Comments (5)
Heya,
I understand what you mean. Currently, the demo is basically a large bunch of test vectors that we simply write to the DOM to show that no dangerous HTML slips through. So the huge red letters are in fact expected behavior :)
What would you suggest to make it better? One thing I could imagine would be less HTML and annotations explaining what happens. We could do that as soon as we have a test-suite running (cc @fhemberger ). Right now the demo is a quasi test-suite. That is of course not ideal.
Do you have any specific suggestions of how to make the demo be more intuitive and friendly?
from dompurify.
I think explaining what's actually happening during the test is very useful, as is having an example or description of the expected behaviour.
(Also, as an aside, if Style tags are allowed, how does it handle remote includes in styles? https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet)
from dompurify.
Makes sense. I'll tidy up the demo once we have a test-suite. Thanks for raining this issue!
from dompurify.
I have added some extra text to explain what happens. I also changed the jQuery stress-test to use html()
instead of the factory. A quick look at the wording and maybe a pull request in case the wording is still confusion would be appreciated ;) I am not a great texter and it wasn't confusing to me before - so not sure if my change hit the target.
About your question on CSS and remote styles: The info given in the OWASP "cheatsheet" is hopelessly outdated. It is not possible to cause XSS using CSS on modern browsers (as far as I know). There's a whole bunch of UI attacks and what not but we don't consider them in scope for the DOMPurify default values. Anyone can however simply remove <style>
from the list of permitted elements to be 101% safe and secure.
from dompurify.
Looks great to me!
from dompurify.
Related Issues (20)
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
- Escape unsafe characters instead of removing them HOT 3
- The MAX_NESTING_DEPTH remove contents issue has not been resolved. HOT 3
- A code comment containing a tag name structure leads to removal of the entire block HOT 2
- Issue secure [email protected] Apache-2.0 + Fair + MPL-2.0 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.