UNPKG

dompurify

Version:

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

github.com/cure53/DOMPurify

cure53/DOMPurify

17 lines (15 loc) 891 B
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
import { seal } from './utils.js'; export const MUSTACHE_EXPR = seal(/{{[\w\W]*|^[\w\W]*}}/g); export const ERB_EXPR = seal(/<%[\w\W]*|^[\w\W]*%>/g); export const TMPLIT_EXPR = seal(/\${[\w\W]*/g); export const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]+$/); // eslint-disable-line no-useless-escape export const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape export const IS_ALLOWED_URI = seal( /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|matrix):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i // eslint-disable-line no-useless-escape ); export const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script|data):/i); export const ATTR_WHITESPACE = seal( /[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex ); export const DOCTYPE_NAME = seal(/^html$/i); export const CUSTOM_ELEMENT = seal(/^[a-z][.\w]*(-[.\w]+)+$/i);