fix: should split DANGEROUS_OR_OBSOLETE_TAG_NAMES
JounQin committed Dec 14, 2023
1 parent e1c0755 commit 71a9af1
Showing 4 changed files with 9 additions and 49 deletions.
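--- a/src/index.ts
+++ b/src/index.ts
@@ -79,7 +79,7 @@ const MathML_TAG_NAMES =
 .split(',')
 .map(it => `m${it}`)
 
-const DANGEROUS_OR_OBSOLETE_TAG_NAMES = 'event-source,listing'
+const DANGEROUS_OR_OBSOLETE_TAG_NAMES = 'event-source,listing'.split(',')
 
 function sanitizeNode(el: Document): Document
 function sanitizeNode(el: DocumentFragment): DocumentFragment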
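Review bot: The declaration of `DANGEROUS_OR_OBSOLETE_TAG_NAMES` still has no type annotation, which is what let the earlier plain-string value pass the type checker: `String.prototype.includes` and `Array.prototype.includes` share a name, so a membership test written for a list would quietly become a substring match (the updated snapshots show `<g>`, `<li>`, `<source>` and `<i>` no longer being dropped). Annotating it, e.g. `const DANGEROUS_OR_OBSOLETE_TAG_NAMES: readonly string[] = 'event-source,listing'.split(',')`, would turn a regression to a bare string into a compile error. The code that consumes the constant is outside this hunk, so the `.includes` lookup is inferred rather than visible. Because the fix makes the sanitizer keep elements it used to discard, a direct test that `<listing>` and `<event-source>` are still removed while `<i>` and `<li>` survive would pin the denylist more tightly than the aggregate `mismatches` count in test/dompurify.spec.ts.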
44 changes: 2 additions & 42 deletions test/__snapshots__/dompurify.spec.ts.snap
@@ -8,14 +8,6 @@ exports[`dompurify compatibility > >style< > >style< 1`] = `
}
`;

exports[`dompurify compatibility > 65 > 65 1`] = `
{
"expected": "<div id="11"><svg xmlns="http://www.w3.org/2000/svg"><g></g></svg>//["'\`--&gt;]]&gt;]</div>",
"payload": "<div id="11"><svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(11)"></g></svg>//["'\`-->]]>]</div>",
"result": "<div id="11"><svg xmlns="http://www.w3.org/2000/svg"></svg>//["'\`--&gt;]]&gt;]</div>",
}
`;

exports[`dompurify compatibility > 81 > 81 1`] = `
{
"expected": "<div id="27"><style>p[foo=bar{}*{-o-link:'javascript:alert(27)'}{}*{-o-link-source:current}*{background:red}]{background:green};</style>//["'\`--&gt;]]&gt;]</div><div id="28">1&gt;//["'\`--&gt;]]&gt;]</div>",
@@ -24,14 +16,6 @@ exports[`dompurify compatibility > 81 > 81 1`] = `
}
`;
exports[`dompurify compatibility > 95 > 95 1`] = `
{
"expected": "<div id="41"><li style="list-style:url()"></li></div>",
"payload": "<div id="41"><li style=list-style:url() onerror=alert(41)></li>",
"result": "<div id="41"></div>",
}
`;
exports[`dompurify compatibility > 99 > 99 1`] = `
{
"expected": "Hello
@@ -61,22 +45,6 @@ exports[`dompurify compatibility > 100 > 100 1`] = `
}
`;
exports[`dompurify compatibility > 111 > 111 1`] = `
{
"expected": "<div id="55"><video><source>//["'\`--&gt;]]&gt;]</video></div>",
"payload": "<div id="55"><video><source onerror="alert(55)">//["'\`-->]]>]</div>",
"result": "<div id="55"><video>//["'\`--&gt;]]&gt;]</video></div>",
}
`;
exports[`dompurify compatibility > 112 > 112 1`] = `
{
"expected": "<div id="56"><video><source></video>//["'\`--&gt;]]&gt;]</div>",
"payload": "<div id="56"><video onerror="alert(56)"><source></source></video>//["'\`-->]]>]</div>",
"result": "<div id="56"><video></video>//["'\`--&gt;]]&gt;]</div>",
}
`;
exports[`dompurify compatibility > 121 > 121 1`] = `
{
"expected": "//["'\`--&gt;]]&gt;]
@@ -490,7 +458,7 @@ exports[`dompurify compatibility > Don't remove ARIA attributes if not prohibite
{
"expected": "<div class="msg" role="dialog" aria-labelledby="msg--title"><button type="button" aria-label="close" class="modal-close"><i class="icon-close"></i>some button</button></div>",
"payload": "<div aria-labelledby="msg--title" role="dialog" class="msg"><button class="modal-close" aria-label="close" type="button"><i class="icon-close"></i>some button</button></div>",
"result": "<div aria-labelledby="msg--title" role="dialog" class="msg"><button class="modal-close" aria-label="close" type="button">some button</button></div>",
"result": "<div aria-labelledby="msg--title" role="dialog" class="msg"><button class="modal-close" aria-label="close" type="button"><i class="icon-close"></i>some button</button></div>",
}
`;
@@ -567,14 +535,6 @@ exports[`dompurify compatibility > Img element inside noscript terminated inside
}
`;
exports[`dompurify compatibility > Img element inside shadow DOM template > Img element inside shadow DOM template 1`] = `
{
"expected": "<template><s><template><s><img src="x">@shafigullin</s></template></s></template>",
"payload": "<body><template><s><template><s><img src=x onerror=alert(1)>@shafigullin</s></template></s></template>",
"result": "<template></template>",
}
`;
exports[`dompurify compatibility > Inline SVG (data-uri) > Inline SVG (data-uri) 1`] = `
{
"expected": [
@@ -889,6 +849,6 @@ exports[`dompurify compatibility > src Attributes for IMG, AUDIO, VIDEO and SOUR
{
"expected": "<img src="data:,123"><audio src="data:,456"></audio><video src="data:,789"></video><source src="data:,012"><div></div>",
"payload": "<img src="data:,123"><audio src="data:,456"></audio><video src="data:,789"></video><source src="data:,012"><div src="data:,345">",
"result": "<img><audio></audio><video></video><div src="data:,345"></div>",
"result": "<img><audio></audio><video></video><source><div></div>",
}
`;
10 changes: 5 additions & 5 deletions test/__snapshots__/fixtures.spec.ts.snap
@@ -19,7 +19,7 @@ exports[`fixtures > fragment > style.html 1`] = `
exports[`fixtures > fragment > svg-g.html 1`] = `
"<div id="11">
<svg xmlns="http://www.w3.org/2000/svg">
</svg>//["'\\\`--&gt;]]&gt;]
<g></g></svg>//["'\\\`--&gt;]]&gt;]
</div>
"
`;
@@ -57,14 +57,14 @@ exports[`fixtures > svg > basic.svg 1`] = `
exports[`fixtures > svg > image-href.svg 1`] = `
"<svg width="24" height="16" viewBox="0 0 24 16" xmlns="http://www.w3.org/2000/svg">
<g fill="none" fill-rule="evenodd">
<g transform="translate(3 4)" fill-rule="nonzero">
11111
</g>
</g>
</svg>"
`;
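--- a/test/dompurify.spec.ts
+++ b/test/dompurify.spec.ts
@@ -43,6 +43,6 @@ describe('dompurify compatibility', () => {
 }
 
 test('mismatches', () => {
-expect(mismatches).toMatchInlineSnapshot(`72`)
+expect(mismatches).toMatchInlineSnapshot(`67`)
 })
 })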
