Comparing changes

base repository: cure53/DOMPurify
base: 3.1.5
...
head repository: cure53/DOMPurify
compare: 3.1.6
  • 19 commits
  • 17 files changed
  • 3 contributors

Commits on Jun 16, 2024

  1. build(deps): bump braces from 3.0.2 to 3.0.3

    Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3.
    - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
    - [Commits](micromatch/braces@3.0.2...3.0.3)
    
    ---
    updated-dependencies:
    - dependency-name: braces
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jun 16, 2024
    b694896

Commits on Jun 17, 2024

  1. feat(docs): add removed options

    Make it easier to migrate from older versions.
    Rotzbua committed Jun 17, 2024
    b0e2592
  2. feat(website): add lang attribute to declare language

    Rotzbua committed Jun 17, 2024
    da6d639
  3. fix(typo): found by codespell

    Rotzbua committed Jun 17, 2024
    bb69e53

Commits on Jun 20, 2024

  1. Merge pull request #970 from cure53/dependabot/npm_and_yarn/braces-3.0.3

    build(deps): bump braces from 3.0.2 to 3.0.3
    cure53 authored Jun 20, 2024
    5a7a70a
  2. Merge pull request #972 from Rotzbua/feat_docs_removed_options

    feat(docs): add removed options
    cure53 authored Jun 20, 2024
    9518bba
  3. build(deps): bump ws and socket.io

    Bumps [ws](https://github.com/websockets/ws) and [socket.io](https://github.com/socketio/socket.io). These dependencies needed to be updated together.
    
    Updates `ws` from 8.11.0 to 8.17.1
    - [Release notes](https://github.com/websockets/ws/releases)
    - [Commits](websockets/ws@8.11.0...8.17.1)
    
    Updates `socket.io` from 4.6.1 to 4.7.5
    - [Release notes](https://github.com/socketio/socket.io/releases)
    - [Changelog](https://github.com/socketio/socket.io/blob/main/CHANGELOG.md)
    - [Commits](socketio/socket.io@4.6.1...4.7.5)
    
    ---
    updated-dependencies:
    - dependency-name: ws
      dependency-type: indirect
    - dependency-name: socket.io
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jun 20, 2024
    082bc00
  4. Merge pull request #973 from Rotzbua/fix_typos

    fix(typo): found by `codespell`
    cure53 authored Jun 20, 2024
    3bff1af
  5. Merge pull request #974 from Rotzbua/feat_website_lang

    feat(website): add lang attribute to declare language
    cure53 authored Jun 20, 2024
    d0d93ec
  6. Merge pull request #975 from cure53/dependabot/npm_and_yarn/multi-2d3…

    …aef8690
    
    build(deps): bump ws and socket.io
    cure53 authored Jun 20, 2024
    b8b552c

Commits on Jun 25, 2024

  1. fix: Changed the order for attribute checks slightly for safer hooks

    cure53 committed Jun 25, 2024
    fa542df
  2. docs: Added better security warning about SAFE_FOR_XML to README

    cure53 committed Jun 25, 2024
    9978cec

Commits on Jul 2, 2024

  1. build(deps): bump ws and socket.io-adapter

    Bumps [ws](https://github.com/websockets/ws) and [socket.io-adapter](https://github.com/socketio/socket.io-adapter). These dependencies needed to be updated together.
    
    Updates `ws` from 8.11.0 to 8.17.1
    - [Release notes](https://github.com/websockets/ws/releases)
    - [Commits](websockets/ws@8.11.0...8.17.1)
    
    Updates `socket.io-adapter` from 2.5.2 to 2.5.5
    - [Release notes](https://github.com/socketio/socket.io-adapter/releases)
    - [Changelog](https://github.com/socketio/socket.io-adapter/blob/main/CHANGELOG.md)
    - [Commits](socketio/socket.io-adapter@2.5.2...2.5.5)
    
    ---
    updated-dependencies:
    - dependency-name: ws
      dependency-type: indirect
    - dependency-name: socket.io-adapter
      dependency-type: indirect
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Jul 2, 2024
    e5112ec
  2. Merge pull request #977 from cure53/dependabot/npm_and_yarn/multi-99c…

    …a4f73d8
    
    build(deps): bump ws and socket.io-adapter
    cure53 authored Jul 2, 2024
    f8c2ef5

Commits on Jul 4, 2024

  1. fix: Fixed a DOM clobbering issue leading to an error being thrown

    cure53 committed Jul 4, 2024
    00fc06c
  2. 6e03334

Commits on Jul 5, 2024

  1. 65df042
  2. 90a10a1
  3. Merge pull request #978 from cure53/main

    Getting 3.x branch ready for 3.1.6 release
    cure53 authored Jul 5, 2024
    4083a90
Showing with 221 additions and 157 deletions.
  1. +11 −2 README.md
  2. +1 −1 bower.json
  3. +13 −14 dist/purify.cjs.js
  4. +1 −1 dist/purify.cjs.js.map
  5. +13 −14 dist/purify.es.mjs
  6. +1 −1 dist/purify.es.mjs.map
  7. +13 −14 dist/purify.js
  8. +1 −1 dist/purify.js.map
  9. +2 −2 dist/purify.min.js
  10. +1 −1 dist/purify.min.js.map
  11. +141 −85 package-lock.json
  12. +1 −1 package.json
  13. +11 −9 src/purify.js
  14. +3 −3 test/fixtures/expect.mjs
  15. +1 −1 test/karma.custom-launchers.config.js
  16. +4 −4 test/test-suite.js
  17. +3 −3 website/index.html
13 changes: 11 additions & 2 deletions README.md
@@ -6,11 +6,11 @@

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.5**.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.6**.

DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.

**Note that [DOMPurify v2.5.5](https://github.com/cure53/DOMPurify/releases/tag/2.5.5) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
**Note that [DOMPurify v2.5.6](https://github.com/cure53/DOMPurify/releases/tag/2.5.6) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**

Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
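Review bot: the browser-count link in the last context line points at `test/karma.custom-launchers.config.js#L5` on `main`, and a line anchor on a moving branch drifts as soon as the file is edited (this very compare changes that file, +1 −1); pin it to the release tag, e.g. `.../blob/3.1.6/test/karma.custom-launchers.config.js#L5`, or drop the `#L5`. The Node.js coverage sentence still stops at v19.x; if the CI matrix has moved on, update it in the same version-bump commit so the README does not advertise stale support alongside the new **v3.1.6** label.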

@@ -181,6 +181,9 @@ const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_TEMPLATES: true});


// change how e.g. comments containing risky HTML characters are treated.
// be very careful, this setting should only be set to `false` if you really only handle
// HTML and nothing else, no SVG, MathML or the like.
// Otherwise, changing from `true` to `false` will lead to XSS in this or some other way.
const clean = DOMPurify.sanitize(dirty, {SAFE_FOR_XML: false});
```
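Review bot: the new comment warns that flipping `SAFE_FOR_XML` to `false` "will lead to XSS in this or some other way" but never says what the option does or that `true` is the default, so a reader cannot judge the trade-off. Suggest stating the concrete effect, which matches the check in `src/purify.js` further down in this compare (`/((--!?|])>)|<\/(style|title)/i`): `// SAFE_FOR_XML (default true) removes attributes whose value contains a comment/CDATA closer such as "-->", "--!>" or "]>" or a closing </style> / </title> tag;` `// only set it to false when the output is plain HTML, because in SVG, MathML or XML contexts those sequences let attribute text escape the attribute.` That also gives hook authors a precise rule to test against.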

@@ -378,6 +381,12 @@ DOMPurify.addHook(
);
```
## Removed Configuration
| Option | Since | Note |
|-----------------|-------|--------------------------|
| SAFE_FOR_JQUERY | 2.1.0 | No replacement required. |
## Continuous Integration
We are currently using Github Actions in combination with BrowserStack. This gives us the possibility to confirm for each and every commit that all is going according to plan in all supported browsers. Check out the build logs here: https://github.com/cure53/DOMPurify/actions
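Review bot: the `Since` column of the new table is ambiguous: it reads as "available since", whereas the section is about removed options; rename it to `Removed in` (per this row, `SAFE_FOR_JQUERY` was dropped in 2.1.0). The section also lacks the blank lines the rest of the README uses around headings and tables: there is none between the closing ``` ``` ``` and `## Removed Configuration`, and none between the last table row and `## Continuous Integration`, which several markdown renderers need to terminate the table.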
2 changes: 1 addition & 1 deletion bower.json
@@ -1,6 +1,6 @@
{
"name": "dompurify",
"version": "3.1.5",
"version": "3.1.6",
"homepage": "https://github.com/cure53/DOMPurify",
"author": "Cure53 <info@cure53.de>",
"description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
27 changes: 13 additions & 14 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

27 changes: 13 additions & 14 deletions dist/purify.es.mjs
@@ -1,4 +1,4 @@
/*! @license DOMPurify 3.1.5 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.5/LICENSE */
/*! @license DOMPurify 3.1.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.6/LICENSE */

const {
entries,
@@ -209,11 +209,9 @@ const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-
const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
);

const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
);

const DOCTYPE_NAME = seal(/^html$/i);
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);

@@ -248,7 +246,6 @@ const NODE_TYPE = {
documentFragment: 11,
notation: 12 // Deprecated
};

const getGlobal = function getGlobal() {
return typeof window === 'undefined' ? null : window;
};
@@ -300,7 +297,7 @@ function createDOMPurify() {
* Version label, exposed for easier checks
* if DOMPurify is up to date or not
*/
DOMPurify.version = '3.1.5';
DOMPurify.version = '3.1.6';

/**
* Array of elements that DOMPurify removed during sanitation.
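Review bot: the version string is hand-edited in at least five places in this compare (README, bower.json, package.json, the license banner at the top of this file and the `DOMPurify.version = '3.1.6'` literal here). `DOMPurify.version` is what integrators check at runtime, so have the build inject it from package.json so the banner and this literal cannot disagree on a future bump; the dist files are generated anyway.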
@@ -331,6 +328,7 @@ function createDOMPurify() {
} = window;
const ElementPrototype = Element.prototype;
const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
const remove = lookupGetter(ElementPrototype, 'remove');
const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
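Review bot: `remove` is a very generic identifier inside this large closure; since it follows the existing `cloneNode` pattern of capturing the prototype method up front so that a later call cannot be redirected by a DOM-clobbered property on the node (the fix from commit 00fc06c, "Fixed a DOM clobbering issue leading to an error being thrown"), name it to match its neighbours, e.g. `removeNode`, and add a one-line comment saying it is captured for that reason, otherwise the next refactor may "simplify" it back to `node.remove()`.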
@@ -831,9 +829,9 @@ function createDOMPurify() {
});
try {
// eslint-disable-next-line unicorn/prefer-dom-node-remove
node.parentNode.removeChild(node);
getParentNode(node).removeChild(node);
} catch (_) {
node.remove();
remove(node);
}
};
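Review bot: `getParentNode(node).removeChild(node)` makes the parent lookup clobber-proof, but `removeChild` itself is still resolved on the parent at call time, so the fix is only half applied on that line; capture it the same way (`lookupGetter(Node.prototype, 'removeChild')` or from `ElementPrototype`, as done for `remove` above) instead of relying on the `catch` to paper over it. The fallback `remove(node)` is safe for a detached node (`ChildNode.remove()` is a no-op when there is no parent), but the bare `catch (_)` also swallows any unrelated error; a short comment naming the clobbering case it exists for would stop someone tightening it later and reintroducing the thrown error.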

@@ -1010,7 +1008,7 @@ function createDOMPurify() {
return true;
}

/* Remove any ocurrence of processing instructions */
/* Remove any occurrence of processing instructions */
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
_forceRemove(currentNode);
return true;
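Review bot: while fixing "ocurrence", `NODE_TYPE.progressingInstruction` on the next line looks like the same kind of typo: the comment says "processing instructions" and nodeType 7 is `PROCESSING_INSTRUCTION_NODE`. Rename the key to `processingInstruction` in the `NODE_TYPE` object in src/purify.js (the object is shown in the `@@ -248,7 +246,6 @@` hunk above) and update this use; the dist files will follow from the build.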
@@ -1179,6 +1177,13 @@ function createDOMPurify() {
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
value = hookEvent.attrValue;

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Did the hooks approve of the attribute? */
if (hookEvent.forceKeepAttr) {
continue;
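Review bot: moving the `SAFE_FOR_XML` check ahead of the `forceKeepAttr` test is a behaviour change for hook authors: a `uponSanitizeAttribute` hook can no longer force-keep an attribute whose value matches `((--!?|])>)|<\/(style|title)`. That is the intended hardening from commit fa542df ("Changed the order for attribute checks slightly for safer hooks"), but it should be called out in the README hooks section and the release notes, since integrators who relied on `forceKeepAttr` will see attributes disappear. Testing `hookEvent.attrValue` after the hook has run (rather than the original value) is the right order, because the hook may have rewritten it.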
@@ -1198,12 +1203,6 @@ function createDOMPurify() {
continue;
}

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

27 changes: 13 additions & 14 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

Loading