Comparing changes

base repository: cure53/DOMPurify
base: 3.0.9
head repository: cure53/DOMPurify
compare: 3.0.10
  • 6 commits
  • 15 files changed
  • 2 contributors

Commits on Mar 3, 2024

  1. fix: Fixed a possible issue with XML processing instructions deployed in HTML

    cure53 committed Mar 3, 2024
    1b59639

Commits on Mar 4, 2024

  1. fix: added a fix to handle invalid HTML Custom Element tagNames better

    cure53 committed Mar 4, 2024
    fcb9dbd

Commits on Mar 16, 2024

  1. build(deps-dev): bump follow-redirects from 1.15.4 to 1.15.6

    Bumps [follow-redirects](https://github.com/follow-redirects/follow-redirects) from 1.15.4 to 1.15.6.
    - [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
    - [Commits](follow-redirects/follow-redirects@v1.15.4...v1.15.6)
    
    ---
    updated-dependencies:
    - dependency-name: follow-redirects
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Mar 16, 2024
    aaa6da1

Commits on Mar 17, 2024

  1. Merge pull request #915 from cure53/dependabot/npm_and_yarn/follow-redirects-1.15.6

    build(deps-dev): bump follow-redirects from 1.15.4 to 1.15.6
    cure53 authored Mar 17, 2024
    dbc1d26

Commits on Mar 19, 2024

  1. chore: Preparing 3.0.10 release

    cure53 committed Mar 19, 2024
    51eea81
  2. Merge pull request #917 from cure53/main

     Getting 3.x branch ready for 3.0.10 release
    cure53 authored Mar 19, 2024
    f2b637f
Showing with 54 additions and 40 deletions.
  1. +2 −2 README.md
  2. +1 −1 bower.json
  3. +9 −6 dist/purify.cjs.js
  4. +1 −1 dist/purify.cjs.js.map
  5. +9 −6 dist/purify.es.mjs
  6. +1 −1 dist/purify.es.mjs.map
  7. +9 −6 dist/purify.js
  8. +1 −1 dist/purify.js.map
  9. +2 −2 dist/purify.min.js
  10. +1 −1 dist/purify.min.js.map
  11. +8 −8 package-lock.json
  12. +1 −1 package.json
  13. +6 −2 src/purify.js
  14. +1 −0 src/regexp.js
  15. +2 −2 website/index.html
4 changes: 2 additions & 2 deletions README.md
@@ -6,11 +6,11 @@

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.9**.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.10**.

DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.

**Note that [DOMPurify v2.4.7](https://github.com/cure53/DOMPurify/releases/tag/2.4.6) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
**Note that [DOMPurify v2.4.8](https://github.com/cure53/DOMPurify/releases/tag/2.4.8) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**

Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.

2 changes: 1 addition & 1 deletion bower.json
@@ -1,6 +1,6 @@
{
"name": "DOMPurify",
"version": "3.0.9",
"version": "3.0.10",
"homepage": "https://github.com/cure53/DOMPurify",
"author": "Cure53 <info@cure53.de>",
"description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
15 changes: 9 additions & 6 deletions dist/purify.cjs.js

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

15 changes: 9 additions & 6 deletions dist/purify.es.mjs
@@ -1,4 +1,4 @@
/*! @license DOMPurify 3.0.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.9/LICENSE */
/*! @license DOMPurify 3.0.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.10/LICENSE */

const {
entries,
@@ -215,6 +215,7 @@ const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205
);

const DOCTYPE_NAME = seal(/^html$/i);
const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);

var EXPRESSIONS = /*#__PURE__*/Object.freeze({
__proto__: null,
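Review bot: the new `CUSTOM_ELEMENT` pattern `/^[a-z][a-z\d]*(-[a-z\d]+)+$/i` is considerably narrower than the HTML standard's definition of a valid custom element name, and nothing next to the constant documents that. The standard also permits `.`, `_`, a range of non-ASCII characters and empty segments around hyphens (for example `x-`), while it forbids the uppercase letters that the `i` flag lets through. If the strictness is intentional hardening, add a comment above the constant saying so and note for users that names such as `my-el_v2` will stop passing the basic custom-element check once `_isBasicCustomElement` uses this pattern; otherwise widen the character class to match the standard.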
@@ -226,7 +227,8 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
IS_ALLOWED_URI: IS_ALLOWED_URI,
IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
ATTR_WHITESPACE: ATTR_WHITESPACE,
DOCTYPE_NAME: DOCTYPE_NAME
DOCTYPE_NAME: DOCTYPE_NAME,
CUSTOM_ELEMENT: CUSTOM_ELEMENT
});

const getGlobal = function getGlobal() {
@@ -280,7 +282,7 @@ function createDOMPurify() {
* Version label, exposed for easier checks
* if DOMPurify is up to date or not
*/
DOMPurify.version = '3.0.9';
DOMPurify.version = '3.0.10';

/**
* Array of elements that DOMPurify removed during sanitation.
@@ -351,7 +353,8 @@ function createDOMPurify() {
DATA_ATTR,
ARIA_ATTR,
IS_SCRIPT_OR_DATA,
ATTR_WHITESPACE
ATTR_WHITESPACE,
CUSTOM_ELEMENT
} = EXPRESSIONS;
let {
IS_ALLOWED_URI: IS_ALLOWED_URI$1
@@ -906,7 +909,7 @@ function createDOMPurify() {
const _createNodeIterator = function _createNodeIterator(root) {
return createNodeIterator.call(root.ownerDocument || root, root,
// eslint-disable-next-line no-bitwise
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null);
NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
};

/**
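Review bot: the `whatToShow` mask in `_createNodeIterator` now includes `NodeFilter.SHOW_PROCESSING_INSTRUCTION`, but that only makes the iterator return those nodes; the hunk does not show how the sanitize loop treats them. Please confirm that a processing-instruction node reaches a removal path rather than being passed through code that assumes an element, text or comment node, and add a regression test that feeds a processing instruction inside HTML input, since the changed-file list for this range contains no test files.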
@@ -1088,7 +1091,7 @@ function createDOMPurify() {
* @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
*/
const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
};

/**
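Review bot: in `_isBasicCustomElement` the return expression is now `tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT)`, which, if `stringMatch` wraps `String.prototype.match` as its name suggests, evaluates to a match array or `null` rather than the boolean that the `@returns {boolean}` line promises. Callers that only test truthiness are unaffected, but a strict comparison against `true` or `false` would misbehave; use a `RegExp.prototype.test`-style helper or coerce with `!== null` so the documented return type holds.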
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

15 changes: 9 additions & 6 deletions dist/purify.js

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.
