Merge pull request #899 from cure53/main

Update 3.x to be in sync with main

README.md

@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.7**.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.8**.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "DOMPurify",
-  "version": "3.0.7",
+  "version": "3.0.8",
   "homepage": "https://github.com/cure53/DOMPurify",
   "author": "Cure53 <info@cure53.de>",
   "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",

dist/purify.es.mjs

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.7/LICENSE */
+/*! @license DOMPurify 3.0.8 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.8/LICENSE */
 
 const {
   entries,
@@ -139,7 +139,7 @@ function clone(object) {
     if (getOwnPropertyDescriptor(object, property) !== undefined) {
       if (Array.isArray(value)) {
         newObject[property] = cleanArray(value);
-      } else if (typeof value === 'object' && value.constructor === Object) {
+      } else if (value && typeof value === 'object' && value.constructor === Object) {
         newObject[property] = clone(value);
       } else {
         newObject[property] = value;
@@ -278,7 +278,7 @@ function createDOMPurify() {
    * Version label, exposed for easier checks
    * if DOMPurify is up to date or not
    */
-  DOMPurify.version = '3.0.7';
+  DOMPurify.version = '3.0.8';
 
   /**
    * Array of elements that DOMPurify removed during sanitation.

package.json

@@ -17,13 +17,6 @@
     "test:ci": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run test:jsdom && npm run test:karma -- --log-level error --reporters dots --single-run --shouldTestOnBrowserStack=\"${TEST_BROWSERSTACK}\" --shouldProbeOnly=\"${TEST_PROBE_ONLY}\"",
     "test": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run lint &&  npm run test:jsdom && npm run test:karma -- --browsers Chrome"
   },
-  "exports": {
-    ".": {
-      "require": "./dist/purify.cjs.js",
-      "import": "./dist/purify.es.mjs"
-    },
-    "./package.json": "./package.json"
-  },
   "main": "./dist/purify.cjs.js",
   "module": "./dist/purify.es.mjs",
   "browser": "./dist/purify.js",
@@ -105,7 +98,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.0.7",
+  "version": "3.0.8",
   "directories": {
     "test": "test"
   },

src/utils.js

@@ -136,7 +136,11 @@ function clone(object) {
     if (getOwnPropertyDescriptor(object, property) !== undefined) {
       if (Array.isArray(value)) {
         newObject[property] = cleanArray(value);
-      } else if (typeof value === 'object' && value.constructor === Object) {
+      } else if (
+        value &&
+        typeof value === 'object' &&
+        value.constructor === Object
+      ) {
         newObject[property] = clone(value);
       } else {
         newObject[property] = value;

test/test-suite.js

@@ -804,6 +804,21 @@
         );
       }
     );
+    QUnit.test(
+      'CUSTOM_ELEMENT_HANDLING config values of null do not throw a TypeError.',
+      function (assert) {
+        DOMPurify.sanitize('', {
+          CUSTOM_ELEMENT_HANDLING: {
+            tagNameCheck: null,
+            attributeNameCheck: null,
+            allowCustomizedBuiltInElements: null,
+          },
+        });
+
+        // Don't see a great way to assert NOT throws...
+        assert.ok(true);
+      }
+    );
     QUnit.test('Test dirty being an array', function (assert) {
       assert.equal(
         DOMPurify.sanitize(['<a>123<b>456</b></a>']),

website/index.html

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="UTF-8">
-        <title>DOMPurify 3.0.7 "High Noon"</title>
+        <title>DOMPurify 3.0.8 "Higher Noon"</title>
         <script src="../dist/purify.min.js"></script>
         <!-- we don't actually need it - just to demo and test the $(html) sanitation -->
         <script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
@@ -23,7 +23,7 @@
         </script>
     </head>
     <body>
-        <h4>DOMPurify 3.0.7 "High Noon"</h4>
+        <h4>DOMPurify 3.0.8 "Higher Noon"</h4>
         <p>
             <a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>  
             <a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>