Update 3.x to be in sync with main

.github/workflows/build-and-test.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'

README.md

@@ -271,7 +271,7 @@ const clean = DOMPurify.sanitize(dirty, {ALLOW_UNKNOWN_PROTOCOLS: true});
 // allow specific protocols handlers in URL attributes via regex (default is false, be careful, XSS risk)
 // by default only http, https, ftp, ftps, tel, mailto, callto, sms, cid and xmpp are allowed.
 // Default RegExp: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;
-const clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i;});
+const clean = DOMPurify.sanitize(dirty, {ALLOWED_URI_REGEXP: /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|sms|cid|xmpp|xxx):|[^a-z]|[a-z+.\-]+(?:[^a-z+.\-:]|$))/i});
 
 ```
 ### Influence the return-type

demos/README.md

@@ -286,7 +286,7 @@ var config = {
 };
 
 // Specify attributes to proxy
-var attributes = ['action', 'background', 'href', 'poster', 'src'];
+var attributes = ['action', 'background', 'href', 'poster', 'src', 'srcset']
 
 // specify the regex to detect external content
 var regex = /(url\("?)(?!data:)/gim;

package.json

@@ -7,19 +7,27 @@
     "commit-amend-build": "scripts/commit-amend-build.sh",
     "prebuild": "rimraf dist/**",
     "dev": "cross-env NODE_ENV=development BABEL_ENV=rollup rollup -w -c -o dist/purify.js",
-    "build": "cross-env run-p build:umd build:umd:min build:es build:cjs",
-    "build:umd": "cross-env NODE_ENV=development BABEL_ENV=rollup rollup -c -f umd -o dist/purify.js",
-    "build:umd:min": "cross-env NODE_ENV=production BABEL_ENV=rollup rollup -c -f umd -o dist/purify.min.js",
-    "build:es": "cross-env NODE_ENV=development BABEL_ENV=rollup rollup -c -f es -o dist/purify.es.js",
-    "build:cjs": "cross-env NODE_ENV=development BABEL_ENV=rollup rollup -c -f cjs -o dist/purify.cjs.js",
+    "build": "rollup -c",
+    "build:umd": "rollup -c -f umd -o dist/purify.js",
+    "build:umd:min": "rollup -c -f umd -o dist/purify.min.js -p terser",
+    "build:es": "rollup -c -f es -o dist/purify.es.mjs",
+    "build:cjs": "rollup -c -f cjs -o dist/purify.cjs.js",
     "test:jsdom": "cross-env NODE_ENV=test BABEL_ENV=rollup node test/jsdom-node-runner --dot",
     "test:karma": "cross-env NODE_ENV=test BABEL_ENV=rollup karma start test/karma.conf.js --log-level warn ",
     "test:ci": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run test:jsdom && npm run test:karma -- --log-level error --reporters dots --single-run --shouldTestOnBrowserStack=\"${TEST_BROWSERSTACK}\" --shouldProbeOnly=\"${TEST_PROBE_ONLY}\"",
     "test": "cross-env NODE_ENV=test BABEL_ENV=rollup npm run lint &&  npm run test:jsdom && npm run test:karma -- --browsers Chrome"
   },
-  "main": "dist/purify.cjs.js",
-  "module": "dist/purify.es.js",
-  "browser": "dist/purify.js",
+  "exports": {
+    ".": {
+      "require": "./dist/purify.cjs.js",
+      "import": "./dist/purify.es.mjs"
+    },
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/purify.cjs.js",
+  "module": "./dist/purify.es.mjs",
+  "browser": "./dist/purify.js",
+  "production": "./dist/purify.min.js",
   "files": [
     "dist"
   ],

rollup.config.js

@@ -3,22 +3,48 @@ const babel = require('@rollup/plugin-babel').babel;
 const nodeResolve = require('@rollup/plugin-node-resolve').nodeResolve;
 const replace = require('@rollup/plugin-replace');
 const { terser } = require('rollup-plugin-terser');
+const pkg = require('./package.json');
 
 const env = process.env.NODE_ENV;
-const isProd = env === 'production';
+const event = process.env.npm_lifecycle_event; // build, build:umd, ...
 const version = process.env.npm_package_version;
-const license = fs.readFileSync('./src/license_header', 'utf8').replace(/VERSION/ig, version);
+const license = fs
+  .readFileSync('./src/license_header', 'utf8')
+  .replace(/VERSION/gi, version);
+
+const commonOutputConfig = {
+  name: 'DOMPurify',
+  sourcemap: true,
+  banner: license,
+  exports: 'default',
+};
 
 const config = {
   input: 'src/purify.js',
   external: [],
-  output: {
-    name: 'DOMPurify',
-    globals: {},
-    format: 'umd',
-    sourcemap: true,
-    banner: license,
-  },
+  output: [
+    {
+      ...commonOutputConfig,
+      file: pkg.browser,
+      format: 'umd',
+    },
+    {
+      ...commonOutputConfig,
+      file: pkg.production,
+      format: 'umd',
+      plugins: event === 'build' ? [terser()] : [],
+    },
+    {
+      ...commonOutputConfig,
+      file: pkg.module,
+      format: 'es',
+    },
+    {
+      ...commonOutputConfig,
+      file: pkg.main,
+      format: 'cjs',
+    },
+  ],
   plugins: [
     babel({
       // It is recommended to configure this option explicitly (even if with its default value) so an informed decision is taken on how those babel helpers are inserted into the code.
@@ -32,13 +58,9 @@ const config = {
       values: {
         'process.env.NODE_ENV': JSON.stringify(env),
         VERSION: `'${version}'`,
-      }
+      },
     }),
   ],
 };
 
-if (isProd) {
-  config.plugins.push(terser());
-}
-
 module.exports = config;

scripts/commit-amend-build.sh

@@ -1,3 +1,3 @@
 echo "# Amending minified assets to HEAD"
 
-git add ./dist/purify.js ./dist/purify.js.map ./dist/purify.min.js ./dist/purify.min.js.map ./dist/purify.cjs.js ./dist/purify.cjs.js.map ./dist/purify.es.js ./dist/purify.es.js.map
+git add ./dist/purify.js ./dist/purify.js.map ./dist/purify.min.js ./dist/purify.min.js.map ./dist/purify.cjs.js ./dist/purify.cjs.js.map ./dist/purify.es.mjs ./dist/purify.es.mjs.map

src/purify.js

@@ -28,9 +28,9 @@ const getGlobal = function () {
 /**
  * Creates a no-op policy for internal use only.
  * Don't export this function outside this module!
- * @param {?TrustedTypePolicyFactory} trustedTypes The policy factory.
+ * @param {TrustedTypePolicyFactory} trustedTypes The policy factory.
  * @param {HTMLScriptElement} purifyHostElement The Script element used to load DOMPurify (to determine policy name suffix).
- * @return {?TrustedTypePolicy} The policy created (or null, if Trusted Types
+ * @return {TrustedTypePolicy} The policy created (or null, if Trusted Types
  * are not supported or creating the policy failed).
  */
 const _createTrustedTypesPolicy = function (trustedTypes, purifyHostElement) {
@@ -412,8 +412,8 @@ function createDOMPurify(window = getGlobal()) {
     PARSER_MEDIA_TYPE =
       // eslint-disable-next-line unicorn/prefer-includes
       SUPPORTED_PARSER_MEDIA_TYPES.indexOf(cfg.PARSER_MEDIA_TYPE) === -1
-        ? (PARSER_MEDIA_TYPE = DEFAULT_PARSER_MEDIA_TYPE)
-        : (PARSER_MEDIA_TYPE = cfg.PARSER_MEDIA_TYPE);
+        ? DEFAULT_PARSER_MEDIA_TYPE
+        : cfg.PARSER_MEDIA_TYPE;
 
     // HTML tags and attributes are not case-sensitive, converting to lowercase. Keeping XHTML as is.
     transformCaseFunc =
@@ -515,7 +515,7 @@ function createDOMPurify(window = getGlobal()) {
 
     /* Parse profile info */
     if (USE_PROFILES) {
-      ALLOWED_TAGS = addToSet({}, [...TAGS.text]);
+      ALLOWED_TAGS = addToSet({}, TAGS.text);
       ALLOWED_ATTR = [];
       if (USE_PROFILES.html === true) {
         addToSet(ALLOWED_TAGS, TAGS.html);
@@ -658,12 +658,15 @@ function createDOMPurify(window = getGlobal()) {
   /* Keep track of all possible SVG and MathML tags
    * so that we can perform the namespace checks
    * correctly. */
-  const ALL_SVG_TAGS = addToSet({}, TAGS.svg);
-  addToSet(ALL_SVG_TAGS, TAGS.svgFilters);
-  addToSet(ALL_SVG_TAGS, TAGS.svgDisallowed);
-
-  const ALL_MATHML_TAGS = addToSet({}, TAGS.mathMl);
-  addToSet(ALL_MATHML_TAGS, TAGS.mathMlDisallowed);
+  const ALL_SVG_TAGS = addToSet({}, [
+    ...TAGS.svg,
+    ...TAGS.svgFilters,
+    ...TAGS.svgDisallowed,
+  ]);
+  const ALL_MATHML_TAGS = addToSet({}, [
+    ...TAGS.mathMl,
+    ...TAGS.mathMlDisallowed,
+  ]);
 
   /**
    * @param  {Element} element a DOM element whose namespace is being checked