Merge pull request #801 from dejang/refactor-policy-creation-order

create internal trustedTypes policy only if not specified via config object
cure53 · May 6, 2023 · ad1bdd4 · ad1bdd4
2 parents e7895b4 + 2377fc5
commit ad1bdd4
Show file tree

Hide file tree

Showing 10 changed files with 248 additions and 159 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -26,11 +26,11 @@ const getGlobal = () => (typeof window === 'undefined' ? null : window);
  * Creates a no-op policy for internal use only.
  * Don't export this function outside this module!
  * @param {?TrustedTypePolicyFactory} trustedTypes The policy factory.
- * @param {Document} document The document object (to determine policy name suffix)
+ * @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
  * @return {?TrustedTypePolicy} The policy created (or null, if Trusted Types
- * are not supported).
+ * are not supported or creating the policy failed).
  */
-const _createTrustedTypesPolicy = function (trustedTypes, document) {
+const _createTrustedTypesPolicy = function (trustedTypes, purifyHostElement) {
   if (
     typeof trustedTypes !== 'object' ||
     typeof trustedTypes.createPolicy !== 'function'
@@ -43,11 +43,8 @@ const _createTrustedTypesPolicy = function (trustedTypes, document) {
   // Policy creation with duplicate names throws in Trusted Types.
   let suffix = null;
   const ATTR_NAME = 'data-tt-policy-suffix';
-  if (
-    document.currentScript &&
-    document.currentScript.hasAttribute(ATTR_NAME)
-  ) {
-    suffix = document.currentScript.getAttribute(ATTR_NAME);
+  if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
+    suffix = purifyHostElement.getAttribute(ATTR_NAME);
   }
 
   const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
@@ -96,6 +93,7 @@ function createDOMPurify(window = getGlobal()) {
   }
 
   const originalDocument = window.document;
+  const currentScript = originalDocument.currentScript;
 
   let { document } = window;
   const {
@@ -130,11 +128,8 @@ function createDOMPurify(window = getGlobal()) {
     }
   }
 
-  let trustedTypesPolicy = _createTrustedTypesPolicy(
-    trustedTypes,
-    originalDocument
-  );
-  let emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
+  let trustedTypesPolicy;
+  let emptyHTML = '';
 
   const {
     implementation,
@@ -603,8 +598,22 @@ function createDOMPurify(window = getGlobal()) {
 
       // Overwrite existing TrustedTypes policy.
       trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
-      // Sign local variables in case using the internal policy did not succeed.
+
+      // Sign local variables required by `sanitize`.
       emptyHTML = trustedTypesPolicy.createHTML('');
+    } else {
+      // Uninitialized policy, attempt to initialize the internal dompurify policy.
+      if (trustedTypesPolicy === undefined) {
+        trustedTypesPolicy = _createTrustedTypesPolicy(
+          trustedTypes,
+          currentScript
+        );
+      }
+
+      // If creating the internal policy succeeded sign internal variables.
+      if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
+        emptyHTML = trustedTypesPolicy.createHTML('');
+      }
     }
 
     // Prevent further manipulation of configuration.