Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/src/vs/base/browser/dompurify/dompurify.js
5222 views
1
/*! @license DOMPurify 3.2.7 | (c) Cure53 and other contributors | Released under the Apache license 2.0 and Mozilla Public License 2.0 | github.com/cure53/DOMPurify/blob/3.2.7/LICENSE */

2


3
const {

4
  entries,

5
  setPrototypeOf,

6
  isFrozen,

7
  getPrototypeOf,

8
  getOwnPropertyDescriptor

9
} = Object;

10
let {

11
  freeze,

12
  seal,

13
  create

14
} = Object; // eslint-disable-line import/no-mutable-exports

15
let {

16
  apply,

17
  construct

18
} = typeof Reflect !== 'undefined' && Reflect;

19
if (!freeze) {

20
  freeze = function freeze(x) {

21
    return x;

22
  };

23
}

24
if (!seal) {

25
  seal = function seal(x) {

26
    return x;

27
  };

28
}

29
if (!apply) {

30
  apply = function apply(func, thisArg) {

31
    for (var _len = arguments.length, args = new Array(_len > 2 ? _len - 2 : 0), _key = 2; _key < _len; _key++) {

32
      args[_key - 2] = arguments[_key];

33
    }

34
    return func.apply(thisArg, args);

35
  };

36
}

37
if (!construct) {

38
  construct = function construct(Func) {

39
    for (var _len2 = arguments.length, args = new Array(_len2 > 1 ? _len2 - 1 : 0), _key2 = 1; _key2 < _len2; _key2++) {

40
      args[_key2 - 1] = arguments[_key2];

41
    }

42
    return new Func(...args);

43
  };

44
}

45
const arrayForEach = unapply(Array.prototype.forEach);

46
const arrayLastIndexOf = unapply(Array.prototype.lastIndexOf);

47
const arrayPop = unapply(Array.prototype.pop);

48
const arrayPush = unapply(Array.prototype.push);

49
const arraySplice = unapply(Array.prototype.splice);

50
const stringToLowerCase = unapply(String.prototype.toLowerCase);

51
const stringToString = unapply(String.prototype.toString);

52
const stringMatch = unapply(String.prototype.match);

53
const stringReplace = unapply(String.prototype.replace);

54
const stringIndexOf = unapply(String.prototype.indexOf);

55
const stringTrim = unapply(String.prototype.trim);

56
const objectHasOwnProperty = unapply(Object.prototype.hasOwnProperty);

57
const regExpTest = unapply(RegExp.prototype.test);

58
const typeErrorCreate = unconstruct(TypeError);

59
/**

60
 * Creates a new function that calls the given function with a specified thisArg and arguments.

61
 *

62
 * @param func - The function to be wrapped and called.

63
 * @returns A new function that calls the given function with a specified thisArg and arguments.

64
 */

65
function unapply(func) {

66
  return function (thisArg) {

67
    if (thisArg instanceof RegExp) {

68
      thisArg.lastIndex = 0;

69
    }

70
    for (var _len3 = arguments.length, args = new Array(_len3 > 1 ? _len3 - 1 : 0), _key3 = 1; _key3 < _len3; _key3++) {

71
      args[_key3 - 1] = arguments[_key3];

72
    }

73
    return apply(func, thisArg, args);

74
  };

75
}

76
/**

77
 * Creates a new function that constructs an instance of the given constructor function with the provided arguments.

78
 *

79
 * @param func - The constructor function to be wrapped and called.

80
 * @returns A new function that constructs an instance of the given constructor function with the provided arguments.

81
 */

82
function unconstruct(Func) {

83
  return function () {

84
    for (var _len4 = arguments.length, args = new Array(_len4), _key4 = 0; _key4 < _len4; _key4++) {

85
      args[_key4] = arguments[_key4];

86
    }

87
    return construct(Func, args);

88
  };

89
}

90
/**

91
 * Add properties to a lookup table

92
 *

93
 * @param set - The set to which elements will be added.

94
 * @param array - The array containing elements to be added to the set.

95
 * @param transformCaseFunc - An optional function to transform the case of each element before adding to the set.

96
 * @returns The modified set with added elements.

97
 */

98
function addToSet(set, array) {

99
  let transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;

100
  if (setPrototypeOf) {

101
    // Make 'in' and truthy checks like Boolean(set.constructor)

102
    // independent of any properties defined on Object.prototype.

103
    // Prevent prototype setters from intercepting set as a this value.

104
    setPrototypeOf(set, null);

105
  }

106
  let l = array.length;

107
  while (l--) {

108
    let element = array[l];

109
    if (typeof element === 'string') {

110
      const lcElement = transformCaseFunc(element);

111
      if (lcElement !== element) {

112
        // Config presets (e.g. tags.js, attrs.js) are immutable.

113
        if (!isFrozen(array)) {

114
          array[l] = lcElement;

115
        }

116
        element = lcElement;

117
      }

118
    }

119
    set[element] = true;

120
  }

121
  return set;

122
}

123
/**

124
 * Clean up an array to harden against CSPP

125
 *

126
 * @param array - The array to be cleaned.

127
 * @returns The cleaned version of the array

128
 */

129
function cleanArray(array) {

130
  for (let index = 0; index < array.length; index++) {

131
    const isPropertyExist = objectHasOwnProperty(array, index);

132
    if (!isPropertyExist) {

133
      array[index] = null;

134
    }

135
  }

136
  return array;

137
}

138
/**

139
 * Shallow clone an object

140
 *

141
 * @param object - The object to be cloned.

142
 * @returns A new object that copies the original.

143
 */

144
function clone(object) {

145
  const newObject = create(null);

146
  for (const [property, value] of entries(object)) {

147
    const isPropertyExist = objectHasOwnProperty(object, property);

148
    if (isPropertyExist) {

149
      if (Array.isArray(value)) {

150
        newObject[property] = cleanArray(value);

151
      } else if (value && typeof value === 'object' && value.constructor === Object) {

152
        newObject[property] = clone(value);

153
      } else {

154
        newObject[property] = value;

155
      }

156
    }

157
  }

158
  return newObject;

159
}

160
/**

161
 * This method automatically checks if the prop is function or getter and behaves accordingly.

162
 *

163
 * @param object - The object to look up the getter function in its prototype chain.

164
 * @param prop - The property name for which to find the getter function.

165
 * @returns The getter function found in the prototype chain or a fallback function.

166
 */

167
function lookupGetter(object, prop) {

168
  while (object !== null) {

169
    const desc = getOwnPropertyDescriptor(object, prop);

170
    if (desc) {

171
      if (desc.get) {

172
        return unapply(desc.get);

173
      }

174
      if (typeof desc.value === 'function') {

175
        return unapply(desc.value);

176
      }

177
    }

178
    object = getPrototypeOf(object);

179
  }

180
  function fallbackValue() {

181
    return null;

182
  }

183
  return fallbackValue;

184
}

185


186
const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'search', 'section', 'select', 'shadow', 'slot', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);

187
const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'enterkeyhint', 'exportparts', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'inputmode', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'part', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'slot', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);

188
const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);

189
// List of SVG elements that are disallowed by default.

190
// We still need to know them so that we can do namespace

191
// checks properly in case one wants to add them to

192
// allow-list.

193
const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);

194
const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);

195
// Similarly to SVG, we want to know all MathML elements,

196
// even those that we disallow by default.

197
const mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);

198
const text = freeze(['#text']);

199


200
const html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'exportparts', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inert', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'part', 'pattern', 'placeholder', 'playsinline', 'popover', 'popovertarget', 'popovertargetaction', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'slot', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'wrap', 'xmlns', 'slot']);

201
const svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'amplitude', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'exponent', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'intercept', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'slope', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'tablevalues', 'targetx', 'targety', 'transform', 'transform-origin', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);

202
const mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);

203
const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);

204


205
// eslint-disable-next-line unicorn/better-regex

206
const MUSTACHE_EXPR = seal(/\{\{[\w\W]*|[\w\W]*\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode

207
const ERB_EXPR = seal(/<%[\w\W]*|[\w\W]*%>/gm);

208
const TMPLIT_EXPR = seal(/\$\{[\w\W]*/gm); // eslint-disable-line unicorn/better-regex

209
const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape

210
const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape

211
const IS_ALLOWED_URI = seal(/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape

212
);

213
const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i);

214
const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex

215
);

216
const DOCTYPE_NAME = seal(/^html$/i);

217
const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);

218


219
var EXPRESSIONS = /*#__PURE__*/Object.freeze({

220
  __proto__: null,

221
  ARIA_ATTR: ARIA_ATTR,

222
  ATTR_WHITESPACE: ATTR_WHITESPACE,

223
  CUSTOM_ELEMENT: CUSTOM_ELEMENT,

224
  DATA_ATTR: DATA_ATTR,

225
  DOCTYPE_NAME: DOCTYPE_NAME,

226
  ERB_EXPR: ERB_EXPR,

227
  IS_ALLOWED_URI: IS_ALLOWED_URI,

228
  IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,

229
  MUSTACHE_EXPR: MUSTACHE_EXPR,

230
  TMPLIT_EXPR: TMPLIT_EXPR

231
});

232


233
/* eslint-disable @typescript-eslint/indent */

234
// https://developer.mozilla.org/en-US/docs/Web/API/Node/nodeType

235
const NODE_TYPE = {

236
  element: 1,

237
  attribute: 2,

238
  text: 3,

239
  cdataSection: 4,

240
  entityReference: 5,

241
  // Deprecated

242
  entityNode: 6,

243
  // Deprecated

244
  progressingInstruction: 7,

245
  comment: 8,

246
  document: 9,

247
  documentType: 10,

248
  documentFragment: 11,

249
  notation: 12 // Deprecated

250
};

251
const getGlobal = function getGlobal() {

252
  return typeof window === 'undefined' ? null : window;

253
};

254
/**

255
 * Creates a no-op policy for internal use only.

256
 * Don't export this function outside this module!

257
 * @param trustedTypes The policy factory.

258
 * @param purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).

259
 * @return The policy created (or null, if Trusted Types

260
 * are not supported or creating the policy failed).

261
 */

262
const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {

263
  if (typeof trustedTypes !== 'object' || typeof trustedTypes.createPolicy !== 'function') {

264
    return null;

265
  }

266
  // Allow the callers to control the unique policy name

267
  // by adding a data-tt-policy-suffix to the script element with the DOMPurify.

268
  // Policy creation with duplicate names throws in Trusted Types.

269
  let suffix = null;

270
  const ATTR_NAME = 'data-tt-policy-suffix';

271
  if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {

272
    suffix = purifyHostElement.getAttribute(ATTR_NAME);

273
  }

274
  const policyName = 'dompurify' + (suffix ? '#' + suffix : '');

275
  try {

276
    return trustedTypes.createPolicy(policyName, {

277
      createHTML(html) {

278
        return html;

279
      },

280
      createScriptURL(scriptUrl) {

281
        return scriptUrl;

282
      }

283
    });

284
  } catch (_) {

285
    // Policy creation failed (most likely another DOMPurify script has

286
    // already run). Skip creating the policy, as this will only cause errors

287
    // if TT are enforced.

288
    console.warn('TrustedTypes policy ' + policyName + ' could not be created.');

289
    return null;

290
  }

291
};

292
const _createHooksMap = function _createHooksMap() {

293
  return {

294
    afterSanitizeAttributes: [],

295
    afterSanitizeElements: [],

296
    afterSanitizeShadowDOM: [],

297
    beforeSanitizeAttributes: [],

298
    beforeSanitizeElements: [],

299
    beforeSanitizeShadowDOM: [],

300
    uponSanitizeAttribute: [],

301
    uponSanitizeElement: [],

302
    uponSanitizeShadowNode: []

303
  };

304
};

305
function createDOMPurify() {

306
  let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();

307
  const DOMPurify = root => createDOMPurify(root);

308
  DOMPurify.version = '3.2.7';

309
  DOMPurify.removed = [];

310
  if (!window || !window.document || window.document.nodeType !== NODE_TYPE.document || !window.Element) {

311
    // Not running in a browser, provide a factory function

312
    // so that you can pass your own Window

313
    DOMPurify.isSupported = false;

314
    return DOMPurify;

315
  }

316
  let {

317
    document

318
  } = window;

319
  const originalDocument = document;

320
  const currentScript = originalDocument.currentScript;

321
  const {

322
    DocumentFragment,

323
    HTMLTemplateElement,

324
    Node,

325
    Element,

326
    NodeFilter,

327
    NamedNodeMap = window.NamedNodeMap || window.MozNamedAttrMap,

328
    HTMLFormElement,

329
    DOMParser,

330
    trustedTypes

331
  } = window;

332
  const ElementPrototype = Element.prototype;

333
  const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');

334
  const remove = lookupGetter(ElementPrototype, 'remove');

335
  const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');

336
  const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');

337
  const getParentNode = lookupGetter(ElementPrototype, 'parentNode');

338
  // As per issue #47, the web-components registry is inherited by a

339
  // new document created via createHTMLDocument. As per the spec

340
  // (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)

341
  // a new empty registry is used when creating a template contents owner

342
  // document, so we use that as our parent document to ensure nothing

343
  // is inherited.

344
  if (typeof HTMLTemplateElement === 'function') {

345
    const template = document.createElement('template');

346
    if (template.content && template.content.ownerDocument) {

347
      document = template.content.ownerDocument;

348
    }

349
  }

350
  let trustedTypesPolicy;

351
  let emptyHTML = '';

352
  const {

353
    implementation,

354
    createNodeIterator,

355
    createDocumentFragment,

356
    getElementsByTagName

357
  } = document;

358
  const {

359
    importNode

360
  } = originalDocument;

361
  let hooks = _createHooksMap();

362
  /**

363
   * Expose whether this browser supports running the full DOMPurify.

364
   */

365
  DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;

366
  const {

367
    MUSTACHE_EXPR,

368
    ERB_EXPR,

369
    TMPLIT_EXPR,

370
    DATA_ATTR,

371
    ARIA_ATTR,

372
    IS_SCRIPT_OR_DATA,

373
    ATTR_WHITESPACE,

374
    CUSTOM_ELEMENT

375
  } = EXPRESSIONS;

376
  let {

377
    IS_ALLOWED_URI: IS_ALLOWED_URI$1

378
  } = EXPRESSIONS;

379
  /**

380
   * We consider the elements and attributes below to be safe. Ideally

381
   * don't add any new ones but feel free to remove unwanted ones.

382
   */

383
  /* allowed element names */

384
  let ALLOWED_TAGS = null;

385
  const DEFAULT_ALLOWED_TAGS = addToSet({}, [...html$1, ...svg$1, ...svgFilters, ...mathMl$1, ...text]);

386
  /* Allowed attribute names */

387
  let ALLOWED_ATTR = null;

388
  const DEFAULT_ALLOWED_ATTR = addToSet({}, [...html, ...svg, ...mathMl, ...xml]);

389
  /*

390
   * Configure how DOMPurify should handle custom elements and their attributes as well as customized built-in elements.

391
   * @property {RegExp|Function|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)

392
   * @property {RegExp|Function|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)

393
   * @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.

394
   */

395
  let CUSTOM_ELEMENT_HANDLING = Object.seal(create(null, {

396
    tagNameCheck: {

397
      writable: true,

398
      configurable: false,

399
      enumerable: true,

400
      value: null

401
    },

402
    attributeNameCheck: {

403
      writable: true,

404
      configurable: false,

405
      enumerable: true,

406
      value: null

407
    },

408
    allowCustomizedBuiltInElements: {

409
      writable: true,

410
      configurable: false,

411
      enumerable: true,

412
      value: false

413
    }

414
  }));

415
  /* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */

416
  let FORBID_TAGS = null;

417
  /* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */

418
  let FORBID_ATTR = null;

419
  /* Decide if ARIA attributes are okay */

420
  let ALLOW_ARIA_ATTR = true;

421
  /* Decide if custom data attributes are okay */

422
  let ALLOW_DATA_ATTR = true;

423
  /* Decide if unknown protocols are okay */

424
  let ALLOW_UNKNOWN_PROTOCOLS = false;

425
  /* Decide if self-closing tags in attributes are allowed.

426
   * Usually removed due to a mXSS issue in jQuery 3.0 */

427
  let ALLOW_SELF_CLOSE_IN_ATTR = true;

428
  /* Output should be safe for common template engines.

429
   * This means, DOMPurify removes data attributes, mustaches and ERB

430
   */

431
  let SAFE_FOR_TEMPLATES = false;

432
  /* Output should be safe even for XML used within HTML and alike.

433
   * This means, DOMPurify removes comments when containing risky content.

434
   */

435
  let SAFE_FOR_XML = true;

436
  /* Decide if document with <html>... should be returned */

437
  let WHOLE_DOCUMENT = false;

438
  /* Track whether config is already set on this instance of DOMPurify. */

439
  let SET_CONFIG = false;

440
  /* Decide if all elements (e.g. style, script) must be children of

441
   * document.body. By default, browsers might move them to document.head */

442
  let FORCE_BODY = false;

443
  /* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html

444
   * string (or a TrustedHTML object if Trusted Types are supported).

445
   * If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead

446
   */

447
  let RETURN_DOM = false;

448
  /* Decide if a DOM `DocumentFragment` should be returned, instead of a html

449
   * string  (or a TrustedHTML object if Trusted Types are supported) */

450
  let RETURN_DOM_FRAGMENT = false;

451
  /* Try to return a Trusted Type object instead of a string, return a string in

452
   * case Trusted Types are not supported  */

453
  let RETURN_TRUSTED_TYPE = false;

454
  /* Output should be free from DOM clobbering attacks?

455
   * This sanitizes markups named with colliding, clobberable built-in DOM APIs.

456
   */

457
  let SANITIZE_DOM = true;

458
  /* Achieve full DOM Clobbering protection by isolating the namespace of named

459
   * properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.

460
   *

461
   * HTML/DOM spec rules that enable DOM Clobbering:

462
   *   - Named Access on Window (§7.3.3)

463
   *   - DOM Tree Accessors (§3.1.5)

464
   *   - Form Element Parent-Child Relations (§4.10.3)

465
   *   - Iframe srcdoc / Nested WindowProxies (§4.8.5)

466
   *   - HTMLCollection (§4.2.10.2)

467
   *

468
   * Namespace isolation is implemented by prefixing `id` and `name` attributes

469
   * with a constant string, i.e., `user-content-`

470
   */

471
  let SANITIZE_NAMED_PROPS = false;

472
  const SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';

473
  /* Keep element content when removing element? */

474
  let KEEP_CONTENT = true;

475
  /* If a `Node` is passed to sanitize(), then performs sanitization in-place instead

476
   * of importing it into a new Document and returning a sanitized copy */

477
  let IN_PLACE = false;

478
  /* Allow usage of profiles like html, svg and mathMl */

479
  let USE_PROFILES = {};

480
  /* Tags to ignore content of when KEEP_CONTENT is true */

481
  let FORBID_CONTENTS = null;

482
  const DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);

483
  /* Tags that are safe for data: URIs */

484
  let DATA_URI_TAGS = null;

485
  const DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);

486
  /* Attributes safe for values like "javascript:" */

487
  let URI_SAFE_ATTRIBUTES = null;

488
  const DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);

489
  const MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';

490
  const SVG_NAMESPACE = 'http://www.w3.org/2000/svg';

491
  const HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';

492
  /* Document namespace */

493
  let NAMESPACE = HTML_NAMESPACE;

494
  let IS_EMPTY_INPUT = false;

495
  /* Allowed XHTML+XML namespaces */

496
  let ALLOWED_NAMESPACES = null;

497
  const DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);

498
  let MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);

499
  let HTML_INTEGRATION_POINTS = addToSet({}, ['annotation-xml']);

500
  // Certain elements are allowed in both SVG and HTML

501
  // namespace. We need to specify them explicitly

502
  // so that they don't get erroneously deleted from

503
  // HTML namespace.

504
  const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);

505
  /* Parsing of strict XHTML documents */

506
  let PARSER_MEDIA_TYPE = null;

507
  const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];

508
  const DEFAULT_PARSER_MEDIA_TYPE = 'text/html';

509
  let transformCaseFunc = null;

510
  /* Keep a reference to config to pass to hooks */

511
  let CONFIG = null;

512
  /* Ideally, do not touch anything below this line */

513
  /* ______________________________________________ */

514
  const formElement = document.createElement('form');

515
  const isRegexOrFunction = function isRegexOrFunction(testValue) {

516
    return testValue instanceof RegExp || testValue instanceof Function;

517
  };

518
  /**

519
   * _parseConfig

520
   *

521
   * @param cfg optional config literal

522
   */

523
  // eslint-disable-next-line complexity

524
  const _parseConfig = function _parseConfig() {

525
    let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};

526
    if (CONFIG && CONFIG === cfg) {

527
      return;

528
    }

529
    /* Shield configuration object from tampering */

530
    if (!cfg || typeof cfg !== 'object') {

531
      cfg = {};

532
    }

533
    /* Shield configuration object from prototype pollution */

534
    cfg = clone(cfg);

535
    PARSER_MEDIA_TYPE =

536
    // eslint-disable-next-line unicorn/prefer-includes

537
    SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;

538
    // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.

539
    transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;

540
    /* Set configuration parameters */

541
    ALLOWED_TAGS = objectHasOwnProperty(cfg, 'ALLOWED_TAGS') ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;

542
    ALLOWED_ATTR = objectHasOwnProperty(cfg, 'ALLOWED_ATTR') ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;

543
    ALLOWED_NAMESPACES = objectHasOwnProperty(cfg, 'ALLOWED_NAMESPACES') ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;

544
    URI_SAFE_ATTRIBUTES = objectHasOwnProperty(cfg, 'ADD_URI_SAFE_ATTR') ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES), cfg.ADD_URI_SAFE_ATTR, transformCaseFunc) : DEFAULT_URI_SAFE_ATTRIBUTES;

545
    DATA_URI_TAGS = objectHasOwnProperty(cfg, 'ADD_DATA_URI_TAGS') ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS, transformCaseFunc) : DEFAULT_DATA_URI_TAGS;

546
    FORBID_CONTENTS = objectHasOwnProperty(cfg, 'FORBID_CONTENTS') ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;

547
    FORBID_TAGS = objectHasOwnProperty(cfg, 'FORBID_TAGS') ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : clone({});

548
    FORBID_ATTR = objectHasOwnProperty(cfg, 'FORBID_ATTR') ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : clone({});

549
    USE_PROFILES = objectHasOwnProperty(cfg, 'USE_PROFILES') ? cfg.USE_PROFILES : false;

550
    ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true

551
    ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true

552
    ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false

553
    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true

554
    SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false

555
    SAFE_FOR_XML = cfg.SAFE_FOR_XML !== false; // Default true

556
    WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false

557
    RETURN_DOM = cfg.RETURN_DOM || false; // Default false

558
    RETURN_DOM_FRAGMENT = cfg.RETURN_DOM_FRAGMENT || false; // Default false

559
    RETURN_TRUSTED_TYPE = cfg.RETURN_TRUSTED_TYPE || false; // Default false

560
    FORCE_BODY = cfg.FORCE_BODY || false; // Default false

561
    SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true

562
    SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS || false; // Default false

563
    KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true

564
    IN_PLACE = cfg.IN_PLACE || false; // Default false

565
    IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP || IS_ALLOWED_URI;

566
    NAMESPACE = cfg.NAMESPACE || HTML_NAMESPACE;

567
    MATHML_TEXT_INTEGRATION_POINTS = cfg.MATHML_TEXT_INTEGRATION_POINTS || MATHML_TEXT_INTEGRATION_POINTS;

568
    HTML_INTEGRATION_POINTS = cfg.HTML_INTEGRATION_POINTS || HTML_INTEGRATION_POINTS;

569
    CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING || {};

570
    if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {

571
      CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;

572
    }

573
    if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)) {

574
      CUSTOM_ELEMENT_HANDLING.attributeNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck;

575
    }

576
    if (cfg.CUSTOM_ELEMENT_HANDLING && typeof cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements === 'boolean') {

577
      CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;

578
    }

579
    if (SAFE_FOR_TEMPLATES) {

580
      ALLOW_DATA_ATTR = false;

581
    }

582
    if (RETURN_DOM_FRAGMENT) {

583
      RETURN_DOM = true;

584
    }

585
    /* Parse profile info */

586
    if (USE_PROFILES) {

587
      ALLOWED_TAGS = addToSet({}, text);

588
      ALLOWED_ATTR = [];

589
      if (USE_PROFILES.html === true) {

590
        addToSet(ALLOWED_TAGS, html$1);

591
        addToSet(ALLOWED_ATTR, html);

592
      }

593
      if (USE_PROFILES.svg === true) {

594
        addToSet(ALLOWED_TAGS, svg$1);

595
        addToSet(ALLOWED_ATTR, svg);

596
        addToSet(ALLOWED_ATTR, xml);

597
      }

598
      if (USE_PROFILES.svgFilters === true) {

599
        addToSet(ALLOWED_TAGS, svgFilters);

600
        addToSet(ALLOWED_ATTR, svg);

601
        addToSet(ALLOWED_ATTR, xml);

602
      }

603
      if (USE_PROFILES.mathMl === true) {

604
        addToSet(ALLOWED_TAGS, mathMl$1);

605
        addToSet(ALLOWED_ATTR, mathMl);

606
        addToSet(ALLOWED_ATTR, xml);

607
      }

608
    }

609
    /* Merge configuration parameters */

610
    if (cfg.ADD_TAGS) {

611
      if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {

612
        ALLOWED_TAGS = clone(ALLOWED_TAGS);

613
      }

614
      addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);

615
    }

616
    if (cfg.ADD_ATTR) {

617
      if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {

618
        ALLOWED_ATTR = clone(ALLOWED_ATTR);

619
      }

620
      addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);

621
    }

622
    if (cfg.ADD_URI_SAFE_ATTR) {

623
      addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);

624
    }

625
    if (cfg.FORBID_CONTENTS) {

626
      if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {

627
        FORBID_CONTENTS = clone(FORBID_CONTENTS);

628
      }

629
      addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);

630
    }

631
    /* Add #text in case KEEP_CONTENT is set to true */

632
    if (KEEP_CONTENT) {

633
      ALLOWED_TAGS['#text'] = true;

634
    }

635
    /* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */

636
    if (WHOLE_DOCUMENT) {

637
      addToSet(ALLOWED_TAGS, ['html', 'head', 'body']);

638
    }

639
    /* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */

640
    if (ALLOWED_TAGS.table) {

641
      addToSet(ALLOWED_TAGS, ['tbody']);

642
      delete FORBID_TAGS.tbody;

643
    }

644
    if (cfg.TRUSTED_TYPES_POLICY) {

645
      if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {

646
        throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');

647
      }

648
      if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {

649
        throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');

650
      }

651
      // Overwrite existing TrustedTypes policy.

652
      trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;

653
      // Sign local variables required by `sanitize`.

654
      emptyHTML = trustedTypesPolicy.createHTML('');

655
    } else {

656
      // Uninitialized policy, attempt to initialize the internal dompurify policy.

657
      if (trustedTypesPolicy === undefined) {

658
        trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);

659
      }

660
      // If creating the internal policy succeeded sign internal variables.

661
      if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {

662
        emptyHTML = trustedTypesPolicy.createHTML('');

663
      }

664
    }

665
    // Prevent further manipulation of configuration.

666
    // Not available in IE8, Safari 5, etc.

667
    if (freeze) {

668
      freeze(cfg);

669
    }

670
    CONFIG = cfg;

671
  };

672
  /* Keep track of all possible SVG and MathML tags

673
   * so that we can perform the namespace checks

674
   * correctly. */

675
  const ALL_SVG_TAGS = addToSet({}, [...svg$1, ...svgFilters, ...svgDisallowed]);

676
  const ALL_MATHML_TAGS = addToSet({}, [...mathMl$1, ...mathMlDisallowed]);

677
  /**

678
   * @param element a DOM element whose namespace is being checked

679
   * @returns Return false if the element has a

680
   *  namespace that a spec-compliant parser would never

681
   *  return. Return true otherwise.

682
   */

683
  const _checkValidNamespace = function _checkValidNamespace(element) {

684
    let parent = getParentNode(element);

685
    // In JSDOM, if we're inside shadow DOM, then parentNode

686
    // can be null. We just simulate parent in this case.

687
    if (!parent || !parent.tagName) {

688
      parent = {

689
        namespaceURI: NAMESPACE,

690
        tagName: 'template'

691
      };

692
    }

693
    const tagName = stringToLowerCase(element.tagName);

694
    const parentTagName = stringToLowerCase(parent.tagName);

695
    if (!ALLOWED_NAMESPACES[element.namespaceURI]) {

696
      return false;

697
    }

698
    if (element.namespaceURI === SVG_NAMESPACE) {

699
      // The only way to switch from HTML namespace to SVG

700
      // is via <svg>. If it happens via any other tag, then

701
      // it should be killed.

702
      if (parent.namespaceURI === HTML_NAMESPACE) {

703
        return tagName === 'svg';

704
      }

705
      // The only way to switch from MathML to SVG is via`

706
      // svg if parent is either <annotation-xml> or MathML

707
      // text integration points.

708
      if (parent.namespaceURI === MATHML_NAMESPACE) {

709
        return tagName === 'svg' && (parentTagName === 'annotation-xml' || MATHML_TEXT_INTEGRATION_POINTS[parentTagName]);

710
      }

711
      // We only allow elements that are defined in SVG

712
      // spec. All others are disallowed in SVG namespace.

713
      return Boolean(ALL_SVG_TAGS[tagName]);

714
    }

715
    if (element.namespaceURI === MATHML_NAMESPACE) {

716
      // The only way to switch from HTML namespace to MathML

717
      // is via <math>. If it happens via any other tag, then

718
      // it should be killed.

719
      if (parent.namespaceURI === HTML_NAMESPACE) {

720
        return tagName === 'math';

721
      }

722
      // The only way to switch from SVG to MathML is via

723
      // <math> and HTML integration points

724
      if (parent.namespaceURI === SVG_NAMESPACE) {

725
        return tagName === 'math' && HTML_INTEGRATION_POINTS[parentTagName];

726
      }

727
      // We only allow elements that are defined in MathML

728
      // spec. All others are disallowed in MathML namespace.

729
      return Boolean(ALL_MATHML_TAGS[tagName]);

730
    }

731
    if (element.namespaceURI === HTML_NAMESPACE) {

732
      // The only way to switch from SVG to HTML is via

733
      // HTML integration points, and from MathML to HTML

734
      // is via MathML text integration points

735
      if (parent.namespaceURI === SVG_NAMESPACE && !HTML_INTEGRATION_POINTS[parentTagName]) {

736
        return false;

737
      }

738
      if (parent.namespaceURI === MATHML_NAMESPACE && !MATHML_TEXT_INTEGRATION_POINTS[parentTagName]) {

739
        return false;

740
      }

741
      // We disallow tags that are specific for MathML

742
      // or SVG and should never appear in HTML namespace

743
      return !ALL_MATHML_TAGS[tagName] && (COMMON_SVG_AND_HTML_ELEMENTS[tagName] || !ALL_SVG_TAGS[tagName]);

744
    }

745
    // For XHTML and XML documents that support custom namespaces

746
    if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && ALLOWED_NAMESPACES[element.namespaceURI]) {

747
      return true;

748
    }

749
    // The code should never reach this place (this means

750
    // that the element somehow got namespace that is not

751
    // HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).

752
    // Return false just in case.

753
    return false;

754
  };

755
  /**

756
   * _forceRemove

757
   *

758
   * @param node a DOM node

759
   */

760
  const _forceRemove = function _forceRemove(node) {

761
    arrayPush(DOMPurify.removed, {

762
      element: node

763
    });

764
    try {

765
      // eslint-disable-next-line unicorn/prefer-dom-node-remove

766
      getParentNode(node).removeChild(node);

767
    } catch (_) {

768
      remove(node);

769
    }

770
  };

771
  /**

772
   * _removeAttribute

773
   *

774
   * @param name an Attribute name

775
   * @param element a DOM node

776
   */

777
  const _removeAttribute = function _removeAttribute(name, element) {

778
    try {

779
      arrayPush(DOMPurify.removed, {

780
        attribute: element.getAttributeNode(name),

781
        from: element

782
      });

783
    } catch (_) {

784
      arrayPush(DOMPurify.removed, {

785
        attribute: null,

786
        from: element

787
      });

788
    }

789
    element.removeAttribute(name);

790
    // We void attribute values for unremovable "is" attributes

791
    if (name === 'is') {

792
      if (RETURN_DOM || RETURN_DOM_FRAGMENT) {

793
        try {

794
          _forceRemove(element);

795
        } catch (_) {}

796
      } else {

797
        try {

798
          element.setAttribute(name, '');

799
        } catch (_) {}

800
      }

801
    }

802
  };

803
  /**

804
   * _initDocument

805
   *

806
   * @param dirty - a string of dirty markup

807
   * @return a DOM, filled with the dirty markup

808
   */

809
  const _initDocument = function _initDocument(dirty) {

810
    /* Create a HTML document */

811
    let doc = null;

812
    let leadingWhitespace = null;

813
    if (FORCE_BODY) {

814
      dirty = '<remove></remove>' + dirty;

815
    } else {

816
      /* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */

817
      const matches = stringMatch(dirty, /^[\r\n\t ]+/);

818
      leadingWhitespace = matches && matches[0];

819
    }

820
    if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && NAMESPACE === HTML_NAMESPACE) {

821
      // Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)

822
      dirty = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + dirty + '</body></html>';

823
    }

824
    const dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;

825
    /*

826
     * Use the DOMParser API by default, fallback later if needs be

827
     * DOMParser not work for svg when has multiple root element.

828
     */

829
    if (NAMESPACE === HTML_NAMESPACE) {

830
      try {

831
        doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);

832
      } catch (_) {}

833
    }

834
    /* Use createHTMLDocument in case DOMParser is not available */

835
    if (!doc || !doc.documentElement) {

836
      doc = implementation.createDocument(NAMESPACE, 'template', null);

837
      try {

838
        doc.documentElement.innerHTML = IS_EMPTY_INPUT ? emptyHTML : dirtyPayload;

839
      } catch (_) {

840
        // Syntax error if dirtyPayload is invalid xml

841
      }

842
    }

843
    const body = doc.body || doc.documentElement;

844
    if (dirty && leadingWhitespace) {

845
      body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] || null);

846
    }

847
    /* Work on whole document or just its body */

848
    if (NAMESPACE === HTML_NAMESPACE) {

849
      return getElementsByTagName.call(doc, WHOLE_DOCUMENT ? 'html' : 'body')[0];

850
    }

851
    return WHOLE_DOCUMENT ? doc.documentElement : body;

852
  };

853
  /**

854
   * Creates a NodeIterator object that you can use to traverse filtered lists of nodes or elements in a document.

855
   *

856
   * @param root The root element or node to start traversing on.

857
   * @return The created NodeIterator

858
   */

859
  const _createNodeIterator = function _createNodeIterator(root) {

860
    return createNodeIterator.call(root.ownerDocument || root, root,

861
    // eslint-disable-next-line no-bitwise

862
    NodeFilter.SHOW_ELEMENT | NodeFilter.SHOW_COMMENT | NodeFilter.SHOW_TEXT | NodeFilter.SHOW_PROCESSING_INSTRUCTION | NodeFilter.SHOW_CDATA_SECTION, null);

863
  };

864
  /**

865
   * _isClobbered

866
   *

867
   * @param element element to check for clobbering attacks

868
   * @return true if clobbered, false if safe

869
   */

870
  const _isClobbered = function _isClobbered(element) {

871
    return element instanceof HTMLFormElement && (typeof element.nodeName !== 'string' || typeof element.textContent !== 'string' || typeof element.removeChild !== 'function' || !(element.attributes instanceof NamedNodeMap) || typeof element.removeAttribute !== 'function' || typeof element.setAttribute !== 'function' || typeof element.namespaceURI !== 'string' || typeof element.insertBefore !== 'function' || typeof element.hasChildNodes !== 'function');

872
  };

873
  /**

874
   * Checks whether the given object is a DOM node.

875
   *

876
   * @param value object to check whether it's a DOM node

877
   * @return true is object is a DOM node

878
   */

879
  const _isNode = function _isNode(value) {

880
    return typeof Node === 'function' && value instanceof Node;

881
  };

882
  function _executeHooks(hooks, currentNode, data) {

883
    arrayForEach(hooks, hook => {

884
      hook.call(DOMPurify, currentNode, data, CONFIG);

885
    });

886
  }

887
  /**

888
   * _sanitizeElements

889
   *

890
   * @protect nodeName

891
   * @protect textContent

892
   * @protect removeChild

893
   * @param currentNode to check for permission to exist

894
   * @return true if node was killed, false if left alive

895
   */

896
  const _sanitizeElements = function _sanitizeElements(currentNode) {

897
    let content = null;

898
    /* Execute a hook if present */

899
    _executeHooks(hooks.beforeSanitizeElements, currentNode, null);

900
    /* Check if element is clobbered or can clobber */

901
    if (_isClobbered(currentNode)) {

902
      _forceRemove(currentNode);

903
      return true;

904
    }

905
    /* Now let's check the element's type and name */

906
    const tagName = transformCaseFunc(currentNode.nodeName);

907
    /* Execute a hook if present */

908
    _executeHooks(hooks.uponSanitizeElement, currentNode, {

909
      tagName,

910
      allowedTags: ALLOWED_TAGS

911
    });

912
    /* Detect mXSS attempts abusing namespace confusion */

913
    if (SAFE_FOR_XML && currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w!]/g, currentNode.innerHTML) && regExpTest(/<[/\w!]/g, currentNode.textContent)) {

914
      _forceRemove(currentNode);

915
      return true;

916
    }

917
    /* Remove any occurrence of processing instructions */

918
    if (currentNode.nodeType === NODE_TYPE.progressingInstruction) {

919
      _forceRemove(currentNode);

920
      return true;

921
    }

922
    /* Remove any kind of possibly harmful comments */

923
    if (SAFE_FOR_XML && currentNode.nodeType === NODE_TYPE.comment && regExpTest(/<[/\w]/g, currentNode.data)) {

924
      _forceRemove(currentNode);

925
      return true;

926
    }

927
    /* Remove element if anything forbids its presence */

928
    if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {

929
      /* Check if we have a custom element to handle */

930
      if (!FORBID_TAGS[tagName] && _isBasicCustomElement(tagName)) {

931
        if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName)) {

932
          return false;

933
        }

934
        if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(tagName)) {

935
          return false;

936
        }

937
      }

938
      /* Keep content except for bad-listed elements */

939
      if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {

940
        const parentNode = getParentNode(currentNode) || currentNode.parentNode;

941
        const childNodes = getChildNodes(currentNode) || currentNode.childNodes;

942
        if (childNodes && parentNode) {

943
          const childCount = childNodes.length;

944
          for (let i = childCount - 1; i >= 0; --i) {

945
            const childClone = cloneNode(childNodes[i], true);

946
            childClone.__removalCount = (currentNode.__removalCount || 0) + 1;

947
            parentNode.insertBefore(childClone, getNextSibling(currentNode));

948
          }

949
        }

950
      }

951
      _forceRemove(currentNode);

952
      return true;

953
    }

954
    /* Check whether element has a valid namespace */

955
    if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {

956
      _forceRemove(currentNode);

957
      return true;

958
    }

959
    /* Make sure that older browsers don't get fallback-tag mXSS */

960
    if ((tagName === 'noscript' || tagName === 'noembed' || tagName === 'noframes') && regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)) {

961
      _forceRemove(currentNode);

962
      return true;

963
    }

964
    /* Sanitize element content to be template-safe */

965
    if (SAFE_FOR_TEMPLATES && currentNode.nodeType === NODE_TYPE.text) {

966
      /* Get the element's text content */

967
      content = currentNode.textContent;

968
      arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {

969
        content = stringReplace(content, expr, ' ');

970
      });

971
      if (currentNode.textContent !== content) {

972
        arrayPush(DOMPurify.removed, {

973
          element: currentNode.cloneNode()

974
        });

975
        currentNode.textContent = content;

976
      }

977
    }

978
    /* Execute a hook if present */

979
    _executeHooks(hooks.afterSanitizeElements, currentNode, null);

980
    return false;

981
  };

982
  /**

983
   * _isValidAttribute

984
   *

985
   * @param lcTag Lowercase tag name of containing element.

986
   * @param lcName Lowercase attribute name.

987
   * @param value Attribute value.

988
   * @return Returns true if `value` is valid, otherwise false.

989
   */

990
  // eslint-disable-next-line complexity

991
  const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {

992
    /* Make sure attribute cannot clobber */

993
    if (SANITIZE_DOM && (lcName === 'id' || lcName === 'name') && (value in document || value in formElement)) {

994
      return false;

995
    }

996
    /* Allow valid data-* attributes: At least one character after "-"

997
        (https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)

998
        XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)

999
        We don't need to check the value; it's always URI safe. */

1000
    if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName]) {

1001
      if (

1002
      // First condition does a very basic check if a) it's basically a valid custom element tagname AND

1003
      // b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck

1004
      // and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck

1005
      _isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) || CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName, lcTag)) ||

1006
      // Alternative, second condition checks if it's an `is`-attribute, AND

1007
      // the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck

1008
      lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) || CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else {

1009
        return false;

1010
      }

1011
      /* Check value is safe. First, is attr inert? If so, is safe */

1012
    } else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' || lcName === 'xlink:href' || lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {

1013
      return false;

1014
    } else ;

1015
    return true;

1016
  };

1017
  /**

1018
   * _isBasicCustomElement

1019
   * checks if at least one dash is included in tagName, and it's not the first char

1020
   * for more sophisticated checking see https://github.com/sindresorhus/validate-element-name

1021
   *

1022
   * @param tagName name of the tag of the node to sanitize

1023
   * @returns Returns true if the tag name meets the basic criteria for a custom element, otherwise false.

1024
   */

1025
  const _isBasicCustomElement = function _isBasicCustomElement(tagName) {

1026
    return tagName !== 'annotation-xml' && stringMatch(tagName, CUSTOM_ELEMENT);

1027
  };

1028
  /**

1029
   * _sanitizeAttributes

1030
   *

1031
   * @protect attributes

1032
   * @protect nodeName

1033
   * @protect removeAttribute

1034
   * @protect setAttribute

1035
   *

1036
   * @param currentNode to sanitize

1037
   */

1038
  const _sanitizeAttributes = function _sanitizeAttributes(currentNode) {

1039
    /* Execute a hook if present */

1040
    _executeHooks(hooks.beforeSanitizeAttributes, currentNode, null);

1041
    const {

1042
      attributes

1043
    } = currentNode;

1044
    /* Check if we have attributes; if not we might have a text node */

1045
    if (!attributes || _isClobbered(currentNode)) {

1046
      return;

1047
    }

1048
    const hookEvent = {

1049
      attrName: '',

1050
      attrValue: '',

1051
      keepAttr: true,

1052
      allowedAttributes: ALLOWED_ATTR,

1053
      forceKeepAttr: undefined

1054
    };

1055
    let l = attributes.length;

1056
    /* Go backwards over all attributes; safely remove bad ones */

1057
    while (l--) {

1058
      const attr = attributes[l];

1059
      const {

1060
        name,

1061
        namespaceURI,

1062
        value: attrValue

1063
      } = attr;

1064
      const lcName = transformCaseFunc(name);

1065
      const initValue = attrValue;

1066
      let value = name === 'value' ? initValue : stringTrim(initValue);

1067
      /* Execute a hook if present */

1068
      hookEvent.attrName = lcName;

1069
      hookEvent.attrValue = value;

1070
      hookEvent.keepAttr = true;

1071
      hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set

1072
      _executeHooks(hooks.uponSanitizeAttribute, currentNode, hookEvent);

1073
      value = hookEvent.attrValue;

1074
      /* Full DOM Clobbering protection via namespace isolation,

1075
       * Prefix id and name attributes with `user-content-`

1076
       */

1077
      if (SANITIZE_NAMED_PROPS && (lcName === 'id' || lcName === 'name')) {

1078
        // Remove the attribute with this value

1079
        _removeAttribute(name, currentNode);

1080
        // Prefix the value and later re-create the attribute with the sanitized value

1081
        value = SANITIZE_NAMED_PROPS_PREFIX + value;

1082
      }

1083
      /* Work around a security issue with comments inside attributes */

1084
      if (SAFE_FOR_XML && regExpTest(/((--!?|])>)|<\/(style|title|textarea)/i, value)) {

1085
        _removeAttribute(name, currentNode);

1086
        continue;

1087
      }

1088
      /* Make sure we cannot easily use animated hrefs, even if animations are allowed */

1089
      if (lcName === 'attributename' && stringMatch(value, 'href')) {

1090
        _removeAttribute(name, currentNode);

1091
        continue;

1092
      }

1093
      /* Did the hooks approve of the attribute? */

1094
      if (hookEvent.forceKeepAttr) {

1095
        continue;

1096
      }

1097
      /* Did the hooks approve of the attribute? */

1098
      if (!hookEvent.keepAttr) {

1099
        _removeAttribute(name, currentNode);

1100
        continue;

1101
      }

1102
      /* Work around a security issue in jQuery 3.0 */

1103
      if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {

1104
        _removeAttribute(name, currentNode);

1105
        continue;

1106
      }

1107
      /* Sanitize attribute content to be template-safe */

1108
      if (SAFE_FOR_TEMPLATES) {

1109
        arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {

1110
          value = stringReplace(value, expr, ' ');

1111
        });

1112
      }

1113
      /* Is `value` valid for this attribute? */

1114
      const lcTag = transformCaseFunc(currentNode.nodeName);

1115
      if (!_isValidAttribute(lcTag, lcName, value)) {

1116
        _removeAttribute(name, currentNode);

1117
        continue;

1118
      }

1119
      /* Handle attributes that require Trusted Types */

1120
      if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {

1121
        if (namespaceURI) ; else {

1122
          switch (trustedTypes.getAttributeType(lcTag, lcName)) {

1123
            case 'TrustedHTML':

1124
              {

1125
                value = trustedTypesPolicy.createHTML(value);

1126
                break;

1127
              }

1128
            case 'TrustedScriptURL':

1129
              {

1130
                value = trustedTypesPolicy.createScriptURL(value);

1131
                break;

1132
              }

1133
          }

1134
        }

1135
      }

1136
      /* Handle invalid data-* attribute set by try-catching it */

1137
      if (value !== initValue) {

1138
        try {

1139
          if (namespaceURI) {

1140
            currentNode.setAttributeNS(namespaceURI, name, value);

1141
          } else {

1142
            /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */

1143
            currentNode.setAttribute(name, value);

1144
          }

1145
          if (_isClobbered(currentNode)) {

1146
            _forceRemove(currentNode);

1147
          } else {

1148
            arrayPop(DOMPurify.removed);

1149
          }

1150
        } catch (_) {

1151
          _removeAttribute(name, currentNode);

1152
        }

1153
      }

1154
    }

1155
    /* Execute a hook if present */

1156
    _executeHooks(hooks.afterSanitizeAttributes, currentNode, null);

1157
  };

1158
  /**

1159
   * _sanitizeShadowDOM

1160
   *

1161
   * @param fragment to iterate over recursively

1162
   */

1163
  const _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {

1164
    let shadowNode = null;

1165
    const shadowIterator = _createNodeIterator(fragment);

1166
    /* Execute a hook if present */

1167
    _executeHooks(hooks.beforeSanitizeShadowDOM, fragment, null);

1168
    while (shadowNode = shadowIterator.nextNode()) {

1169
      /* Execute a hook if present */

1170
      _executeHooks(hooks.uponSanitizeShadowNode, shadowNode, null);

1171
      /* Sanitize tags and elements */

1172
      _sanitizeElements(shadowNode);

1173
      /* Check attributes next */

1174
      _sanitizeAttributes(shadowNode);

1175
      /* Deep shadow DOM detected */

1176
      if (shadowNode.content instanceof DocumentFragment) {

1177
        _sanitizeShadowDOM(shadowNode.content);

1178
      }

1179
    }

1180
    /* Execute a hook if present */

1181
    _executeHooks(hooks.afterSanitizeShadowDOM, fragment, null);

1182
  };

1183
  // eslint-disable-next-line complexity

1184
  DOMPurify.sanitize = function (dirty) {

1185
    let cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};

1186
    let body = null;

1187
    let importedNode = null;

1188
    let currentNode = null;

1189
    let returnNode = null;

1190
    /* Make sure we have a string to sanitize.

1191
      DO NOT return early, as this will return the wrong type if

1192
      the user has requested a DOM object rather than a string */

1193
    IS_EMPTY_INPUT = !dirty;

1194
    if (IS_EMPTY_INPUT) {

1195
      dirty = '<!-->';

1196
    }

1197
    /* Stringify, in case dirty is an object */

1198
    if (typeof dirty !== 'string' && !_isNode(dirty)) {

1199
      if (typeof dirty.toString === 'function') {

1200
        dirty = dirty.toString();

1201
        if (typeof dirty !== 'string') {

1202
          throw typeErrorCreate('dirty is not a string, aborting');

1203
        }

1204
      } else {

1205
        throw typeErrorCreate('toString is not a function');

1206
      }

1207
    }

1208
    /* Return dirty HTML if DOMPurify cannot run */

1209
    if (!DOMPurify.isSupported) {

1210
      return dirty;

1211
    }

1212
    /* Assign config vars */

1213
    if (!SET_CONFIG) {

1214
      _parseConfig(cfg);

1215
    }

1216
    /* Clean up removed elements */

1217
    DOMPurify.removed = [];

1218
    /* Check if dirty is correctly typed for IN_PLACE */

1219
    if (typeof dirty === 'string') {

1220
      IN_PLACE = false;

1221
    }

1222
    if (IN_PLACE) {

1223
      /* Do some early pre-sanitization to avoid unsafe root nodes */

1224
      if (dirty.nodeName) {

1225
        const tagName = transformCaseFunc(dirty.nodeName);

1226
        if (!ALLOWED_TAGS[tagName] || FORBID_TAGS[tagName]) {

1227
          throw typeErrorCreate('root node is forbidden and cannot be sanitized in-place');

1228
        }

1229
      }

1230
    } else if (dirty instanceof Node) {

1231
      /* If dirty is a DOM element, append to an empty document to avoid

1232
         elements being stripped by the parser */

1233
      body = _initDocument('<!---->');

1234
      importedNode = body.ownerDocument.importNode(dirty, true);

1235
      if (importedNode.nodeType === NODE_TYPE.element && importedNode.nodeName === 'BODY') {

1236
        /* Node is already a body, use as is */

1237
        body = importedNode;

1238
      } else if (importedNode.nodeName === 'HTML') {

1239
        body = importedNode;

1240
      } else {

1241
        // eslint-disable-next-line unicorn/prefer-dom-node-append

1242
        body.appendChild(importedNode);

1243
      }

1244
    } else {

1245
      /* Exit directly if we have nothing to do */

1246
      if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT &&

1247
      // eslint-disable-next-line unicorn/prefer-includes

1248
      dirty.indexOf('<') === -1) {

1249
        return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;

1250
      }

1251
      /* Initialize the document to work on */

1252
      body = _initDocument(dirty);

1253
      /* Check we have a DOM node from the data */

1254
      if (!body) {

1255
        return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : '';

1256
      }

1257
    }

1258
    /* Remove first element node (ours) if FORCE_BODY is set */

1259
    if (body && FORCE_BODY) {

1260
      _forceRemove(body.firstChild);

1261
    }

1262
    /* Get node iterator */

1263
    const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);

1264
    /* Now start iterating over the created document */

1265
    while (currentNode = nodeIterator.nextNode()) {

1266
      /* Sanitize tags and elements */

1267
      _sanitizeElements(currentNode);

1268
      /* Check attributes next */

1269
      _sanitizeAttributes(currentNode);

1270
      /* Shadow DOM detected, sanitize it */

1271
      if (currentNode.content instanceof DocumentFragment) {

1272
        _sanitizeShadowDOM(currentNode.content);

1273
      }

1274
    }

1275
    /* If we sanitized `dirty` in-place, return it. */

1276
    if (IN_PLACE) {

1277
      return dirty;

1278
    }

1279
    /* Return sanitized string or DOM */

1280
    if (RETURN_DOM) {

1281
      if (RETURN_DOM_FRAGMENT) {

1282
        returnNode = createDocumentFragment.call(body.ownerDocument);

1283
        while (body.firstChild) {

1284
          // eslint-disable-next-line unicorn/prefer-dom-node-append

1285
          returnNode.appendChild(body.firstChild);

1286
        }

1287
      } else {

1288
        returnNode = body;

1289
      }

1290
      if (ALLOWED_ATTR.shadowroot || ALLOWED_ATTR.shadowrootmode) {

1291
        /*

1292
          AdoptNode() is not used because internal state is not reset

1293
          (e.g. the past names map of a HTMLFormElement), this is safe

1294
          in theory but we would rather not risk another attack vector.

1295
          The state that is cloned by importNode() is explicitly defined

1296
          by the specs.

1297
        */

1298
        returnNode = importNode.call(originalDocument, returnNode, true);

1299
      }

1300
      return returnNode;

1301
    }

1302
    let serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;

1303
    /* Serialize doctype if allowed */

1304
    if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {

1305
      serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;

1306
    }

1307
    /* Sanitize final string template-safe */

1308
    if (SAFE_FOR_TEMPLATES) {

1309
      arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {

1310
        serializedHTML = stringReplace(serializedHTML, expr, ' ');

1311
      });

1312
    }

1313
    return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;

1314
  };

1315
  DOMPurify.setConfig = function () {

1316
    let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};

1317
    _parseConfig(cfg);

1318
    SET_CONFIG = true;

1319
  };

1320
  DOMPurify.clearConfig = function () {

1321
    CONFIG = null;

1322
    SET_CONFIG = false;

1323
  };

1324
  DOMPurify.isValidAttribute = function (tag, attr, value) {

1325
    /* Initialize shared config vars if necessary. */

1326
    if (!CONFIG) {

1327
      _parseConfig({});

1328
    }

1329
    const lcTag = transformCaseFunc(tag);

1330
    const lcName = transformCaseFunc(attr);

1331
    return _isValidAttribute(lcTag, lcName, value);

1332
  };

1333
  DOMPurify.addHook = function (entryPoint, hookFunction) {

1334
    if (typeof hookFunction !== 'function') {

1335
      return;

1336
    }

1337
    arrayPush(hooks[entryPoint], hookFunction);

1338
  };

1339
  DOMPurify.removeHook = function (entryPoint, hookFunction) {

1340
    if (hookFunction !== undefined) {

1341
      const index = arrayLastIndexOf(hooks[entryPoint], hookFunction);

1342
      return index === -1 ? undefined : arraySplice(hooks[entryPoint], index, 1)[0];

1343
    }

1344
    return arrayPop(hooks[entryPoint]);

1345
  };

1346
  DOMPurify.removeHooks = function (entryPoint) {

1347
    hooks[entryPoint] = [];

1348
  };

1349
  DOMPurify.removeAllHooks = function () {

1350
    hooks = _createHooksMap();

1351
  };

1352
  return DOMPurify;

1353
}

1354
var purify = createDOMPurify();

1355


1356
export { purify as default };

1357


1358