1 change: 1 addition & 0 deletions .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ matrix:
- node_js: "8"
- node_js: "9"
- node_js: "10"
- node_js: "11"
env: TEST_BROWSERSTACK=true
addons:
apt:
Expand Down
8 changes: 4 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,11 +6,11 @@

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.

It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.10.
It's also very simple to use and get started with. DOMPurify was [started in February 2014](https://github.com/cure53/DOMPurify/commit/a630922616927373485e0e787ab19e73e3691b2b) and, meanwhile, has reached version 1.0.11.

DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses [a fall-back](#what-about-older-browsers-like-msie8) or simply does nothing.

Our automated tests cover [25 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v8.0.0, v9.0.0 and v10.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom).
Our automated tests cover [25 different browsers](https://github.com/cure53/DOMPurify/blob/master/test/karma.custom-launchers.config.js#L5) right now, more to come. We also cover Node.js v8.0.0, v9.0.0, v10.0.0 and v11.0.0, running DOMPurify on [jsdom](https://github.com/tmpvar/jsdom).

DOMPurify is written by security people who have vast background in web attacks and XSS. Fear not. For more details please also read about our [Security Goals & Threat Model](https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model). Please, read it. Like, really.

Expand Down Expand Up @@ -199,7 +199,7 @@ var clean = DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true});
// disable DOM Clobbering protection on output (default is true, handle with care!)
var clean = DOMPurify.sanitize(dirty, {SANITIZE_DOM: false});

// discard an element's content when the element is removed (default is true)
// keep an element's content when the element is removed (default is true)
var clean = DOMPurify.sanitize(dirty, {KEEP_CONTENT: false});

// glue elements like style, script or others to document.body and prevent unintuitive browser behavior in several edge-cases (default is false)
Expand Down Expand Up @@ -257,7 +257,7 @@ We support both `yarn` and `npm@5.2` officially while providing lock-files for e

#### Scripts

We rely on npm run-scripts for integrating with out tooling infrastructure. We use ESLint as a pre-commit hook to ensure code consistency. Moreover, to ease formatting we use [prettier](https://github.com/prettier/prettier) while building the `/dist` assets happens through `rollup`.
We rely on npm run-scripts for integrating with our tooling infrastructure. We use ESLint as a pre-commit hook to ensure code consistency. Moreover, to ease formatting we use [prettier](https://github.com/prettier/prettier) while building the `/dist` assets happens through `rollup`.

These are our npm scripts:

Expand Down
2 changes: 1 addition & 1 deletion bower.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "DOMPurify",
"version": "1.0.10",
"version": "1.0.11",
"homepage": "https://github.com/cure53/DOMPurify",
"author": "Cure53 <info@cure53.de>",
"description": "A DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG",
Expand Down
32 changes: 32 additions & 0 deletions demos/hooks-node-removal-demo.html
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
<!doctype html>
<html>
<head>
<script src="../dist/purify.js"></script>
</head>
<body>
<!-- Our DIV to receive content -->
<div id="sanitized"></div>

<!-- Now let's sanitize that content -->
<script>
/* jshint globalstrict:true */
/* global DOMPurify */
'use strict';

// Specify dirty HTML
var dirty = '<p>Not empty</p><p class="empty"></p>';

// Add a hook to remove empty nodes
DOMPurify.addHook('beforeSanitizeAttributes', function(node) {
// Remove the node in case it is empty
if (!node.hasChildNodes() && !node.textContent) {
node.remove();
}
});

// Clean HTML string and write into our DIV
var clean = DOMPurify.sanitize(dirty);
document.getElementById('sanitized').innerHTML = clean;
</script>
</body>
</html>
2 changes: 2 additions & 0 deletions demos/hooks-target-blank-demo.html
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@
// set all elements owning target to target=_blank
if ('target' in node) {
node.setAttribute('target','_blank');
// prevent https://www.owasp.org/index.php/Reverse_Tabnabbing
node.setAttribute('rel', 'noopener noreferrer');
}
// set non-HTML/MathML links to xlink:show=new
if (!node.hasAttribute('target')
Expand Down
14 changes: 9 additions & 5 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading