From 8e598d7f2395d65e64716bb34f28f6b800740815 Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Mon, 17 Aug 2015 13:51:25 +0800
Subject: [PATCH 1/4] refactored a misspelled var name

---
 src/html-purify.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/html-purify.js b/src/html-purify.js
index 21fe11d..7dfb7e1 100755
--- a/src/html-purify.js
+++ b/src/html-purify.js
@@ -11,7 +11,7 @@ See the accompanying LICENSE file for terms.
         derivedState = require('./derived-states.js'),
         xssFilters = require('xss-filters'),
         CssParser = require('css-js'),
-        hrefAttribtues = tagAttList.HrefAttributes,
+        hrefAttributes = tagAttList.HrefAttributes,
         voidElements = tagAttList.VoidElements;
 
     function Purifier(config) {
@@ -116,7 +116,7 @@ See the accompanying LICENSE file for terms.
 
                             attrValString += ' ' + key;
                             if (value !== null) {
-                                attrValString += '="' + (hrefAttribtues[key] ? xssFilters.uriInDoubleQuotedAttr(decodeURI(value)) : value) + '"';
+                                attrValString += '="' + (hrefAttributes[key] ? xssFilters.uriInDoubleQuotedAttr(decodeURI(value)) : value) + '"';
                             }
                         }
                     }

From be7e501fded29797cfe962caf51471a11b7ad986 Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Mon, 17 Aug 2015 18:19:04 +0800
Subject: [PATCH 2/4] fix tag balancing logics

- logics simplified
- optional tags are ignored during balancing
- ignore self-closing solidus, which is required only for foreign
elements
---
 src/html-purify.js        | 67 ++++++++++++++++++++++++++-------------
 src/tag-attr-list.js      |  3 ++
 tests/test-vectors.js     | 22 +++++++++----
 tests/unit/html-purify.js |  6 ++--
 4 files changed, 67 insertions(+), 31 deletions(-)

diff --git a/src/html-purify.js b/src/html-purify.js
index 7dfb7e1..e48f0e8 100755
--- a/src/html-purify.js
+++ b/src/html-purify.js
@@ -12,7 +12,8 @@ See the accompanying LICENSE file for terms.
         xssFilters = require('xss-filters'),
         CssParser = require('css-js'),
         hrefAttributes = tagAttList.HrefAttributes,
-        voidElements = tagAttList.VoidElements;
+        voidElements = tagAttList.VoidElements,
+        optionalElements = tagAttList.OptionalElements;
 
     function Purifier(config) {
         var that = this;
@@ -41,14 +42,14 @@ See the accompanying LICENSE file for terms.
         that.cssParser = new CssParser({"ver": "strict", "throwError": false});
     }
 
-    // TODO: introduce polyfill for Array.indexOf
-    function contains(arr, element) {
-        for (var i = 0, len = arr.length; i < len; i++) {
+    // TODO: introduce polyfill for Array.lastIndexOf
+    function arrayLastIndexOf(arr, element) {
+        for (var i = arr.length - 1; i >= 0; i--) {
             if (arr[i] === element) {
-                return true;
+                return i;
             }
         }
-        return false;
+        return -1;
     }
 
     function processTransition(prevState, nextState, i) {
@@ -68,30 +69,40 @@ See the accompanying LICENSE file for terms.
             idx = parser.getCurrentTagIndex();
             tagName = parser.getCurrentTag(idx);
 
-            if (contains(this.tagsWhitelist, tagName)) {
+            if (arrayLastIndexOf(this.tagsWhitelist, tagName) !== -1) {
 
                 if (idx) {
-                    if (this.config.enableTagBalancing) {
-                        // add closing tags for any opened ones before closing the current one
-                        while((openedTag = this.openedTags.pop()) && openedTag !== tagName) {
-                            this.output += '</' + openedTag + '>';
-                        }
-                        // openedTag is undefined if tagName is never found in all openedTags, no output needed
-                        if (openedTag) {
-                            this.output += '</' + openedTag + '>';
+                    if (this.config.enableTagBalancing && !optionalElements[tagName]) {
+                        // relaxed tag balancing, accept it as long as the tag exists in the stack
+                        idx = arrayLastIndexOf(this.openedTags, tagName);
+
+                        if (idx >= 0) {
+                            this.output += '</' + tagName + '>';
+                            this.openedTags.splice(idx, 1);
                         }
+
+                        // // add closing tags for any opened ones before closing the current one
+                        // while((openedTag = this.openedTags.pop()) && openedTag !== tagName) {
+                        //     this.output += '</' + openedTag + '>';
+                        // }
+                        // // openedTag is undefined if tagName is never found in all openedTags, no output needed
+                        // if (openedTag) {
+                        //     this.output += '</' + openedTag + '>';
+                        // }
                     }
                     else {
                         this.output += '</' + tagName + '>';
                     }
                 }
                 else {
-                    //  - void elements only have a start tag; end tags must not be specified for void elements.
-                    this.hasSelfClosing = this.hasSelfClosing || voidElements[tagName];
+                    // void elements only have a start tag; end tags must not be specified for void elements.
+                    // this.hasSelfClosing = this.hasSelfClosing || voidElements[tagName];
+                    this.hasSelfClosing = voidElements[tagName];
 
                     // push the tagName into the openedTags stack if not found:
                     //  - a self-closing tag or a void element
-                    this.config.enableTagBalancing && !this.hasSelfClosing && this.openedTags.push(tagName);
+                    // this.config.enableTagBalancing && !this.hasSelfClosing && this.openedTags.push(tagName);
+                    this.config.enableTagBalancing && !this.hasSelfClosing && !optionalElements[tagName] && this.openedTags.push(tagName);
 
                     if (prevState === 35 ||
                         prevState === 36 ||
@@ -101,7 +112,7 @@ See the accompanying LICENSE file for terms.
 
                     attrValString = '';
                     for (key in this.attrVals) {
-                        if (contains(this.attributesWhitelist, key)) {
+                        if (arrayLastIndexOf(this.attributesWhitelist, key) !== -1) {
                             value = this.attrVals[key];
 
                             if (key === "style") { // TODO: move style to a const
@@ -123,12 +134,13 @@ See the accompanying LICENSE file for terms.
 
                     // handle self-closing tags
                     this.output += '<' + tagName + attrValString + (this.hasSelfClosing ? ' />' : '>');
+                    // this.output += '<' + tagName + attrValString + '>';
 
                 }
             }
             // reinitialize once tag has been written to output
             this.attrVals = {};
-            this.hasSelfClosing = 0;
+            // this.hasSelfClosing = false;
             break;
 
         case derivedState.TransitionName.ATTR_TO_AFTER_ATTR:
@@ -148,7 +160,18 @@ See the accompanying LICENSE file for terms.
             if (prevState === 35) {
                 this.attrVals[parser.getAttributeName()] = null;
             }
-            this.hasSelfClosing = 1;
+
+            /* According to https://html.spec.whatwg.org/multipage/syntax.html#start-tags
+             * "Then, if the element is one of the void elements, or if the element is a foreign element, then there may be a single U+002F SOLIDUS character (/). 
+             * This character has no effect on void elements, but on foreign elements it marks the start tag as self-closing."
+             */ 
+            // that means only foreign elements can self-close (self-closing is optional for void elements)
+            // no foreign elements will be allowed, so the following logic can be commented
+            // openedTag = parser.getStartTagName();
+            // if (openedTag === 'svg' || openedTag === 'math') { // ...
+            //     this.hasSelfClosing = true;
+            // }
+            
             break;
         }
     }
@@ -159,7 +182,7 @@ See the accompanying LICENSE file for terms.
         that.output = '';
         that.openedTags = [];
         that.attrVals = {};
-        that.hasSelfClosing = 0;
+        // that.hasSelfClosing = false;
         that.parser.reset();
         that.parser.contextualize(data);
 
diff --git a/src/tag-attr-list.js b/src/tag-attr-list.js
index 04cacbb..eac58ec 100644
--- a/src/tag-attr-list.js
+++ b/src/tag-attr-list.js
@@ -261,3 +261,6 @@ exports.HrefAttributes = {
 // Void elements only have a start tag; end tags must not be specified for void elements.
 // https://html.spec.whatwg.org/multipage/syntax.html#void-elements
 exports.VoidElements = {"area":1, "base":1, "br":1, "col":1, "embed":1, "hr":1, "img":1, "input":1, "keygen":1, "link":1, "menuitem":1, "meta":1, "param":1, "source":1, "track":1, "wbr":1};
+
+// https://html.spec.whatwg.org/multipage/syntax.html#optional-tags
+exports.OptionalElements = {/*"plaintext":1, "html":1, "head":1, "body":1,*/ "li":1, "dt":1, "dd":1, "p":1, "rt":1, "rp":1, "optgroup":1, "option":1, "colgroup":1, "caption":1, "thead":1, "tbody":1, "tfoot":1, "tr":1, "td":1, "th":1};
diff --git a/tests/test-vectors.js b/tests/test-vectors.js
index 7db885a..6d98c65 100644
--- a/tests/test-vectors.js
+++ b/tests/test-vectors.js
@@ -628,12 +628,12 @@ var generalVectors = [
 {
 	id: 10,
 	input: "<table><tr bz/></table>normal tag made standalone with bogus trunc attr",
-	output: "<table><tr /></table>normal tag made standalone with bogus trunc attr"
+	output: "<table><tr></table>normal tag made standalone with bogus trunc attr"
 },
 {
 	id: 11,
 	input: "<table><tr color/></table>normal tag made standalone with trunc attr bad val",
-	output: "<table><tr /></table>normal tag made standalone with trunc attr bad val"
+	output: "<table><tr></table>normal tag made standalone with trunc attr bad val"
 },
 {
 	id: 12,
@@ -648,7 +648,7 @@ var generalVectors = [
 {
 	id: 14,
 	input: "<table><tr size=\"4\"/></table>normal tag made standalone with value",
-	output: "<table><tr size=\"4\" /></table>normal tag made standalone with value"
+	output: "<table><tr size=\"4\"></table>normal tag made standalone with value"
 },
 //style attribute tests
 {
@@ -779,7 +779,7 @@ var generalVectors = [
 {
 	id: 40,
 	input: "<option selected />",
-	output: "<option selected />"
+	output: "<option selected>"
 },
 {
 	id: 41,
@@ -799,7 +799,7 @@ var generalVectors = [
 {
 	id: 44,
 	input: "<option selected/>",
-	output: "<option selected />"
+	output: "<option selected>"
 },
 {
 	id: 45,
@@ -831,7 +831,17 @@ var generalVectors = [
 	id: 50,
 	input: "abc <!-- 123",
 	output: "abc "
-}
+},
+{
+	id: 51,
+	input: "<a href=\"http://www.yahoo.com/\" />hello",
+	output: "<a href=\"http://www.yahoo.com/\">hello</a>"
+},
+// {
+// 	id: 52,
+// 	input: "<img src=\"x\" id=\'\" onerror=\"alert(1)\' />",
+// 	output: "<img src=\"x\" id=\'\" onerror=\"alert(1)\' />"
+// }
 ];
 
 exports.html5secVectors = html5secVectors;
diff --git a/tests/unit/html-purify.js b/tests/unit/html-purify.js
index 2d995b5..10a651b 100644
--- a/tests/unit/html-purify.js
+++ b/tests/unit/html-purify.js
@@ -35,12 +35,12 @@ Authors: Aditya Mahendrakar <maditya@yahoo-inc.com>
             var html = "</div>foo</h2>bar<a href=\"123\">hello<b>world</a><embed>123</embed><br /><br/><p>";
 
             // with tag balancing enabled by default
-            var output = (new Purifier()).purify(html);
-            assert.equal(output, 'foobar<a href=\"123\">hello<b>world</b></a><embed />123<br /><br /><p></p>');
+            var output = (new Purifier({enableTagBalancing:true})).purify(html);
+            assert.equal(output, 'foobar<a href="123">hello<b>world</a><embed />123<br /><br /><p></b>');
 
             // with tag balancing disabled
             var output = (new Purifier({enableTagBalancing:false})).purify(html);
-            assert.equal(output, "</div>foo</h2>bar<a href=\"123\">hello<b>world</a><embed />123</embed><br /><br /><p>");
+            assert.equal(output, '</div>foo</h2>bar<a href="123">hello<b>world</a><embed />123</embed><br /><br /><p>');
         });
 
         it('should handle all vectors mentioned in https://html5sec.org', function(){

From 4c0436d8dad835bacdea7ab67feb8545f9b0f12f Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Tue, 18 Aug 2015 18:23:25 +0800
Subject: [PATCH 3/4] updated after reviewer's comments - imposed a max stack
 size, i.e., nested-levels - stack pointer is used instead of push()

---
 src/html-purify.js        | 79 ++++++++++++++++++++++++++-------------
 tests/unit/html-purify.js | 19 ++++++++--
 2 files changed, 70 insertions(+), 28 deletions(-)

diff --git a/src/html-purify.js b/src/html-purify.js
index e48f0e8..6bfed95 100755
--- a/src/html-purify.js
+++ b/src/html-purify.js
@@ -15,13 +15,24 @@ See the accompanying LICENSE file for terms.
         voidElements = tagAttList.VoidElements,
         optionalElements = tagAttList.OptionalElements;
 
+    /*jshint -W030 */
     function Purifier(config) {
-        var that = this;
+        var that = this, tagBalance;
 
         config = config || {};
         // defaulted to true
         config.enableCanonicalization = config.enableCanonicalization !== false;
-        config.enableTagBalancing = config.enableTagBalancing !== false;
+        config.enableVoidingIEConditionalComments = config.enableVoidingIEConditionalComments !== false;
+    
+        // defaulted to true
+        config.tagBalance || (config.tagBalance = {});
+        tagBalance = that.tagBalance = {};
+        tagBalance.stackOverflow = false;
+        if ((tagBalance.enabled = config.tagBalance.enabled !== false)) {
+            tagBalance.stackSize = parseInt(config.tagBalance.stackSize) || 100;
+            tagBalance.stackPtr = 0;
+            tagBalance.stack = new Array(tagBalance.stackSize);
+        }
 
         // accept array of tags to be whitelisted, default list in tag-attr-list.js
         that.tagsWhitelist = config.whitelistTags || tagAttList.WhiteListTags;
@@ -36,15 +47,16 @@ See the accompanying LICENSE file for terms.
             enableCanonicalization: config.enableCanonicalization,
             enableVoidingIEConditionalComments: false // comments are always stripped from the output anyway
         }).on('postWalk', function (lastState, state, i, endsWithEOF) {
-            processTransition.call(that, lastState, state, i);
+            !tagBalance.stackOverflow && processTransition.call(that, lastState, state, i);
         });
 
         that.cssParser = new CssParser({"ver": "strict", "throwError": false});
+        
     }
 
     // TODO: introduce polyfill for Array.lastIndexOf
-    function arrayLastIndexOf(arr, element) {
-        for (var i = arr.length - 1; i >= 0; i--) {
+    function arrayLastIndexOf(arr, element, fromIndex) {
+        for (var i = fromIndex === undefined ? arr.length - 1 : fromIndex; i >= 0; i--) {
             if (arr[i] === element) {
                 return i;
             }
@@ -56,8 +68,8 @@ See the accompanying LICENSE file for terms.
         /* jshint validthis: true */
         /* jshint expr: true */
         var parser = this.parser,
-            idx, tagName, attrValString, openedTag, key, value;
-
+            tagBalance = this.tagBalance,
+            idx = 0, tagName = '', attrValString = '', key = '', value = '', hasSelfClosing = 0;
         
         switch (derivedState.Transitions[prevState][nextState]) {
             
@@ -72,13 +84,14 @@ See the accompanying LICENSE file for terms.
             if (arrayLastIndexOf(this.tagsWhitelist, tagName) !== -1) {
 
                 if (idx) {
-                    if (this.config.enableTagBalancing && !optionalElements[tagName]) {
+                    if (tagBalance.enabled && !optionalElements[tagName]) {
                         // relaxed tag balancing, accept it as long as the tag exists in the stack
-                        idx = arrayLastIndexOf(this.openedTags, tagName);
+                        idx = arrayLastIndexOf(tagBalance.stack, tagName, tagBalance.stackPtr - 1);
 
                         if (idx >= 0) {
                             this.output += '</' + tagName + '>';
-                            this.openedTags.splice(idx, 1);
+                            tagBalance.stack.splice(idx, 1);
+                            tagBalance.stackPtr--;
                         }
 
                         // // add closing tags for any opened ones before closing the current one
@@ -97,12 +110,20 @@ See the accompanying LICENSE file for terms.
                 else {
                     // void elements only have a start tag; end tags must not be specified for void elements.
                     // this.hasSelfClosing = this.hasSelfClosing || voidElements[tagName];
-                    this.hasSelfClosing = voidElements[tagName];
+                    hasSelfClosing = voidElements[tagName];
 
                     // push the tagName into the openedTags stack if not found:
                     //  - a self-closing tag or a void element
-                    // this.config.enableTagBalancing && !this.hasSelfClosing && this.openedTags.push(tagName);
-                    this.config.enableTagBalancing && !this.hasSelfClosing && !optionalElements[tagName] && this.openedTags.push(tagName);
+                    // this.config.tagBalance.enabled && !this.hasSelfClosing && this.openedTags.push(tagName);
+                    if (tagBalance.enabled && !hasSelfClosing && !optionalElements[tagName]) {
+                        if (tagBalance.stackPtr < tagBalance.stackSize) {
+                            tagBalance.stack[tagBalance.stackPtr++] = tagName;
+                        } else {
+                            // cease processing anything if it exceeds the maximum stack size allowed
+                            tagBalance.stackOverflow = true;
+                            break;
+                        }
+                    }
 
                     if (prevState === 35 ||
                         prevState === 36 ||
@@ -110,7 +131,6 @@ See the accompanying LICENSE file for terms.
                         this.attrVals[parser.getAttributeName()] = parser.getAttributeValue();
                     }
 
-                    attrValString = '';
                     for (key in this.attrVals) {
                         if (arrayLastIndexOf(this.attributesWhitelist, key) !== -1) {
                             value = this.attrVals[key];
@@ -133,14 +153,13 @@ See the accompanying LICENSE file for terms.
                     }
 
                     // handle self-closing tags
-                    this.output += '<' + tagName + attrValString + (this.hasSelfClosing ? ' />' : '>');
+                    this.output += '<' + tagName + attrValString + (hasSelfClosing ? ' />' : '>');
                     // this.output += '<' + tagName + attrValString + '>';
 
                 }
             }
             // reinitialize once tag has been written to output
             this.attrVals = {};
-            // this.hasSelfClosing = false;
             break;
 
         case derivedState.TransitionName.ATTR_TO_AFTER_ATTR:
@@ -177,20 +196,30 @@ See the accompanying LICENSE file for terms.
     }
 
     Purifier.prototype.purify = function (data) {
-        var that = this, openedTag;
+        var that = this, i;
 
-        that.output = '';
-        that.openedTags = [];
         that.attrVals = {};
-        // that.hasSelfClosing = false;
-        that.parser.reset();
-        that.parser.contextualize(data);
+        that.output = '';
+
+        if (that.tagBalance.enabled) {
+            that.tagBalance.stack = new Array(this.tagBalance.stackSize);
+            that.tagBalance.stackPtr = 0;
+        }
+
+        that.parser.reset().contextualize(data);
+
+        if (that.tagBalance.enabled) {
 
-        if (that.config.enableTagBalancing) {
             // close any remaining openedTags
-            while((openedTag = this.openedTags.pop())) {
-                that.output += '</' + openedTag + '>';
+            for (i = that.tagBalance.stackPtr - 1; i >= 0; i--) {
+                that.output += '</' + that.tagBalance.stack[i] + '>';
             }
+            // if ((that.tagBalance.stack.length = that.tagBalance.stackPtr)) {
+            //     that.output += '</' + that.tagBalance.stack.join('></') + '>';
+            // }
+            // while((openedTag = this.openedTags.pop())) {
+            //     that.output += '</' + openedTag + '>';
+            // }
         }
 
         return that.output;
diff --git a/tests/unit/html-purify.js b/tests/unit/html-purify.js
index 10a651b..b993a0b 100644
--- a/tests/unit/html-purify.js
+++ b/tests/unit/html-purify.js
@@ -31,18 +31,31 @@ Authors: Aditya Mahendrakar <maditya@yahoo-inc.com>
             assert.equal(output, '<h1 id="foo" title="asd" checked>hello world 2</h1>');
         });
 
-        it('should always balance unopened tags', function(){
+        it('should balance tags', function(){
             var html = "</div>foo</h2>bar<a href=\"123\">hello<b>world</a><embed>123</embed><br /><br/><p>";
 
             // with tag balancing enabled by default
-            var output = (new Purifier({enableTagBalancing:true})).purify(html);
+            var output = (new Purifier({tagBalance:{enabled:true}})).purify(html);
             assert.equal(output, 'foobar<a href="123">hello<b>world</a><embed />123<br /><br /><p></b>');
+        });
+
+        it('should balance remaining tags and drop inputs when there are too many unclosed tags', function(){
+            var html = "<b>1<b>2<b>3<b>4<b>5<b>6</b></b></b></b>";
+
+            // with tag balancing enabled by default
+            var output = (new Purifier({tagBalance:{enabled:true, stackSize:3}})).purify(html);
+            assert.equal(output, '<b>1<b>2<b>3</b></b></b>');
+        });
+
+        it('should not balance tags if disabled', function(){
+            var html = "</div>foo</h2>bar<a href=\"123\">hello<b>world</a><embed>123</embed><br /><br/><p>";
 
             // with tag balancing disabled
-            var output = (new Purifier({enableTagBalancing:false})).purify(html);
+            var output = (new Purifier({tagBalance:{enabled:false}})).purify(html);
             assert.equal(output, '</div>foo</h2>bar<a href="123">hello<b>world</a><embed />123</embed><br /><br /><p>');
         });
 
+
         it('should handle all vectors mentioned in https://html5sec.org', function(){
 	    var output, i, vector;
 	    for (var i = 0; i < html5secVectors.length; i++) {

From 3701cb7d2529666d7413ec6662a7094e1af3d336 Mon Sep 17 00:00:00 2001
From: adon <adon@yahoo-inc.com>
Date: Mon, 5 Oct 2015 16:52:44 +0800
Subject: [PATCH 4/4] updated comments and README

- also improved the arrayLastIndexOf to use the native
Array.prototype.lastIndexOf if exixts
---
 README.md          | 30 +++++++++++++++++++++
 src/html-purify.js | 66 ++++++++++++++++++++++++----------------------
 2 files changed, 65 insertions(+), 31 deletions(-)

diff --git a/README.md b/README.md
index 2cefb57..b568d07 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,36 @@ var input = '...';
 var result = purifier.purify(input);
 ```
 
+## Advanced Usage
+
+The following outlines the configuration that is secure by default. You should perform due dilligence to confirm your use cases are safe before disabling or altering the configurations.
+
+```js
+// The default configuration
+new Purifier({
+	whitelistTags: ['a', '...'],
+	whitelistAttributes: ['href', '...'],
+	enableCanonicalization: true,
+	tagBalance: {
+		enabled: true,
+		stackSize: 100
+	}
+});
+```
+
+<!--
+#### whitelistTags
+
+#### whitelistAttributes
+
+#### enableCanonicalization
+-->
+
+#### tagBalance
+The untrusted data must be self-contained. Hence, it cannot close any tags prior to its inclusion, nor leave any of its own tags unclosed. An efficient and simple tag balancing algorithm is applied by default to enforce this goal only, and may not produce perfectly nested output. You may implement another tag balancing algorithm before invoking purify. But the default one should still be enabled, unless you're sure the self-contained requirement is met.
+
+The ``stackSize`` (default: 100) is a limit imposed on the maximum number of unclosed tags (or the max levels of nested tags). When an untrusted data attempts to open tags that are so nested and has exceeded the allowed limit, the algorithm will cease any further processing but simply close all of those tags.
+
 ## Development
 
 ### How to build
diff --git a/src/html-purify.js b/src/html-purify.js
index 6bfed95..f944221 100755
--- a/src/html-purify.js
+++ b/src/html-purify.js
@@ -29,9 +29,9 @@ See the accompanying LICENSE file for terms.
         tagBalance = that.tagBalance = {};
         tagBalance.stackOverflow = false;
         if ((tagBalance.enabled = config.tagBalance.enabled !== false)) {
-            tagBalance.stackSize = parseInt(config.tagBalance.stackSize) || 100;
+            tagBalance.stackPtrMax = (parseInt(config.tagBalance.stackSize) || 100) - 1;
             tagBalance.stackPtr = 0;
-            tagBalance.stack = new Array(tagBalance.stackSize);
+            tagBalance.stack = new Array(tagBalance.stackPtrMax + 1);
         }
 
         // accept array of tags to be whitelisted, default list in tag-attr-list.js
@@ -54,11 +54,18 @@ See the accompanying LICENSE file for terms.
         
     }
 
-    // TODO: introduce polyfill for Array.lastIndexOf
+    // A simple polyfill for Array.lastIndexOf
     function arrayLastIndexOf(arr, element, fromIndex) {
-        for (var i = fromIndex === undefined ? arr.length - 1 : fromIndex; i >= 0; i--) {
-            if (arr[i] === element) {
-                return i;
+        if (arguments.length < 3) {
+            fromIndex = arr.length - 1;
+        }
+
+        if (Array.prototype.lastIndexOf) {
+            return arr.lastIndexOf(element, fromIndex);
+        }
+        for (; fromIndex >= 0; fromIndex--) {
+            if (arr[fromIndex] === element) {
+                return fromIndex;
             }
         }
         return -1;
@@ -85,7 +92,12 @@ See the accompanying LICENSE file for terms.
 
                 if (idx) {
                     if (tagBalance.enabled && !optionalElements[tagName]) {
-                        // relaxed tag balancing, accept it as long as the tag exists in the stack
+                        
+                        // Simple tag balancing: close the tag as long as it 
+                        // exists in the stack, as we only want to ensure the 
+                        // untrusted data must be self-contained. Hence, it can
+                        // not close any tags prior to its inclusion, nor leave
+                        // any of its own tags unclosed.
                         idx = arrayLastIndexOf(tagBalance.stack, tagName, tagBalance.stackPtr - 1);
 
                         if (idx >= 0) {
@@ -94,7 +106,7 @@ See the accompanying LICENSE file for terms.
                             tagBalance.stackPtr--;
                         }
 
-                        // // add closing tags for any opened ones before closing the current one
+                        // Pop-until-matched tag balancing: add closing tags for any opened ones before closing the matched one
                         // while((openedTag = this.openedTags.pop()) && openedTag !== tagName) {
                         //     this.output += '</' + openedTag + '>';
                         // }
@@ -109,20 +121,18 @@ See the accompanying LICENSE file for terms.
                 }
                 else {
                     // void elements only have a start tag; end tags must not be specified for void elements.
-                    // this.hasSelfClosing = this.hasSelfClosing || voidElements[tagName];
                     hasSelfClosing = voidElements[tagName];
 
                     // push the tagName into the openedTags stack if not found:
                     //  - a self-closing tag or a void element
-                    // this.config.tagBalance.enabled && !this.hasSelfClosing && this.openedTags.push(tagName);
                     if (tagBalance.enabled && !hasSelfClosing && !optionalElements[tagName]) {
-                        if (tagBalance.stackPtr < tagBalance.stackSize) {
-                            tagBalance.stack[tagBalance.stackPtr++] = tagName;
-                        } else {
-                            // cease processing anything if it exceeds the maximum stack size allowed
+                        // cease further processing if it exceeds the maximum stack size allowed
+                        if (tagBalance.stackPtr > tagBalance.stackPtrMax) {
                             tagBalance.stackOverflow = true;
-                            break;
+                            return;
                         }
+
+                        tagBalance.stack[tagBalance.stackPtr++] = tagName;
                     }
 
                     if (prevState === 35 ||
@@ -172,7 +182,7 @@ See the accompanying LICENSE file for terms.
 
         //case derivedState.TransitionName.TAG_OPEN_TO_MARKUP_OPEN:
         //    this.output += "<" + parser.input[i];
-	    //    break;
+        //    break;
 
         case derivedState.TransitionName.TO_SELF_CLOSING_START:
             // boolean attributes may not have a value
@@ -196,30 +206,24 @@ See the accompanying LICENSE file for terms.
     }
 
     Purifier.prototype.purify = function (data) {
-        var that = this, i;
+        var that = this, i, 
+            tagBalance = that.tagBalance;
 
         that.attrVals = {};
         that.output = '';
 
-        if (that.tagBalance.enabled) {
-            that.tagBalance.stack = new Array(this.tagBalance.stackSize);
-            that.tagBalance.stackPtr = 0;
+        if (tagBalance.enabled) {
+            tagBalance.stack = new Array(tagBalance.stackPtrMax + 1);
+            tagBalance.stackPtr = 0;
         }
 
         that.parser.reset().contextualize(data);
 
-        if (that.tagBalance.enabled) {
-
-            // close any remaining openedTags
-            for (i = that.tagBalance.stackPtr - 1; i >= 0; i--) {
-                that.output += '</' + that.tagBalance.stack[i] + '>';
+        if (tagBalance.enabled) {
+            // close remaining opened tags, if any
+            for (i = tagBalance.stackPtr - 1; i >= 0; i--) {
+                that.output += '</' + tagBalance.stack[i] + '>';
             }
-            // if ((that.tagBalance.stack.length = that.tagBalance.stackPtr)) {
-            //     that.output += '</' + that.tagBalance.stack.join('></') + '>';
-            // }
-            // while((openedTag = this.openedTags.pop())) {
-            //     that.output += '</' + openedTag + '>';
-            // }
         }
 
         return that.output;