Skip to content

Commit

Permalink
See #761
Browse files Browse the repository at this point in the history
feat: added ALLOW_SELF_CLOSE_IN_ATTR tag
test: added test case
  • Loading branch information
cure53 committed Feb 7, 2023
1 parent 90326ef commit 5f766bc
Show file tree
Hide file tree
Showing 10 changed files with 47 additions and 9 deletions.
8 changes: 7 additions & 1 deletion dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

8 changes: 7 additions & 1 deletion dist/purify.es.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.es.js.map

Large diffs are not rendered by default.

8 changes: 7 additions & 1 deletion dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js.map

Large diffs are not rendered by default.

7 changes: 6 additions & 1 deletion src/purify.js
Original file line number Diff line number Diff line change
Expand Up @@ -239,6 +239,10 @@ function createDOMPurify(window = getGlobal()) {
/* Decide if unknown protocols are okay */
let ALLOW_UNKNOWN_PROTOCOLS = false;

/* Decide if self-closing tags in attributes are allowed.
* Usually removed due to a mXSS issue in jQuery 3.0 */
let ALLOW_SELF_CLOSE_IN_ATTR = true;

/* Output should be safe for common template engines.
* This means, DOMPurify removes data attributes, mustaches and ERB
*/
Expand Down Expand Up @@ -468,6 +472,7 @@ function createDOMPurify(window = getGlobal()) {
ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
RETURN_DOM = cfg.RETURN_DOM || false; // Default false
Expand Down Expand Up @@ -1241,7 +1246,7 @@ function createDOMPurify(window = getGlobal()) {
}

/* Work around a security issue in jQuery 3.0 */
if (regExpTest(/\/>/i, value)) {
if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
_removeAttribute(name, currentNode);
continue;
}
Expand Down
15 changes: 15 additions & 0 deletions test/test-suite.js
Original file line number Diff line number Diff line change
Expand Up @@ -133,6 +133,21 @@
);
}
);
QUnit.test('Config-Flag tests: ALLOW_SELF_CLOSE_IN_ATTR', function (assert) {
// ALLOW_SELF_CLOSE_IN_ATTR
assert.equal(
DOMPurify.sanitize('<a href="#" class="foo <br/>">abc</a>', {
ALLOW_SELF_CLOSE_IN_ATTR: false,
}),
'<a href="#">abc</a>'
);
assert.equal(
DOMPurify.sanitize('<a href="#" class="foo <br/>">abc</a>', {
ALLOW_SELF_CLOSE_IN_ATTR: true,
}),
'<a class="foo <br/>" href="#">abc</a>'
);
});
QUnit.test('Config-Flag tests: ALLOW_DATA_ATTR', function (assert) {
// ALLOW_DATA_ATTR
assert.equal(
Expand Down

0 comments on commit 5f766bc

Please sign in to comment.