Diff: STRATO-apps/wordpress_03/app/wp-content/plugins/fluent-smtp/assets/libs/purify/purify.js

Keine Baseline-Datei – Diff nur gegen leer.
Baseline Vorherige Version
Zur Liste
1 -
1 + /*! @license DOMPurify 3.2.4 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.4/LICENSE */
2 +
3 + (function (global, factory) {
4 + typeof exports === 'object' && typeof module !== 'undefined' ? module.exports = factory() :
5 + typeof define === 'function' && define.amd ? define(factory) :
6 + (global = typeof globalThis !== 'undefined' ? globalThis : global || self, global.DOMPurify = factory());
7 + })(this, (function () { 'use strict';
8 +
9 + const {
10 + entries,
11 + setPrototypeOf,
12 + isFrozen,
13 + getPrototypeOf,
14 + getOwnPropertyDescriptor
15 + } = Object;
16 + let {
17 + freeze,
18 + seal,
19 + create
20 + } = Object; // eslint-disable-line import/no-mutable-exports
21 + let {
22 + apply,
23 + construct
24 + } = typeof Reflect !== 'undefined' && Reflect;
25 + if (!freeze) {
26 + freeze = function freeze(x) {
27 + return x;
28 + };
29 + }
30 + if (!seal) {
31 + seal = function seal(x) {
32 + return x;
33 + };
34 + }
35 + if (!apply) {
36 + apply = function apply(fun, thisValue, args) {
37 + return fun.apply(thisValue, args);
38 + };
39 + }
40 + if (!construct) {
41 + construct = function construct(Func, args) {
42 + return new Func(...args);
43 + };
44 + }
45 + const arrayForEach = unapply(Array.prototype.forEach);
46 + const arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);
47 + const arrayPop = unapply(Array.prototype.pop);
48 + const arrayPush = unapply(Array.prototype.push);
49 + const arraySplice = unapply(Array.prototype.splice);
50 + const stringToLowerCase = unapply(String.prototype.toLowerCase);
51 + const stringToString = unapply(String.prototype.toString);
52 + const stringMatch = unapply(String.prototype.match);
53 + const stringReplace = unapply(String.prototype.replace);
54 + const stringIndexOf = unapply(String.prototype.indexOf);
55 + const stringTrim = unapply(String.prototype.trim);
56 + const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);
57 + const regExpTest = unapply(RegExp.prototype.test);
58 + const typeErrorCreate = unconstruct(TypeError);
59 + /**
60 + * Creates a new function that calls the given function with a specified thisArg and arguments.
61 + *
62 + * @param func - The function to be wrapped and called.
63 + * @returns A new function that calls the given function with a specified thisArg and arguments.
64 + */
65 + function unapply(func) {
66 + return function (thisArg) {
67 + for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
68 + args[_key - 1] = arguments[_key];
69 + }
70 + return apply(func, thisArg, args);
71 + };
72 + }
73 + /**
74 + * Creates a new function that constructs an instance of the given constructor function with the provided arguments.
75 + *
76 + * @param func - The constructor function to be wrapped and called.
77 + * @returns A new function that constructs an instance of the given constructor function with the provided arguments.
78 + */
79 + function unconstruct(func) {
80 + return function () {
81 + for (var _len2 = arguments.length, args = new Array(_len2), _key2 = 0; _key2 < _len2; _key2++) {
82 + args[_key2] = arguments[_key2];
83 + }
84 + return construct(func, args);
85 + };
86 + }
87 + /**
88 + * Add properties to a lookup table
89 + *
90 + * @param set - The set to which elements will be added.
91 + * @param array - The array containing elements to be added to the set.
92 + * @param transformCaseFunc - An optional function to transform the case of each element before adding to the set.
93 + * @returns The modified set with added elements.
94 + */
95 + function addToSet(set, array) {
96 + let transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;
97 + if (setPrototypeOf) {
98 + // Make 'in' and truthy checks like Boolean(set.constructor)
99 + // independent of any properties defined on Object.prototype.
100 + // Prevent prototype setters from intercepting set as a this value.
101 + setPrototypeOf(set, null);
102 + }
103 + let l = array.length;
104 + while (l--) {
105 + let element = array[l];
106 + if (typeof element === 'string') {
107 + const lcElement = transformCaseFunc(element);
108 + if (lcElement !== element) {
109 + // Config presets (e.g. tags.js, attrs.js) are immutable.
110 + if (!isFrozen(array)) {
111 + array[l] = lcElement;
112 + }
113 + element = lcElement;
114 + }
115 + }
116 + set[element] = true;
117 + }
118 + return set;
119 + }
120 + /**
121 + * Clean up an array to harden against CSPP
122 + *
123 + * @param array - The array to be cleaned.
124 + * @returns The cleaned version of the array
125 + */
126 + function cleanArray(array) {
127 + for (let index = 0; index < array.length; index++) {
128 + const isPropertyExist = objectHasOwnProperty(array, index);
129 + if (!isPropertyExist) {
130 + array[index] = null;
131 + }
132 + }
133 + return array;
134 + }
135 + /**
136 + * Shallow clone an object
137 + *
138 + * @param object - The object to be cloned.
139 + * @returns A new object that copies the original.
140 + */
141 + function clone(object) {
142 + const newObject = create(null);
143 + for (const [property, value] of entries(object)) {
144 + const isPropertyExist = objectHasOwnProperty(object, property);
145 + if (isPropertyExist) {
146 + if (Array.isArray(value)) {
147 + newObject[property] = cleanArray(value);
148 + } else if (value && typeof value === 'object' && value.constructor === Object) {
149 + newObject[property] = clone(value);
150 + } else {
151 + newObject[property] = value;
152 + }
153 + }
154 + }
155 + return newObject;
156 + }
157 + /**
158 + * This method automatically checks if the prop is function or getter and behaves accordingly.
159 + *
160 + * @param object - The object to look up the getter function in its prototype chain.
161 + * @param prop - The property name for which to find the getter function.
162 + * @returns The getter function found in the prototype chain or a fallback function.
163 + */
164 + function lookupGetter(object, prop) {
165 + while (object !== null) {
166 + const desc = getOwnPropertyDescriptor(object, prop);
167 + if (desc) {
168 + if (desc.get) {
169 + return unapply(desc.get);
170 + }
171 + if (typeof desc.value === 'function') {
172 + return unapply(desc.value);
173 + }
174 + }
175 + object = getPrototypeOf(object);
176 + }
177 + function fallbackValue() {
178 + return null;
179 + }
180 + return fallbackValue;
181 + }
182 +
183 + const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
184 + const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
185 + const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
186 + // List of SVG elements that are disallowed by default.
187 + // We still need to know them so that we can do namespace
188 + // checks properly in case one wants to add them to
189 + // allow-list.
190 + const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
191 + const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
192 + // Similarly to SVG, we want to know all MathML elements,
193 + // even those that we disallow by default.
194 + const mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);
195 + const text = freeze(['#text']);
196 +
197 + const html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'popover', 'popovertarget', 'popovertargetaction', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'wrap', 'xmlns', 'slot']);
198 + const svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'amplitude', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'exponent', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'intercept', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'slope', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'tablevalues', 'targetx', 'targety', 'transform', 'transform-origin', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);
199 + const mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);
200 + const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
201 +
202 + // eslint-disable-next-line unicorn/better-regex
203 + const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
204 + const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);
205 + const TMPLIT_EXPR = seal(/\$\{[\w\W]*/gm); // eslint-disable-line unicorn/better-regex
206 + const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape
207 + const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
208 + const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape
209 + );
210 + const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);
211 + const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
212 + );
213 + const DOCTYPE_NAME = seal(/^html$/i);
214 + const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);
215 +
216 + var EXPRESSIONS = /*#__PURE__*/Object.freeze({
217 + __proto__: null,
218 + ARIA_ATTR: ARIA_ATTR,
219 + ATTR_WHITESPACE: ATTR_WHITESPACE,
220 + CUSTOM_ELEMENT: CUSTOM_ELEMENT,
221 + DATA_ATTR: DATA_ATTR,
222 + DOCTYPE_NAME: DOCTYPE_NAME,
223 + ERB_EXPR: ERB_EXPR,
224 + IS_ALLOWED_URI: IS_ALLOWED_URI,
225 + IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
226 + MUSTACHE_EXPR: MUSTACHE_EXPR,
227 + TMPLIT_EXPR: TMPLIT_EXPR
228 + });
229 +
230 + /* eslint-disable @typescript-eslint/indent */
231 + // https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType
232 + const NODE_TYPE = {
233 + element: 1,
234 + attribute: 2,
235 + text: 3,
236 + cdataSection: 4,
237 + entityReference: 5,
238 + // Deprecated
239 + entityNode: 6,
240 + // Deprecated
241 + progressingInstruction: 7,
242 + comment: 8,
243 + document: 9,
244 + documentType: 10,
245 + documentFragment: 11,
246 + notation: 12 // Deprecated
247 + };
248 + const getGlobal = function getGlobal() {
249 + return typeof window === 'undefined' ? null : window;
250 + };
251 + /**
252 + * Creates a no-op policy for internal use only.
253 + * Don't export this function outside this module!
254 + * @param trustedTypes The policy factory.
255 + * @param purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
256 + * @return The policy created (or null, if Trusted Types
257 + * are not supported or creating the policy failed).
258 + */
259 + const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
260 + if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {
261 + return null;
262 + }
263 + // Allow the callers to control the unique policy name
264 + // by adding a data-tt-policy-suffix to the script element with the DOMPurify.
265 + // Policy creation with duplicate names throws in Trusted Types.
266 + let suffix = null;
267 + const ATTR_NAME = 'data-tt-policy-suffix';
268 + if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
269 + suffix = purifyHostElement.getAttribute(ATTR_NAME);
270 + }
271 + const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
272 + try {
273 + return trustedTypes.createPolicy(policyName, {
274 + createHTML(html) {
275 + return html;
276 + },
277 + createScriptURL(scriptUrl) {
278 + return scriptUrl;
279 + }
280 + });
281 + } catch (_) {
282 + // Policy creation failed (most likely another DOMPurify script has
283 + // already run). Skip creating the policy, as this will only cause errors
284 + // if TT are enforced.
285 + console.warn('TrustedTypes policy ' + policyName + ' could not be created.');
286 + return null;
287 + }
288 + };
289 + const _createHooksMap = function _createHooksMap() {
290 + return {
291 + afterSanitizeAttributes: [],
292 + afterSanitizeElements: [],
293 + afterSanitizeShadowDOM: [],
294 + beforeSanitizeAttributes: [],
295 + beforeSanitizeElements: [],
296 + beforeSanitizeShadowDOM: [],
297 + uponSanitizeAttribute: [],
298 + uponSanitizeElement: [],
299 + uponSanitizeShadowNode: []
300 + };
301 + };
302 + function createDOMPurify() {
303 + let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
304 + const DOMPurify = root => createDOMPurify(root);
305 + DOMPurify.version = '3.2.4';
306 + DOMPurify.removed = [];
307 + if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {
308 + // Not running in a browser, provide a factory function
309 + // so that you can pass your own Window
310 + DOMPurify.isSupported = false;
311 + return DOMPurify;
312 + }
313 + let {
314 + document
315 + } = window;
316 + const originalDocument = document;
317 + const currentScript = originalDocument.currentScript;
318 + const {
319 + DocumentFragment,
320 + HTMLTemplateElement,
321 + Node,
322 + Element,
323 + NodeFilter,
324 + NamedNodeMap = window.NamedNodeMap || window.MozNamedAttrMap,
325 + HTMLFormElement,
326 + DOMParser,
327 + trustedTypes
328 + } = window;
329 + const ElementPrototype = Element.prototype;
330 + const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
331 + const remove = lookupGetter(ElementPrototype, 'remove');
332 + const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
333 + const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
334 + const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
335 + // As per issue #47, the web-components registry is inherited by a
336 + // new document created via createHTMLDocument. As per the spec
337 + // (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)
338 + // a new empty registry is used when creating a template contents owner
339 + // document, so we use that as our parent document to ensure nothing
340 + // is inherited.
341 + if (typeof HTMLTemplateElement === 'function') {
342 + const template = document.createElement('template');
343 + if (template.content && template.content.ownerDocument) {
344 + document = template.content.ownerDocument;
345 + }
346 + }
347 + let trustedTypesPolicy;
348 + let emptyHTML = '';
349 + const {
350 + implementation,
351 + createNodeIterator,
352 + createDocumentFragment,
353 + getElementsByTagName
354 + } = document;
355 + const {
356 + importNode
357 + } = originalDocument;
358 + let hooks = _createHooksMap();
359 + /**
360 + * Expose whether this browser supports running the full DOMPurify.
361 + */
362 + DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
363 + const {
364 + MUSTACHE_EXPR,
365 + ERB_EXPR,
366 + TMPLIT_EXPR,
367 + DATA_ATTR,
368 + ARIA_ATTR,
369 + IS_SCRIPT_OR_DATA,
370 + ATTR_WHITESPACE,
371 + CUSTOM_ELEMENT
372 + } = EXPRESSIONS;
373 + let {
374 + IS_ALLOWED_URI: IS_ALLOWED_URI$1
375 + } = EXPRESSIONS;
376 + /**
377 + * We consider the elements and attributes below to be safe. Ideally
378 + * don't add any new ones but feel free to remove unwanted ones.
379 + */
380 + /* allowed element names */
381 + let ALLOWED_TAGS = null;
382 + const DEFAULT_ALLOWED_TAGS = addToSet({}, [...html$1, ...svg$1, ...svgFilters, ...mathMl$1, ...text]);
383 + /* Allowed attribute names */
384 + let ALLOWED_ATTR = null;
385 + const DEFAULT_ALLOWED_ATTR = addToSet({}, [...html, ...svg, ...mathMl, ...xml]);
386 + /*
387 + * Configure how DOMPurify should handle custom elements and their attributes as well as customized built-in elements.
388 + * @property {RegExp|Function|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)
389 + * @property {RegExp|Function|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)
390 + * @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.
391 + */
392 + let CUSTOM_ELEMENT_HANDLING = Object.seal(create(null, {
393 + tagNameCheck: {
394 + writable: true,
395 + configurable: false,
396 + enumerable: true,
397 + value: null
398 + },
399 + attributeNameCheck: {
400 + writable: true,
401 + configurable: false,
402 + enumerable: true,
403 + value: null
404 + },
405 + allowCustomizedBuiltInElements: {
406 + writable: true,
407 + configurable: false,
408 + enumerable: true,
409 + value: false
410 + }
411 + }));
412 + /* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
413 + let FORBID_TAGS = null;
414 + /* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
415 + let FORBID_ATTR = null;
416 + /* Decide if ARIA attributes are okay */
417 + let ALLOW_ARIA_ATTR = true;
418 + /* Decide if custom data attributes are okay */
419 + let ALLOW_DATA_ATTR = true;
420 + /* Decide if unknown protocols are okay */
421 + let ALLOW_UNKNOWN_PROTOCOLS = false;
422 + /* Decide if self-closing tags in attributes are allowed.
423 + * Usually removed due to a mXSS issue in jQuery 3.0 */
424 + let ALLOW_SELF_CLOSE_IN_ATTR = true;
425 + /* Output should be safe for common template engines.
426 + * This means, DOMPurify removes data attributes, mustaches and ERB
427 + */
428 + let SAFE_FOR_TEMPLATES = false;
429 + /* Output should be safe even for XML used within HTML and alike.
430 + * This means, DOMPurify removes comments when containing risky content.
431 + */
432 + let SAFE_FOR_XML = true;
433 + /* Decide if document with <html>... should be returned */
434 + let WHOLE_DOCUMENT = false;
435 + /* Track whether config is already set on this instance of DOMPurify. */
436 + let SET_CONFIG = false;
437 + /* Decide if all elements (e.g. style, script) must be children of
438 + * document.body. By default, browsers might move them to document.head */
439 + let FORCE_BODY = false;
440 + /* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html
441 + * string (or a TrustedHTML object if Trusted Types are supported).
442 + * If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead
443 + */
444 + let RETURN_DOM = false;
445 + /* Decide if a DOM `DocumentFragment` should be returned, instead of a html
446 + * string (or a TrustedHTML object if Trusted Types are supported) */
447 + let RETURN_DOM_FRAGMENT = false;
448 + /* Try to return a Trusted Type object instead of a string, return a string in
449 + * case Trusted Types are not supported */
450 + let RETURN_TRUSTED_TYPE = false;
451 + /* Output should be free from DOM clobbering attacks?
452 + * This sanitizes markups named with colliding, clobberable built-in DOM APIs.
453 + */
454 + let SANITIZE_DOM = true;
455 + /* Achieve full DOM Clobbering protection by isolating the namespace of named
456 + * properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
457 + *
458 + * HTML/DOM spec rules that enable DOM Clobbering:
459 + * - Named Access on Window (§7.3.3)
460 + * - DOM Tree Accessors (§3.1.5)
461 + * - Form Element Parent-Child Relations (§4.10.3)
462 + * - Iframe srcdoc / Nested WindowProxies (§4.8.5)
463 + * - HTMLCollection (§4.2.10.2)
464 + *
465 + * Namespace isolation is implemented by prefixing `id` and `name` attributes
466 + * with a constant string, i.e., `user-content-`
467 + */
468 + let SANITIZE_NAMED_PROPS = false;
469 + const SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
470 + /* Keep element content when removing element? */
471 + let KEEP_CONTENT = true;
472 + /* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
473 + * of importing it into a new Document and returning a sanitized copy */
474 + let IN_PLACE = false;
475 + /* Allow usage of profiles like html, svg and mathMl */
476 + let USE_PROFILES = {};
477 + /* Tags to ignore content of when KEEP_CONTENT is true */
478 + let FORBID_CONTENTS = null;
479 + const DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);
480 + /* Tags that are safe for data: URIs */
481 + let DATA_URI_TAGS = null;
482 + const DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);
483 + /* Attributes safe for values like "javascript:" */
484 + let URI_SAFE_ATTRIBUTES = null;
485 + const DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);
486 + const MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
487 + const SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
488 + const HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
489 + /* Document namespace */
490 + let NAMESPACE = HTML_NAMESPACE;
491 + let IS_EMPTY_INPUT = false;
492 + /* Allowed XHTML+XML namespaces */
493 + let ALLOWED_NAMESPACES = null;
494 + const DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);
495 + let MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
496 + let HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);
497 + // Certain elements are allowed in both SVG and HTML
498 + // namespace. We need to specify them explicitly
499 + // so that they don't get erroneously deleted from
500 + // HTML namespace.
501 + const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
502 + /* Parsing of strict XHTML documents */
503 + let PARSER_MEDIA_TYPE = null;
504 + const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
505 + const DEFAULT_PARSER_MEDIA_TYPE = 'text/html';
506 + let transformCaseFunc = null;
507 + /* Keep a reference to config to pass to hooks */
508 + let CONFIG = null;
509 + /* Ideally, do not touch anything below this line */
510 + /* ______________________________________________ */
511 + const formElement = document.createElement('form');
512 + const isRegexOrFunction = function isRegexOrFunction(testValue) {
513 + return testValue instanceof RegExp || testValue instanceof Function;
514 + };
515 + /**
516 + * _parseConfig
517 + *
518 + * @param cfg optional config literal
519 + */
520 + // eslint-disable-next-line complexity
521 + const _parseConfig = function _parseConfig() {
522 + let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
523 + if (CONFIG && CONFIG === cfg) {
524 + return;
525 + }
526 + /* Shield configuration object from tampering */
527 + if (!cfg || typeof cfg !== 'object') {
528 + cfg = {};
529 + }
530 + /* Shield configuration object from prototype pollution */
531 + cfg = clone(cfg);
532 + PARSER_MEDIA_TYPE =
533 + // eslint-disable-next-line unicorn/prefer-includes
534 + SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;
535 + // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
536 + transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
537 + /* Set configuration parameters */
538 + ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
539 + ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
540 + ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
541 + URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;
542 + DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;
543 + FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
544 + FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
545 + FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
546 + USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;
547 + ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
548 + ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
549 + ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
550 + ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
551 + SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
552 + SAFE_FOR_XML = cfg.SAFE_FOR_XML !== false; // Default true
553 + WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
554 + RETURN_DOM = cfg.RETURN_DOM || false; // Default false
555 + RETURN_DOM_FRAGMENT = cfg.RETURN_DOM_FRAGMENT || false; // Default false
556 + RETURN_TRUSTED_TYPE = cfg.RETURN_TRUSTED_TYPE || false; // Default false
557 + FORCE_BODY = cfg.FORCE_BODY || false; // Default false
558 + SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
559 + SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false
560 + KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
561 + IN_PLACE = cfg.IN_PLACE || false; // Default false
562 + IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI;
563 + NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;
564 + MATHML_TEXT_INTEGRATION_POINTS = cfg.MATHML_TEXT_INTEGRATION_POINTS || MATHML_TEXT_INTEGRATION_POINTS;
565 + HTML_INTEGRATION_POINTS = cfg.HTML_INTEGRATION_POINTS || HTML_INTEGRATION_POINTS;
566 + CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};
567 + if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
568 + CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
569 + }
570 + if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)) {
571 + CUSTOM_ELEMENT_HANDLING.attributeNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck;
572 + }
573 + if (cfg.CUSTOM_ELEMENT_HANDLING && typeof cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements === 'boolean') {
574 + CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
575 + }
576 + if (SAFE_FOR_TEMPLATES) {
577 + ALLOW_DATA_ATTR = false;
578 + }
579 + if (RETURN_DOM_FRAGMENT) {
580 + RETURN_DOM = true;
581 + }
582 + /* Parse profile info */
583 + if (USE_PROFILES) {
584 + ALLOWED_TAGS = addToSet({}, text);
585 + ALLOWED_ATTR = [];
586 + if (USE_PROFILES.html === true) {
587 + addToSet(ALLOWED_TAGS, html$1);
588 + addToSet(ALLOWED_ATTR, html);
589 + }
590 + if (USE_PROFILES.svg === true) {
591 + addToSet(ALLOWED_TAGS, svg$1);
592 + addToSet(ALLOWED_ATTR, svg);
593 + addToSet(ALLOWED_ATTR, xml);
594 + }
595 + if (USE_PROFILES.svgFilters === true) {
596 + addToSet(ALLOWED_TAGS, svgFilters);
597 + addToSet(ALLOWED_ATTR, svg);
598 + addToSet(ALLOWED_ATTR, xml);
599 + }
600 + if (USE_PROFILES.mathMl === true) {
601 + addToSet(ALLOWED_TAGS, mathMl$1);
602 + addToSet(ALLOWED_ATTR, mathMl);
603 + addToSet(ALLOWED_ATTR, xml);
604 + }
605 + }
606 + /* Merge configuration parameters */
607 + if (cfg.ADD_TAGS) {
608 + if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
609 + ALLOWED_TAGS = clone(ALLOWED_TAGS);
610 + }
611 + addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
612 + }
613 + if (cfg.ADD_ATTR) {
614 + if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
615 + ALLOWED_ATTR = clone(ALLOWED_ATTR);
616 + }
617 + addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
618 + }
619 + if (cfg.ADD_URI_SAFE_ATTR) {
620 + addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
621 + }
622 + if (cfg.FORBID_CONTENTS) {
623 + if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
624 + FORBID_CONTENTS = clone(FORBID_CONTENTS);
625 + }
626 + addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
627 + }
628 + /* Add #text in case KEEP_CONTENT is set to true */
629 + if (KEEP_CONTENT) {
630 + ALLOWED_TAGS['#text'] = true;
631 + }
632 + /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */
633 + if (WHOLE_DOCUMENT) {
634 + addToSet(ALLOWED_TAGS, ['html', 'head', 'body']);
635 + }
636 + /* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */
637 + if (ALLOWED_TAGS.table) {
638 + addToSet(ALLOWED_TAGS, ['tbody']);
639 + delete FORBID_TAGS.tbody;
640 + }
641 + if (cfg.TRUSTED_TYPES_POLICY) {
642 + if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
643 + throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
644 + }
645 + if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
646 + throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
647 + }
648 + // Overwrite existing TrustedTypes policy.
649 + trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
650 + // Sign local variables required by `sanitize`.
651 + emptyHTML = trustedTypesPolicy.createHTML('');
652 + } else {
653 + // Uninitialized policy, attempt to initialize the internal dompurify policy.
654 + if (trustedTypesPolicy === undefined) {
655 + trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
656 + }
657 + // If creating the internal policy succeeded sign internal variables.
658 + if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
659 + emptyHTML = trustedTypesPolicy.createHTML('');
660 + }
661 + }
662 + // Prevent further manipulation of configuration.
663 + // Not available in IE8, Safari 5, etc.
664 + if (freeze) {
665 + freeze(cfg);
666 + }
667 + CONFIG = cfg;
668 + };
669 + /* Keep track of all possible SVG and MathML tags
670 + * so that we can perform the namespace checks
671 + * correctly. */
672 + const ALL_SVG_TAGS = addToSet({}, [...svg$1, ...svgFilters, ...svgDisallowed]);
673 + const ALL_MATHML_TAGS = addToSet({}, [...mathMl$1, ...mathMlDisallowed]);
674 + /**
675 + * @param element a DOM element whose namespace is being checked
676 + * @returns Return false if the element has a
677 + * namespace that a spec-compliant parser would never
678 + * return. Return true otherwise.
679 + */
680 + const _checkValidNamespace = function _checkValidNamespace(element) {
681 + let parent = getParentNode(element);
682 + // In JSDOM, if we're inside shadow DOM, then parentNode
683 + // can be null. We just simulate parent in this case.
684 + if (!parent || !parent.tagName) {
685 + parent = {
686 + namespaceURI: NAMESPACE,
687 + tagName: 'template'
688 + };
689 + }
690 + const tagName = stringToLowerCase(element.tagName);
691 + const parentTagName = stringToLowerCase(parent.tagName);
692 + if (!ALLOWED_NAMESPACES[element.namespaceURI]) {
693 + return false;
694 + }
695 + if (element.namespaceURI === SVG_NAMESPACE) {
696 + // The only way to switch from HTML namespace to SVG
697 + // is via <svg>. If it happens via any other tag, then
698 + // it should be killed.
699 + if (parent.namespaceURI === HTML_NAMESPACE) {
700 + return tagName === 'svg';
701 + }
702 + // The only way to switch from MathML to SVG is via`
703 + // svg if parent is either <annotation-xml> or MathML
704 + // text integration points.
705 + if (parent.namespaceURI === MATHML_NAMESPACE) {
706 + return tagName === 'svg' && (parentTagName === 'annotation-xml' || MATHML_TEXT_INTEGRATION_POINTS[parentTagName]);
707 + }
708 + // We only allow elements that are defined in SVG
709 + // spec. All others are disallowed in SVG namespace.
710 + return Boolean(ALL_SVG_TAGS[tagName]);
711 + }
712 + if (element.namespaceURI === MATHML_NAMESPACE) {
713 + // The only way to switch from HTML namespace to MathML
714 + // is via <math>. If it happens via any other tag, then
715 + // it should be killed.
716 + if (parent.namespaceURI === HTML_NAMESPACE) {
717 + return tagName === 'math';
718 + }
719 + // The only way to switch from SVG to MathML is via
720 + // <math> and HTML integration points
721 + if (parent.namespaceURI === SVG_NAMESPACE) {
722 + return tagName === 'math' && HTML_INTEGRATION_POINTS[parentTagName];
723 + }
724 + // We only allow elements that are defined in MathML
725 + // spec. All others are disallowed in MathML namespace.
726 + return Boolean(ALL_MATHML_TAGS[tagName]);
727 + }
728 + if (element.namespaceURI === HTML_NAMESPACE) {
729 + // The only way to switch from SVG to HTML is via
730 + // HTML integration points, and from MathML to HTML
731 + // is via MathML text integration points
732 + if (parent.namespaceURI === SVG_NAMESPACE && !HTML_INTEGRATION_POINTS[parentTagName]) {
733 + return false;
734 + }
735 + if (parent.namespaceURI === MATHML_NAMESPACE && !MATHML_TEXT_INTEGRATION_POINTS[parentTagName]) {
736 + return false;
737 + }
738 + // We disallow tags that are specific for MathML
739 + // or SVG and should never appear in HTML namespace
740 + return !ALL_MATHML_TAGS[tagName] && (COMMON_SVG_AND_HTML_ELEMENTS[tagName] || !ALL_SVG_TAGS[tagName]);
741 + }
742 + // For XHTML and XML documents that support custom namespaces
743 + if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && ALLOWED_NAMESPACES[element.namespaceURI]) {
744 + return true;
745 + }
746 + // The code should never reach this place (this means
747 + // that the element somehow got namespace that is not
748 + // HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).
749 + // Return false just in case.
750 + return false;
751 + };
752 + /**
753 + * _forceRemove
754 + *
755 + * @param node a DOM node
756 + */
757 + const _forceRemove = function _forceRemove(node) {
758 + arrayPush(DOMPurify.removed, {
759 + element: node
760 + });
761 + try {
762 + // eslint-disable-next-line unicorn/prefer-dom-node-remove
763 + getParentNode(node).removeChild(node);
764 + } catch (_) {
765 + remove(node);
766 + }
767 + };
768 + /**
769 + * _removeAttribute
770 + *
771 + * @param name an Attribute name
772 + * @param element a DOM node
773 + */
774 + const _removeAttribute = function _removeAttribute(name, element) {
775 + try {
776 + arrayPush(DOMPurify.removed, {
777 + attribute: element.getAttributeNode(name),
778 + from: element
779 + });
780 + } catch (_) {
781 + arrayPush(DOMPurify.removed, {
782 + attribute: null,
783 + from: element
784 + });
785 + }
786 + element.removeAttribute(name);
787 + // We void attribute values for unremovable "is" attributes
788 + if (name === 'is') {
789 + if (RETURN_DOM || RETURN_DOM_FRAGMENT) {
790 + try {
791 + _forceRemove(element);
792 + } catch (_) {}
793 + } else {
794 + try {
795 + element.setAttribute(name, '');
796 + } catch (_) {}
797 + }
798 + }
799 + };
800 + /**
801 + * _initDocument
802 + *
803 + * @param dirty - a string of dirty markup
804 + * @return a DOM, filled with the dirty markup
805 + */
806 + const _initDocument = function _initDocument(dirty) {
807 + /* Create a HTML document */
808 + let doc = null;
809 + let leadingWhitespace = null;
810 + if (FORCE_BODY) {
811 + dirty = '<remove></remove>' + dirty;
812 + } else {
813 + /* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */
814 + const matches = stringMatch(dirty, /^[\r\n\t ]+/);
815 + leadingWhitespace = matches && matches[0];
816 + }
817 + if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && NAMESPACE === HTML_NAMESPACE) {
818 + // Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)
819 + dirty = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + dirty + '</body></html>';
820 + }
821 + const dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
822 + /*
823 + * Use the DOMParser API by default, fallback later if needs be
824 + * DOMParser not work for svg when has multiple root element.
825 + */
826 + if (NAMESPACE === HTML_NAMESPACE) {
827 + try {
828 + doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);
829 + } catch (_) {}
830 + }
831 + /* Use createHTMLDocument in case DOMParser is not available */
832 + if (!doc || !doc.documentElement) {
833 + doc = implementation.createDocument(NAMESPACE, 'template', null);
834 + try {
835 + doc.documentElement.innerHTML = IS_EMPTY_INPUT ? emptyHTML : dirtyPayload;
836 + } catch (_) {
837 + // Syntax error if dirtyPayload is invalid xml
838 + }
839 + }
840 + const body = doc.body || doc.documentElement;
841 + if (dirty && leadingWhitespace) {
842 + body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);
843 + }
844 + /* Work on whole document or just its body */
845 + if (NAMESPACE === HTML_NAMESPACE) {
846 + return getElementsByTagName.call(doc, WHOLE_DOCUMENT ? 'html' : 'body')[0];
847 + }
848 + return WHOLE_DOCUMENT ? doc.documentElement : body;
849 + };
850 + /**
851 + * Creates a NodeIterator object that you can use to traverse filtered lists of nodes or elements in a document.
852 + *
853 + * @param root The root element or node to start traversing on.
854 + * @return The created NodeIterator
855 + */
856 + const _createNodeIterator = function _createNodeIterator(root) {
857 + return createNodeIterator.call(root.ownerDocument || root, root,
858 + // eslint-disable-next-line no-bitwise
859 + NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);
860 + };
861 + /**
862 + * _isClobbered
863 + *
864 + * @param element element to check for clobbering attacks
865 + * @return true if clobbered, false if safe
866 + */
867 + const _isClobbered = function _isClobbered(element) {
868 + return element instanceof HTMLFormElement && (typeof element.nodeName !== 'string' || typeof element.textContent !== 'string' || typeof element.removeChild !== 'function' || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== 'function' || typeof element.setAttribute !== 'function' || typeof element.namespaceURI !== 'string' || typeof element.insertBefore !== 'function' || typeof element.hasChildNodes !== 'function');
869 + };
870 + /**
871 + * Checks whether the given object is a DOM node.
872 + *
873 + * @param value object to check whether it's a DOM node
874 + * @return true is object is a DOM node
875 + */
876 + const _isNode = function _isNode(value) {
877 + return typeof Node === 'function' && value instanceof Node;
878 + };
879 + function _executeHooks(hooks, currentNode, data) {
880 + arrayForEach(hooks, hook => {
881 + hook.call(DOMPurify, currentNode, data, CONFIG);
882 + });
883 + }
884 + /**
885 + * _sanitizeElements
886 + *
887 + * @protect nodeName
888 + * @protect textContent
889 + * @protect removeChild
890 + * @param currentNode to check for permission to exist
891 + * @return true if node was killed, false if left alive
892 + */
893 + const _sanitizeElements = function _sanitizeElements(currentNode) {
894 + let content = null;
895 + /* Execute a hook if present */
896 + _executeHooks(hooks.beforeSanitizeElements, currentNode, null);
897 + /* Check if element is clobbered or can clobber */
898 + if (_isClobbered(currentNode)) {
899 + _forceRemove(currentNode);
900 + return true;
901 + }
902 + /* Now let's check the element's type and name */
903 + const tagName = transformCaseFunc(currentNode.nodeName);
904 + /* Execute a hook if present */
905 + _executeHooks(hooks.uponSanitizeElement, currentNode, {
906 + tagName,
907 + allowedTags: ALLOWED_TAGS
908 + });
909 + /* Detect mXSS attempts abusing namespace confusion */
910 + if (currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w]/g, currentNode.innerHTML) && regExpTest(/<[/\w]/g, currentNode.textContent)) {
911 + _forceRemove(currentNode);
912 + return true;
913 + }
914 + /* Remove any occurrence of processing instructions */
915 + if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {
916 + _forceRemove(currentNode);
917 + return true;
918 + }
919 + /* Remove any kind of possibly harmful comments */
920 + if (SAFE_FOR_XML && currentNode.nodeType === NODE_TYPE.comment && regExpTest(/<[/\w]/g, currentNode.data)) {
921 + _forceRemove(currentNode);
922 + return true;
923 + }
924 + /* Remove element if anything forbids its presence */
925 + if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
926 + /* Check if we have a custom element to handle */
927 + if (!FORBID_TAGS[tagName] && _isBasicCustomElement(tagName)) {
928 + if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName)) {
929 + return false;
930 + }
931 + if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(tagName)) {
932 + return false;
933 + }
934 + }
935 + /* Keep content except for bad-listed elements */
936 + if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
937 + const parentNode = getParentNode(currentNode) || currentNode.parentNode;
938 + const childNodes = getChildNodes(currentNode) || currentNode.childNodes;
939 + if (childNodes && parentNode) {
940 + const childCount = childNodes.length;
941 + for (let i = childCount - 1; i >= 0; --i) {
942 + const childClone = cloneNode(childNodes[i], true);
943 + childClone.__removalCount = (currentNode.__removalCount || 0) + 1;
944 + parentNode.insertBefore(childClone, getNextSibling(currentNode));
945 + }
946 + }
947 + }
948 + _forceRemove(currentNode);
949 + return true;
950 + }
951 + /* Check whether element has a valid namespace */
952 + if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {
953 + _forceRemove(currentNode);
954 + return true;
955 + }
956 + /* Make sure that older browsers don't get fallback-tag mXSS */
957 + if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {
958 + _forceRemove(currentNode);
959 + return true;
960 + }
961 + /* Sanitize element content to be template-safe */
962 + if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {
963 + /* Get the element's text content */
964 + content = currentNode.textContent;
965 + arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
966 + content = stringReplace(content, expr, ' ');
967 + });
968 + if (currentNode.textContent !== content) {
969 + arrayPush(DOMPurify.removed, {
970 + element: currentNode.cloneNode()
971 + });
972 + currentNode.textContent = content;
973 + }
974 + }
975 + /* Execute a hook if present */
976 + _executeHooks(hooks.afterSanitizeElements, currentNode, null);
977 + return false;
978 + };
979 + /**
980 + * _isValidAttribute
981 + *
982 + * @param lcTag Lowercase tag name of containing element.
983 + * @param lcName Lowercase attribute name.
984 + * @param value Attribute value.
985 + * @return Returns true if `value` is valid, otherwise false.
986 + */
987 + // eslint-disable-next-line complexity
988 + const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
989 + /* Make sure attribute cannot clobber */
990 + if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {
991 + return false;
992 + }
993 + /* Allow valid data-* attributes: At least one character after "-"
994 + (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
995 + XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
996 + We don't need to check the value; it's always URI safe. */
997 + if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {
998 + if (
999 + // First condition does a very basic check if a) it's basically a valid custom element tagname AND
1000 + // b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
1001 + // and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck
1002 + _isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) ||
1003 + // Alternative, second condition checks if it's an `is`-attribute, AND
1004 + // the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
1005 + lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else {
1006 + return false;
1007 + }
1008 + /* Check value is safe. First, is attr inert? If so, is safe */
1009 + } else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {
1010 + return false;
1011 + } else ;
1012 + return true;
1013 + };
1014 + /**
1015 + * _isBasicCustomElement
1016 + * checks if at least one dash is included in tagName, and it's not the first char
1017 + * for more sophisticated checking see https://github.com/sindresorhus/validate-element-name
1018 + *
1019 + * @param tagName name of the tag of the node to sanitize
1020 + * @returns Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
1021 + */
1022 + const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
1023 + return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
1024 + };
1025 + /**
1026 + * _sanitizeAttributes
1027 + *
1028 + * @protect attributes
1029 + * @protect nodeName
1030 + * @protect removeAttribute
1031 + * @protect setAttribute
1032 + *
1033 + * @param currentNode to sanitize
1034 + */
1035 + const _sanitizeAttributes = function _sanitizeAttributes(currentNode) {
1036 + /* Execute a hook if present */
1037 + _executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);
1038 + const {
1039 + attributes
1040 + } = currentNode;
1041 + /* Check if we have attributes; if not we might have a text node */
1042 + if (!attributes || _isClobbered(currentNode)) {
1043 + return;
1044 + }
1045 + const hookEvent = {
1046 + attrName: '',
1047 + attrValue: '',
1048 + keepAttr: true,
1049 + allowedAttributes: ALLOWED_ATTR,
1050 + forceKeepAttr: undefined
1051 + };
1052 + let l = attributes.length;
1053 + /* Go backwards over all attributes; safely remove bad ones */
1054 + while (l--) {
1055 + const attr = attributes[l];
1056 + const {
1057 + name,
1058 + namespaceURI,
1059 + value: attrValue
1060 + } = attr;
1061 + const lcName = transformCaseFunc(name);
1062 + let value = name === 'value' ? attrValue : stringTrim(attrValue);
1063 + /* Execute a hook if present */
1064 + hookEvent.attrName = lcName;
1065 + hookEvent.attrValue = value;
1066 + hookEvent.keepAttr = true;
1067 + hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
1068 + _executeHooks(hooks.uponSanitizeAttribute, currentNode, hookEvent);
1069 + value = hookEvent.attrValue;
1070 + /* Full DOM Clobbering protection via namespace isolation,
1071 + * Prefix id and name attributes with `user-content-`
1072 + */
1073 + if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {
1074 + // Remove the attribute with this value
1075 + _removeAttribute(name, currentNode);
1076 + // Prefix the value and later re-create the attribute with the sanitized value
1077 + value = SANITIZE_NAMED_PROPS_PREFIX + value;
1078 + }
1079 + /* Work around a security issue with comments inside attributes */
1080 + if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title)/i, value)) {
1081 + _removeAttribute(name, currentNode);
1082 + continue;
1083 + }
1084 + /* Did the hooks approve of the attribute? */
1085 + if (hookEvent.forceKeepAttr) {
1086 + continue;
1087 + }
1088 + /* Remove attribute */
1089 + _removeAttribute(name, currentNode);
1090 + /* Did the hooks approve of the attribute? */
1091 + if (!hookEvent.keepAttr) {
1092 + continue;
1093 + }
1094 + /* Work around a security issue in jQuery 3.0 */
1095 + if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
1096 + _removeAttribute(name, currentNode);
1097 + continue;
1098 + }
1099 + /* Sanitize attribute content to be template-safe */
1100 + if (SAFE_FOR_TEMPLATES) {
1101 + arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
1102 + value = stringReplace(value, expr, ' ');
1103 + });
1104 + }
1105 + /* Is `value` valid for this attribute? */
1106 + const lcTag = transformCaseFunc(currentNode.nodeName);
1107 + if (!_isValidAttribute(lcTag, lcName, value)) {
1108 + continue;
1109 + }
1110 + /* Handle attributes that require Trusted Types */
1111 + if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
1112 + if (namespaceURI) ; else {
1113 + switch (trustedTypes.getAttributeType(lcTag, lcName)) {
1114 + case 'TrustedHTML':
1115 + {
1116 + value = trustedTypesPolicy.createHTML(value);
1117 + break;
1118 + }
1119 + case 'TrustedScriptURL':
1120 + {
1121 + value = trustedTypesPolicy.createScriptURL(value);
1122 + break;
1123 + }
1124 + }
1125 + }
1126 + }
1127 + /* Handle invalid data-* attribute set by try-catching it */
1128 + try {
1129 + if (namespaceURI) {
1130 + currentNode.setAttributeNS(namespaceURI, name, value);
1131 + } else {
1132 + /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
1133 + currentNode.setAttribute(name, value);
1134 + }
1135 + if (_isClobbered(currentNode)) {
1136 + _forceRemove(currentNode);
1137 + } else {
1138 + arrayPop(DOMPurify.removed);
1139 + }
1140 + } catch (_) {}
1141 + }
1142 + /* Execute a hook if present */
1143 + _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);
1144 + };
1145 + /**
1146 + * _sanitizeShadowDOM
1147 + *
1148 + * @param fragment to iterate over recursively
1149 + */
1150 + const _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {
1151 + let shadowNode = null;
1152 + const shadowIterator = _createNodeIterator(fragment);
1153 + /* Execute a hook if present */
1154 + _executeHooks(hooks.beforeSanitizeShadowDOM, fragment, null);
1155 + while (shadowNode = shadowIterator.nextNode()) {
1156 + /* Execute a hook if present */
1157 + _executeHooks(hooks.uponSanitizeShadowNode, shadowNode, null);
1158 + /* Sanitize tags and elements */
1159 + _sanitizeElements(shadowNode);
1160 + /* Check attributes next */
1161 + _sanitizeAttributes(shadowNode);
1162 + /* Deep shadow DOM detected */
1163 + if (shadowNode.content instanceof DocumentFragment) {
1164 + _sanitizeShadowDOM(shadowNode.content);
1165 + }
1166 + }
1167 + /* Execute a hook if present */
1168 + _executeHooks(hooks.afterSanitizeShadowDOM, fragment, null);
1169 + };
1170 + // eslint-disable-next-line complexity
1171 + DOMPurify.sanitize = function (dirty) {
1172 + let cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
1173 + let body = null;
1174 + let importedNode = null;
1175 + let currentNode = null;
1176 + let returnNode = null;
1177 + /* Make sure we have a string to sanitize.
1178 + DO NOT return early, as this will return the wrong type if
1179 + the user has requested a DOM object rather than a string */
1180 + IS_EMPTY_INPUT = !dirty;
1181 + if (IS_EMPTY_INPUT) {
1182 + dirty = '<!-->';
1183 + }
1184 + /* Stringify, in case dirty is an object */
1185 + if (typeof dirty !== 'string' && !_isNode(dirty)) {
1186 + if (typeof dirty.toString === 'function') {
1187 + dirty = dirty.toString();
1188 + if (typeof dirty !== 'string') {
1189 + throw typeErrorCreate('dirty is not a string, aborting');
1190 + }
1191 + } else {
1192 + throw typeErrorCreate('toString is not a function');
1193 + }
1194 + }
1195 + /* Return dirty HTML if DOMPurify cannot run */
1196 + if (!DOMPurify.isSupported) {
1197 + return dirty;
1198 + }
1199 + /* Assign config vars */
1200 + if (!SET_CONFIG) {
1201 + _parseConfig(cfg);
1202 + }
1203 + /* Clean up removed elements */
1204 + DOMPurify.removed = [];
1205 + /* Check if dirty is correctly typed for IN_PLACE */
1206 + if (typeof dirty === 'string') {
1207 + IN_PLACE = false;
1208 + }
1209 + if (IN_PLACE) {
1210 + /* Do some early pre-sanitization to avoid unsafe root nodes */
1211 + if (dirty.nodeName) {
1212 + const tagName = transformCaseFunc(dirty.nodeName);
1213 + if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {
1214 + throw typeErrorCreate('root node is forbidden and cannot be sanitized in-place');
1215 + }
1216 + }
1217 + } else if (dirty instanceof Node) {
1218 + /* If dirty is a DOM element, append to an empty document to avoid
1219 + elements being stripped by the parser */
1220 + body = _initDocument('<!---->');
1221 + importedNode = body.ownerDocument.importNode(dirty, true);
1222 + if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === 'BODY') {
1223 + /* Node is already a body, use as is */
1224 + body = importedNode;
1225 + } else if (importedNode.nodeName === 'HTML') {
1226 + body = importedNode;
1227 + } else {
1228 + // eslint-disable-next-line unicorn/prefer-dom-node-append
1229 + body.appendChild(importedNode);
1230 + }
1231 + } else {
1232 + /* Exit directly if we have nothing to do */
1233 + if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT &&
1234 + // eslint-disable-next-line unicorn/prefer-includes
1235 + dirty.indexOf('<') === -1) {
1236 + return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;
1237 + }
1238 + /* Initialize the document to work on */
1239 + body = _initDocument(dirty);
1240 + /* Check we have a DOM node from the data */
1241 + if (!body) {
1242 + return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : '';
1243 + }
1244 + }
1245 + /* Remove first element node (ours) if FORCE_BODY is set */
1246 + if (body && FORCE_BODY) {
1247 + _forceRemove(body.firstChild);
1248 + }
1249 + /* Get node iterator */
1250 + const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
1251 + /* Now start iterating over the created document */
1252 + while (currentNode = nodeIterator.nextNode()) {
1253 + /* Sanitize tags and elements */
1254 + _sanitizeElements(currentNode);
1255 + /* Check attributes next */
1256 + _sanitizeAttributes(currentNode);
1257 + /* Shadow DOM detected, sanitize it */
1258 + if (currentNode.content instanceof DocumentFragment) {
1259 + _sanitizeShadowDOM(currentNode.content);
1260 + }
1261 + }
1262 + /* If we sanitized `dirty` in-place, return it. */
1263 + if (IN_PLACE) {
1264 + return dirty;
1265 + }
1266 + /* Return sanitized string or DOM */
1267 + if (RETURN_DOM) {
1268 + if (RETURN_DOM_FRAGMENT) {
1269 + returnNode = createDocumentFragment.call(body.ownerDocument);
1270 + while (body.firstChild) {
1271 + // eslint-disable-next-line unicorn/prefer-dom-node-append
1272 + returnNode.appendChild(body.firstChild);
1273 + }
1274 + } else {
1275 + returnNode = body;
1276 + }
1277 + if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmode) {
1278 + /*
1279 + AdoptNode() is not used because internal state is not reset
1280 + (e.g. the past names map of a HTMLFormElement), this is safe
1281 + in theory but we would rather not risk another attack vector.
1282 + The state that is cloned by importNode() is explicitly defined
1283 + by the specs.
1284 + */
1285 + returnNode = importNode.call(originalDocument, returnNode, true);
1286 + }
1287 + return returnNode;
1288 + }
1289 + let serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;
1290 + /* Serialize doctype if allowed */
1291 + if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {
1292 + serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;
1293 + }
1294 + /* Sanitize final string template-safe */
1295 + if (SAFE_FOR_TEMPLATES) {
1296 + arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
1297 + serializedHTML = stringReplace(serializedHTML, expr, ' ');
1298 + });
1299 + }
1300 + return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
1301 + };
1302 + DOMPurify.setConfig = function () {
1303 + let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
1304 + _parseConfig(cfg);
1305 + SET_CONFIG = true;
1306 + };
1307 + DOMPurify.clearConfig = function () {
1308 + CONFIG = null;
1309 + SET_CONFIG = false;
1310 + };
1311 + DOMPurify.isValidAttribute = function (tag, attr, value) {
1312 + /* Initialize shared config vars if necessary. */
1313 + if (!CONFIG) {
1314 + _parseConfig({});
1315 + }
1316 + const lcTag = transformCaseFunc(tag);
1317 + const lcName = transformCaseFunc(attr);
1318 + return _isValidAttribute(lcTag, lcName, value);
1319 + };
1320 + DOMPurify.addHook = function (entryPoint, hookFunction) {
1321 + if (typeof hookFunction !== 'function') {
1322 + return;
1323 + }
1324 + arrayPush(hooks[entryPoint], hookFunction);
1325 + };
1326 + DOMPurify.removeHook = function (entryPoint, hookFunction) {
1327 + if (hookFunction !== undefined) {
1328 + const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);
1329 + return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];
1330 + }
1331 + return arrayPop(hooks[entryPoint]);
1332 + };
1333 + DOMPurify.removeHooks = function (entryPoint) {
1334 + hooks[entryPoint] = [];
1335 + };
1336 + DOMPurify.removeAllHooks = function () {
1337 + hooks = _createHooksMap();
1338 + };
1339 + return DOMPurify;
1340 + }
1341 + var purify = createDOMPurify();
1342 +
1343 + return purify;
1344 +
1345 + }));
1346 + //# sourceMappingURL=purify.js.map
1347 +