Comments (9)
I am hesitant to do so as I think this introduces a security problem: In certain cases, an attacker might be able to use DOM Clobbering to overwrite those values and thereby enable white-listing of arbitrary elements and attributes.
I think the way it is right now is good enough - but might of course be convinced otherwise ;) For now I am reject and close the ticket, feel free to reopen if you have additional input.
from dompurify.
Then there should be some other easy way to add tags or attributes to the existing allowed values while sanitizing.
from dompurify.
But why? I believe it's good enough to pass configuration parameters upon instantiation. Anything else is overhead imho and a security risk.
from dompurify.
Say I'm ok with the existing ALLOWED_ATTR and just want to add valign
alone, and I don't want to give the entire attributes again, there isn't a way to give this as a configuration upon instantiation.
from dompurify.
Ah, I get it. So here's what I am worried about:
If we allow to extend the existing configuration arrays and flag, we make them accessible from the outside. That means, anyone can edit them and influence them before DOMPurify.sanitize()
is being called.
In the worst case, an attacker could for example overwrite properties using DOM clobbering and harmless-looking markup. Think for example <a href="#text,script,iframe" id="ALLOWED_TAGS"></a>
(would require more stars to be aligned but might in fact work). In essence: I don't want to allow declarative change of the configuration properties.
What we could do is to implement a public setter method. That could be used to receive an array of additional properties, pass them on to sanitize()
and merge them into the existing ones. We cannot call methods using DOM clobbering so that would be safe. Pull requests welcome :)
from dompurify.
What we could do is to implement a public setter method. That could be used to receive an array of additional properties, pass them on to sanitize() and merge them into the existing ones.
Yeah, this is what I meant to. But how should be the additional properties be passed, the same ALLOWED_ATTR with a merge flag or a new configuration ALLOWED_ADDITIONAL_ATTR (or something of this kind) ?
from dompurify.
For example, yes - maybe a more compact wording but that should do the trick.
from dompurify.
I am currently testing with the following code:
/* Merge config parameters */
cfg.ADD_ATTR ? ALLOWED_ATTR.concat(cfg.ADD_ATTR);
cfg.ADD_TAGS ? ALLOWED_TAGS.concat(cfg.ADD_TAGS);
You can pass in an array of additional tags or attributes that will be merged into the existing ones. Does that meet the requirement?
from dompurify.
Yeah, that is great 👍 Thank you.
from dompurify.
Related Issues (20)
- New release v3.1.0 (not in releases) HOT 1
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
- Escape unsafe characters instead of removing them HOT 3
- The MAX_NESTING_DEPTH remove contents issue has not been resolved. HOT 3
- A code comment containing a tag name structure leads to removal of the entire block HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.