Comments (4)
I am tempted to do it but am not sure about the right way to do it. Yet. It is however on the Todo list.
Google's Caja has additional jobs to do, we only do the stuff inside <
and >
so we can stay lightweight and avoid complexity ;)
from dompurify.
I'm not familiar with parsing. Are there certain potential issues?
I'm looking around for potential CSS parsers such as this:
https://github.com/reworkcss/css
https://github.com/reworkcss/rework
Potentially, a plugin on top of rework would throw errors on blacklisted/whitelist syntax. I haven't looked too much into it yet.
from dompurify.
The problem is: I don't wanna rely too much on external plug-ins. Once security is the primary focus, this is not really an option. We cannot keep a securoty promise and at the same time rely on what other people do in some repo.
Then, CSS inside style attributes or style elements is not a cause of XSS any more. At least not in the UAs DOMPurify supports. So the first question here would be: what's the threat model?
What then pops up first is HTTP leakage of course. Then again, we do not prevent leakage in HTML yet. Which is kind of a step that has to be taken before we walk down the CSS rabbit-hole. So, it's complicated :)
from dompurify.
I have decided to close this one for now - there's no urgent need for this feature and I'd prefer to create a library on its own that is capable of doing so. Possible to have this be combined with DOMPurify in a later stage.
from dompurify.
Related Issues (20)
- Fix for bug in demo hooks-sanitize-css-demo.html HOT 3
- Sanitization Issue: Comments Removed Despite ADD_TAGS Configuration HOT 8
- Sanitization Issue with DomPurify HOT 3
- New release v3.1.0 (not in releases) HOT 1
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.