Context Navigation

← Previous Revision
Next Revision →
Blame
Revision Log

source: node_modules/dompurify/dist/purify.cjs.js

main

Last change on this file was d24f17c, checked in by Aleksandar Panovski <apano77@…>, 15 months ago
Initial commit
Property mode set to `100644`
File size: 60.5 KB

Line
1	/! @license DOMPurify 3.0.8 \| (c) Cure53 and other contributors \| Released under the Apache license 2.0 and Mozilla Public License 2.0 \| github.com/cure53/DOMPurify/blob/3.0.8/LICENSE /
2
3	'use strict';
4
5	const {
6	entries,
7	setPrototypeOf,
8	isFrozen,
9	getPrototypeOf,
10	getOwnPropertyDescriptor
11	} = Object;
12	let {
13	freeze,
14	seal,
15	create
16	} = Object; // eslint-disable-line import/no-mutable-exports
17	let {
18	apply,
19	construct
20	} = typeof Reflect !== 'undefined' && Reflect;
21	if (!freeze) {
22	freeze = function freeze(x) {
23	return x;
24	};
25	}
26	if (!seal) {
27	seal = function seal(x) {
28	return x;
29	};
30	}
31	if (!apply) {
32	apply = function apply(fun, thisValue, args) {
33	return fun.apply(thisValue, args);
34	};
35	}
36	if (!construct) {
37	construct = function construct(Func, args) {
38	return new Func(...args);
39	};
40	}
41	const arrayForEach = unapply(Array.prototype.forEach);
42	const arrayPop = unapply(Array.prototype.pop);
43	const arrayPush = unapply(Array.prototype.push);
44	const stringToLowerCase = unapply(String.prototype.toLowerCase);
45	const stringToString = unapply(String.prototype.toString);
46	const stringMatch = unapply(String.prototype.match);
47	const stringReplace = unapply(String.prototype.replace);
48	const stringIndexOf = unapply(String.prototype.indexOf);
49	const stringTrim = unapply(String.prototype.trim);
50	const regExpTest = unapply(RegExp.prototype.test);
51	const typeErrorCreate = unconstruct(TypeError);
52
53	/**
54	* Creates a new function that calls the given function with a specified thisArg and arguments.
55	*
56	* @param {Function} func - The function to be wrapped and called.
57	* @returns {Function} A new function that calls the given function with a specified thisArg and arguments.
58	*/
59	function unapply(func) {
60	return function (thisArg) {
61	for (var _len = arguments.length, args = new Array(_len > 1 ? _len - 1 : 0), _key = 1; _key < _len; _key++) {
62	args[_key - 1] = arguments[_key];
63	}
64	return apply(func, thisArg, args);
65	};
66	}
67
68	/**
69	* Creates a new function that constructs an instance of the given constructor function with the provided arguments.
70	*
71	* @param {Function} func - The constructor function to be wrapped and called.
72	* @returns {Function} A new function that constructs an instance of the given constructor function with the provided arguments.
73	*/
74	function unconstruct(func) {
75	return function () {
76	for (var _len2 = arguments.length, args = new Array(_len2), _key2 = 0; _key2 < _len2; _key2++) {
77	args[_key2] = arguments[_key2];
78	}
79	return construct(func, args);
80	};
81	}
82
83	/**
84	* Add properties to a lookup table
85	*
86	* @param {Object} set - The set to which elements will be added.
87	* @param {Array} array - The array containing elements to be added to the set.
88	* @param {Function} transformCaseFunc - An optional function to transform the case of each element before adding to the set.
89	* @returns {Object} The modified set with added elements.
90	*/
91	function addToSet(set, array) {
92	let transformCaseFunc = arguments.length > 2 && arguments[2] !== undefined ? arguments[2] : stringToLowerCase;
93	if (setPrototypeOf) {
94	// Make 'in' and truthy checks like Boolean(set.constructor)
95	// independent of any properties defined on Object.prototype.
96	// Prevent prototype setters from intercepting set as a this value.
97	setPrototypeOf(set, null);
98	}
99	let l = array.length;
100	while (l--) {
101	let element = array[l];
102	if (typeof element === 'string') {
103	const lcElement = transformCaseFunc(element);
104	if (lcElement !== element) {
105	// Config presets (e.g. tags.js, attrs.js) are immutable.
106	if (!isFrozen(array)) {
107	array[l] = lcElement;
108	}
109	element = lcElement;
110	}
111	}
112	set[element] = true;
113	}
114	return set;
115	}
116
117	/**
118	* Clean up an array to harden against CSPP
119	*
120	* @param {Array} array - The array to be cleaned.
121	* @returns {Array} The cleaned version of the array
122	*/
123	function cleanArray(array) {
124	for (let index = 0; index < array.length; index++) {
125	if (getOwnPropertyDescriptor(array, index) === undefined) {
126	array[index] = null;
127	}
128	}
129	return array;
130	}
131
132	/**
133	* Shallow clone an object
134	*
135	* @param {Object} object - The object to be cloned.
136	* @returns {Object} A new object that copies the original.
137	*/
138	function clone(object) {
139	const newObject = create(null);
140	for (const [property, value] of entries(object)) {
141	if (getOwnPropertyDescriptor(object, property) !== undefined) {
142	if (Array.isArray(value)) {
143	newObject[property] = cleanArray(value);
144	} else if (value && typeof value === 'object' && value.constructor === Object) {
145	newObject[property] = clone(value);
146	} else {
147	newObject[property] = value;
148	}
149	}
150	}
151	return newObject;
152	}
153
154	/**
155	* This method automatically checks if the prop is function or getter and behaves accordingly.
156	*
157	* @param {Object} object - The object to look up the getter function in its prototype chain.
158	* @param {String} prop - The property name for which to find the getter function.
159	* @returns {Function} The getter function found in the prototype chain or a fallback function.
160	*/
161	function lookupGetter(object, prop) {
162	while (object !== null) {
163	const desc = getOwnPropertyDescriptor(object, prop);
164	if (desc) {
165	if (desc.get) {
166	return unapply(desc.get);
167	}
168	if (typeof desc.value === 'function') {
169	return unapply(desc.value);
170	}
171	}
172	object = getPrototypeOf(object);
173	}
174	function fallbackValue(element) {
175	console.warn('fallback value for', element);
176	return null;
177	}
178	return fallbackValue;
179	}
180
181	const html$1 = freeze(['a', 'abbr', 'acronym', 'address', 'area', 'article', 'aside', 'audio', 'b', 'bdi', 'bdo', 'big', 'blink', 'blockquote', 'body', 'br', 'button', 'canvas', 'caption', 'center', 'cite', 'code', 'col', 'colgroup', 'content', 'data', 'datalist', 'dd', 'decorator', 'del', 'details', 'dfn', 'dialog', 'dir', 'div', 'dl', 'dt', 'element', 'em', 'fieldset', 'figcaption', 'figure', 'font', 'footer', 'form', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'head', 'header', 'hgroup', 'hr', 'html', 'i', 'img', 'input', 'ins', 'kbd', 'label', 'legend', 'li', 'main', 'map', 'mark', 'marquee', 'menu', 'menuitem', 'meter', 'nav', 'nobr', 'ol', 'optgroup', 'option', 'output', 'p', 'picture', 'pre', 'progress', 'q', 'rp', 'rt', 'ruby', 's', 'samp', 'section', 'select', 'shadow', 'small', 'source', 'spacer', 'span', 'strike', 'strong', 'style', 'sub', 'summary', 'sup', 'table', 'tbody', 'td', 'template', 'textarea', 'tfoot', 'th', 'thead', 'time', 'tr', 'track', 'tt', 'u', 'ul', 'var', 'video', 'wbr']);
182
183	// SVG
184	const svg$1 = freeze(['svg', 'a', 'altglyph', 'altglyphdef', 'altglyphitem', 'animatecolor', 'animatemotion', 'animatetransform', 'circle', 'clippath', 'defs', 'desc', 'ellipse', 'filter', 'font', 'g', 'glyph', 'glyphref', 'hkern', 'image', 'line', 'lineargradient', 'marker', 'mask', 'metadata', 'mpath', 'path', 'pattern', 'polygon', 'polyline', 'radialgradient', 'rect', 'stop', 'style', 'switch', 'symbol', 'text', 'textpath', 'title', 'tref', 'tspan', 'view', 'vkern']);
185	const svgFilters = freeze(['feBlend', 'feColorMatrix', 'feComponentTransfer', 'feComposite', 'feConvolveMatrix', 'feDiffuseLighting', 'feDisplacementMap', 'feDistantLight', 'feDropShadow', 'feFlood', 'feFuncA', 'feFuncB', 'feFuncG', 'feFuncR', 'feGaussianBlur', 'feImage', 'feMerge', 'feMergeNode', 'feMorphology', 'feOffset', 'fePointLight', 'feSpecularLighting', 'feSpotLight', 'feTile', 'feTurbulence']);
186
187	// List of SVG elements that are disallowed by default.
188	// We still need to know them so that we can do namespace
189	// checks properly in case one wants to add them to
190	// allow-list.
191	const svgDisallowed = freeze(['animate', 'color-profile', 'cursor', 'discard', 'font-face', 'font-face-format', 'font-face-name', 'font-face-src', 'font-face-uri', 'foreignobject', 'hatch', 'hatchpath', 'mesh', 'meshgradient', 'meshpatch', 'meshrow', 'missing-glyph', 'script', 'set', 'solidcolor', 'unknown', 'use']);
192	const mathMl$1 = freeze(['math', 'menclose', 'merror', 'mfenced', 'mfrac', 'mglyph', 'mi', 'mlabeledtr', 'mmultiscripts', 'mn', 'mo', 'mover', 'mpadded', 'mphantom', 'mroot', 'mrow', 'ms', 'mspace', 'msqrt', 'mstyle', 'msub', 'msup', 'msubsup', 'mtable', 'mtd', 'mtext', 'mtr', 'munder', 'munderover', 'mprescripts']);
193
194	// Similarly to SVG, we want to know all MathML elements,
195	// even those that we disallow by default.
196	const mathMlDisallowed = freeze(['maction', 'maligngroup', 'malignmark', 'mlongdiv', 'mscarries', 'mscarry', 'msgroup', 'mstack', 'msline', 'msrow', 'semantics', 'annotation', 'annotation-xml', 'mprescripts', 'none']);
197	const text = freeze(['#text']);
198
199	const html = freeze(['accept', 'action', 'align', 'alt', 'autocapitalize', 'autocomplete', 'autopictureinpicture', 'autoplay', 'background', 'bgcolor', 'border', 'capture', 'cellpadding', 'cellspacing', 'checked', 'cite', 'class', 'clear', 'color', 'cols', 'colspan', 'controls', 'controlslist', 'coords', 'crossorigin', 'datetime', 'decoding', 'default', 'dir', 'disabled', 'disablepictureinpicture', 'disableremoteplayback', 'download', 'draggable', 'enctype', 'enterkeyhint', 'face', 'for', 'headers', 'height', 'hidden', 'high', 'href', 'hreflang', 'id', 'inputmode', 'integrity', 'ismap', 'kind', 'label', 'lang', 'list', 'loading', 'loop', 'low', 'max', 'maxlength', 'media', 'method', 'min', 'minlength', 'multiple', 'muted', 'name', 'nonce', 'noshade', 'novalidate', 'nowrap', 'open', 'optimum', 'pattern', 'placeholder', 'playsinline', 'poster', 'preload', 'pubdate', 'radiogroup', 'readonly', 'rel', 'required', 'rev', 'reversed', 'role', 'rows', 'rowspan', 'spellcheck', 'scope', 'selected', 'shape', 'size', 'sizes', 'span', 'srclang', 'start', 'src', 'srcset', 'step', 'style', 'summary', 'tabindex', 'title', 'translate', 'type', 'usemap', 'valign', 'value', 'width', 'xmlns', 'slot']);
200	const svg = freeze(['accent-height', 'accumulate', 'additive', 'alignment-baseline', 'ascent', 'attributename', 'attributetype', 'azimuth', 'basefrequency', 'baseline-shift', 'begin', 'bias', 'by', 'class', 'clip', 'clippathunits', 'clip-path', 'clip-rule', 'color', 'color-interpolation', 'color-interpolation-filters', 'color-profile', 'color-rendering', 'cx', 'cy', 'd', 'dx', 'dy', 'diffuseconstant', 'direction', 'display', 'divisor', 'dur', 'edgemode', 'elevation', 'end', 'fill', 'fill-opacity', 'fill-rule', 'filter', 'filterunits', 'flood-color', 'flood-opacity', 'font-family', 'font-size', 'font-size-adjust', 'font-stretch', 'font-style', 'font-variant', 'font-weight', 'fx', 'fy', 'g1', 'g2', 'glyph-name', 'glyphref', 'gradientunits', 'gradienttransform', 'height', 'href', 'id', 'image-rendering', 'in', 'in2', 'k', 'k1', 'k2', 'k3', 'k4', 'kerning', 'keypoints', 'keysplines', 'keytimes', 'lang', 'lengthadjust', 'letter-spacing', 'kernelmatrix', 'kernelunitlength', 'lighting-color', 'local', 'marker-end', 'marker-mid', 'marker-start', 'markerheight', 'markerunits', 'markerwidth', 'maskcontentunits', 'maskunits', 'max', 'mask', 'media', 'method', 'mode', 'min', 'name', 'numoctaves', 'offset', 'operator', 'opacity', 'order', 'orient', 'orientation', 'origin', 'overflow', 'paint-order', 'path', 'pathlength', 'patterncontentunits', 'patterntransform', 'patternunits', 'points', 'preservealpha', 'preserveaspectratio', 'primitiveunits', 'r', 'rx', 'ry', 'radius', 'refx', 'refy', 'repeatcount', 'repeatdur', 'restart', 'result', 'rotate', 'scale', 'seed', 'shape-rendering', 'specularconstant', 'specularexponent', 'spreadmethod', 'startoffset', 'stddeviation', 'stitchtiles', 'stop-color', 'stop-opacity', 'stroke-dasharray', 'stroke-dashoffset', 'stroke-linecap', 'stroke-linejoin', 'stroke-miterlimit', 'stroke-opacity', 'stroke', 'stroke-width', 'style', 'surfacescale', 'systemlanguage', 'tabindex', 'targetx', 'targety', 'transform', 'transform-origin', 'text-anchor', 'text-decoration', 'text-rendering', 'textlength', 'type', 'u1', 'u2', 'unicode', 'values', 'viewbox', 'visibility', 'version', 'vert-adv-y', 'vert-origin-x', 'vert-origin-y', 'width', 'word-spacing', 'wrap', 'writing-mode', 'xchannelselector', 'ychannelselector', 'x', 'x1', 'x2', 'xmlns', 'y', 'y1', 'y2', 'z', 'zoomandpan']);
201	const mathMl = freeze(['accent', 'accentunder', 'align', 'bevelled', 'close', 'columnsalign', 'columnlines', 'columnspan', 'denomalign', 'depth', 'dir', 'display', 'displaystyle', 'encoding', 'fence', 'frame', 'height', 'href', 'id', 'largeop', 'length', 'linethickness', 'lspace', 'lquote', 'mathbackground', 'mathcolor', 'mathsize', 'mathvariant', 'maxsize', 'minsize', 'movablelimits', 'notation', 'numalign', 'open', 'rowalign', 'rowlines', 'rowspacing', 'rowspan', 'rspace', 'rquote', 'scriptlevel', 'scriptminsize', 'scriptsizemultiplier', 'selection', 'separator', 'separators', 'stretchy', 'subscriptshift', 'supscriptshift', 'symmetric', 'voffset', 'width', 'xmlns']);
202	const xml = freeze(['xlink:href', 'xml:id', 'xlink:title', 'xml:space', 'xmlns:xlink']);
203
204	// eslint-disable-next-line unicorn/better-regex
205	const MUSTACHE_EXPR = seal(/\{\{[\w\W]\|[\w\W]\}\}/gm); // Specify template detection regex for SAFE_FOR_TEMPLATES mode
206	const ERB_EXPR = seal(/<%[\w\W]\|[\w\W]%>/gm);
207	const TMPLIT_EXPR = seal(/\${[\w\W]*}/gm);
208	const DATA_ATTR = seal(/^data-[\-\w.\u00B7-\uFFFF]/); // eslint-disable-line no-useless-escape
209	const ARIA_ATTR = seal(/^aria-[\-\w]+$/); // eslint-disable-line no-useless-escape
210	const IS_ALLOWED_URI = seal(/^(?:(?:(?:f\|ht)tps?\|mailto\|tel\|callto\|sms\|cid\|xmpp):\|[^a-z]\|[a-z+.\-]+(?:[^a-z+.\-:]\|$))/i // eslint-disable-line no-useless-escape
211	);
212
213	const IS_SCRIPT_OR_DATA = seal(/^(?:\w+script\|data):/i);
214	const ATTR_WHITESPACE = seal(/[\u0000-\u0020\u00A0\u1680\u180E\u2000-\u2029\u205F\u3000]/g // eslint-disable-line no-control-regex
215	);
216
217	const DOCTYPE_NAME = seal(/^html$/i);
218
219	var EXPRESSIONS = /#__PURE__/Object.freeze({
220	__proto__: null,
221	MUSTACHE_EXPR: MUSTACHE_EXPR,
222	ERB_EXPR: ERB_EXPR,
223	TMPLIT_EXPR: TMPLIT_EXPR,
224	DATA_ATTR: DATA_ATTR,
225	ARIA_ATTR: ARIA_ATTR,
226	IS_ALLOWED_URI: IS_ALLOWED_URI,
227	IS_SCRIPT_OR_DATA: IS_SCRIPT_OR_DATA,
228	ATTR_WHITESPACE: ATTR_WHITESPACE,
229	DOCTYPE_NAME: DOCTYPE_NAME
230	});
231
232	const getGlobal = function getGlobal() {
233	return typeof window === 'undefined' ? null : window;
234	};
235
236	/**
237	* Creates a no-op policy for internal use only.
238	* Don't export this function outside this module!
239	* @param {TrustedTypePolicyFactory} trustedTypes The policy factory.
240	* @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
241	* @return {TrustedTypePolicy} The policy created (or null, if Trusted Types
242	* are not supported or creating the policy failed).
243	*/
244	const _createTrustedTypesPolicy = function _createTrustedTypesPolicy(trustedTypes, purifyHostElement) {
245	if (typeof trustedTypes !== 'object' \|\| typeof trustedTypes.createPolicy !== 'function') {
246	return null;
247	}
248
249	// Allow the callers to control the unique policy name
250	// by adding a data-tt-policy-suffix to the script element with the DOMPurify.
251	// Policy creation with duplicate names throws in Trusted Types.
252	let suffix = null;
253	const ATTR_NAME = 'data-tt-policy-suffix';
254	if (purifyHostElement && purifyHostElement.hasAttribute(ATTR_NAME)) {
255	suffix = purifyHostElement.getAttribute(ATTR_NAME);
256	}
257	const policyName = 'dompurify' + (suffix ? '#' + suffix : '');
258	try {
259	return trustedTypes.createPolicy(policyName, {
260	createHTML(html) {
261	return html;
262	},
263	createScriptURL(scriptUrl) {
264	return scriptUrl;
265	}
266	});
267	} catch (_) {
268	// Policy creation failed (most likely another DOMPurify script has
269	// already run). Skip creating the policy, as this will only cause errors
270	// if TT are enforced.
271	console.warn('TrustedTypes policy ' + policyName + ' could not be created.');
272	return null;
273	}
274	};
275	function createDOMPurify() {
276	let window = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : getGlobal();
277	const DOMPurify = root => createDOMPurify(root);
278
279	/**
280	* Version label, exposed for easier checks
281	* if DOMPurify is up to date or not
282	*/
283	DOMPurify.version = '3.0.8';
284
285	/**
286	* Array of elements that DOMPurify removed during sanitation.
287	* Empty if nothing was removed.
288	*/
289	DOMPurify.removed = [];
290	if (!window \|\| !window.document \|\| window.document.nodeType !== 9) {
291	// Not running in a browser, provide a factory function
292	// so that you can pass your own Window
293	DOMPurify.isSupported = false;
294	return DOMPurify;
295	}
296	let {
297	document
298	} = window;
299	const originalDocument = document;
300	const currentScript = originalDocument.currentScript;
301	const {
302	DocumentFragment,
303	HTMLTemplateElement,
304	Node,
305	Element,
306	NodeFilter,
307	NamedNodeMap = window.NamedNodeMap \|\| window.MozNamedAttrMap,
308	HTMLFormElement,
309	DOMParser,
310	trustedTypes
311	} = window;
312	const ElementPrototype = Element.prototype;
313	const cloneNode = lookupGetter(ElementPrototype, 'cloneNode');
314	const getNextSibling = lookupGetter(ElementPrototype, 'nextSibling');
315	const getChildNodes = lookupGetter(ElementPrototype, 'childNodes');
316	const getParentNode = lookupGetter(ElementPrototype, 'parentNode');
317
318	// As per issue #47, the web-components registry is inherited by a
319	// new document created via createHTMLDocument. As per the spec
320	// (http://w3c.github.io/webcomponents/spec/custom/#creating-and-passing-registries)
321	// a new empty registry is used when creating a template contents owner
322	// document, so we use that as our parent document to ensure nothing
323	// is inherited.
324	if (typeof HTMLTemplateElement === 'function') {
325	const template = document.createElement('template');
326	if (template.content && template.content.ownerDocument) {
327	document = template.content.ownerDocument;
328	}
329	}
330	let trustedTypesPolicy;
331	let emptyHTML = '';
332	const {
333	implementation,
334	createNodeIterator,
335	createDocumentFragment,
336	getElementsByTagName
337	} = document;
338	const {
339	importNode
340	} = originalDocument;
341	let hooks = {};
342
343	/**
344	* Expose whether this browser supports running the full DOMPurify.
345	*/
346	DOMPurify.isSupported = typeof entries === 'function' && typeof getParentNode === 'function' && implementation && implementation.createHTMLDocument !== undefined;
347	const {
348	MUSTACHE_EXPR,
349	ERB_EXPR,
350	TMPLIT_EXPR,
351	DATA_ATTR,
352	ARIA_ATTR,
353	IS_SCRIPT_OR_DATA,
354	ATTR_WHITESPACE
355	} = EXPRESSIONS;
356	let {
357	IS_ALLOWED_URI: IS_ALLOWED_URI$1
358	} = EXPRESSIONS;
359
360	/**
361	* We consider the elements and attributes below to be safe. Ideally
362	* don't add any new ones but feel free to remove unwanted ones.
363	*/
364
365	/* allowed element names */
366	let ALLOWED_TAGS = null;
367	const DEFAULT_ALLOWED_TAGS = addToSet({}, [...html$1, ...svg$1, ...svgFilters, ...mathMl$1, ...text]);
368
369	/* Allowed attribute names */
370	let ALLOWED_ATTR = null;
371	const DEFAULT_ALLOWED_ATTR = addToSet({}, [...html, ...svg, ...mathMl, ...xml]);
372
373	/*
374	* Configure how DOMPUrify should handle custom elements and their attributes as well as customized built-in elements.
375	* @property {RegExp\|Function\|null} tagNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any custom elements)
376	* @property {RegExp\|Function\|null} attributeNameCheck one of [null, regexPattern, predicate]. Default: `null` (disallow any attributes not on the allow list)
377	* @property {boolean} allowCustomizedBuiltInElements allow custom elements derived from built-ins if they pass CUSTOM_ELEMENT_HANDLING.tagNameCheck. Default: `false`.
378	*/
379	let CUSTOM_ELEMENT_HANDLING = Object.seal(create(null, {
380	tagNameCheck: {
381	writable: true,
382	configurable: false,
383	enumerable: true,
384	value: null
385	},
386	attributeNameCheck: {
387	writable: true,
388	configurable: false,
389	enumerable: true,
390	value: null
391	},
392	allowCustomizedBuiltInElements: {
393	writable: true,
394	configurable: false,
395	enumerable: true,
396	value: false
397	}
398	}));
399
400	/* Explicitly forbidden tags (overrides ALLOWED_TAGS/ADD_TAGS) */
401	let FORBID_TAGS = null;
402
403	/* Explicitly forbidden attributes (overrides ALLOWED_ATTR/ADD_ATTR) */
404	let FORBID_ATTR = null;
405
406	/* Decide if ARIA attributes are okay */
407	let ALLOW_ARIA_ATTR = true;
408
409	/* Decide if custom data attributes are okay */
410	let ALLOW_DATA_ATTR = true;
411
412	/* Decide if unknown protocols are okay */
413	let ALLOW_UNKNOWN_PROTOCOLS = false;
414
415	/* Decide if self-closing tags in attributes are allowed.
416	* Usually removed due to a mXSS issue in jQuery 3.0 */
417	let ALLOW_SELF_CLOSE_IN_ATTR = true;
418
419	/* Output should be safe for common template engines.
420	* This means, DOMPurify removes data attributes, mustaches and ERB
421	*/
422	let SAFE_FOR_TEMPLATES = false;
423
424	/* Decide if document with <html>... should be returned */
425	let WHOLE_DOCUMENT = false;
426
427	/* Track whether config is already set on this instance of DOMPurify. */
428	let SET_CONFIG = false;
429
430	/* Decide if all elements (e.g. style, script) must be children of
431	* document.body. By default, browsers might move them to document.head */
432	let FORCE_BODY = false;
433
434	/* Decide if a DOM `HTMLBodyElement` should be returned, instead of a html
435	* string (or a TrustedHTML object if Trusted Types are supported).
436	* If `WHOLE_DOCUMENT` is enabled a `HTMLHtmlElement` will be returned instead
437	*/
438	let RETURN_DOM = false;
439
440	/* Decide if a DOM `DocumentFragment` should be returned, instead of a html
441	* string (or a TrustedHTML object if Trusted Types are supported) */
442	let RETURN_DOM_FRAGMENT = false;
443
444	/* Try to return a Trusted Type object instead of a string, return a string in
445	* case Trusted Types are not supported */
446	let RETURN_TRUSTED_TYPE = false;
447
448	/* Output should be free from DOM clobbering attacks?
449	* This sanitizes markups named with colliding, clobberable built-in DOM APIs.
450	*/
451	let SANITIZE_DOM = true;
452
453	/* Achieve full DOM Clobbering protection by isolating the namespace of named
454	* properties and JS variables, mitigating attacks that abuse the HTML/DOM spec rules.
455	*
456	* HTML/DOM spec rules that enable DOM Clobbering:
457	* - Named Access on Window (§7.3.3)
458	* - DOM Tree Accessors (§3.1.5)
459	* - Form Element Parent-Child Relations (§4.10.3)
460	* - Iframe srcdoc / Nested WindowProxies (§4.8.5)
461	* - HTMLCollection (§4.2.10.2)
462	*
463	* Namespace isolation is implemented by prefixing `id` and `name` attributes
464	* with a constant string, i.e., `user-content-`
465	*/
466	let SANITIZE_NAMED_PROPS = false;
467	const SANITIZE_NAMED_PROPS_PREFIX = 'user-content-';
468
469	/* Keep element content when removing element? */
470	let KEEP_CONTENT = true;
471
472	/* If a `Node` is passed to sanitize(), then performs sanitization in-place instead
473	* of importing it into a new Document and returning a sanitized copy */
474	let IN_PLACE = false;
475
476	/* Allow usage of profiles like html, svg and mathMl */
477	let USE_PROFILES = {};
478
479	/* Tags to ignore content of when KEEP_CONTENT is true */
480	let FORBID_CONTENTS = null;
481	const DEFAULT_FORBID_CONTENTS = addToSet({}, ['annotation-xml', 'audio', 'colgroup', 'desc', 'foreignobject', 'head', 'iframe', 'math', 'mi', 'mn', 'mo', 'ms', 'mtext', 'noembed', 'noframes', 'noscript', 'plaintext', 'script', 'style', 'svg', 'template', 'thead', 'title', 'video', 'xmp']);
482
483	/* Tags that are safe for data: URIs */
484	let DATA_URI_TAGS = null;
485	const DEFAULT_DATA_URI_TAGS = addToSet({}, ['audio', 'video', 'img', 'source', 'image', 'track']);
486
487	/* Attributes safe for values like "javascript:" */
488	let URI_SAFE_ATTRIBUTES = null;
489	const DEFAULT_URI_SAFE_ATTRIBUTES = addToSet({}, ['alt', 'class', 'for', 'id', 'label', 'name', 'pattern', 'placeholder', 'role', 'summary', 'title', 'value', 'style', 'xmlns']);
490	const MATHML_NAMESPACE = 'http://www.w3.org/1998/Math/MathML';
491	const SVG_NAMESPACE = 'http://www.w3.org/2000/svg';
492	const HTML_NAMESPACE = 'http://www.w3.org/1999/xhtml';
493	/* Document namespace */
494	let NAMESPACE = HTML_NAMESPACE;
495	let IS_EMPTY_INPUT = false;
496
497	/* Allowed XHTML+XML namespaces */
498	let ALLOWED_NAMESPACES = null;
499	const DEFAULT_ALLOWED_NAMESPACES = addToSet({}, [MATHML_NAMESPACE, SVG_NAMESPACE, HTML_NAMESPACE], stringToString);
500
501	/* Parsing of strict XHTML documents */
502	let PARSER_MEDIA_TYPE = null;
503	const SUPPORTED_PARSER_MEDIA_TYPES = ['application/xhtml+xml', 'text/html'];
504	const DEFAULT_PARSER_MEDIA_TYPE = 'text/html';
505	let transformCaseFunc = null;
506
507	/* Keep a reference to config to pass to hooks */
508	let CONFIG = null;
509
510	/* Ideally, do not touch anything below this line */
511	/* ______________________________________________ */
512
513	const formElement = document.createElement('form');
514	const isRegexOrFunction = function isRegexOrFunction(testValue) {
515	return testValue instanceof RegExp \|\| testValue instanceof Function;
516	};
517
518	/**
519	* _parseConfig
520	*
521	* @param {Object} cfg optional config literal
522	*/
523	// eslint-disable-next-line complexity
524	const _parseConfig = function _parseConfig() {
525	let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
526	if (CONFIG && CONFIG === cfg) {
527	return;
528	}
529
530	/* Shield configuration object from tampering */
531	if (!cfg \|\| typeof cfg !== 'object') {
532	cfg = {};
533	}
534
535	/* Shield configuration object from prototype pollution */
536	cfg = clone(cfg);
537	PARSER_MEDIA_TYPE =
538	// eslint-disable-next-line unicorn/prefer-includes
539	SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1 ? DEFAULT_PARSER_MEDIA_TYPE : cfg.PARSER_MEDIA_TYPE;
540
541	// HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
542	transformCaseFunc = PARSER_MEDIA_TYPE === 'application/xhtml+xml' ? stringToString : stringToLowerCase;
543
544	/* Set configuration parameters */
545	ALLOWED_TAGS = 'ALLOWED_TAGS' in cfg ? addToSet({}, cfg.ALLOWED_TAGS, transformCaseFunc) : DEFAULT_ALLOWED_TAGS;
546	ALLOWED_ATTR = 'ALLOWED_ATTR' in cfg ? addToSet({}, cfg.ALLOWED_ATTR, transformCaseFunc) : DEFAULT_ALLOWED_ATTR;
547	ALLOWED_NAMESPACES = 'ALLOWED_NAMESPACES' in cfg ? addToSet({}, cfg.ALLOWED_NAMESPACES, stringToString) : DEFAULT_ALLOWED_NAMESPACES;
548	URI_SAFE_ATTRIBUTES = 'ADD_URI_SAFE_ATTR' in cfg ? addToSet(clone(DEFAULT_URI_SAFE_ATTRIBUTES),
549	// eslint-disable-line indent
550	cfg.ADD_URI_SAFE_ATTR,
551	// eslint-disable-line indent
552	transformCaseFunc // eslint-disable-line indent
553	) // eslint-disable-line indent
554	: DEFAULT_URI_SAFE_ATTRIBUTES;
555	DATA_URI_TAGS = 'ADD_DATA_URI_TAGS' in cfg ? addToSet(clone(DEFAULT_DATA_URI_TAGS),
556	// eslint-disable-line indent
557	cfg.ADD_DATA_URI_TAGS,
558	// eslint-disable-line indent
559	transformCaseFunc // eslint-disable-line indent
560	) // eslint-disable-line indent
561	: DEFAULT_DATA_URI_TAGS;
562	FORBID_CONTENTS = 'FORBID_CONTENTS' in cfg ? addToSet({}, cfg.FORBID_CONTENTS, transformCaseFunc) : DEFAULT_FORBID_CONTENTS;
563	FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS, transformCaseFunc) : {};
564	FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR, transformCaseFunc) : {};
565	USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
566	ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
567	ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
568	ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS \|\| false; // Default false
569	ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
570	SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES \|\| false; // Default false
571	WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT \|\| false; // Default false
572	RETURN_DOM = cfg.RETURN_DOM \|\| false; // Default false
573	RETURN_DOM_FRAGMENT = cfg.RETURN_DOM_FRAGMENT \|\| false; // Default false
574	RETURN_TRUSTED_TYPE = cfg.RETURN_TRUSTED_TYPE \|\| false; // Default false
575	FORCE_BODY = cfg.FORCE_BODY \|\| false; // Default false
576	SANITIZE_DOM = cfg.SANITIZE_DOM !== false; // Default true
577	SANITIZE_NAMED_PROPS = cfg.SANITIZE_NAMED_PROPS \|\| false; // Default false
578	KEEP_CONTENT = cfg.KEEP_CONTENT !== false; // Default true
579	IN_PLACE = cfg.IN_PLACE \|\| false; // Default false
580	IS_ALLOWED_URI$1 = cfg.ALLOWED_URI_REGEXP \|\| IS_ALLOWED_URI;
581	NAMESPACE = cfg.NAMESPACE \|\| HTML_NAMESPACE;
582	CUSTOM_ELEMENT_HANDLING = cfg.CUSTOM_ELEMENT_HANDLING \|\| {};
583	if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck)) {
584	CUSTOM_ELEMENT_HANDLING.tagNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.tagNameCheck;
585	}
586	if (cfg.CUSTOM_ELEMENT_HANDLING && isRegexOrFunction(cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck)) {
587	CUSTOM_ELEMENT_HANDLING.attributeNameCheck = cfg.CUSTOM_ELEMENT_HANDLING.attributeNameCheck;
588	}
589	if (cfg.CUSTOM_ELEMENT_HANDLING && typeof cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements === 'boolean') {
590	CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements = cfg.CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements;
591	}
592	if (SAFE_FOR_TEMPLATES) {
593	ALLOW_DATA_ATTR = false;
594	}
595	if (RETURN_DOM_FRAGMENT) {
596	RETURN_DOM = true;
597	}
598
599	/* Parse profile info */
600	if (USE_PROFILES) {
601	ALLOWED_TAGS = addToSet({}, text);
602	ALLOWED_ATTR = [];
603	if (USE_PROFILES.html === true) {
604	addToSet(ALLOWED_TAGS, html$1);
605	addToSet(ALLOWED_ATTR, html);
606	}
607	if (USE_PROFILES.svg === true) {
608	addToSet(ALLOWED_TAGS, svg$1);
609	addToSet(ALLOWED_ATTR, svg);
610	addToSet(ALLOWED_ATTR, xml);
611	}
612	if (USE_PROFILES.svgFilters === true) {
613	addToSet(ALLOWED_TAGS, svgFilters);
614	addToSet(ALLOWED_ATTR, svg);
615	addToSet(ALLOWED_ATTR, xml);
616	}
617	if (USE_PROFILES.mathMl === true) {
618	addToSet(ALLOWED_TAGS, mathMl$1);
619	addToSet(ALLOWED_ATTR, mathMl);
620	addToSet(ALLOWED_ATTR, xml);
621	}
622	}
623
624	/* Merge configuration parameters */
625	if (cfg.ADD_TAGS) {
626	if (ALLOWED_TAGS === DEFAULT_ALLOWED_TAGS) {
627	ALLOWED_TAGS = clone(ALLOWED_TAGS);
628	}
629	addToSet(ALLOWED_TAGS, cfg.ADD_TAGS, transformCaseFunc);
630	}
631	if (cfg.ADD_ATTR) {
632	if (ALLOWED_ATTR === DEFAULT_ALLOWED_ATTR) {
633	ALLOWED_ATTR = clone(ALLOWED_ATTR);
634	}
635	addToSet(ALLOWED_ATTR, cfg.ADD_ATTR, transformCaseFunc);
636	}
637	if (cfg.ADD_URI_SAFE_ATTR) {
638	addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR, transformCaseFunc);
639	}
640	if (cfg.FORBID_CONTENTS) {
641	if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
642	FORBID_CONTENTS = clone(FORBID_CONTENTS);
643	}
644	addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS, transformCaseFunc);
645	}
646
647	/* Add #text in case KEEP_CONTENT is set to true */
648	if (KEEP_CONTENT) {
649	ALLOWED_TAGS['#text'] = true;
650	}
651
652	/* Add html, head and body to ALLOWED_TAGS in case WHOLE_DOCUMENT is true */
653	if (WHOLE_DOCUMENT) {
654	addToSet(ALLOWED_TAGS, ['html', 'head', 'body']);
655	}
656
657	/* Add tbody to ALLOWED_TAGS in case tables are permitted, see #286, #365 */
658	if (ALLOWED_TAGS.table) {
659	addToSet(ALLOWED_TAGS, ['tbody']);
660	delete FORBID_TAGS.tbody;
661	}
662	if (cfg.TRUSTED_TYPES_POLICY) {
663	if (typeof cfg.TRUSTED_TYPES_POLICY.createHTML !== 'function') {
664	throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createHTML" hook.');
665	}
666	if (typeof cfg.TRUSTED_TYPES_POLICY.createScriptURL !== 'function') {
667	throw typeErrorCreate('TRUSTED_TYPES_POLICY configuration option must provide a "createScriptURL" hook.');
668	}
669
670	// Overwrite existing TrustedTypes policy.
671	trustedTypesPolicy = cfg.TRUSTED_TYPES_POLICY;
672
673	// Sign local variables required by `sanitize`.
674	emptyHTML = trustedTypesPolicy.createHTML('');
675	} else {
676	// Uninitialized policy, attempt to initialize the internal dompurify policy.
677	if (trustedTypesPolicy === undefined) {
678	trustedTypesPolicy = _createTrustedTypesPolicy(trustedTypes, currentScript);
679	}
680
681	// If creating the internal policy succeeded sign internal variables.
682	if (trustedTypesPolicy !== null && typeof emptyHTML === 'string') {
683	emptyHTML = trustedTypesPolicy.createHTML('');
684	}
685	}
686
687	// Prevent further manipulation of configuration.
688	// Not available in IE8, Safari 5, etc.
689	if (freeze) {
690	freeze(cfg);
691	}
692	CONFIG = cfg;
693	};
694	const MATHML_TEXT_INTEGRATION_POINTS = addToSet({}, ['mi', 'mo', 'mn', 'ms', 'mtext']);
695	const HTML_INTEGRATION_POINTS = addToSet({}, ['foreignobject', 'desc', 'title', 'annotation-xml']);
696
697	// Certain elements are allowed in both SVG and HTML
698	// namespace. We need to specify them explicitly
699	// so that they don't get erroneously deleted from
700	// HTML namespace.
701	const COMMON_SVG_AND_HTML_ELEMENTS = addToSet({}, ['title', 'style', 'font', 'a', 'script']);
702
703	/* Keep track of all possible SVG and MathML tags
704	* so that we can perform the namespace checks
705	* correctly. */
706	const ALL_SVG_TAGS = addToSet({}, [...svg$1, ...svgFilters, ...svgDisallowed]);
707	const ALL_MATHML_TAGS = addToSet({}, [...mathMl$1, ...mathMlDisallowed]);
708
709	/**
710	* @param {Element} element a DOM element whose namespace is being checked
711	* @returns {boolean} Return false if the element has a
712	* namespace that a spec-compliant parser would never
713	* return. Return true otherwise.
714	*/
715	const _checkValidNamespace = function _checkValidNamespace(element) {
716	let parent = getParentNode(element);
717
718	// In JSDOM, if we're inside shadow DOM, then parentNode
719	// can be null. We just simulate parent in this case.
720	if (!parent \|\| !parent.tagName) {
721	parent = {
722	namespaceURI: NAMESPACE,
723	tagName: 'template'
724	};
725	}
726	const tagName = stringToLowerCase(element.tagName);
727	const parentTagName = stringToLowerCase(parent.tagName);
728	if (!ALLOWED_NAMESPACES[element.namespaceURI]) {
729	return false;
730	}
731	if (element.namespaceURI === SVG_NAMESPACE) {
732	// The only way to switch from HTML namespace to SVG
733	// is via <svg>. If it happens via any other tag, then
734	// it should be killed.
735	if (parent.namespaceURI === HTML_NAMESPACE) {
736	return tagName === 'svg';
737	}
738
739	// The only way to switch from MathML to SVG is via`
740	// svg if parent is either <annotation-xml> or MathML
741	// text integration points.
742	if (parent.namespaceURI === MATHML_NAMESPACE) {
743	return tagName === 'svg' && (parentTagName === 'annotation-xml' \|\| MATHML_TEXT_INTEGRATION_POINTS[parentTagName]);
744	}
745
746	// We only allow elements that are defined in SVG
747	// spec. All others are disallowed in SVG namespace.
748	return Boolean(ALL_SVG_TAGS[tagName]);
749	}
750	if (element.namespaceURI === MATHML_NAMESPACE) {
751	// The only way to switch from HTML namespace to MathML
752	// is via <math>. If it happens via any other tag, then
753	// it should be killed.
754	if (parent.namespaceURI === HTML_NAMESPACE) {
755	return tagName === 'math';
756	}
757
758	// The only way to switch from SVG to MathML is via
759	// <math> and HTML integration points
760	if (parent.namespaceURI === SVG_NAMESPACE) {
761	return tagName === 'math' && HTML_INTEGRATION_POINTS[parentTagName];
762	}
763
764	// We only allow elements that are defined in MathML
765	// spec. All others are disallowed in MathML namespace.
766	return Boolean(ALL_MATHML_TAGS[tagName]);
767	}
768	if (element.namespaceURI === HTML_NAMESPACE) {
769	// The only way to switch from SVG to HTML is via
770	// HTML integration points, and from MathML to HTML
771	// is via MathML text integration points
772	if (parent.namespaceURI === SVG_NAMESPACE && !HTML_INTEGRATION_POINTS[parentTagName]) {
773	return false;
774	}
775	if (parent.namespaceURI === MATHML_NAMESPACE && !MATHML_TEXT_INTEGRATION_POINTS[parentTagName]) {
776	return false;
777	}
778
779	// We disallow tags that are specific for MathML
780	// or SVG and should never appear in HTML namespace
781	return !ALL_MATHML_TAGS[tagName] && (COMMON_SVG_AND_HTML_ELEMENTS[tagName] \|\| !ALL_SVG_TAGS[tagName]);
782	}
783
784	// For XHTML and XML documents that support custom namespaces
785	if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && ALLOWED_NAMESPACES[element.namespaceURI]) {
786	return true;
787	}
788
789	// The code should never reach this place (this means
790	// that the element somehow got namespace that is not
791	// HTML, SVG, MathML or allowed via ALLOWED_NAMESPACES).
792	// Return false just in case.
793	return false;
794	};
795
796	/**
797	* _forceRemove
798	*
799	* @param {Node} node a DOM node
800	*/
801	const _forceRemove = function _forceRemove(node) {
802	arrayPush(DOMPurify.removed, {
803	element: node
804	});
805	try {
806	// eslint-disable-next-line unicorn/prefer-dom-node-remove
807	node.parentNode.removeChild(node);
808	} catch (_) {
809	node.remove();
810	}
811	};
812
813	/**
814	* _removeAttribute
815	*
816	* @param {String} name an Attribute name
817	* @param {Node} node a DOM node
818	*/
819	const _removeAttribute = function _removeAttribute(name, node) {
820	try {
821	arrayPush(DOMPurify.removed, {
822	attribute: node.getAttributeNode(name),
823	from: node
824	});
825	} catch (_) {
826	arrayPush(DOMPurify.removed, {
827	attribute: null,
828	from: node
829	});
830	}
831	node.removeAttribute(name);
832
833	// We void attribute values for unremovable "is"" attributes
834	if (name === 'is' && !ALLOWED_ATTR[name]) {
835	if (RETURN_DOM \|\| RETURN_DOM_FRAGMENT) {
836	try {
837	_forceRemove(node);
838	} catch (_) {}
839	} else {
840	try {
841	node.setAttribute(name, '');
842	} catch (_) {}
843	}
844	}
845	};
846
847	/**
848	* _initDocument
849	*
850	* @param {String} dirty a string of dirty markup
851	* @return {Document} a DOM, filled with the dirty markup
852	*/
853	const _initDocument = function _initDocument(dirty) {
854	/* Create a HTML document */
855	let doc = null;
856	let leadingWhitespace = null;
857	if (FORCE_BODY) {
858	dirty = '<remove></remove>' + dirty;
859	} else {
860	/* If FORCE_BODY isn't used, leading whitespace needs to be preserved manually */
861	const matches = stringMatch(dirty, /^[\r\n\t ]+/);
862	leadingWhitespace = matches && matches[0];
863	}
864	if (PARSER_MEDIA_TYPE === 'application/xhtml+xml' && NAMESPACE === HTML_NAMESPACE) {
865	// Root of XHTML doc must contain xmlns declaration (see https://www.w3.org/TR/xhtml1/normative.html#strict)
866	dirty = '<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body>' + dirty + '</body></html>';
867	}
868	const dirtyPayload = trustedTypesPolicy ? trustedTypesPolicy.createHTML(dirty) : dirty;
869	/*
870	* Use the DOMParser API by default, fallback later if needs be
871	* DOMParser not work for svg when has multiple root element.
872	*/
873	if (NAMESPACE === HTML_NAMESPACE) {
874	try {
875	doc = new DOMParser().parseFromString(dirtyPayload, PARSER_MEDIA_TYPE);
876	} catch (_) {}
877	}
878
879	/* Use createHTMLDocument in case DOMParser is not available */
880	if (!doc \|\| !doc.documentElement) {
881	doc = implementation.createDocument(NAMESPACE, 'template', null);
882	try {
883	doc.documentElement.innerHTML = IS_EMPTY_INPUT ? emptyHTML : dirtyPayload;
884	} catch (_) {
885	// Syntax error if dirtyPayload is invalid xml
886	}
887	}
888	const body = doc.body \|\| doc.documentElement;
889	if (dirty && leadingWhitespace) {
890	body.insertBefore(document.createTextNode(leadingWhitespace), body.childNodes[0] \|\| null);
891	}
892
893	/* Work on whole document or just its body */
894	if (NAMESPACE === HTML_NAMESPACE) {
895	return getElementsByTagName.call(doc, WHOLE_DOCUMENT ? 'html' : 'body')[0];
896	}
897	return WHOLE_DOCUMENT ? doc.documentElement : body;
898	};
899
900	/**
901	* Creates a NodeIterator object that you can use to traverse filtered lists of nodes or elements in a document.
902	*
903	* @param {Node} root The root element or node to start traversing on.
904	* @return {NodeIterator} The created NodeIterator
905	*/
906	const _createNodeIterator = function _createNodeIterator(root) {
907	return createNodeIterator.call(root.ownerDocument \|\| root, root,
908	// eslint-disable-next-line no-bitwise
909	NodeFilter.SHOW_ELEMENT \| NodeFilter.SHOW_COMMENT \| NodeFilter.SHOW_TEXT, null);
910	};
911
912	/**
913	* _isClobbered
914	*
915	* @param {Node} elm element to check for clobbering attacks
916	* @return {Boolean} true if clobbered, false if safe
917	*/
918	const _isClobbered = function _isClobbered(elm) {
919	return elm instanceof HTMLFormElement && (typeof elm.nodeName !== 'string' \|\| typeof elm.textContent !== 'string' \|\| typeof elm.removeChild !== 'function' \|\| !(elm.attributes instanceof NamedNodeMap) \|\| typeof elm.removeAttribute !== 'function' \|\| typeof elm.setAttribute !== 'function' \|\| typeof elm.namespaceURI !== 'string' \|\| typeof elm.insertBefore !== 'function' \|\| typeof elm.hasChildNodes !== 'function');
920	};
921
922	/**
923	* Checks whether the given object is a DOM node.
924	*
925	* @param {Node} object object to check whether it's a DOM node
926	* @return {Boolean} true is object is a DOM node
927	*/
928	const _isNode = function _isNode(object) {
929	return typeof Node === 'function' && object instanceof Node;
930	};
931
932	/**
933	* _executeHook
934	* Execute user configurable hooks
935	*
936	* @param {String} entryPoint Name of the hook's entry point
937	* @param {Node} currentNode node to work on with the hook
938	* @param {Object} data additional hook parameters
939	*/
940	const _executeHook = function _executeHook(entryPoint, currentNode, data) {
941	if (!hooks[entryPoint]) {
942	return;
943	}
944	arrayForEach(hooks[entryPoint], hook => {
945	hook.call(DOMPurify, currentNode, data, CONFIG);
946	});
947	};
948
949	/**
950	* _sanitizeElements
951	*
952	* @protect nodeName
953	* @protect textContent
954	* @protect removeChild
955	*
956	* @param {Node} currentNode to check for permission to exist
957	* @return {Boolean} true if node was killed, false if left alive
958	*/
959	const _sanitizeElements = function _sanitizeElements(currentNode) {
960	let content = null;
961
962	/* Execute a hook if present */
963	_executeHook('beforeSanitizeElements', currentNode, null);
964
965	/* Check if element is clobbered or can clobber */
966	if (_isClobbered(currentNode)) {
967	_forceRemove(currentNode);
968	return true;
969	}
970
971	/* Now let's check the element's type and name */
972	const tagName = transformCaseFunc(currentNode.nodeName);
973
974	/* Execute a hook if present */
975	_executeHook('uponSanitizeElement', currentNode, {
976	tagName,
977	allowedTags: ALLOWED_TAGS
978	});
979
980	/* Detect mXSS attempts abusing namespace confusion */
981	if (currentNode.hasChildNodes() && !_isNode(currentNode.firstElementChild) && regExpTest(/<[/\w]/g, currentNode.innerHTML) && regExpTest(/<[/\w]/g, currentNode.textContent)) {
982	_forceRemove(currentNode);
983	return true;
984	}
985
986	/* Remove element if anything forbids its presence */
987	if (!ALLOWED_TAGS[tagName] \|\| FORBID_TAGS[tagName]) {
988	/* Check if we have a custom element to handle */
989	if (!FORBID_TAGS[tagName] && _isBasicCustomElement(tagName)) {
990	if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, tagName)) {
991	return false;
992	}
993	if (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(tagName)) {
994	return false;
995	}
996	}
997
998	/* Keep content except for bad-listed elements */
999	if (KEEP_CONTENT && !FORBID_CONTENTS[tagName]) {
1000	const parentNode = getParentNode(currentNode) \|\| currentNode.parentNode;
1001	const childNodes = getChildNodes(currentNode) \|\| currentNode.childNodes;
1002	if (childNodes && parentNode) {
1003	const childCount = childNodes.length;
1004	for (let i = childCount - 1; i >= 0; --i) {
1005	parentNode.insertBefore(cloneNode(childNodes[i], true), getNextSibling(currentNode));
1006	}
1007	}
1008	}
1009	_forceRemove(currentNode);
1010	return true;
1011	}
1012
1013	/* Check whether element has a valid namespace */
1014	if (currentNode instanceof Element && !_checkValidNamespace(currentNode)) {
1015	_forceRemove(currentNode);
1016	return true;
1017	}
1018
1019	/* Make sure that older browsers don't get fallback-tag mXSS */
1020	if ((tagName === 'noscript' \|\| tagName === 'noembed' \|\| tagName === 'noframes') && regExpTest(/<\/no(script\|embed\|frames)/i, currentNode.innerHTML)) {
1021	_forceRemove(currentNode);
1022	return true;
1023	}
1024
1025	/* Sanitize element content to be template-safe */
1026	if (SAFE_FOR_TEMPLATES && currentNode.nodeType === 3) {
1027	/* Get the element's text content */
1028	content = currentNode.textContent;
1029	arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
1030	content = stringReplace(content, expr, ' ');
1031	});
1032	if (currentNode.textContent !== content) {
1033	arrayPush(DOMPurify.removed, {
1034	element: currentNode.cloneNode()
1035	});
1036	currentNode.textContent = content;
1037	}
1038	}
1039
1040	/* Execute a hook if present */
1041	_executeHook('afterSanitizeElements', currentNode, null);
1042	return false;
1043	};
1044
1045	/**
1046	* _isValidAttribute
1047	*
1048	* @param {string} lcTag Lowercase tag name of containing element.
1049	* @param {string} lcName Lowercase attribute name.
1050	* @param {string} value Attribute value.
1051	* @return {Boolean} Returns true if `value` is valid, otherwise false.
1052	*/
1053	// eslint-disable-next-line complexity
1054	const _isValidAttribute = function _isValidAttribute(lcTag, lcName, value) {
1055	/* Make sure attribute cannot clobber */
1056	if (SANITIZE_DOM && (lcName === 'id' \|\| lcName === 'name') && (value in document \|\| value in formElement)) {
1057	return false;
1058	}
1059
1060	/* Allow valid data-* attributes: At least one character after "-"
1061	(https://html.spec.whatwg.org/multipage/dom.html#embedding-custom-non-visible-data-with-the-data-*-attributes)
1062	XML-compatible (https://html.spec.whatwg.org/multipage/infrastructure.html#xml-compatible and http://www.w3.org/TR/xml/#d0e804)
1063	We don't need to check the value; it's always URI safe. */
1064	if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] \|\| FORBID_ATTR[lcName]) {
1065	if (
1066	// First condition does a very basic check if a) it's basically a valid custom element tagname AND
1067	// b) if the tagName passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
1068	// and c) if the attribute name passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.attributeNameCheck
1069	_isBasicCustomElement(lcTag) && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, lcTag) \|\| CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(lcTag)) && (CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.attributeNameCheck, lcName) \|\| CUSTOM_ELEMENT_HANDLING.attributeNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.attributeNameCheck(lcName)) \|\|
1070	// Alternative, second condition checks if it's an `is`-attribute, AND
1071	// the value passes whatever the user has configured for CUSTOM_ELEMENT_HANDLING.tagNameCheck
1072	lcName === 'is' && CUSTOM_ELEMENT_HANDLING.allowCustomizedBuiltInElements && (CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof RegExp && regExpTest(CUSTOM_ELEMENT_HANDLING.tagNameCheck, value) \|\| CUSTOM_ELEMENT_HANDLING.tagNameCheck instanceof Function && CUSTOM_ELEMENT_HANDLING.tagNameCheck(value))) ; else {
1073	return false;
1074	}
1075	/* Check value is safe. First, is attr inert? If so, is safe */
1076	} else if (URI_SAFE_ATTRIBUTES[lcName]) ; else if (regExpTest(IS_ALLOWED_URI$1, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if ((lcName === 'src' \|\| lcName === 'xlink:href' \|\| lcName === 'href') && lcTag !== 'script' && stringIndexOf(value, 'data:') === 0 && DATA_URI_TAGS[lcTag]) ; else if (ALLOW_UNKNOWN_PROTOCOLS && !regExpTest(IS_SCRIPT_OR_DATA, stringReplace(value, ATTR_WHITESPACE, ''))) ; else if (value) {
1077	return false;
1078	} else ;
1079	return true;
1080	};
1081
1082	/**
1083	* _isBasicCustomElement
1084	* checks if at least one dash is included in tagName, and it's not the first char
1085	* for more sophisticated checking see https://github.com/sindresorhus/validate-element-name
1086	*
1087	* @param {string} tagName name of the tag of the node to sanitize
1088	* @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
1089	*/
1090	const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
1091	return tagName.indexOf('-') > 0;
1092	};
1093
1094	/**
1095	* _sanitizeAttributes
1096	*
1097	* @protect attributes
1098	* @protect nodeName
1099	* @protect removeAttribute
1100	* @protect setAttribute
1101	*
1102	* @param {Node} currentNode to sanitize
1103	*/
1104	const _sanitizeAttributes = function _sanitizeAttributes(currentNode) {
1105	/* Execute a hook if present */
1106	_executeHook('beforeSanitizeAttributes', currentNode, null);
1107	const {
1108	attributes
1109	} = currentNode;
1110
1111	/* Check if we have attributes; if not we might have a text node */
1112	if (!attributes) {
1113	return;
1114	}
1115	const hookEvent = {
1116	attrName: '',
1117	attrValue: '',
1118	keepAttr: true,
1119	allowedAttributes: ALLOWED_ATTR
1120	};
1121	let l = attributes.length;
1122
1123	/* Go backwards over all attributes; safely remove bad ones */
1124	while (l--) {
1125	const attr = attributes[l];
1126	const {
1127	name,
1128	namespaceURI,
1129	value: attrValue
1130	} = attr;
1131	const lcName = transformCaseFunc(name);
1132	let value = name === 'value' ? attrValue : stringTrim(attrValue);
1133
1134	/* Execute a hook if present */
1135	hookEvent.attrName = lcName;
1136	hookEvent.attrValue = value;
1137	hookEvent.keepAttr = true;
1138	hookEvent.forceKeepAttr = undefined; // Allows developers to see this is a property they can set
1139	_executeHook('uponSanitizeAttribute', currentNode, hookEvent);
1140	value = hookEvent.attrValue;
1141	/* Did the hooks approve of the attribute? */
1142	if (hookEvent.forceKeepAttr) {
1143	continue;
1144	}
1145
1146	/* Remove attribute */
1147	_removeAttribute(name, currentNode);
1148
1149	/* Did the hooks approve of the attribute? */
1150	if (!hookEvent.keepAttr) {
1151	continue;
1152	}
1153
1154	/* Work around a security issue in jQuery 3.0 */
1155	if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
1156	_removeAttribute(name, currentNode);
1157	continue;
1158	}
1159
1160	/* Sanitize attribute content to be template-safe */
1161	if (SAFE_FOR_TEMPLATES) {
1162	arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
1163	value = stringReplace(value, expr, ' ');
1164	});
1165	}
1166
1167	/* Is `value` valid for this attribute? */
1168	const lcTag = transformCaseFunc(currentNode.nodeName);
1169	if (!_isValidAttribute(lcTag, lcName, value)) {
1170	continue;
1171	}
1172
1173	/* Full DOM Clobbering protection via namespace isolation,
1174	* Prefix id and name attributes with `user-content-`
1175	*/
1176	if (SANITIZE_NAMED_PROPS && (lcName === 'id' \|\| lcName === 'name')) {
1177	// Remove the attribute with this value
1178	_removeAttribute(name, currentNode);
1179
1180	// Prefix the value and later re-create the attribute with the sanitized value
1181	value = SANITIZE_NAMED_PROPS_PREFIX + value;
1182	}
1183
1184	/* Handle attributes that require Trusted Types */
1185	if (trustedTypesPolicy && typeof trustedTypes === 'object' && typeof trustedTypes.getAttributeType === 'function') {
1186	if (namespaceURI) ; else {
1187	switch (trustedTypes.getAttributeType(lcTag, lcName)) {
1188	case 'TrustedHTML':
1189	{
1190	value = trustedTypesPolicy.createHTML(value);
1191	break;
1192	}
1193	case 'TrustedScriptURL':
1194	{
1195	value = trustedTypesPolicy.createScriptURL(value);
1196	break;
1197	}
1198	}
1199	}
1200	}
1201
1202	/* Handle invalid data-* attribute set by try-catching it */
1203	try {
1204	if (namespaceURI) {
1205	currentNode.setAttributeNS(namespaceURI, name, value);
1206	} else {
1207	/* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
1208	currentNode.setAttribute(name, value);
1209	}
1210	arrayPop(DOMPurify.removed);
1211	} catch (_) {}
1212	}
1213
1214	/* Execute a hook if present */
1215	_executeHook('afterSanitizeAttributes', currentNode, null);
1216	};
1217
1218	/**
1219	* _sanitizeShadowDOM
1220	*
1221	* @param {DocumentFragment} fragment to iterate over recursively
1222	*/
1223	const _sanitizeShadowDOM = function _sanitizeShadowDOM(fragment) {
1224	let shadowNode = null;
1225	const shadowIterator = _createNodeIterator(fragment);
1226
1227	/* Execute a hook if present */
1228	_executeHook('beforeSanitizeShadowDOM', fragment, null);
1229	while (shadowNode = shadowIterator.nextNode()) {
1230	/* Execute a hook if present */
1231	_executeHook('uponSanitizeShadowNode', shadowNode, null);
1232
1233	/* Sanitize tags and elements */
1234	if (_sanitizeElements(shadowNode)) {
1235	continue;
1236	}
1237
1238	/* Deep shadow DOM detected */
1239	if (shadowNode.content instanceof DocumentFragment) {
1240	_sanitizeShadowDOM(shadowNode.content);
1241	}
1242
1243	/* Check attributes, sanitize if necessary */
1244	_sanitizeAttributes(shadowNode);
1245	}
1246
1247	/* Execute a hook if present */
1248	_executeHook('afterSanitizeShadowDOM', fragment, null);
1249	};
1250
1251	/**
1252	* Sanitize
1253	* Public method providing core sanitation functionality
1254	*
1255	* @param {String\|Node} dirty string or DOM node
1256	* @param {Object} cfg object
1257	*/
1258	// eslint-disable-next-line complexity
1259	DOMPurify.sanitize = function (dirty) {
1260	let cfg = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
1261	let body = null;
1262	let importedNode = null;
1263	let currentNode = null;
1264	let returnNode = null;
1265	/* Make sure we have a string to sanitize.
1266	DO NOT return early, as this will return the wrong type if
1267	the user has requested a DOM object rather than a string */
1268	IS_EMPTY_INPUT = !dirty;
1269	if (IS_EMPTY_INPUT) {
1270	dirty = '<!-->';
1271	}
1272
1273	/* Stringify, in case dirty is an object */
1274	if (typeof dirty !== 'string' && !_isNode(dirty)) {
1275	if (typeof dirty.toString === 'function') {
1276	dirty = dirty.toString();
1277	if (typeof dirty !== 'string') {
1278	throw typeErrorCreate('dirty is not a string, aborting');
1279	}
1280	} else {
1281	throw typeErrorCreate('toString is not a function');
1282	}
1283	}
1284
1285	/* Return dirty HTML if DOMPurify cannot run */
1286	if (!DOMPurify.isSupported) {
1287	return dirty;
1288	}
1289
1290	/* Assign config vars */
1291	if (!SET_CONFIG) {
1292	_parseConfig(cfg);
1293	}
1294
1295	/* Clean up removed elements */
1296	DOMPurify.removed = [];
1297
1298	/* Check if dirty is correctly typed for IN_PLACE */
1299	if (typeof dirty === 'string') {
1300	IN_PLACE = false;
1301	}
1302	if (IN_PLACE) {
1303	/* Do some early pre-sanitization to avoid unsafe root nodes */
1304	if (dirty.nodeName) {
1305	const tagName = transformCaseFunc(dirty.nodeName);
1306	if (!ALLOWED_TAGS[tagName] \|\| FORBID_TAGS[tagName]) {
1307	throw typeErrorCreate('root node is forbidden and cannot be sanitized in-place');
1308	}
1309	}
1310	} else if (dirty instanceof Node) {
1311	/* If dirty is a DOM element, append to an empty document to avoid
1312	elements being stripped by the parser */
1313	body = _initDocument('<!---->');
1314	importedNode = body.ownerDocument.importNode(dirty, true);
1315	if (importedNode.nodeType === 1 && importedNode.nodeName === 'BODY') {
1316	/* Node is already a body, use as is */
1317	body = importedNode;
1318	} else if (importedNode.nodeName === 'HTML') {
1319	body = importedNode;
1320	} else {
1321	// eslint-disable-next-line unicorn/prefer-dom-node-append
1322	body.appendChild(importedNode);
1323	}
1324	} else {
1325	/* Exit directly if we have nothing to do */
1326	if (!RETURN_DOM && !SAFE_FOR_TEMPLATES && !WHOLE_DOCUMENT &&
1327	// eslint-disable-next-line unicorn/prefer-includes
1328	dirty.indexOf('<') === -1) {
1329	return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(dirty) : dirty;
1330	}
1331
1332	/* Initialize the document to work on */
1333	body = _initDocument(dirty);
1334
1335	/* Check we have a DOM node from the data */
1336	if (!body) {
1337	return RETURN_DOM ? null : RETURN_TRUSTED_TYPE ? emptyHTML : '';
1338	}
1339	}
1340
1341	/* Remove first element node (ours) if FORCE_BODY is set */
1342	if (body && FORCE_BODY) {
1343	_forceRemove(body.firstChild);
1344	}
1345
1346	/* Get node iterator */
1347	const nodeIterator = _createNodeIterator(IN_PLACE ? dirty : body);
1348
1349	/* Now start iterating over the created document */
1350	while (currentNode = nodeIterator.nextNode()) {
1351	/* Sanitize tags and elements */
1352	if (_sanitizeElements(currentNode)) {
1353	continue;
1354	}
1355
1356	/* Shadow DOM detected, sanitize it */
1357	if (currentNode.content instanceof DocumentFragment) {
1358	_sanitizeShadowDOM(currentNode.content);
1359	}
1360
1361	/* Check attributes, sanitize if necessary */
1362	_sanitizeAttributes(currentNode);
1363	}
1364
1365	/* If we sanitized `dirty` in-place, return it. */
1366	if (IN_PLACE) {
1367	return dirty;
1368	}
1369
1370	/* Return sanitized string or DOM */
1371	if (RETURN_DOM) {
1372	if (RETURN_DOM_FRAGMENT) {
1373	returnNode = createDocumentFragment.call(body.ownerDocument);
1374	while (body.firstChild) {
1375	// eslint-disable-next-line unicorn/prefer-dom-node-append
1376	returnNode.appendChild(body.firstChild);
1377	}
1378	} else {
1379	returnNode = body;
1380	}
1381	if (ALLOWED_ATTR.shadowroot \|\| ALLOWED_ATTR.shadowrootmode) {
1382	/*
1383	AdoptNode() is not used because internal state is not reset
1384	(e.g. the past names map of a HTMLFormElement), this is safe
1385	in theory but we would rather not risk another attack vector.
1386	The state that is cloned by importNode() is explicitly defined
1387	by the specs.
1388	*/
1389	returnNode = importNode.call(originalDocument, returnNode, true);
1390	}
1391	return returnNode;
1392	}
1393	let serializedHTML = WHOLE_DOCUMENT ? body.outerHTML : body.innerHTML;
1394
1395	/* Serialize doctype if allowed */
1396	if (WHOLE_DOCUMENT && ALLOWED_TAGS['!doctype'] && body.ownerDocument && body.ownerDocument.doctype && body.ownerDocument.doctype.name && regExpTest(DOCTYPE_NAME, body.ownerDocument.doctype.name)) {
1397	serializedHTML = '<!DOCTYPE ' + body.ownerDocument.doctype.name + '>\n' + serializedHTML;
1398	}
1399
1400	/* Sanitize final string template-safe */
1401	if (SAFE_FOR_TEMPLATES) {
1402	arrayForEach([MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR], expr => {
1403	serializedHTML = stringReplace(serializedHTML, expr, ' ');
1404	});
1405	}
1406	return trustedTypesPolicy && RETURN_TRUSTED_TYPE ? trustedTypesPolicy.createHTML(serializedHTML) : serializedHTML;
1407	};
1408
1409	/**
1410	* Public method to set the configuration once
1411	* setConfig
1412	*
1413	* @param {Object} cfg configuration object
1414	*/
1415	DOMPurify.setConfig = function () {
1416	let cfg = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : {};
1417	_parseConfig(cfg);
1418	SET_CONFIG = true;
1419	};
1420
1421	/**
1422	* Public method to remove the configuration
1423	* clearConfig
1424	*
1425	*/
1426	DOMPurify.clearConfig = function () {
1427	CONFIG = null;
1428	SET_CONFIG = false;
1429	};
1430
1431	/**
1432	* Public method to check if an attribute value is valid.
1433	* Uses last set config, if any. Otherwise, uses config defaults.
1434	* isValidAttribute
1435	*
1436	* @param {String} tag Tag name of containing element.
1437	* @param {String} attr Attribute name.
1438	* @param {String} value Attribute value.
1439	* @return {Boolean} Returns true if `value` is valid. Otherwise, returns false.
1440	*/
1441	DOMPurify.isValidAttribute = function (tag, attr, value) {
1442	/* Initialize shared config vars if necessary. */
1443	if (!CONFIG) {
1444	_parseConfig({});
1445	}
1446	const lcTag = transformCaseFunc(tag);
1447	const lcName = transformCaseFunc(attr);
1448	return _isValidAttribute(lcTag, lcName, value);
1449	};
1450
1451	/**
1452	* AddHook
1453	* Public method to add DOMPurify hooks
1454	*
1455	* @param {String} entryPoint entry point for the hook to add
1456	* @param {Function} hookFunction function to execute
1457	*/
1458	DOMPurify.addHook = function (entryPoint, hookFunction) {
1459	if (typeof hookFunction !== 'function') {
1460	return;
1461	}
1462	hooks[entryPoint] = hooks[entryPoint] \|\| [];
1463	arrayPush(hooks[entryPoint], hookFunction);
1464	};
1465
1466	/**
1467	* RemoveHook
1468	* Public method to remove a DOMPurify hook at a given entryPoint
1469	* (pops it from the stack of hooks if more are present)
1470	*
1471	* @param {String} entryPoint entry point for the hook to remove
1472	* @return {Function} removed(popped) hook
1473	*/
1474	DOMPurify.removeHook = function (entryPoint) {
1475	if (hooks[entryPoint]) {
1476	return arrayPop(hooks[entryPoint]);
1477	}
1478	};
1479
1480	/**
1481	* RemoveHooks
1482	* Public method to remove all DOMPurify hooks at a given entryPoint
1483	*
1484	* @param {String} entryPoint entry point for the hooks to remove
1485	*/
1486	DOMPurify.removeHooks = function (entryPoint) {
1487	if (hooks[entryPoint]) {
1488	hooks[entryPoint] = [];
1489	}
1490	};
1491
1492	/**
1493	* RemoveAllHooks
1494	* Public method to remove all DOMPurify hooks
1495	*/
1496	DOMPurify.removeAllHooks = function () {
1497	hooks = {};
1498	};
1499	return DOMPurify;
1500	}
1501	var purify = createDOMPurify();
1502
1503	module.exports = purify;
1504	//# sourceMappingURL=purify.cjs.js.map

Note: See TracBrowser for help on using the repository browser.

Download in other formats: