Could you provide code examples of what is being sanitized? about dompurify HOT 6 CLOSED

E.g. the alert(1) values are still present in the output.

What input did you use? The only example in the README is <svg onload=alert(1)> which gets sanitized to <svg></svg> properly.

Could you write a section in the README which gives a few code examples (before/after)?

https://cure53.de/purify has a lot of examples already. There’s also https://github.com/cure53/DOMPurify/blob/master/tests/expect.json.

from dompurify.

We're planning to add some unit tests (to avoid regressions). This way it will also be easier to compare the input and expected output on a per-case basis.

from dompurify.

@mathiasbynens This is what I get when I press the left-most button on that demo page:

The alert(1) parts are still present (I also checked in the browser's console - it's the same output as the code in the bottom field in the screenshot).

The example code on that demo page is very complex and there is no visual indication where the offending code is (that is being sanitized), so it's not very useful, I think. The added examples in the README are good enough, though.

from dompurify.

@simevidas The alert(1) is visible but inactive. It's inside a style element and therefore doesn't hurt anyone. Think of it as being text/plain.

The example is in fact a bit confusing. We basically collected all test vectors without specific order when prototyping the library. This very exotic one was the last reported bypass in case we sanitize for jQuery factory usage. However no reason to worry ;)

from dompurify.

"Confusion must be avoided!" (Crockford)

Example:

1. A visitor opens the repo.
2. They read the description to get a sense what the tool is about.
3. They notice that there's a demo, so they open it.
4. They see the example code that loads with the demo and notice the alert(1) parts in several of the lines at the beginning of that code. They assume that these parts will be sanitized.
5. They press the left-most "Sanitize" button.
6. The sanitized code is outputted in the second field. They notice that the alert(1) parts are still present in the sanitized code.
7. The visitor is confused and leaves the page.

This pretty much describes my own experience yesterday. Now, that simple code examples were added to the readme, the experience is solid, I think.

from dompurify.

I actually fixed the vector-blob in the demo moments ago ;) You made a very good point, w/o studying the result, the sanitizing effect looked doubtable.

from dompurify.