fix: Added changes to 2.x regarding attribute value checks

cure53 · Jun 25, 2024 · 38e8410 · 38e8410
1 parent 9a7cd98
commit 38e8410
Show file tree

Hide file tree

Showing 9 changed files with 33 additions and 29 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -1259,6 +1259,13 @@ function createDOMPurify(window = getGlobal()) {
       hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
       _executeHook('uponSanitizeAttribute', currentNode, hookEvent);
       value = hookEvent.attrValue;
+
+      /* Work around a security issue with comments inside attributes */
+      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
+        _removeAttribute(name, currentNode);
+        continue;
+      }
+
       /* Did the hooks approve of the attribute? */
       if (hookEvent.forceKeepAttr) {
         continue;
@@ -1278,12 +1285,6 @@ function createDOMPurify(window = getGlobal()) {
         continue;
       }
 
-      /* Work around a security issue with comments inside attributes */
-      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
-        _removeAttribute(name, currentNode);
-        continue;
-      }
-
       /* Sanitize attribute content to be template-safe */
       if (SAFE_FOR_TEMPLATES) {
         value = stringReplace(value, MUSTACHE_EXPR, ' ');