Skip to content

Commit

Permalink
Merge pull request #944 from cure53/main
Browse files Browse the repository at this point in the history
 Getting 3.x branch ready for 3.1.1 release
  • Loading branch information
cure53 authored Apr 26, 2024
2 parents 6ea80cd + 7bbd12b commit 7a0a984
Show file tree
Hide file tree
Showing 15 changed files with 42 additions and 42 deletions.
4 changes: 2 additions & 2 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.0**.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.1.1**.

DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.

**Note that [DOMPurify v2.5.0](https://github.com/cure53/DOMPurify/releases/tag/2.5.0) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
**Note that [DOMPurify v2.5.1](https://github.com/cure53/DOMPurify/releases/tag/2.5.1) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**

Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.

Expand Down
2 changes: 1 addition & 1 deletion bower.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "DOMPurify",
"version": "3.1.0",
"version": "3.1.1",
"homepage": "https://github.com/cure53/DOMPurify",
"author": "Cure53 <[email protected]>",
"description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
Expand Down
6 changes: 3 additions & 3 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions dist/purify.es.mjs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
/*! @license DOMPurify 3.1.0 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.0/LICENSE */
/*! @license DOMPurify 3.1.1 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.1.1/LICENSE */

const {
entries,
Expand Down Expand Up @@ -282,7 +282,7 @@ function createDOMPurify() {
* Version label, exposed for easier checks
* if DOMPurify is up to date or not
*/
DOMPurify.version = '3.1.0';
DOMPurify.version = '3.1.1';

/**
* Array of elements that DOMPurify removed during sanitation.
Expand Down Expand Up @@ -516,7 +516,7 @@ function createDOMPurify() {
let CONFIG = null;

/* Specify the maximum element nesting depth to prevent mXSS */
const MAX_NESTING_DEPTH = 500;
const MAX_NESTING_DEPTH = 255;

/* Ideally, do not touch anything below this line */
/* ______________________________________________ */
Expand Down
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

6 changes: 3 additions & 3 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions dist/purify.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js.map

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@
},
"name": "dompurify",
"description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
"version": "3.1.0",
"version": "3.1.1",
"directories": {
"test": "test"
},
Expand Down
2 changes: 1 addition & 1 deletion src/purify.js
Original file line number Diff line number Diff line change
Expand Up @@ -389,7 +389,7 @@ function createDOMPurify(window = getGlobal()) {
let CONFIG = null;

/* Specify the maximum element nesting depth to prevent mXSS */
const MAX_NESTING_DEPTH = 500;
const MAX_NESTING_DEPTH = 255;

/* Ideally, do not touch anything below this line */
/* ______________________________________________ */
Expand Down
36 changes: 18 additions & 18 deletions test/test-suite.js
Original file line number Diff line number Diff line change
Expand Up @@ -2107,28 +2107,28 @@

QUnit.test('Test proper handling of nesting-based mXSS 1/3', function (assert) {

let dirty = `${`<div>`.repeat(496)}${`</div>`.repeat(496)}<img>`;
let expected = `${`<div>`.repeat(496)}${`</div>`.repeat(496)}<img>`;
let dirty = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
let expected = `${`<div>`.repeat(250)}${`</div>`.repeat(250)}<img>`;
let clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
expected = `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
dirty = `${`<div>`.repeat(255)}${`</div>`.repeat(255)}<img>`;
expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
expected = `${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
dirty = `${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
expected = `${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`;
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `<template>${`<div>`.repeat(502)}${`</div>`.repeat(502)}<img>`;
expected = `<template>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`;
dirty = `<div><template>${`<div>`.repeat(257)}${`</div>`.repeat(257)}<img>`;
expected = `<div><template>${`<div>`.repeat(251)}${`</div>`.repeat(251)}<img></template></div>`;
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `<div><template>${`<r>`.repeat(497)}<img>${`</r>`.repeat(
497
dirty = `<div><template>${`<r>`.repeat(255)}<img>${`</r>`.repeat(
255
)}</template></div><img>`;
expected = `<div><template></template></div><img>`;
clean = DOMPurify.sanitize(dirty);
Expand All @@ -2141,15 +2141,15 @@
let dirty = `<form><input name="__depth">${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
let expected = [
``,
`<form><input name="__depth">${`<div>`.repeat(497)}${`</div>`.repeat(497)}<img></form>`,
`<form><input name="__depth">${`<div>`.repeat(252)}${`</div>`.repeat(252)}<img></form>`,
];
let clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);

dirty = `<form><input name="__depth"></form>${`<div>`.repeat(500)}${`</div>`.repeat(500)}<img>`;
expected = [
`${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`,
`<form><input name="__depth"></form>${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`
`${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
`<form><input name="__depth"></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
];
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);
Expand All @@ -2160,8 +2160,8 @@
expected = [
``,
`<form><input name="__removalCount">${`<div>`.repeat(
497
)}${`</div>`.repeat(497)}<img></form>`,
252
)}${`</div>`.repeat(252)}<img></form>`,
];
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);
Expand All @@ -2170,10 +2170,10 @@
500
)}${`</div>`.repeat(500)}<img>`;
expected = [
`${`<div>`.repeat(498)}${`</div>`.repeat(498)}<img>`,
`${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`,
`<form><input name="__removalCount"></form>${`<div>`.repeat(
498
)}${`</div>`.repeat(498)}<img>`,
253
)}${`</div>`.repeat(253)}<img>`,
];
clean = DOMPurify.sanitize(dirty);
assert.contains(clean, expected);
Expand Down
4 changes: 2 additions & 2 deletions website/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
<html>
<head>
<meta charset="UTF-8">
<title>DOMPurify 3.1.0 "Time Traveler"</title>
<title>DOMPurify 3.1.1 "For Workgroups"</title>
<script src="../dist/purify.min.js"></script>
<!-- we don't actually need it - just to demo and test the $(html) sanitation -->
<script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
Expand All @@ -23,7 +23,7 @@
</script>
</head>
<body>
<h4>DOMPurify 3.1.0 "Time Traveler"</h4>
<h4>DOMPurify 3.1.1 "For Workgroups"</h4>
<p>
<a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>
<a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>
Expand Down

0 comments on commit 7a0a984

Please sign in to comment.