fix: Made the NodeFilter see CDATA sections as well, thanks @Ry0taK

cure53 · Mar 21, 2024 · c60a4df · c60a4df
1 parent dce81a5
commit c60a4df
Show file tree

Hide file tree

Showing 11 changed files with 28 additions and 27 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.mjs b/dist/purify.es.mjs
@@ -229,10 +229,10 @@ const svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseli
 const mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);
 const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
 
-const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*?\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
+const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
 
-const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*?%>/gm);
-const TMPLIT_EXPR = seal(/\${[\w\W]*?}/gm);
+const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
+const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
 const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
 
 const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
@@ -243,7 +243,7 @@ const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
 const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 const DOCTYPE_NAME = seal(/^html$/i);
-const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
+const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -1003,7 +1003,7 @@ function createDOMPurify() {
 
   const _createNodeIterator = function _createNodeIterator(root) {
     return createNodeIterator.call(root.ownerDocument || root, root, // eslint-disable-next-line no-bitwise
-    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
+    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
   };
   /**
    * _isClobbered

diff --git a/dist/purify.es.mjs.map b/dist/purify.es.mjs.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -913,7 +913,8 @@ function createDOMPurify(window = getGlobal()) {
       NodeFilter.SHOW_ELEMENT |
         NodeFilter.SHOW_COMMENT |
         NodeFilter.SHOW_TEXT |
-        NodeFilter.SHOW_PROCESSING_INSTRUCTION,
+        NodeFilter.SHOW_PROCESSING_INSTRUCTION |
+        NodeFilter.SHOW_CDATA_SECTION,
       null
     );
   };

diff --git a/src/regexp.js b/src/regexp.js
@@ -1,9 +1,9 @@
 import { seal } from './utils.js';
 
 // eslint-disable-next-line unicorn/better-regex
-export const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*?\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
-export const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*?%>/gm);
-export const TMPLIT_EXPR = seal(/\${[\w\W]*?}/gm);
+export const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
+export const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
+export const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
 export const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
 export const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
 export const IS_ALLOWED_URI = seal(
@@ -14,4 +14,4 @@ export const ATTR_WHITESPACE = seal(
   /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 export const DOCTYPE_NAME = seal(/^html$/i);
-export const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
+export const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
diff --git a/test/test-suite.js b/test/test-suite.js
@@ -378,7 +378,7 @@
           '<a>123{{45}}6}}<b><style><% <%alert(1) %></style>456</b></a>',
           { SAFE_FOR_TEMPLATES: true }
         ),
-        '<a>  <b><style> </style>456</b></a>'
+        '<a> <b><style> </style>456</b></a>'
       );
       assert.equal(
         DOMPurify.sanitize(
@@ -2105,4 +2105,4 @@
       assert.contains(clean, expected);
     });
   };
-});
+});