fix: added a fix to handle invalid HTML Custom Element tagNames better

cure53 · Mar 4, 2024 · fcb9dbd · fcb9dbd
1 parent 1b59639
commit fcb9dbd
Show file tree

Hide file tree

Showing 10 changed files with 26 additions and 15 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -215,6 +215,7 @@ const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205
 );
 
 const DOCTYPE_NAME = seal(/^html$/i);
+const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -226,7 +227,8 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   IS_ALLOWED_URI: IS_ALLOWED_URI,
   IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
   ATTR_WHITESPACE: ATTR_WHITESPACE,
-  DOCTYPE_NAME: DOCTYPE_NAME
+  DOCTYPE_NAME: DOCTYPE_NAME,
+  CUSTOM_ELEMENT: CUSTOM_ELEMENT
 });
 
 const getGlobal = function getGlobal() {
@@ -351,7 +353,8 @@ function createDOMPurify() {
     DATA_ATTR,
     ARIA_ATTR,
     IS_SCRIPT_OR_DATA,
-    ATTR_WHITESPACE
+    ATTR_WHITESPACE,
+    CUSTOM_ELEMENT
   } = EXPRESSIONS;
   let {
     IS_ALLOWED_URI: IS_ALLOWED_URI$1
@@ -1088,7 +1091,7 @@ function createDOMPurify() {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
-    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
   };
 
   /**

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -162,6 +162,7 @@ function createDOMPurify(window = getGlobal()) {
     ARIA_ATTR,
     IS_SCRIPT_OR_DATA,
     ATTR_WHITESPACE,
+    CUSTOM_ELEMENT,
   } = EXPRESSIONS;
 
   let { IS_ALLOWED_URI } = EXPRESSIONS;
@@ -1192,7 +1193,7 @@ function createDOMPurify(window = getGlobal()) {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function (tagName) {
-    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
   };
 
   /**

diff --git a/src/regexp.js b/src/regexp.js
@@ -14,3 +14,4 @@ export const ATTR_WHITESPACE = seal(
   /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 export const DOCTYPE_NAME = seal(/^html$/i);
+export const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);