chore: Update DOMPurify to version 3.1.6

Théophile Diot 2024-07-05 14:31:28 +01:00
parent 969561c619
commit 3033fbd474
No known key found for this signature in database
GPG key ID: FA995104A0BA376A
2 changed files with 13 additions and 11 deletions

File diff suppressed because one or more lines are too long


@ -135,6 +135,7 @@ function createDOMPurify(window = getGlobal()) {
const ElementPrototype = Element.prototype;
const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
const remove = lookupGetter(ElementPrototype, 'remove');
const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
@ -807,9 +808,9 @@ function createDOMPurify(window = getGlobal()) {
try {
// eslint-disable-next-line unicorn/prefer-dom-node-remove
node.parentNode.removeChild(node);
getParentNode(node).removeChild(node);
} catch (_) {
node.remove();
remove(node);
}
};
@ -1034,7 +1035,7 @@ function createDOMPurify(window = getGlobal()) {
return true;
}
/* Remove any ocurrence of processing instructions */
/* Remove any occurrence of processing instructions */
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
_forceRemove(currentNode);
return true;
@ -1280,6 +1281,13 @@ function createDOMPurify(window = getGlobal()) {
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
value = hookEvent.attrValue;
/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}
/* Did the hooks approve of the attribute? */
if (hookEvent.forceKeepAttr) {
continue;
@ -1299,12 +1307,6 @@ function createDOMPurify(window = getGlobal()) {
continue;
}
/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}
/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], (expr) => {
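Review bot: The comment on the relocated check, `/* Work around a security issue with comments inside attributes */`, does not say that its position ahead of the `forceKeepAttr` test is the point, so a later tidy-up could move it back below the hook approval and let an `uponSanitizeAttribute` hook keep a value the check would have removed. I would word it as `/* Must run before the forceKeepAttr check: a hook may not keep a value containing -->, --!>, ]> or a closing style/title tag */`. The test reads `value` after it has been reassigned from `hookEvent.attrValue`, so it also covers values a hook rewrites, which is worth stating in the same comment. The check only runs when `SAFE_FOR_XML` is set, so a regression test with a hook that sets `forceKeepAttr` on such a value, with `SAFE_FOR_XML` enabled, would pin the ordering; the surrounding attribute loop in `createDOMPurify` starts and ends outside this hunk.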