Closed tmb-github closed 10 months ago
Note: the 9 warnings provided by the Closure Compiler provide the code that solves the problem (i.e., replacing each of the indicated semicolons with {}
, although the real problem is that those if
statements should simply be turned into comments, since nothing is to be done if those conditions obtain.)
The one error (i.e., return new Func(...args);
) may be fixed with this code revision: return new Func.apply(null, args);
The warnings from the Advanced mode require more work that the author(s) of the code would be best to attend to.
I am wondering, since these are only warnings, why not just ignore them?
Looking at the code, the error thrown by the Closure Compiler comes from code that is older than 3 years:
https://github.com/cure53/DOMPurify/blame/main/src/utils.js#L32
This makes me think the problem is not on our end, wdyt?
Consider line 1163 (of the the stand-alone purify.js):
if (ALLOW_DATA_ATTR && !FORBID_ATTR[lcName] && regExpTest(DATA_ATTR, lcName)) ; else if (ALLOW_ARIA_ATTR && regExpTest(ARIA_ATTR, lcName)) ; else if (!ALLOWED_ATTR[lcName] || FORBID_ATTR[lcName])
The first if
and else if
statements do nothing; they apparently function as comments to the programmer as to what's not being done for certain cases; they really should just be comments. Only the last else if
produces an actionable result.
All of the warnings in simple mode are triggered by this, which is poor coding on the face of it (is there something deeper going on here that necessitates this?)
At the end of the day, those contraptions were created to make it easier to follow the complex sanitization logic and are what I would judge a matter of taste, nothing deeper going on here.
I would personally not judge this as poor coding but am happy to accept that others might think differently about this. Still, not a strong reason yet to change things assuming the only reason is to satisfy another compressor or linter tool than the ones we have opted to use for ourselves.
Background & Context
I use the Closure Compiler for minification. It throws warnings and errors when I attempt to minify purify.js, all of which except one seem to be JavaScript syntax errors (note: at least one set of them seems to be a conflation of Java syntax with JavaScript syntax).
There are three minification settings of the Closure Compiler. One simply removes whitespace, which is not useful. The other two are "simple" and "advanced", which are widely used. There are 9 warnings and 1 error detected in the "simple" minification mode, and 92 warnings and 1 error detected in the "advanced" minification mode. Each warning and error cites the line of code and explains what must be done to fix it.
Please correct the syntax errors and the error so that Closure Compiler can do its work. (These warnings and errors pose a problem for all interpreters of the script, not just the Closure Compiler.)
You may use the online version of the Closure Compiler without any need to install it. It will attempt to compile/minify the JavaScript and report all problems directly in the online interface, so verification of syntax and error correction may be done easily.
Bug
In "simple" compiler mode, the 9 warnings are:
The 1 error detected in "simple" mode is:
In "advanced" mode, the 92 warnings are:
The one error is:
Input
Some HTML which is thrown at DOMPurify.
Given output
The output given by DOMPurify.
Expected output
The Closure Compiler should minify/compile the JavaScript without any warnings or errors, both in "simple" and "advanced" mode.
Feature
n/a