Commit f1c9a64

fix: Added better check for animated href attributes, thanks @llamakko
1 parent 9a1c6e5 commit f1c9a64

9 files changed (+26 -5 lines changed)

dist/purify.cjs.js

Lines changed: 5 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dist/purify.cjs.js.map

Lines changed: 1 addition & 1 deletion

dist/purify.es.mjs

Lines changed: 5 additions & 0 deletions
@@ -1079,6 +1079,11 @@ function createDOMPurify() {
10791079
_removeAttribute(name, currentNode);
10801080
continue;
10811081
}
1082+
/* Make sure we cannot easily use animated hrefs, even if animations are allowed */
1083+
if (lcName === 'attributename' && stringMatch(value, 'href')) {
1084+
_removeAttribute(name, currentNode);
1085+
continue;
1086+
}
10821087
/* Did the hooks approve of the attribute? */
10831088
if (hookEvent.forceKeepAttr) {
10841089
continue;
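
Review bot: the `stringMatch(value, 'href')` test in the added condition is applied to the raw attribute value, while the name side of the same condition is lowercased (`lcName`). If `stringMatch` follows `String.prototype.match` semantics, this is a case-sensitive substring match: it covers `href` and `xlink:href`, it also strips any `attributeName` whose value merely contains `href`, and it does not match a differently cased value. Either normalize the value before matching or extend the comment to say that the substring, case-sensitive behaviour is intended. Since this file is build output, the change itself belongs in src/purify.ts with dist/ regenerated from it.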

dist/purify.es.mjs.map

Lines changed: 1 addition & 1 deletion

dist/purify.js

Lines changed: 5 additions & 0 deletions

dist/purify.js.map

Lines changed: 1 addition & 1 deletion

dist/purify.min.js

Lines changed: 1 addition & 1 deletion

dist/purify.min.js.map

Lines changed: 1 addition & 1 deletion

src/purify.ts

Lines changed: 6 additions & 0 deletions
@@ -1325,6 +1325,12 @@ function createDOMPurify(window: WindowLike = getGlobal()): DOMPurify {
13251325
continue;
13261326
}
13271327

1328+
/* Make sure we cannot easily use animated hrefs, even if animations are allowed */
1329+
if (lcName === 'attributename' && stringMatch(value, 'href')) {
1330+
_removeAttribute(name, currentNode);
1331+
continue;
1332+
}
1333+
13281334
/* Did the hooks approve of the attribute? */
13291335
if (hookEvent.forceKeepAttr) {
13301336
continue;
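
Review bot: the added block in src/purify.ts sits above the `hookEvent.forceKeepAttr` check, so a hook that sets `forceKeepAttr` cannot keep an `attributeName` attribute whose value matches `href`. If that ordering is deliberate, the comment should say so, since "even if animations are allowed" mentions configuration but not hooks. The file list for this commit shows only dist/ files and src/purify.ts, so a regression test for the animated-href case (both `href` and `xlink:href` values) should accompany the change.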
