Merge pull request #917 from cure53/main

 Getting 3.x branch ready for 3.0.10 release

Author: cure53

README.md

@@ -6,11 +6,11 @@
 
 DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
 
-It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.9**.
+It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.10**.
 
 DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
 
-**Note that [DOMPurify v2.4.7](https://github.com/cure53/DOMPurify/releases/tag/2.4.6) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
+**Note that [DOMPurify v2.4.8](https://github.com/cure53/DOMPurify/releases/tag/2.4.8) is the latest version supporting MSIE. For important security updates compatible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurify/tree/2.x).**
 
 Our automated tests cover [19 different browsers](https://github.com/cure53/DOMPurify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [jsdom](https://github.com/jsdom/jsdom). Older Node versions are known to work as well, but hey... no guarantees.
 

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "DOMPurify",
-  "version": "3.0.9",
+  "version": "3.0.10",
   "homepage": "https://github.com/cure53/DOMPurify",
   "author": "Cure53 <info@cure53.de>",
   "description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",

dist/purify.cjs.js

@@ -1,4 +1,4 @@
-/*! @license DOMPurify 3.0.9 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.9/LICENSE */
+/*! @license DOMPurify 3.0.10 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.0.10/LICENSE */
 
 const {
   entries,
@@ -215,6 +215,7 @@ const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205
 );
 
 const DOCTYPE_NAME = seal(/^html$/i);
+const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);
 
 var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   __proto__: null,
@@ -226,7 +227,8 @@ var EXPRESSIONS = /*#__PURE__*/Object.freeze({
   IS_ALLOWED_URI: IS_ALLOWED_URI,
   IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
   ATTR_WHITESPACE: ATTR_WHITESPACE,
-  DOCTYPE_NAME: DOCTYPE_NAME
+  DOCTYPE_NAME: DOCTYPE_NAME,
+  CUSTOM_ELEMENT: CUSTOM_ELEMENT
 });
 
 const getGlobal = function getGlobal() {
@@ -280,7 +282,7 @@ function createDOMPurify() {
    * Version label, exposed for easier checks
    * if DOMPurify is up to date or not
    */
-  DOMPurify.version = '3.0.9';
+  DOMPurify.version = '3.0.10';
 
   /**
    * Array of elements that DOMPurify removed during sanitation.
@@ -351,7 +353,8 @@ function createDOMPurify() {
     DATA_ATTR,
     ARIA_ATTR,
     IS_SCRIPT_OR_DATA,
-    ATTR_WHITESPACE
+    ATTR_WHITESPACE,
+    CUSTOM_ELEMENT
   } = EXPRESSIONS;
   let {
     IS_ALLOWED_URI: IS_ALLOWED_URI$1
@@ -906,7 +909,7 @@ function createDOMPurify() {
   const _createNodeIterator = function _createNodeIterator(root) {
     return createNodeIterator.call(root.ownerDocument || root, root,
     // eslint-disable-next-line no-bitwise
-    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT, null);
+    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION, null);
   };
 
   /**
@@ -1088,7 +1091,7 @@ function createDOMPurify() {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
-    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
   };
 
   /**

dist/purify.cjs.js.map

@@ -98,7 +98,7 @@
   },
   "name": "dompurify",
   "description": "DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else using Blink or WebKit). DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not.",
-  "version": "3.0.9",
+  "version": "3.0.10",
   "directories": {
     "test": "test"
   },

dist/purify.es.mjs

@@ -162,6 +162,7 @@ function createDOMPurify(window = getGlobal()) {
     ARIA_ATTR,
     IS_SCRIPT_OR_DATA,
     ATTR_WHITESPACE,
+    CUSTOM_ELEMENT,
   } = EXPRESSIONS;
 
   let { IS_ALLOWED_URI } = EXPRESSIONS;
@@ -909,7 +910,10 @@ function createDOMPurify(window = getGlobal()) {
       root.ownerDocument || root,
       root,
       // eslint-disable-next-line no-bitwise
-      NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT,
+      NodeFilter.SHOW_ELEMENT |
+        NodeFilter.SHOW_COMMENT |
+        NodeFilter.SHOW_TEXT |
+        NodeFilter.SHOW_PROCESSING_INSTRUCTION,
       null
     );
   };
@@ -1189,7 +1193,7 @@ function createDOMPurify(window = getGlobal()) {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function (tagName) {
-    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);
   };
 
   /**

dist/purify.es.mjs.map

@@ -14,3 +14,4 @@ export const ATTR_WHITESPACE = seal(
   /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
 );
 export const DOCTYPE_NAME = seal(/^html$/i);
+export const CUSTOM_ELEMENT = seal(/^[a-z][a-z\d]*(-[a-z\d]+)+$/i);

dist/purify.js

@@ -2,7 +2,7 @@
 <html>
     <head>
         <meta charset="UTF-8">
-        <title>DOMPurify 3.0.9 "Waterfront"</title>
+        <title>DOMPurify 3.0.10 "Pitviper"</title>
         <script src="../dist/purify.min.js"></script>
         <!-- we don't actually need it - just to demo and test the $(html) sanitation -->
         <script src="//code.jquery.com/jquery-3.2.0.min.js"></script>
@@ -23,7 +23,7 @@
         </script>
     </head>
     <body>
-        <h4>DOMPurify 3.0.9 "Waterfront"</h4>
+        <h4>DOMPurify 3.0.10 "Pitviper"</h4>
         <p>
             <a href="http://badge.fury.io/js/dompurify" rel="nofollow"><img alt="npm version" src="https://badge.fury.io/js/dompurify.svg"></a>  
             <a target="_blank" rel="noopener noreferrer" href="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main"><img src="https://github.com/cure53/DOMPurify/workflows/Build%20and%20Test/badge.svg?branch=main" alt="Build and Test"></a>