fix: Switched to using the getParentNode API for some calls
cure53 committed Apr 27, 2024
1 parent ee17313 commit 61b761f
Showing 10 changed files with 40 additions and 25 deletions.
10 changes: 6 additions & 4 deletions dist/purify.cjs.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.cjs.js.map

Large diffs are not rendered by default.

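--- a/dist/purify.es.mjs
+++ b/dist/purify.es.mjs
@@ -1264,15 +1264,16 @@ function createDOMPurify() {
 if (_sanitizeElements(shadowNode)) {
 continue;
 }
+const parentNode = getParentNode(shadowNode);
 
 /* Set the nesting depth of an element */
 if (shadowNode.nodeType === 1) {
-if (shadowNode.parentNode && shadowNode.parentNode.__depth) {
+if (parentNode && parentNode.__depth) {
 /*
 We want the depth of the node in the original tree, which can
 change when it's removed from its parent.
 */
-shadowNode.__depth = (shadowNode.__removalCount || 0) + shadowNode.parentNode.__depth + 1;
+shadowNode.__depth = (shadowNode.__removalCount || 0) + parentNode.__depth + 1;
 } else {
 shadowNode.__depth = 1;
 }
@@ -1401,15 +1402,16 @@ function createDOMPurify() {
 if (_sanitizeElements(currentNode)) {
 continue;
 }
+const parentNode = getParentNode(currentNode);
 
 /* Set the nesting depth of an element */
 if (currentNode.nodeType === 1) {
-if (currentNode.parentNode && currentNode.parentNode.__depth) {
+if (parentNode && parentNode.__depth) {
 /*
 We want the depth of the node in the original tree, which can
 change when it's removed from its parent.
 */
-currentNode.__depth = (currentNode.__removalCount || 0) + currentNode.parentNode.__depth + 1;
+currentNode.__depth = (currentNode.__removalCount || 0) + parentNode.__depth + 1;
 } else {
 currentNode.__depth = 1;
 }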
2 changes: 1 addition & 1 deletion dist/purify.es.mjs.map

Large diffs are not rendered by default.

10 changes: 6 additions & 4 deletions dist/purify.js

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion dist/purify.js.map

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/purify.min.js.map

Large diffs are not rendered by default.

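--- a/src/purify.js
+++ b/src/purify.js
@@ -1379,17 +1379,17 @@ function createDOMPurify(window = getGlobal()) {
 continue;
 }
 
+const parentNode = getParentNode(shadowNode);
+
 /* Set the nesting depth of an element */
 if (shadowNode.nodeType === 1) {
-if (shadowNode.parentNode && shadowNode.parentNode.__depth) {
+if (parentNode && parentNode.__depth) {
 /*
 We want the depth of the node in the original tree, which can
 change when it's removed from its parent.
 */
 shadowNode.__depth =
-(shadowNode.__removalCount || 0) +
-shadowNode.parentNode.__depth +
-1;
+(shadowNode.__removalCount || 0) + parentNode.__depth + 1;
 } else {
 shadowNode.__depth = 1;
 }
@@ -1527,17 +1527,17 @@ function createDOMPurify(window = getGlobal()) {
 continue;
 }
 
+const parentNode = getParentNode(currentNode);
+
 /* Set the nesting depth of an element */
 if (currentNode.nodeType === 1) {
-if (currentNode.parentNode && currentNode.parentNode.__depth) {
+if (parentNode && parentNode.__depth) {
 /*
 We want the depth of the node in the original tree, which can
 change when it's removed from its parent.
 */
 currentNode.__depth =
-(currentNode.__removalCount || 0) +
-currentNode.parentNode.__depth +
-1;
+(currentNode.__removalCount || 0) + parentNode.__depth + 1;
 } else {
 currentNode.__depth = 1;
 }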
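Review bot: The depth bookkeeping in both hunks still reads `parentNode.__depth` and `shadowNode.__removalCount` / `currentNode.__removalCount` as plain properties on DOM nodes. On a form element a named control can shadow such a lookup and return an element instead of a number, the same class of problem that `getParentNode` closes for `parentNode`. Whether `_sanitizeElements` already rejects nodes with these names clobbered is not visible in the hunks. Consider a guard such as `typeof parentNode.__depth === 'number'` that treats a non-numeric value as a clobbered node instead of falling through to `__depth = 1`, or keep both counters in a `WeakMap` keyed by node so they never live on the element. The enclosing loops start and end outside both hunks.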
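--- a/test/test-suite.js
+++ b/test/test-suite.js
@@ -2177,6 +2177,15 @@
 ];
 clean = DOMPurify.sanitize(dirty);
 assert.contains(clean, expected);
+
+dirty = `<form><input name="parentNode"></form>${`<div>`.repeat(
+500
+)}${`</div>`.repeat(500)}<img>`;
+expected = [
+`<form><input></form>${`<div>`.repeat(253)}${`</div>`.repeat(253)}<img>`
+];
+clean = DOMPurify.sanitize(dirty);
+assert.contains(clean, expected);
 });
 
 QUnit.test('Test proper handling of nesting-based mXSS 3/3', function (assert) {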
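Review bot: The added regression case only exercises the main-tree walk, so the identical change in the shadow-DOM loop (the `shadowNode` hunk in src/purify.js) has no matching assertion in this hunk. A sibling case that runs the same expectation through template content would pin that path too. The literal `253` would also benefit from a one-line comment such as `// nesting limit minus wrapper elements` (presumably how it is derived; confirm against the constant in src/purify.js) so that a later change to the limit does not leave an unexplained number here. The enclosing `QUnit.test` starts outside the hunk.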
