Comments (8)
Nope, it's this statement: https://github.com/cure53/DOMPurify/blob/master/purify.js#L178
/* Cover IE9's buggy outerHTML behavior */
if(dom.body === null) {
    dom.body.innerHTML = dirty;
}
I don't know what your original intention was … ;)
Second issue: https://github.com/cure53/DOMPurify/blob/master/test/index.html#L29
QUnit.assert.contains = function( needle, haystack, message ) {
    var actual = haystack.indexOf(needle) > -1;
    QUnit.push(actual, actual, needle, message);
};
This doesn't seem to work when you return early and return an empty string (https://github.com/cure53/DOMPurify/blob/master/purify.js#L390) (cc @mathiasbynens):
Expected: ""
Result: false
from dompurify.
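An added illustration of the second issue in the comment above, not code from the DOMPurify repository. QUnit 1.x's `push(result, actual, expected, message)` is replaced by a recording stub; `makeRecorder`, `containsReported` and the sample strings are hypothetical. It also covers a string haystack, which goes beyond the failure reported above.

```javascript
// Stand-in for QUnit 1.x push(result, actual, expected, message):
// it only records what a reporter would display.
function makeRecorder() {
  const calls = [];
  return {
    calls,
    push(result, actual, expected, message) {
      calls.push({ result, actual, expected, message });
    },
  };
}

// Helper as quoted in the comment: the boolean is passed as result AND actual,
// so a failure report shows "Result: false" instead of the sanitizer output.
function containsAsPosted(qunit, needle, haystack, message) {
  const actual = haystack.indexOf(needle) > -1;
  qunit.push(actual, actual, needle, message);
}

// Hypothetical variant (an assumption, not the project's fix): report the
// sanitizer output and the accepted outputs. A string haystack is wrapped in
// an array so that "" is not matched as a substring of it.
function containsReported(qunit, needle, haystack, message) {
  const accepted = Array.isArray(haystack) ? haystack : [haystack];
  qunit.push(accepted.indexOf(needle) > -1, needle, accepted, message);
}

// Constructed sample: the sanitizer returned "" early; the test accepts these.
const ACCEPTED = ['<a>x</a>', '<a href="#">x</a>'];

function demo() {
  const posted = makeRecorder();
  containsAsPosted(posted, '', ACCEPTED, 'array of accepted outputs');
  containsAsPosted(posted, '', '<a>x</a>', 'single accepted string');

  const reported = makeRecorder();
  containsReported(reported, '', ACCEPTED, 'array of accepted outputs');
  containsReported(reported, '', '<a>x</a>', 'single accepted string');
  return { posted: posted.calls, reported: reported.calls };
}

console.log(JSON.stringify(demo(), null, 2));
```

With a string haystack the quoted helper passes for an empty result, because `indexOf('')` on any string is 0; a sanitizer test that passes on empty output hides the early-return path.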
In IE9, outerHTML and innerHTML in virtual documents are broken. The seemingly hackish code covers that and enables DOMPurify to work fine nevertheless. Unfortunately the tests disagree. Workarounds are welcome :)
from dompurify.
Well, null shouldn't be an object and have any properties. And it's exactly this line that breaks all the tests in IE9, because of the attempt to write to null.innerHTML.
from dompurify.
This is breaking for me in IE9 (not the tests).
https://www.dropbox.com/s/mb490tr9xpxu080/Screenshot%202014-04-15%2014.51.43.png
from dompurify.
I'm not sure of the intent, but using innerHTML instead of outer works. But it might negate your intention.
from dompurify.
I am currently revising this issue, you guys are right. Additional code is needed for IE9 to work fine.
from dompurify.
I added a fix for the innerHTML issue shown above, yet I am close to believing that, based on the flawed outerHTML behavior on MSIE9, we might not be able to fully support this browser.
I ran the tests and they do work now - but many of them yield results that are beyond reason (closing <body> element in the middle of an HTML string, double-open links, absurd XML processing instructions for MathML strings etc.).
So far my conclusion is: DOMPurify works on IE9, produces safe output, but to make all tests go green we'd have to start accepting absurd HTML that might have structural flaws and produce results we cannot observe on any other browser. Thoughts?
from dompurify.
Closed for inactivity, no bug reports from IE9. Re-open if necessary.
from dompurify.