Drops charset declarations about dompurify HOT 9 CLOSED

I am worried about allowing META tags in general, but I think <meta charset> might be doable.

Is there a specific use-case for this need? Or do you see a specific attack based on the omission of META elements?

from dompurify.

Definitely agree that allowing META tags in general is not something we should do.

I encountered this problem when converting a javascript byte array to a string and then running it through purify. I'll see if I can narrow down the testcase.

from dompurify.

This is weird. I have a file containing the norwegian letter ø
When the file size goes above 32786, the encoding breaks, and the ø becomes ø

Seems there also needs to be an image with a data:uri

from dompurify.

Same in different browsers?

from dompurify.

Ok, I've narrowed it down. I have only tested this in Chrome. See the following files: http://research.insecurelabs.org/encoding/

So between the diff between broken.html and works-because-meta.html is the meta header setting the character set. The difference between works.html and broken.html is a single line feed (\x0a).

In my version of Chrome, in broken.html ø becomes ø

Seems I can include a BOM in the HTML before running it through purify, and it will then work correctly.

from dompurify.

I am surprised though that the charset is lost under certain seemingly unrelated conditions.

My assumption was, that an HTML document created via document.implementation.createHTMLDocument inherits the charset from the creating document unless explicitly told otherwise (via META). What is doc.characterSet set to for the broken one?

from dompurify.

ISO-8859-1

from dompurify.

Strange. I believe it's a Chrome issue but I am not 100% sure. What's your take on this?

from dompurify.

Likely. I'll close this one

from dompurify.