diff --git a/node_modules/dompurify/dist/purify.es.js b/node_modules/dompurify/dist/purify.es.js index 009cfd7..828e17e 100644 --- a/node_modules/dompurify/dist/purify.es.js +++ b/node_modules/dompurify/dist/purify.es.js @@ -1190,6 +1190,7 @@ function createDOMPurify() { namespaceURI = _attr.namespaceURI; value = name === 'value' ? attr.value : stringTrim(attr.value); lcName = transformCaseFunc(name); + var initValue = value; /* Execute a hook if present */ hookEvent.attrName = lcName; @@ -1205,19 +1206,14 @@ function createDOMPurify() { if (hookEvent.forceKeepAttr) { continue; } - /* Remove attribute */ - - - _removeAttribute(name, currentNode); /* Did the hooks approve of the attribute? */ - if (!hookEvent.keepAttr) { + _removeAttribute(name, currentNode); continue; } /* Work around a security issue in jQuery 3.0 */ - if (regExpTest(/\/>/i, value)) { _removeAttribute(name, currentNode); @@ -1225,32 +1221,31 @@ function createDOMPurify() { } /* Sanitize attribute content to be template-safe */ - if (SAFE_FOR_TEMPLATES) { value = stringReplace(value, MUSTACHE_EXPR$1, ' '); value = stringReplace(value, ERB_EXPR$1, ' '); } /* Is `value` valid for this attribute? */ - var lcTag = transformCaseFunc(currentNode.nodeName); if (!_isValidAttribute(lcTag, lcName, value)) { + _removeAttribute(name, currentNode); continue; } /* Handle invalid data-* attribute set by try-catching it */ - - - try { - if (namespaceURI) { - currentNode.setAttributeNS(namespaceURI, name, value); - } else { - /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */ - currentNode.setAttribute(name, value); + if (value !== initValue) { + try { + if (namespaceURI) { + currentNode.setAttributeNS(namespaceURI, name, value); + } else { + /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */ + currentNode.setAttribute(name, value); + } + } catch (_) { + _removeAttribute(name, currentNode); } - - arrayPop(DOMPurify.removed); - } catch (_) {} + } } /* Execute a hook if present */ diff --git a/node_modules/dompurify/dist/purify.js b/node_modules/dompurify/dist/purify.js index f270dcc..4d21b8b 100644 --- a/node_modules/dompurify/dist/purify.js +++ b/node_modules/dompurify/dist/purify.js @@ -1196,6 +1196,7 @@ namespaceURI = _attr.namespaceURI; value = name === 'value' ? attr.value : stringTrim(attr.value); lcName = transformCaseFunc(name); + var initValue = value; /* Execute a hook if present */ hookEvent.attrName = lcName; @@ -1211,19 +1212,14 @@ if (hookEvent.forceKeepAttr) { continue; } - /* Remove attribute */ - - - _removeAttribute(name, currentNode); /* Did the hooks approve of the attribute? */ - if (!hookEvent.keepAttr) { + _removeAttribute(name, currentNode); continue; } /* Work around a security issue in jQuery 3.0 */ - if (regExpTest(/\/>/i, value)) { _removeAttribute(name, currentNode); @@ -1231,32 +1227,31 @@ } /* Sanitize attribute content to be template-safe */ - if (SAFE_FOR_TEMPLATES) { value = stringReplace(value, MUSTACHE_EXPR$1, ' '); value = stringReplace(value, ERB_EXPR$1, ' '); } /* Is `value` valid for this attribute? */ - var lcTag = transformCaseFunc(currentNode.nodeName); if (!_isValidAttribute(lcTag, lcName, value)) { + _removeAttribute(name, currentNode); continue; } /* Handle invalid data-* attribute set by try-catching it */ - - - try { - if (namespaceURI) { - currentNode.setAttributeNS(namespaceURI, name, value); - } else { - /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */ - currentNode.setAttribute(name, value); + if (value !== initValue) { + try { + if (namespaceURI) { + currentNode.setAttributeNS(namespaceURI, name, value); + } else { + /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */ + currentNode.setAttribute(name, value); + } + } catch (_) { + _removeAttribute(name, currentNode); } - - arrayPop(DOMPurify.removed); - } catch (_) {} + } } /* Execute a hook if present */