Comments (36)
In case anyone else comes looking - to make current jsdom
work (Feb 2019):
```javascript
import { JSDOM } from 'jsdom'
import DOMPurify from 'dompurify'

// Build one jsdom window and hand it to the DOMPurify factory; the returned
// instance sanitizes against that window's DOM instead of a browser global.
const { window } = new JSDOM('<!DOCTYPE html>')
const domPurify = DOMPurify(window)

console.log(domPurify.sanitize(`
hell <script>alert("hi");</script>
<div onclick="alert(123);">
o
</div>
world
<img id="createElement">
`));
```
from dompurify.
@CaptainN Thanks for your solution.
I've gone further and created an isomorphic wrapper which allows using DOMPurify on both frontend and backend seamlessly https://github.com/kkomelin/isomorphic-dompurify
I would appreciate your feedback on the wrapper.
from dompurify.
Well, seems like a port was created 2 months ago
https://github.com/kkomelin/isomorphic-dompurify#readme
from dompurify.
I just stumbled upon this problem. I found a lightweight alternative for a simple DOMPurify use-case that works in Node: https://github.com/leizongmin/js-xss
```javascript
import xss from 'xss';

export function sanitizeText(string) {
  // js-xss takes the allowlist as an object mapping tag -> allowed attributes;
  // an empty array keeps the tag but drops every attribute on it.
  // Tags not in the list are stripped entirely because of stripIgnoreTag.
  return xss(string, {
    whiteList: { b: [], i: [], strong: [] },
    stripIgnoreTag: true,
  });
}
```
It has to be lightweight because I'm using it with server-side rendered React, which runs in Node first but then runs in the browser.
from dompurify.
@EddyVinck There are a few xss-filtering solutions on NPM, you're free to use any of them.
What led me to DOMPurify is this presentation Building Secure React Applications by Philippe De Ryck. Since you're working with React, it may interest you too.
from dompurify.
It supports iojs. (nodejs will be supported in the near future because iojs and nodejs are merging).
Try this:
```shell
npm install cure53/DOMPurify jsdom
```
```javascript
// jsdom.jsdom() is the old (pre-v10) jsdom API; current releases use new JSDOM(...)
var document = require('jsdom').jsdom();
// Pass the jsdom window so DOMPurify does not look for a browser global
var dompurify = require('dompurify')(document.defaultView);
console.log(dompurify.sanitize(`
hell <script>alert("hi");</script>
<div onclick="alert(123);">
o
</div>
world
<img id="createElement">
`));
```
from dompurify.
I'm currently trying to implement the NodeIterator myself.
from dompurify.
Is there any news on this one?
from dompurify.
Nope, sorry. Didn't have time during the last months to work on the NodeIterator. It's still on my list.
from dompurify.
Sighs.
Was wondering why I was getting this error.
```
/path/to/node_modules/dompurify/purify.js:405
if(typeof document.implementation.createHTMLDocument === 'undefined')
^
ReferenceError: document is not defined
...
```
Please don't host DOMPurify on npm if it's not going to work on node.js env; it's not a package manager for libraries that conveniently support CommonJS.
from dompurify.
npm is not a package manager exclusively for Node.js modules (Please read about the npm 2.0 release).
Also, DOMpurify works great with Browserify, that's why it's on npm.
from dompurify.
Today, I've sent a PR to the jsdom project to add document.implementation.createHTMLDocument() according to the living standard.
You were right @cure53, dealing with DOM implementations is really a mess. ;)
from dompurify.
Hmmm. Are you planning on adding jsdom as a dependency?
Would it be possible to use cheerio as an alternative?
from dompurify.
Cheerio is a jQuery-like HTML parser, not a DOM implementation (which we need, e.g. for createHTMLDocument, NodeFilter, NodeIterator, etc.).
from dompurify.
@fhemberger Nice!
Would that mean that we can make DOMPurify happen in combination with jsdom? Or do we need to start creating a feature table of missing APIs and work our way through them?
from dompurify.
NodeFilter and NodeIterator are still missing in jsdom. NodeFilter is just a bunch of constants, NodeIterator is a tiny bit more complex. ;) Both should pass W3C's implementation tests as well.
Then we should be able to use DOMPurify together with jsdom for Node.js.
from dompurify.
I have a feeling this can be done without jsdom. DOMPurify caught my attention because of its performance characteristics; and jsdom may slow things down a lot.
from dompurify.
Well, if you know of a different DOM implementation and you can get DOMPurify working with it, we'd happily accept a pull request. At the moment, jsdom is the only thing that comes to my mind …
from dompurify.
@dashed I fully agree with @fhemberger, if there was a way to do it w/o jsdom: awesome :)
Using DOMPurify with node.js opens many many new doors.
from dompurify.
Would be really awesome to have it run in a full node.js env. Looking forward to seeing that happen! Good luck guys!
from dompurify.
I'm already pushing updates to jsdom, I'll have a bit more time in December so I hope we can close this issue by the end of the year. ;)
from dompurify.
+1 for this feature..
from dompurify.
jsdom 5.1.0 supports NodeIterator: jsdom/jsdom#1092
There are still other issues though, such as firstElementChild
from dompurify.
Thanks, I read the announcement (but hadn't noticed the version has already been released).
I hope to find the time soon to look into this topic again. Sorry this takes so long, but fiddling around with a DOM implementation in Node is really messy. ;)
from dompurify.
jsdom 5.2.0 has many fixes to make dompurify work. Most html snippets can now be "purified" properly.
Although I have to load dompurify as a script using jsdom.env because dompurify uses a lot of globals. It would be great if I could instantiate dompurify by passing it a Window.
There are still a few test cases failing though, which would require more work in jsdom. One example is that jsdom currently throws an exception if an attribute is set with an invalid name: foo.innerHTML = "<img id/=' >". The spec says that resolving parser errors is optional, but it is of course not how the browsers behave. The result is that dompurify is not able to clean up such snippets.
from dompurify.
Above has been fixed. There are now 13 failing test cases.
Additional stuff to fix in jsdom:
- A few test cases with svg tags fail, the output looks safe, but it is not what the test cases expect
- stub or implement adoptNode
- stub or implement activeElement
- Do not throw if the style attribute contains invalid CSS: https://github.com/chad3814/CSSStyleDeclaration/issues/30
- Implement insertAdjacentHTML (required if you want to use KEEP_CONTENT)
from dompurify.
Thanks @Joris-van-der-Wel for digging into this, looks like we're getting closer.
Unfortunately, I'm pretty occupied at the moment, so I'm not able to dive into the jsdom code right now to implement the missing features. 😞
from dompurify.
A quick question: I think we are close to the next release. Should we go ahead or wait for you guys? Not sure how far this ticket is in total, thus asking :)
from dompurify.
No, don't wait for me. Just go ahead and release it. Node support would be a major version increment anyway.
from dompurify.
As for releasing:
I do not think that any XSS attempts will get through if you use jsdom with these unresolved issues. The effects of these issues are:
- adoptNode, activeElement and maybe others that are not in the test cases may get clobbered if you only filter using jsdom. These are not causing XSS leaks.
- Invalid CSS in style tags will throw. For example if DOMPurify is used in a node http server, it would give clients a 500 error instead of the sanitized html.
- The KEEP_CONTENT option does not work at all
The only thing I am not sure about yet are the 2 cases (87 and 173) that fail with svg content. I have not looked at those extensively. Perhaps all those need are an additional "expected" value in the test case itself.
Here is the output of the test cases: https://joris-van-der-wel.github.io/DOMPurify-04d7218-on-jsdom-5.4.0.html and here is the script I used to generate this https://joris-van-der-wel.github.io/DOMPurify-test-jsdom.js
from dompurify.
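The 500-error failure mode described in the comment above (the sanitizer throws on invalid CSS and the HTTP handler surfaces that to the client) is worth guarding against whichever DOM implementation sits underneath. The following is an added example, not code from this thread or from the DOMPurify project: a wrapper that fails closed when the sanitizer throws, returning HTML-escaped text instead of propagating the exception or, worse, echoing the unsanitized input. The brittleSanitizer stand-in, its regexes, the handleComment helper and the sample inputs are all constructed for the demo; in real use the wrapped function would be DOMPurify's sanitize bound to a jsdom window.

```javascript
// Added example (not from the thread or DOMPurify): fail closed when the
// sanitizer throws. The catch path must never fall back to the raw input;
// it returns escaped text (which a browser renders as literal characters).

// Minimal HTML escaping used only as the fallback; it is not a sanitizer.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Wraps any sanitize(html) -> string function. On an exception (or a
// non-string result) it logs and returns the fallback instead of throwing.
function makeSafeSanitizer(sanitize, { log = () => {}, onError = escapeHtml } = {}) {
  return function safeSanitize(html) {
    try {
      const out = sanitize(html);
      if (typeof out !== 'string') throw new TypeError('sanitizer returned non-string');
      return { ok: true, html: out };
    } catch (err) {
      log(err);
      return { ok: false, html: onError(html) };
    }
  };
}

// Constructed stand-in for the failure mode in the thread: a sanitizer that
// throws when it meets a style attribute containing invalid CSS. It strips
// <script> and on* handlers with regexes only so the block runs without
// jsdom; it is NOT a real sanitizer and must not be used as one.
function brittleSanitizer(html) {
  if (/style\s*=\s*["'][^"']*[{}]/i.test(html)) {
    throw new Error('CSSStyleDeclaration: invalid CSS');
  }
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/\son\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/gi, '');
}

// Simulated request handler (hypothetical): status 200 with the sanitized
// body, or 200 with the escaped fallback and a degraded flag. Never a 500
// caused by user input, and never the raw input.
function handleComment(safeSanitize, body) {
  const r = safeSanitize(body);
  return { status: 200, body: r.html, degraded: !r.ok };
}

const safeSanitize = makeSafeSanitizer(brittleSanitizer, {
  log: (e) => console.error('sanitizer failed:', e.message),
});

// Constructed sample inputs
const clean = safeSanitize('hell <script>alert(1)</script><div onclick="alert(2)">o</div> world');
const broken = handleComment(safeSanitize, '<div style="color:{red}">x</div>');
console.log(clean.html);   // hell <div>o</div> world
console.log(broken);       // escaped body, degraded: true, status 200
```

Whether the fallback should be escaped text (a degraded but still successful response) or an explicit error page is a product decision; the invariant the wrapper enforces is that the catch path never returns the original string. Log the exception, because a sanitizer that throws on attacker-controlled input is also a denial-of-service lever worth alerting on.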
So if none of those issues can cause a security issue, I would say, release it
from dompurify.
So will 0.6.4 support NodeJS?
from dompurify.
I'm so grateful for your help so we finally got this out. Thanks!
from dompurify.
I haven't had the time for testing it, but can we close this issue now?
from dompurify.
Well, enabling KEEP_CONTENT has no effect now. Beyond that, I can imagine wanting to add a test runner in DOMPurify for jsdom (also see #61).
And the readme will need updating
from dompurify.
Updated the README just now: 6b0c682.
I'm closing this issue now and creating a new issue for KEEP_CONTENT.
from dompurify.