purify style elements? about dompurify HOT 4 CLOSED

I am tempted to do it but am not sure about the right way to do it. Yet. It is however on the Todo list.

Google's Caja has additional jobs to do, we only do the stuff inside < and > so we can stay lightweight and avoid complexity ;)

from dompurify.

I'm not familiar with parsing. Are there certain potential issues?

I'm looking around for potential CSS parsers such as this:
https://github.com/reworkcss/css
https://github.com/reworkcss/rework

Potentially, a plugin on top of rework would throw errors on blacklisted/whitelist syntax. I haven't looked too much into it yet.

from dompurify.

The problem is: I don't wanna rely too much on external plug-ins. Once security is the primary focus, this is not really an option. We cannot keep a securoty promise and at the same time rely on what other people do in some repo.

Then, CSS inside style attributes or style elements is not a cause of XSS any more. At least not in the UAs DOMPurify supports. So the first question here would be: what's the threat model?

What then pops up first is HTTP leakage of course. Then again, we do not prevent leakage in HTML yet. Which is kind of a step that has to be taken before we walk down the CSS rabbit-hole. So, it's complicated :)

from dompurify.

I have decided to close this one for now - there's no urgent need for this feature and I'd prefer to create a library on its own that is capable of doing so. Possible to have this be combined with DOMPurify in a later stage.

from dompurify.