chore: Getting 2.x branch up to date with main
cure53 committed May 5, 2024
1 parent d299fcc commit b81a576
Showing 11 changed files with 63 additions and 19 deletions.
14 changes: 12 additions & 2 deletions dist/purify.cjs.js


2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map


14 changes: 12 additions & 2 deletions dist/purify.es.js


2 changes: 1 addition & 1 deletion dist/purify.es.js.map


14 changes: 12 additions & 2 deletions dist/purify.js


2 changes: 1 addition & 1 deletion dist/purify.js.map


2 changes: 1 addition & 1 deletion dist/purify.min.js


2 changes: 1 addition & 1 deletion dist/purify.min.js.map


17 changes: 15 additions & 2 deletions src/purify.js
Expand Up @@ -1126,7 +1126,10 @@ function createDOMPurify(window = getGlobal()) {
if (
SANITIZE_DOM &&
(lcName === 'id' || lcName === 'name') &&
(value in document || value in formElement)
(value in document ||
value in formElement ||
value === '__depth' ||
value === '__removalCount')
) {
return false;
}
Expand Down Expand Up @@ -1285,6 +1288,12 @@ function createDOMPurify(window = getGlobal()) {
continue;
}

/* Work around a security issue with comments inside attribites */
if (regExpTest(/(--!?|])>/i, value)) {
_removeAttribute(name, currentNode);
continue;
}

/* Sanitize attribute content to be template-safe */
if (SAFE_FOR_TEMPLATES) {
value = stringReplace(value, MUSTACHE_EXPR, ' ');
Expand Down Expand Up @@ -1345,7 +1354,11 @@ function createDOMPurify(window = getGlobal()) {
currentNode.setAttribute(name, value);
}

arrayPop(DOMPurify.removed);
if (_isClobbered(currentNode)) {
_forceRemove(currentNode);
} else {
arrayPop(DOMPurify.removed);
}
} catch (_) {}
}

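Review bot: The comment above the new attribute-value check in the second hunk misspells "attribites" and does not say what the check blocks; since the regex rejects any value containing `-->`, `--!>` or `]>`, a clearer header would be `/* Remove attributes whose value contains a comment or CDATA closing sequence (-->, --!>, ]>), which can be re-interpreted as markup after a round trip */`, and the added `"<img>"` expectation in test/fixtures/expect.js documents exactly that outcome for the `]>` case. The pattern is written inline while the file's other attribute patterns such as MUSTACHE_EXPR are hoisted named constants, so moving it next to them would keep the style consistent and avoid rebuilding the literal on every attribute; the `i` flag has no effect on a pattern with no letters. In the third hunk, the new `_isClobbered(currentNode)` branch calls `_forceRemove` instead of popping `DOMPurify.removed`, and a one-line comment such as `/* setAttribute may have clobbered the node (e.g. a form control named after a DOM property); drop it rather than keep the entry */` would explain why the two branches diverge. The enclosing attribute loop and createDOMPurify start outside these hunks.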
1 change: 1 addition & 0 deletions test/fixtures/expect.js
Expand Up @@ -458,6 +458,7 @@ module.exports = [
}, {
"payload": "<![><img src=\"]><img src=x onerror=alert(39)//\">",
"expected": [
"<img>",
"<img src=\"]&gt;&lt;img src=x onerror=alert(39)//\">",
"<img src=\"]><img src=x onerror=alert(39)//\">",
"<img src=\"]%3E%3Cimg%20src=x%20onerror=alert%2839%29//\">"
12 changes: 6 additions & 6 deletions test/test-suite.js
Expand Up @@ -2131,15 +2131,15 @@
let dirty = `<form><input name="__depth">${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
let expected = [
``,
`<form><input name="__depth">${`<div>`.repeat(252)}${`</div>`.repeat(252)}<img></form>`,
`<form><input>${`<div>`.repeat(252)}${`</div>`.repeat(252)}<img></form>`,
];
let clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `<form><input name="__depth"></form>${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
expected = [
`${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
`<form><input name="__depth"></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
`<form><input></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
];
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);
Expand All @@ -2149,7 +2149,7 @@
)}${`</div>`.repeat(500)}<img>`;
expected = [
``,
`<form><input name="__removalCount">${`<div>`.repeat(
`<form><input>${`<div>`.repeat(
252
)}${`</div>`.repeat(252)}<img></form>`,
];
Expand All @@ -2161,7 +2161,7 @@
)}${`</div>`.repeat(500)}<img>`;
expected = [
`${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
`<form><input name="__removalCount"></form>${`<div>`.repeat(
`<form><input></form>${`<div>`.repeat(
253
)}${`</div>`.repeat(253)}<img>`,
];
Expand All @@ -2172,12 +2172,12 @@
QUnit.test('Test proper handling of nesting-based mXSS 3/3', function (assert) {

let dirty = `<form><input name="__depth">`;
let expected = [``, `<form><input name="__depth"></form>`];
let expected = [``, `<form><input></form>`];
let clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `<form><input name="__removalCount">`;
expected = [``, `<form><input name="__removalCount"></form>`];
expected = [``, `<form><input></form>`];
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);
});
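Review bot: The updated expectations in all four hunks only assert that `name="__depth"` and `name="__removalCount"` are stripped; nothing pins the exact-match semantics of the new id/name check, so a later loosening of that comparison (for instance a prefix match) would not be caught here. A companion case in the 3/3 test such as `dirty = `<form><input name="depth">`;` followed by `expected = [``, `<form><input name="depth"></form>`];` would presumably pass today and guard against over-blocking of benign names; worth confirming against SANITIZE_DOM behaviour before adding. The QUnit module these tests belong to starts outside the hunks.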
