Merge pull request #893 from cure53/main

Getting 3.x branch ready for 3.0.7 release
cure53 · Jan 3, 2024 · aa2c561 · aa2c561
2 parents db73dd7 + ab2c081
commit aa2c561
Show file tree

Hide file tree

Showing 18 changed files with 156 additions and 29 deletions.
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [16.x, 17.x, 18.x, 19.x]
+        node-version: [16.x, 17.x, 18.x, 19.x, 20.x, 21.x]
 
     steps:
       - name: Checkout
@@ -38,7 +38,7 @@ jobs:
         with:
           run: npm run test:ci
         env:
-          TEST_BROWSERSTACK: ${{ startsWith(matrix.node-version, '19') }}
+          TEST_BROWSERSTACK: ${{ startsWith(matrix.node-version, '21') }}
           TEST_PROBE_ONLY: ${{ github.ref != 'refs/heads/main' }}
           BS_USERNAME: ${{ secrets.BS_USERNAME }}
           BS_ACCESSKEY: ${{ secrets.BS_ACCESSKEY }}
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,14 +38,14 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
+      uses: github/codeql-action/init@v3
       with:
          languages: ${{ matrix.language }}
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+      uses: github/codeql-action/autobuild@v3
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -59,4 +59,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      uses: github/codeql-action/analyze@v3
diff --git a/README.md b/README.md
@@ -6,7 +6,7 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.6**.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.7**.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 

diff --git a/bower.json b/bower.json
@@ -1,6 +1,6 @@
 {
   "name": "DOMPurify",
-  "version": "3.0.6",
+  "version": "3.0.7",
   "homepage": "https://github.com/cure53/DOMPurify",
   "author": "Cure53 <info@cure53.de>",
   "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",

diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.6 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.6/LICENSE */
+/*! @license DOMPurify 3.0.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.7/LICENSE */
 
 const {
   entries,
@@ -112,6 +112,21 @@ function addToSet(set, array) {
   return set;
 }
 
+/**
+ * Clean up an array to harden against CSPP
+ *
+ * @param {Array} array - The array to be cleaned.
+ * @returns {Array} The cleaned version of the array
+ */
+function cleanArray(array) {
+  for (let index = 0; index < array.length; index++) {
+    if (getOwnPropertyDescriptor(array, index) === undefined) {
+      array[index] = null;
+    }
+  }
+  return array;
+}
+
 /**
  * Shallow clone an object
  *
@@ -122,7 +137,13 @@ function clone(object) {
   const newObject = create(null);
   for (const [property, value] of entries(object)) {
     if (getOwnPropertyDescriptor(object, property) !== undefined) {
-      newObject[property] = value;
+      if (Array.isArray(value)) {
+        newObject[property] = cleanArray(value);
+      } else if (typeof value === 'object' && value.constructor === Object) {
+        newObject[property] = clone(value);
+      } else {
+        newObject[property] = value;
+      }
     }
   }
   return newObject;
@@ -257,7 +278,7 @@ function createDOMPurify() {
    * Version label, exposed for easier checks
    * if DOMPurify is up to date or not
    */
-  DOMPurify.version = '3.0.6';
+  DOMPurify.version = '3.0.7';
 
   /**
    * Array of elements that DOMPurify removed during sanitation.

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -105,7 +105,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.0.6",
+  "version": "3.0.7",
   "directories": {
     "test": "test"
   },

diff --git a/src/purify.js b/src/purify.js
@@ -784,6 +784,7 @@ function createDOMPurify(window = getGlobal()) {
    */
   const _forceRemove = function (node) {
     arrayPush(DOMPurify.removed, { element: node });
+
     try {
       // eslint-disable-next-line unicorn/prefer-dom-node-remove
       node.parentNode.removeChild(node);

diff --git a/src/utils.js b/src/utils.js
@@ -107,18 +107,40 @@ function addToSet(set, array, transformCaseFunc = stringToLowerCase) {
   return set;
 }
 
+/**
+ * Clean up an array to harden against CSPP
+ *
+ * @param {Array} array - The array to be cleaned.
+ * @returns {Array} The cleaned version of the array
+ */
+function cleanArray(array) {
+  for (let index = 0; index < array.length; index++) {
+    if (getOwnPropertyDescriptor(array, index) === undefined) {
+      array[index] = null;
+    }
+  }
+
+  return array;
+}
+
 /**
  * Shallow clone an object
  *
  * @param {Object} object - The object to be cloned.
  * @returns {Object} A new object that copies the original.
  */
-export function clone(object) {
+function clone(object) {
   const newObject = create(null);
 
   for (const [property, value] of entries(object)) {
     if (getOwnPropertyDescriptor(object, property) !== undefined) {
-      newObject[property] = value;
+      if (Array.isArray(value)) {
+        newObject[property] = cleanArray(value);
+      } else if (typeof value === 'object' && value.constructor === Object) {
+        newObject[property] = clone(value);
+      } else {
+        newObject[property] = value;
+      }
     }
   }
 
@@ -172,6 +194,7 @@ export {
   isFrozen,
   setPrototypeOf,
   seal,
+  clone,
   create,
   // RegExp
   regExpTest,

diff --git a/test/karma.custom-launchers.config.js b/test/karma.custom-launchers.config.js
@@ -42,6 +42,30 @@ const customLaunchers = {
     browser: 'safari',
     os_version: 'Big Sur',
   },
+  bs_monterey_safari_15: {
+    base: 'BrowserStack',
+    device: null,
+    os: 'OS X',
+    browser_version: '15.6',
+    browser: 'safari',
+    os_version: 'Monterey',
+  },
+  bs_ventura_safari_16: {
+    base: 'BrowserStack',
+    device: null,
+    os: 'OS X',
+    browser_version: '16.5',
+    browser: 'safari',
+    os_version: 'Ventura',
+  },
+  bs_sonoma_safari_17: {
+    base: 'BrowserStack',
+    device: null,
+    os: 'OS X',
+    browser_version: '17.0',
+    browser: 'safari',
+    os_version: 'Sonoma',
+  },
   bs_win10_edge_84: {
     base: 'BrowserStack',
     device: null,
@@ -98,6 +122,14 @@ const customLaunchers = {
     browser: 'firefox',
     os_version: '10',
   },
+  bs_win10_firefox_120: {
+    base: 'BrowserStack',
+    device: null,
+    os: 'Windows',
+    browser_version: '120.0',
+    browser: 'firefox',
+    os_version: '11',
+  },
   bs_win10_chrome_60: {
     base: 'BrowserStack',
     device: null,
@@ -146,6 +178,14 @@ const customLaunchers = {
     browser: 'chrome',
     os_version: '10',
   },
+  bs_win10_chrome_120: {
+    base: 'BrowserStack',
+    device: null,
+    os: 'Windows',
+    browser_version: '120.0',
+    browser: 'chrome',
+    os_version: '11',
+  },
 };
 
 const getAllBrowsers = () => Object.keys(customLaunchers);

diff --git a/website/index.html b/website/index.html
@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="UTF-8">
-        <title>DOMPurify 3.0.6 "Factory Reset"</title>
+        <title>DOMPurify 3.0.7 "High Noon"</title>
         <script src="../dist/purify.min.js"></script>
         <!-- we don't actually need it - just to demo and test the $(html) sanitation -->
         <script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
@@ -23,7 +23,7 @@
         </script>
     </head>
     <body>
-        <h4>DOMPurify 3.0.6 "Factory Reset"</h4>
+        <h4>DOMPurify 3.0.7 "High Noon"</h4>
         <p>
             <a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>  
             <a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>