Update DOMPurify to version 3.1.0 in static ui utils

2026-05-24 09:28:37 +00:00 · 2024-04-23 12:04:46 +02:00 · 2024-04-23 12:04:46 +02:00 · ab4b07601d
commit ab4b07601d
parent 63c7fbe02c
4 changed files with 28 additions and 4 deletions
--- a/src/ui/static/js/utils/purify/purify.min.js
+++ b/src/ui/static/js/utils/purify/purify.min.js
--- a/src/ui/static/js/utils/purify/src/attrs.js
+++ b/src/ui/static/js/utils/purify/src/attrs.js
@ -108,6 +108,7 @@ export const html = freeze([
  'valign',
  'value',
  'width',
+  'wrap',
  'xmlns',
  'slot',
 ]);
--- a/src/ui/static/js/utils/purify/src/purify.js
+++ b/src/ui/static/js/utils/purify/src/purify.js
@ -244,6 +244,11 @@ function createDOMPurify(window = getGlobal()) {
   */
  let SAFE_FOR_TEMPLATES = false;

+  /* Output should be safe even for XML used within HTML and alike.
+   * This means, DOMPurify removes comments when containing risky content.
+   */
+  let SAFE_FOR_XML = true;
+
  /* Decide if document with <html>... should be returned */
  let WHOLE_DOCUMENT = false;

@ -464,6 +469,7 @@ function createDOMPurify(window = getGlobal()) {
    ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
    SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
+    SAFE_FOR_XML = cfg.SAFE_FOR_XML !== false; // Default true
    WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
    RETURN_DOM = cfg.RETURN_DOM || false; // Default false
    RETURN_DOM_FRAGMENT = cfg.RETURN_DOM_FRAGMENT || false; // Default false
@ -913,7 +919,8 @@ function createDOMPurify(window = getGlobal()) {
      NodeFilter.SHOW_ELEMENT |
        NodeFilter.SHOW_COMMENT |
        NodeFilter.SHOW_TEXT |
-        NodeFilter.SHOW_PROCESSING_INSTRUCTION,
+        NodeFilter.SHOW_PROCESSING_INSTRUCTION |
+        NodeFilter.SHOW_CDATA_SECTION,
      null
    );
  };
@ -1009,6 +1016,22 @@ function createDOMPurify(window = getGlobal()) {
      return true;
    }

+    /* Remove any ocurrence of processing instructions */
+    if (currentNode.nodeType === 7) {
+      _forceRemove(currentNode);
+      return true;
+    }
+
+    /* Remove any kind of possibly harmful comments */
+    if (
+      SAFE_FOR_XML &&
+      currentNode.nodeType === 8 &&
+      regExpTest(/<[/\w]/g, currentNode.data)
+    ) {
+      _forceRemove(currentNode);
+      return true;
+    }
+
    /* Remove element if anything forbids its presence */
    if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
      /* Check if we have a custom element to handle */
--- a/src/ui/static/js/utils/purify/src/regexp.js
+++ b/src/ui/static/js/utils/purify/src/regexp.js
@ -14,4 +14,4 @@ export const ATTR_WHITESPACE = seal(
  /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 export const DOCTYPE_NAME = seal(/^html$/i);
-export const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
+export const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);