
Commit 848463b

committed
chore: removed unused test server script
fix: hardened more config properties against prototype pollution
1 parent b0e0ebb commit 848463b


10 files changed

+17
-63
lines changed


dist/purify.cjs.js

Lines changed: 3 additions & 3 deletions

dist/purify.cjs.js.map

Lines changed: 1 addition & 1 deletion

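--- a/dist/purify.es.mjs
+++ b/dist/purify.es.mjs
@@ -538,8 +538,8 @@ function createDOMPurify() {
 URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;
 DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;
 FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
-FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
-FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
+FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : clone({});
+FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : clone({});
 USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
 ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
 ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
@@ -904,7 +904,7 @@ function createDOMPurify() {
 allowedTags: ALLOWED_TAGS
 });
 /* Detect mXSS attempts abusing namespace confusion */
-if (currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w!]/g, currentNode.innerHTML) && regExpTest(/<[/\w!]/g, currentNode.textContent)) {
+if (SAFE_FOR_XML && currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w!]/g, currentNode.innerHTML) && regExpTest(/<[/\w!]/g, currentNode.textContent)) {
 _forceRemove(currentNode);
 return true;
 }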

dist/purify.es.mjs.map

Lines changed: 1 addition & 1 deletion

dist/purify.js

Lines changed: 3 additions & 3 deletions

dist/purify.js.map

Lines changed: 1 addition & 1 deletion

dist/purify.min.js

Lines changed: 1 addition & 1 deletion

dist/purify.min.js.map

Lines changed: 1 addition & 1 deletion

scripts/server.js

Lines changed: 0 additions & 47 deletions
This file was deleted.

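--- a/src/purify.ts
+++ b/src/purify.ts
@@ -523,10 +523,10 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
 : DEFAULT_FORBID_CONTENTS;
 FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS')
 ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc)
-: {};
+: clone({});
 FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR')
 ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc)
-: {};
+: clone({});
 USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES')
 ? cfg.USE_PROFILES
 : false;
@@ -1045,6 +1045,7 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
 
 /* Detect mXSS attempts abusing namespace confusion */
 if (
+SAFE_FOR_XML &&
 currentNode.hasChildNodes() &&
 !_isNode(currentNode.firstElementChild) &&
 regExpTest(/<[/\w!]/g, currentNode.innerHTML) &&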
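Review bot: The second hunk makes the namespace-confusion removal conditional on `SAFE_FOR_XML`, but neither the commit message nor the comment above the condition records that this mXSS check is now skipped for callers who set `SAFE_FOR_XML: false`; extend the comment to `/* Detect mXSS attempts abusing namespace confusion (skipped when SAFE_FOR_XML is false) */` and name the gating in the commit message, since the title only mentions prototype pollution and the removed script. The enclosing `if` condition continues past the end of the hunk. In the first hunk, `clone({})` gives the default FORBID_TAGS and FORBID_ATTR a prototype-detached object, while the true branch still builds from a plain `{}` through `addToSet`; if `addToSet` does not itself detach the target's prototype (not visible here), `addToSet(clone({}), …)` would keep both branches equivalent. The diffstat lists no test change, so a regression test asserting that under the default config an inherited `Object.prototype` name is not treated as a forbidden tag or attribute would pin the fix.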
