Enhancement suggestion: Interpolation API about dompurify HOT 7 CLOSED

Mario suggested doing this in a branch or exploring this using the hooking API, before taking it into DOMPurify.

from dompurify.

I like the idea but I don't see it arriving in the core anytime soon. However a branch and maybe a plugin or even a split project would be cool.

I am wondering though - how would you image the API to look like?

from dompurify.

// let's assume these three vars are untrusted
var href = "javascript:alert(1)";
var title = "click me";
var text = "innocent text <script>alert(1)</script>";

whatever.innerHTML = interpolate`<a href='${href}' title='${title}'>${text}</a>`
// returns <a href='' title='click me'>innocent text &lt;script&gt;alert(1)&lt;/script&gt;</a>

from dompurify.

Would you expect DOMPurify to sanitize the single components or rather the final result?
I'd assume the latter, just to be sure.

from dompurify.

I have assumed to do the context-aware encoding in DOMPurify, but that's beyond its capabilities and it dawns me that there is very little overlap between my interpolation suggestion and DOMPurify.

Thanks for this good question :-) This will mean my interpolation should really live outside of DOMPurify or use it (at the end) to sanitize the final result..

from dompurify.

@mozfreddyb Should we close this for now?

from dompurify.

aye

from dompurify.