fix: Started to set new MAX_NESTING_DEPTH limits as well

cure53 · Apr 26, 2024 · 8589191 · 8589191
1 parent 2076d1b
commit 8589191
Show file tree

Hide file tree

Showing 10 changed files with 11 additions and 11 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -394,7 +394,7 @@ function createDOMPurify(window = getGlobal()) {
   let CONFIG = null;
 
   /* Specify the maximum element nesting depth to prevent mXSS */
-  const MAX_NESTING_DEPTH = 500;
+  const MAX_NESTING_DEPTH = 255;
 
   /* Ideally, do not touch anything below this line */
   /* ______________________________________________ */

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -2112,8 +2112,8 @@
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);
 
-      dirty = `<template>${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
-      expected = `<template>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
+      dirty = `<div><template>${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
+      expected = `<div><template>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img></template></div>`;
       clean = DOMPurify.sanitize(dirty);
       assert.contains(clean, expected);