module('DOMPurify - bootstrap', bootstrapTestSuite(JSDOM));
+  QUnit.config.autostart = false;
 
-QUnit.module('DOMPurify in jsdom');
+  QUnit.module('DOMPurify - bootstrap', bootstrapTestSuite(JSDOM));
 
-if (!window.jQuery) {
-  console.warn('Unable to load jQuery');
-}
+  QUnit.module('DOMPurify in jsdom');
 
-const DOMPurify = createDOMPurify(window);
-if (!DOMPurify.isSupported) {
-  console.error('Unexpected error returned by jsdom.env():', err, err.stack);
-  process.exit(1);
-}
+  if (!window.jQuery) {
+    console.warn('Unable to load jQuery');
+  }
+
+  const DOMPurify = createDOMPurify(window);
+  if (!DOMPurify.isSupported) {
+    console.error('Unexpected error returned by jsdom.env():', err, err.stack);
+    process.exit(1);
+  }
 
-window.alert = () => {
-  window.xssed = true;
-};
+  window.alert = () => {
+    window.xssed = true;
+  };
+
+  sanitizeTestSuite(DOMPurify, window, tests, xssTests);
+  QUnit.start();
+}
 
-sanitizeTestSuite(DOMPurify, window, tests, xssTests);
-QUnit.start();
+module.exports = startQUnit;

test/karma.conf.js

@@ -1,12 +1,10 @@
-const commonjs = require('@rollup/plugin-commonjs');
 const includePaths = require('rollup-plugin-includepaths');
 const rollupConfig = require('../rollup.config.js');
 const customLaunchers =
   require('./karma.custom-launchers.config.js').customLaunchers;
 const browsers = require('./karma.custom-launchers.config.js').browsers;
 
 rollupConfig.plugins.push(
-  commonjs(),
   includePaths({
     include: {
       purify: 'dist/purify.js',

test/purify.min.spec.js

@@ -1,6 +1,6 @@
 import 'purify.min';
 import './test-suite';
-import tests from './fixtures/expect';
+import tests from './fixtures/expect.mjs';
 
 const xssTests = tests.filter(function (element) {
   if (/alert/.test(element.payload)) {

test/purify.spec.js

@@ -1,6 +1,6 @@
 import 'purify';
 import './test-suite';
-import tests from './fixtures/expect';
+import tests from './fixtures/expect.mjs';
 
 const xssTests = tests.filter(function (element) {
   if (/alert/.test(element.payload)) {

test/test-suite.js

@@ -1416,6 +1416,21 @@
         assert.equal(str, test.expected);
       });
     });
+    QUnit.test('Ensure ALLOWED_URI_REGEXP is not cached', function(assert) {
+      const 
+        dirty = '<img src="https://different.com">',
+        expected = '<img src="https://different.com">';
+
+      assert.equal(DOMPurify.sanitize(dirty), expected);
+
+      // sanitize with a custom URI regexp
+      assert.equal(DOMPurify.sanitize('<img src="https://test.com">', {
+        ALLOWED_URI_REGEXP: /test\.com/i
+      }), '<img src="https://test.com">');
+
+      // ensure that the previous regexp does not affect future santize calls
+      assert.equal(DOMPurify.sanitize(dirty), expected);
+    });
     QUnit.test(
       'Avoid freeze when using tables and ALLOW_TAGS',
       function (assert) {
@@ -2059,6 +2074,9 @@
       // set the same hook
       DOMPurify.addHook(entryPoint, hookFunction);
       assert.equal(DOMPurify.sanitize(dirty), expected);
+
+      // cleanup hook
+      DOMPurify.removeHook(entryPoint);
     });
   };
 });

website/index.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="UTF-8">
-        <title>DOMPurify 3.0.1 "Lemon Juice"</title>
+        <title>DOMPurify 3.0.2 "Green Island"</title>
         <script src="../dist/purify.min.js"></script>
         <!-- we don't actually need it - just to demo and test the $(html) sanitation -->
         <script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
@@ -23,7 +23,7 @@
         </script>
     </head>
     <body>
-        <h4>DOMPurify 3.0.1 "Lemon Juice"</h4>
+        <h4>DOMPurify 3.0.2 "Green Island"</h4>
         <p>
             <a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>  
             <a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>