"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "README.md" between
DOMPurify-3.0.1.tar.gz and DOMPurify-3.0.2.tar.gz

About: DOMPurify is a DOM-only XSS sanitizer for HTML, MathML and SVG (written in JavaScript).

README.md  (DOMPurify-3.0.1):README.md  (DOMPurify-3.0.2)
# DOMPurify # DOMPurify
[![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js /dompurify) ![Build and Test](https://github.com/cure53/DOMPurify/workflows/Buil d%20and%20Test/badge.svg?branch=main) [![Downloads](https://img.shields.io/npm/d m/dompurify.svg)](https://www.npmjs.com/package/dompurify) [![minified size](htt ps://badgen.net/bundlephobia/min/dompurify?color=green&label=minified)](https:// cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js) [![gzip size](https://badgen. net/bundlephobia/minzip/dompurify?color=green&label=gzipped)](https://packagepho bia.now.sh/result?p=dompurify) [![dependents](https://badgen.net/github/dependen ts-repo/cure53/dompurify?color=green&label=dependents)](https://github.com/cure5 3/DOMPurify/network/dependents) [![npm version](https://badge.fury.io/js/dompurify.svg)](http://badge.fury.io/js /dompurify) ![Build and Test](https://github.com/cure53/DOMPurify/workflows/Buil d%20and%20Test/badge.svg?branch=main) [![Downloads](https://img.shields.io/npm/d m/dompurify.svg)](https://www.npmjs.com/package/dompurify) [![minified size](htt ps://badgen.net/bundlephobia/min/dompurify?color=green&label=minified)](https:// cdn.jsdelivr.net/npm/dompurify/dist/purify.min.js) [![gzip size](https://badgen. net/bundlephobia/minzip/dompurify?color=green&label=gzipped)](https://packagepho bia.now.sh/result?p=dompurify) [![dependents](https://badgen.net/github/dependen ts-repo/cure53/dompurify?color=green&label=dependents)](https://github.com/cure5 3/DOMPurify/network/dependents)
[![NPM](https://nodei.co/npm/dompurify.png)](https://nodei.co/npm/dompurify/) [![NPM](https://nodei.co/npm/dompurify.png)](https://nodei.co/npm/dompurify/)
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathM L and SVG. DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathM L and SVG.
It's also very simple to use and get started with. DOMPurify was [started in Feb ruary 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787 ab19e73e3691b2b) and, meanwhile, has reached version 3.0.1. It's also very simple to use and get started with. DOMPurify was [started in Feb ruary 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787 ab19e73e3691b2b) and, meanwhile, has reached version **v3.0.2**.
DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+ ), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing. DOMPurify is written in JavaScript and works in all modern browsers (Safari (10+ ), Opera (15+), Edge, Firefox and Chrome - as well as almost anything else using Blink, Gecko or WebKit). It doesn't break on MSIE or other legacy browsers. It simply does nothing.
**Note that [DOMPurify v2.4.5](https://github.com/cure53/DOMPurify/releases/tag/ 2.4.4) is the final version supporting MSIE. For important security updates comp atible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurif y/tree/2.x).** **Note that [DOMPurify v2.4.5](https://github.com/cure53/DOMPurify/releases/tag/ 2.4.4) is the final version supporting MSIE. For important security updates comp atible with MSIE, please use the [2.x branch](https://github.com/cure53/DOMPurif y/tree/2.x).**
Our automated tests cover [19 different browsers](https://github.com/cure53/DOMP urify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to com e. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [js dom](https://github.com/jsdom/jsdom). Older Node versions are known to work as w ell, but hey... no guarantees. Our automated tests cover [19 different browsers](https://github.com/cure53/DOMP urify/blob/main/test/karma.custom-launchers.config.js#L5) right now, more to com e. We also cover Node.js v16.x, v17.x, v18.x and v19.x, running DOMPurify on [js dom](https://github.com/jsdom/jsdom). Older Node versions are known to work as w ell, but hey... no guarantees.
DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat- Model). Please, read it. Like, really. DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat- Model). Please, read it. Like, really.
## What does it do? ## What does it do?
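Review bot: the MSIE note in this hunk reads "DOMPurify v2.4.5" but links to https://github.com/cure53/DOMPurify/releases/tag/2.4.4 on both the 3.0.1 and 3.0.2 sides, so the link text and the tag URL disagree; since the only change in this region is the version bump to v3.0.2, it would be worth fixing that mismatch in the same edit (make the text and the tag agree) so readers looking for the final MSIE-compatible release are not sent to a different tag than the one named.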
skipping to change at line 273 skipping to change at line 273
// extend the existing array of elements that can use Data URIs // extend the existing array of elements that can use Data URIs
var clean = DOMPurify.sanitize(dirty, {ADD_DATA_URI_TAGS: ['a', 'area']}); var clean = DOMPurify.sanitize(dirty, {ADD_DATA_URI_TAGS: ['a', 'area']});
// extend the existing array of elements that are safe for URI-like values (be c areful, XSS risk) // extend the existing array of elements that are safe for URI-like values (be c areful, XSS risk)
var clean = DOMPurify.sanitize(dirty, {ADD_URI_SAFE_ATTR: ['my-attr']}); var clean = DOMPurify.sanitize(dirty, {ADD_URI_SAFE_ATTR: ['my-attr']});
/** /**
* Control permitted attribute values * Control permitted attribute values
*/ */
// allow external protocol handlers in URL attributes (default is false, be care ful, XSS risk) // allow external protocol handlers in URL attributes (default is false, be care ful, XSS risk)
// by default only http, https, ftp, ftps, tel, mailto, callto, cid and xmpp are allowed. // by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid and xmp p are allowed.
var clean = DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true}); var clean = DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true});
// allow specific protocols handlers in URL attributes via regex (default is fal se, be careful, XSS risk) // allow specific protocols handlers in URL attributes via regex (default is fal se, be careful, XSS risk)
// by default only http, https, ftp, ftps, tel, mailto, callto, cid and xmpp are // by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid and xmp
allowed. p are allowed.
// Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp):|[^a-z]|[a-z // Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|
+.\-]+(?:[^a-z+.\-:]|$))/i; [a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
var clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?| var clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|
mailto|tel|callto|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;}); mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;});
/** /**
* Influence the return-type * Influence the return-type
*/ */
// return a DOM HTMLBodyElement instead of an HTML string (default is false) // return a DOM HTMLBodyElement instead of an HTML string (default is false)
var clean = DOMPurify.sanitize(dirty, {RETURN_DOM: true}); var clean = DOMPurify.sanitize(dirty, {RETURN_DOM: true});
// return a DOM DocumentFragment instead of an HTML string (default is false) // return a DOM DocumentFragment instead of an HTML string (default is false)
var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true}); var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true});
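Review bot: the new `sms` scheme is added consistently to the default-protocol comment, the "Default RegExp" comment and the `ALLOWED_URI_REGEXP` example, but the example still works by copying the entire default pattern and appending `xxx`, so anyone who pasted the 3.0.1 version of that example into their configuration now runs an allow-list that no longer matches the library defaults (it lacks `sms`) without any indication of that. Consider adding one sentence after the example stating that `ALLOWED_URI_REGEXP` replaces the default allow-list rather than extending it, so users know to re-sync a custom regex whenever the defaults change.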
 End of changes. 3 change blocks. 
8 lines changed or deleted 8 lines changed or added
