Skip to content

Commit

Permalink
fix: Changed the order for attribute checks slightly for safer hooks
Browse files Browse the repository at this point in the history
  • Loading branch information
cure53 committed Jun 25, 2024
1 parent b8b552c commit fa542df
Show file tree
Hide file tree
Showing 9 changed files with 36 additions and 41 deletions.
18 changes: 8 additions & 10 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

18 changes: 8 additions & 10 deletions dist/purify.es.mjs
Original file line number Diff line number Diff line change
Expand Up @@ -209,11 +209,9 @@ const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-
const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
);

const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
);

const DOCTYPE_NAME = seal(/^html$/i);
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);

Expand Down Expand Up @@ -248,7 +246,6 @@ const NODE_TYPE = {
documentFragment: 11,
notation: 12 // Deprecated
};

const getGlobal = function getGlobal() {
return typeof window === 'undefined' ? null : window;
};
Expand Down Expand Up @@ -1010,7 +1007,7 @@ function createDOMPurify() {
return true;
}

/* Remove any ocurrence of processing instructions */
/* Remove any occurrence of processing instructions */
if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
_forceRemove(currentNode);
return true;
Expand Down Expand Up @@ -1179,6 +1176,13 @@ function createDOMPurify() {
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
value = hookEvent.attrValue;

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Did the hooks approve of the attribute? */
if (hookEvent.forceKeepAttr) {
continue;
Expand All @@ -1198,12 +1202,6 @@ function createDOMPurify() {
continue;
}

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
Expand Down
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

18 changes: 8 additions & 10 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js.map

Large diffs are not rendered by default.

13 changes: 7 additions & 6 deletions src/purify.js
Original file line number Diff line number Diff line change
Expand Up @@ -1280,6 +1280,13 @@ function createDOMPurify(window = getGlobal()) {
hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
value = hookEvent.attrValue;

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Did the hooks approve of the attribute? */
if (hookEvent.forceKeepAttr) {
continue;
Expand All @@ -1299,12 +1306,6 @@ function createDOMPurify(window = getGlobal()) {
continue;
}

/* Work around a security issue with comments inside attributes */
if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], (expr) => {
Expand Down

0 comments on commit fa542df

Please sign in to comment.