Option to return a DocumentFragment instead of html about dompurify HOT 6 CLOSED

We have the following option available (rarely used thus maybe not optimal):

// return a DOM instead of an HTML string (default is false)
var clean = DOMPurify.sanitize(dirty, {RETURN_DOM: true});

Would you need an additional flag or another refinement here?

from dompurify.

Oh sorry I missed that.

Two issues/refinements I see:

• It returns a or element, of which you have to manually move over the children
• The nodes belong to the internal temporary document of DOMPurify, using these nodes without importNode or adoptNode is against spec, so I would have to do that myself (plus feature detecting which of the two to use).

I can imagine wanting to do this in DOMPurify to make sure the internal document is not exposed and to make sure no exploits are introduced in the adopting step. I can imagine adoptNode preserving the past names map of HTMLFormElement for example (I have not tested if this is true).

from dompurify.

FWIW I'm putting the returned document inside a sandboxed iframe, so I really like the current API not making any assumptions.

from dompurify.

@ConradIrwin That's good info, I wasn't sure if people used this option or not. So we shall leave this one as it is.

@Joris-van-der-Wel I would opt for an additional option then:

// return a DocumentFragment instead of an HTML string (default is false)
var clean = DOMPurify.sanitize(dirty, {RETURN_DOM_FRAGMENT: true});

from dompurify.

Sounds good, I'll whip up a PR

from dompurify.

Thanks :)

from dompurify.