Comments (6)
E.g. the `alert(1)` values are still present in the output.
What input did you use? The only example in the README is `<svg onload=alert(1)>` which gets sanitized to `<svg></svg>` properly.
Could you write a section in the README which gives a few code examples (before/after)?
https://cure53.de/purify has a lot of examples already. There's also https://github.com/cure53/DOMPurify/blob/master/tests/expect.json.
from dompurify.
We're planning to add some unit tests (to avoid regressions). This way it will also be easier to compare the input and expected output on a per-case basis.
@mathiasbynens This is what I get when I press the left-most button on that demo page:
The `alert(1)` parts are still present (I also checked in the browser's console - it's the same output as the code in the bottom field in the screenshot).
The example code on that demo page is very complex and there is no visual indication where the offending code is (that is being sanitized), so it's not very useful, I think. The added examples in the README are good enough, though.
@simevidas The `alert(1)` is visible but inactive. It's inside a style element and therefore doesn't hurt anyone. Think of it as being `text/plain`.
The example is in fact a bit confusing. We basically collected all test vectors without specific order when prototyping the library. This very exotic one was the last reported bypass in case we sanitize for jQuery factory usage. However, no reason to worry ;)
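As an added example for two points in this thread (the maintainers' plan to compare input and expected output on a per-case basis, and `alert(1)` being inert text once it sits inside a style element), here is a small Node script. It is not DOMPurify's code and not taken from its test suite. `runVectors` runs an expect.json-style list of vectors through whatever sanitize function it is given and reports mismatches; in real use you would pass `DOMPurify.sanitize` (under jsdom or in a browser). So that the file runs offline, it also includes `toySanitize`, a deliberately minimal, DOM-less allowlist stand-in with made-up tag and attribute allowlists; it exists only to exercise the harness and is not a sanitizer to deploy. All vectors are constructed here except the `<svg onload=alert(1)>` to `<svg></svg>` case, which comes from this thread.

```javascript
// Added example, not DOMPurify's own code.
// runVectors() is the per-case regression harness; toySanitize() is a tiny
// DOM-less allowlist stand-in so the file runs without a browser or jsdom.
// In real use, pass DOMPurify.sanitize to runVectors() instead.

// Constructed vectors modelled on expect.json-style entries. `expected` may be a
// string or an array of acceptable outputs (serialisation differs per engine).
// Only the first case is taken from the README; the rest are assumptions.
const VECTORS = [
  { payload: '<svg onload=alert(1)>', expected: '<svg></svg>' },
  { payload: '<a href="https://example.com" onclick="alert(1)">x</a>',
    expected: '<a href="https://example.com">x</a>' },
  { payload: '<a href="javascript:alert(1)">x</a>', expected: ['<a>x</a>'] },
  // alert(1) inside a style element is plain text to the parser, so it survives:
  { payload: '<style>p::after{content:"alert(1)"}</style><p>hi</p>',
    expected: '<style>p::after{content:"alert(1)"}</style><p>hi</p>' },
  { payload: '<script>alert(1)</script><b>ok</b>', expected: '<b>ok</b>' },
];

// Run every vector through `sanitize` and collect the ones whose output is not
// among the accepted strings. Returns counts plus the failing cases for review.
function runVectors(sanitize, vectors) {
  const failures = [];
  for (const { payload, expected } of vectors) {
    const accepted = Array.isArray(expected) ? expected : [expected];
    const actual = sanitize(payload);
    if (!accepted.includes(actual)) failures.push({ payload, expected: accepted, actual });
  }
  return { total: vectors.length, failed: failures.length, failures };
}

// --- toy allowlist stand-in (hypothetical allowlists, not DOMPurify's) ---
const ALLOWED_TAGS = new Set(['a', 'b', 'i', 'em', 'strong', 'p', 'svg', 'style']);
const ALLOWED_ATTRS = new Set(['href', 'title']);

// Accept only http(s), mailto, root-relative and fragment URLs; rejects javascript:, data:, etc.
function safeUrl(value) {
  return /^(https?:|mailto:|\/|#)/i.test(value.trim());
}

function toySanitize(html) {
  // Drop script elements with their content; a real sanitizer does this on the DOM.
  const input = html.replace(/<script\b[\s\S]*?<\/script\s*>/gi, '');
  const out = [];
  const open = [];           // stack of open element names, closed at the end if needed
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let last = 0;
  let m;
  while ((m = tagRe.exec(input)) !== null) {
    out.push(input.slice(last, m.index));   // text between tags passes through
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const isClose = m[0][1] === '/';
    if (!ALLOWED_TAGS.has(name)) continue;  // disallowed tag dropped, its text kept
    if (isClose) {
      const i = open.lastIndexOf(name);
      if (i === -1) continue;               // stray closing tag
      while (open.length > i) out.push(`</${open.pop()}>`);
      continue;
    }
    const attrs = [];
    const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let a;
    while ((a = attrRe.exec(m[2])) !== null) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED_ATTRS.has(attr)) continue;     // on* handlers never pass the allowlist
      if (attr === 'href' && !safeUrl(value)) continue;
      attrs.push(` ${attr}="${value.replace(/"/g, '&quot;')}"`);
    }
    out.push(`<${name}${attrs.join('')}>`);
    open.push(name);
  }
  out.push(input.slice(last));
  while (open.length) out.push(`</${open.pop()}>`);  // serialise unclosed elements
  return out.join('');
}

console.log(JSON.stringify(runVectors(toySanitize, VECTORS), null, 2));
```

The harness is the reusable part: keeping `expected` as a string or a list of strings mirrors the fact that different engines serialise the same DOM slightly differently, and returning the failing triples (payload, expected, actual) rather than a bare pass/fail is what makes a regression in one vector easy to spot. The stand-in sanitizer shows why the demo's `alert(1)` inside `<style>` is expected to remain: it is text content, not an attribute or script, so an allowlist on tags and attributes leaves it untouched.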
"Confusion must be avoided!" (Crockford)
Example:
- A visitor opens the repo.
- They read the description to get a sense of what the tool is about.
- They notice that there's a demo, so they open it.
- They see the example code that loads with the demo and notice the `alert(1)` parts in several of the lines at the beginning of that code. They assume that these parts will be sanitized.
- They press the left-most "Sanitize" button.
- The sanitized code is output in the second field. They notice that the `alert(1)` parts are still present in the sanitized code.
- The visitor is confused and leaves the page.
This pretty much describes my own experience yesterday. Now that simple code examples were added to the README, the experience is solid, I think.
I actually fixed the vector blob in the demo moments ago ;) You made a very good point: without studying the result, the sanitizing effect looked doubtful.