cure53
diff --git a/‎dist/purify.cjs.js‎
Lines changed: 20 additions & 15 deletions b/‎dist/purify.cjs.js‎
Lines changed: 20 additions & 15 deletions
diff --git a/‎dist/purify.cjs.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/purify.cjs.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.es.mjs‎
Lines changed: 20 additions & 15 deletions b/‎dist/purify.es.mjs‎
Lines changed: 20 additions & 15 deletions
diff --git a/‎dist/purify.es.mjs.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/purify.es.mjs.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.js‎
Lines changed: 20 additions & 15 deletions b/‎dist/purify.js‎
Lines changed: 20 additions & 15 deletions
diff --git a/‎dist/purify.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/purify.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.min.js‎
Lines changed: 1 addition & 1 deletion b/‎dist/purify.min.js‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎dist/purify.min.js.map‎
Lines changed: 1 addition & 1 deletion b/‎dist/purify.min.js.map‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/purify.ts‎
Lines changed: 20 additions & 16 deletions b/‎src/purify.ts‎
Lines changed: 20 additions & 16 deletions
@@ -1056,7 +1056,8 @@ function createDOMPurify() {
         value: attrValue
       } = attr;
       const lcName = transformCaseFunc(name);
-      let value = name === 'value' ? attrValue : stringTrim(attrValue);
+      const initValue = attrValue;
+      let value = name === 'value' ? initValue : stringTrim(initValue);
       /* Execute a hook if present */
       hookEvent.attrName = lcName;
       hookEvent.attrValue = value;
@@ -1082,10 +1083,9 @@ function createDOMPurify() {
       if (hookEvent.forceKeepAttr) {
         continue;
       }
-      /* Remove attribute */
-      _removeAttribute(name, currentNode);
       /* Did the hooks approve of the attribute? */
       if (!hookEvent.keepAttr) {
+        _removeAttribute(name, currentNode);
         continue;
       }
       /* Work around a security issue in jQuery 3.0 */
@@ -1102,6 +1102,7 @@ function createDOMPurify() {
       /* Is `value` valid for this attribute? */
       const lcTag = transformCaseFunc(currentNode.nodeName);
       if (!_isValidAttribute(lcTag, lcName, value)) {
+        _removeAttribute(name, currentNode);
         continue;
       }
       /* Handle attributes that require Trusted Types */
@@ -1122,19 +1123,23 @@ function createDOMPurify() {
         }
       }
       /* Handle invalid data-* attribute set by try-catching it */
-      try {
-        if (namespaceURI) {
-          currentNode.setAttributeNS(namespaceURI, name, value);
-        } else {
-          /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
-          currentNode.setAttribute(name, value);
-        }
-        if (_isClobbered(currentNode)) {
-          _forceRemove(currentNode);
-        } else {
-          arrayPop(DOMPurify.removed);
+      if (value !== initValue) {
+        try {
+          if (namespaceURI) {
+            currentNode.setAttributeNS(namespaceURI, name, value);
+          } else {
+            /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
+            currentNode.setAttribute(name, value);
+          }
+          if (_isClobbered(currentNode)) {
+            _forceRemove(currentNode);
+          } else {
+            arrayPop(DOMPurify.removed);
+          }
+        } catch (_) {
+          _removeAttribute(name, currentNode);
         }
-      } catch (_) {}
+      }
     }
     /* Execute a hook if present */
     _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
 
@@ -1296,7 +1296,8 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
       const { name, namespaceURI, value: attrValue } = attr;
       const lcName = transformCaseFunc(name);
 
-      let value = name === 'value' ? attrValue : stringTrim(attrValue);
+      const initValue = attrValue;
+      let value = name === 'value' ? initValue : stringTrim(initValue);
 
       /* Execute a hook if present */
       hookEvent.attrName = lcName;
@@ -1328,11 +1329,9 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
         continue;
       }
 
-      /* Remove attribute */
-      _removeAttribute(name, currentNode);
-
       /* Did the hooks approve of the attribute? */
       if (!hookEvent.keepAttr) {
+        _removeAttribute(name, currentNode);
         continue;
       }
 
@@ -1352,6 +1351,7 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
       /* Is `value` valid for this attribute? */
       const lcTag = transformCaseFunc(currentNode.nodeName);
       if (!_isValidAttribute(lcTag, lcName, value)) {
+        _removeAttribute(name, currentNode);
         continue;
       }
 
@@ -1383,20 +1383,24 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
       }
 
       /* Handle invalid data-* attribute set by try-catching it */
-      try {
-        if (namespaceURI) {
-          currentNode.setAttributeNS(namespaceURI, name, value);
-        } else {
-          /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
-          currentNode.setAttribute(name, value);
-        }
+      if (value !== initValue) {
+        try {
+          if (namespaceURI) {
+            currentNode.setAttributeNS(namespaceURI, name, value);
+          } else {
+            /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
+            currentNode.setAttribute(name, value);
+          }
 
-        if (_isClobbered(currentNode)) {
-          _forceRemove(currentNode);
-        } else {
-          arrayPop(DOMPurify.removed);
+          if (_isClobbered(currentNode)) {
+            _forceRemove(currentNode);
+          } else {
+            arrayPop(DOMPurify.removed);
+          }
+        } catch (_) {
+          _removeAttribute(name, currentNode);
         }
-      } catch (_) {}
+      }
     }
 
     /* Execute a hook if present */