Merge pull request #729 from kevin-deyoungster/kdeyoungster/xml

Add ADD_NAMESPACES option to support strict XML documents
cure53 · Nov 10, 2022 · 5f77429 · 5f77429
2 parents 00ad011 + 36fc276
commit 5f77429
Show file tree

Hide file tree

Showing 11 changed files with 203 additions and 39 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -11,6 +11,7 @@ import {
   stringMatch,
   stringReplace,
   stringToLowerCase,
+  stringToString,
   stringIndexOf,
   stringTrim,
   regExpTest,
@@ -365,6 +366,14 @@ function createDOMPurify(window = getGlobal()) {
   let NAMESPACE = HTML_NAMESPACE;
   let IS_EMPTY_INPUT = false;
 
+  /* Allowed XHTML+XML namespaces */
+  let ALLOWED_NAMESPACES = null;
+  const DEFAULT_ALLOWED_NAMESPACES = addToSet(
+    {},
+    [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE],
+    stringToString
+  );
+
   /* Parsing of strict XHTML documents */
   let PARSER_MEDIA_TYPE;
   const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
@@ -411,7 +420,7 @@ function createDOMPurify(window = getGlobal()) {
     // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
     transformCaseFunc =
       PARSER_MEDIA_TYPE === 'application/xhtml+xml'
-        ? (x) => x
+        ? stringToString
         : stringToLowerCase;
 
     /* Set configuration parameters */
@@ -423,6 +432,10 @@ function createDOMPurify(window = getGlobal()) {
       'ALLOWED_ATTR' in cfg
         ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc)
         : DEFAULT_ALLOWED_ATTR;
+    ALLOWED_NAMESPACES =
+      'ALLOWED_NAMESPACES' in cfg
+        ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString)
+        : DEFAULT_ALLOWED_NAMESPACES;
     URI_SAFE_ATTRIBUTES =
       'ADD_URI_SAFE_ATTR' in cfg
         ? addToSet(
@@ -634,14 +647,18 @@ function createDOMPurify(window = getGlobal()) {
     // can be null. We just simulate parent in this case.
     if (!parent || !parent.tagName) {
       parent = {
-        namespaceURI: HTML_NAMESPACE,
+        namespaceURI: NAMESPACE,
         tagName: 'template',
       };
     }
 
     const tagName = stringToLowerCase(element.tagName);
     const parentTagName = stringToLowerCase(parent.tagName);
 
+    if (!ALLOWED_NAMESPACES[element.namespaceURI]) {
+      return false;
+    }
+
     if (element.namespaceURI === SVG_NAMESPACE) {
       // The only way to switch from HTML namespace to SVG
       // is via <svg>. If it happens via any other tag, then
@@ -650,7 +667,7 @@ function createDOMPurify(window = getGlobal()) {
         return tagName === 'svg';
       }
 
-      // The only way to switch from MathML to SVG is via
+      // The only way to switch from MathML to SVG is via`
       // svg if parent is either <annotation-xml> or MathML
       // text integration points.
       if (parent.namespaceURI === MATHML_NAMESPACE) {
@@ -711,9 +728,18 @@ function createDOMPurify(window = getGlobal()) {
       );
     }
 
+    // For XHTML and XML documents that support custom namespaces
+    if (
+      PARSER_MEDIA_TYPE === 'application/xhtml+xml' &&
+      ALLOWED_NAMESPACES[element.namespaceURI]
+    ) {
+      return true;
+    }
+
     // The code should never reach this place (this means
     // that the element somehow got namespace that is not
-    // HTML, SVG or MathML). Return false just in case.
+    // HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).
+    // Return false just in case.
     return false;
   };
 
@@ -790,7 +816,10 @@ function createDOMPurify(window = getGlobal()) {
       leadingWhitespace = matches && matches[0];
     }
 
-    if (PARSER_MEDIA_TYPE === 'application/xhtml+xml') {
+    if (
+      PARSER_MEDIA_TYPE === 'application/xhtml+xml' &&
+      NAMESPACE === HTML_NAMESPACE
+    ) {
       // Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)
       dirty =
         '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' +