cure53 · Feb 12, 2024
diff --git a/‎dist/purify.cjs.js
+1-1 b/‎dist/purify.cjs.js
+1-1
diff --git a/‎dist/purify.cjs.js.map
+1-1 b/‎dist/purify.cjs.js.map
+1-1
diff --git a/‎dist/purify.es.mjs
+1-1 b/‎dist/purify.es.mjs
+1-1
diff --git a/‎dist/purify.es.mjs.map
+1-1 b/‎dist/purify.es.mjs.map
+1-1
diff --git a/‎dist/purify.js
+1-1 b/‎dist/purify.js
+1-1
diff --git a/‎dist/purify.js.map
+1-1 b/‎dist/purify.js.map
+1-1
diff --git a/‎dist/purify.min.js
+1-1 b/‎dist/purify.min.js
+1-1
diff --git a/‎dist/purify.min.js.map
+1-1 b/‎dist/purify.min.js.map
+1-1
diff --git a/‎src/purify.js
+1-1 b/‎src/purify.js
+1-1
diff --git a/‎test/test-suite.js
+11 b/‎test/test-suite.js
+11
@@ -1088,7 +1088,7 @@ function createDOMPurify() {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function _isBasicCustomElement(tagName) {
-    return tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
   };
 
   /**
 
@@ -1194,7 +1194,7 @@ function createDOMPurify(window = getGlobal()) {
    * @returns {boolean} Returns true if the tag name meets the basic criteria for a custom element, otherwise false.
    */
   const _isBasicCustomElement = function (tagName) {
-    return tagName.indexOf('-') > 0;
+    return tagName !== 'annotation-xml' && tagName.indexOf('-') > 0;
   };
 
   /**
 
@@ -2093,5 +2093,16 @@
       // cleanup hook
       DOMPurify.removeHook(entryPoint);
     });
+    
+    QUnit.test('Test proper removal of annotation-xml w. custom elements', function (assert) {
+      const dirty  = '<svg><annotation-xml><foreignobject><style><!--</style><p id="--><img src=\'x\' onerror=\'alert(1)\'>">';
+      const config = { 
+        CUSTOM_ELEMENT_HANDLING: { tagNameCheck: /.*/ },
+        FORBID_CONTENTS: [""] 
+      };
+      const expected = '<svg></svg>';
+      let clean = DOMPurify.sanitize(dirty, config);
+      assert.contains(clean, expected);
+    });
   };
 });