Fix: addressed a bypass on jsdom 22 when noframes tag is allowed

cure53 · Jun 29, 2023 · 786c809 · 786c809
1 parent 5e24d1f
commit 786c809
Show file tree

Hide file tree

Showing 9 changed files with 19 additions and 17 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -1056,10 +1056,12 @@ function createDOMPurify(window = getGlobal()) {
       return true;
     }
 
-    /* Make sure that older browsers don't get noscript mXSS */
+    /* Make sure that older browsers don't get fallback-tag mXSS */
     if (
-      (tagName === 'noscript' || tagName === 'noembed') &&
-      regExpTest(/<\/no(script|embed)/i, currentNode.innerHTML)
+      (tagName === 'noscript' ||
+        tagName === 'noembed' ||
+        tagName === 'noframes') &&
+      regExpTest(/<\/no(script|embed|frames)/i, currentNode.innerHTML)
     ) {
       _forceRemove(currentNode);
       return true;