Comments (7)
Mario suggested doing this in a branch or exploring this using the hooking API, before taking it into DOMPurify.
from dompurify.
I like the idea but I don't see it arriving in the core anytime soon. However a branch and maybe a plugin or even a split project would be cool.
I am wondering though - how would you image the API to look like?
from dompurify.
// let's assume these three vars are untrusted
var href = "javascript:alert(1)";
var title = "click me";
var text = "innocent text <script>alert(1)</script>";
whatever.innerHTML = interpolate`<a href='${href}' title='${title}'>${text}</a>`
// returns <a href='' title='click me'>innocent text <script>alert(1)</script></a>
from dompurify.
Would you expect DOMPurify to sanitize the single components or rather the final result?
I'd assume the latter, just to be sure.
from dompurify.
I have assumed to do the context-aware encoding in DOMPurify, but that's beyond its capabilities and it dawns me that there is very little overlap between my interpolation suggestion and DOMPurify.
Thanks for this good question :-) This will mean my interpolation should really live outside of DOMPurify or use it (at the end) to sanitize the final result..
from dompurify.
@mozfreddyb Should we close this for now?
from dompurify.
aye
from dompurify.
Related Issues (20)
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
- Number.isNaN is not supported in MSIE HOT 15
- Bower issues : DOMPurify is not defined HOT 5
- HTML and BODY tags are being regardless of `ALLOWED_TAGS` settings HOT 2
- MAX_NESTING_DEPTH remove contents issue HOT 5
- Escape unsafe characters instead of removing them HOT 3
- The MAX_NESTING_DEPTH remove contents issue has not been resolved. HOT 3
- A code comment containing a tag name structure leads to removal of the entire block HOT 2
- Issue secure [email protected] Apache-2.0 + Fair + MPL-2.0 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.