Skip to content

Commit

Permalink
Merge pull request #801 from dejang/refactor-policy-creation-order
Browse files Browse the repository at this point in the history
create internal trustedTypes policy only if not specified via config object
  • Loading branch information
cure53 authored May 6, 2023
2 parents e7895b4 + 2377fc5 commit ad1bdd4
Show file tree
Hide file tree
Showing 10 changed files with 248 additions and 159 deletions.
28 changes: 19 additions & 9 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

28 changes: 19 additions & 9 deletions dist/purify.es.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.es.js.map

Large diffs are not rendered by default.

28 changes: 19 additions & 9 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js.map

Large diffs are not rendered by default.

37 changes: 23 additions & 14 deletions src/purify.js
Original file line number Diff line number Diff line change
Expand Up @@ -26,11 +26,11 @@ const getGlobal = () => (typeof window === 'undefined' ? null : window);
* Creates a no-op policy for internal use only.
* Don't export this function outside this module!
* @param {?TrustedTypePolicyFactory} trustedTypes The policy factory.
* @param {Document} document The document object (to determine policy name suffix)
* @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
* @return {?TrustedTypePolicy} The policy created (or null, if Trusted Types
* are not supported).
* are not supported or creating the policy failed).
*/
const _createTrustedTypesPolicy = function (trustedTypes, document) {
const _createTrustedTypesPolicy = function (trustedTypes, purifyHostElement) {
if (
typeof trustedTypes !== 'object' ||
typeof trustedTypes.createPolicy !== 'function'
Expand All @@ -43,11 +43,8 @@ const _createTrustedTypesPolicy = function (trustedTypes, document) {
// Policy creation with duplicate names throws in Trusted Types.
let suffix = null;
const ATTR_NAME = 'data-tt-policy-suffix';
if (
document.currentScript &&
document.currentScript.hasAttribute(ATTR_NAME)
) {
suffix = document.currentScript.getAttribute(ATTR_NAME);
if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
suffix = purifyHostElement.getAttribute(ATTR_NAME);
}

const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
Expand Down Expand Up @@ -96,6 +93,7 @@ function createDOMPurify(window = getGlobal()) {
}

const originalDocument = window.document;
const currentScript = originalDocument.currentScript;

let { document } = window;
const {
Expand Down Expand Up @@ -130,11 +128,8 @@ function createDOMPurify(window = getGlobal()) {
}
}

let trustedTypesPolicy = _createTrustedTypesPolicy(
trustedTypes,
originalDocument
);
let emptyHTML = trustedTypesPolicy ? trustedTypesPolicy.createHTML('') : '';
let trustedTypesPolicy;
let emptyHTML = '';

const {
implementation,
Expand Down Expand Up @@ -603,8 +598,22 @@ function createDOMPurify(window = getGlobal()) {

// Overwrite existing TrustedTypes policy.
trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
// Sign local variables in case using the internal policy did not succeed.

// Sign local variables required by `sanitize`.
emptyHTML = trustedTypesPolicy.createHTML('');
} else {
// Uninitialized policy, attempt to initialize the internal dompurify policy.
if (trustedTypesPolicy === undefined) {
trustedTypesPolicy = _createTrustedTypesPolicy(
trustedTypes,
currentScript
);
}

// If creating the internal policy succeeded sign internal variables.
if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
emptyHTML = trustedTypesPolicy.createHTML('');
}
}

// Prevent further manipulation of configuration.
Expand Down
Loading

0 comments on commit ad1bdd4

Please sign in to comment.