
Comments (8)

cure53 commented on August 27, 2024

Hmmm, not sure if I fully understand the question 🙂

Does this only happen with style elements inside SVG or also inside HTML? If only for SVG, I would strongly assume that the browser treats style inside SVG as an XSS sink:

<svg>
<style><script>alert(1)</script></style>
</svg>

from dompurify.

timonmasberg commented on August 27, 2024

> Hmmm, not sure if I fully understand the question 🙂
>
> Does this only happen with style elements inside SVG or also inside HTML? If only for SVG, I would strongly assume that the browser treats style inside SVG as an XSS sink:
>
> <svg>
> <style><script>alert(1)</script></style>
> </svg>

Yes, exactly, but whenever I call sanitize, it throws the error shown above (see the stack trace; it starts at sanitize). I don't understand why this throws an error.


cure53 commented on August 27, 2024

That I don't know either :) Can you spin up a test case so we can have a look at it?


timonmasberg commented on August 27, 2024

I created a small reproduction: https://gist.github.com/timonmasberg/d87cb5bd320d7443cab803e1a4aeed05

Thanks once again for your help!


cure53 commented on August 27, 2024

Thanks for making this available.

I am a bit confused because I am not sure how the error in fact relates to Trusted Types and not simply CSP. What I get is a CSP error complaining about the usage of inline CSS.

Could you explain further how this might be a TT issue and not simply CSP complaining about inline CSS?


timonmasberg commented on August 27, 2024

> Thanks for making this available.
>
> I am a bit confused because I am not sure how the error in fact relates to Trusted Types and not simply CSP. What I get is a CSP error complaining about the usage of inline CSS.
>
> Could you explain further how this might be a TT issue and not simply CSP complaining about inline CSS?

Yes, sorry, of course it is not a TT error; I was referring to it being thrown inside of the policy. Sorry for the misunderstanding. But what I still don't understand is why the error is thrown inside of DOMPurify. Shouldn't it strip away the style tag completely (at least when using the forbidden tags option)? Because for me the only fix is to "pre-sanitize" the string and pass it into DOMPurify. I would expect that this is also something done by the library.


cure53 commented on August 27, 2024

So, I think it's a plain CSP error message that only appears to show on Chrome (and other browsers with the same engine) but doesn't show on Firefox, for example - as my testing showed.

Googling this a bit seems to indicate that others have the same issue with Chrome being a bit overcritical here. Or Firefox not being critical enough, depending on the viewpoint 🙂

I think this is not a DOMPurify issue or anything we can actually fix. You could fix it by relaxing the CSP for CSS maybe?


timonmasberg commented on August 27, 2024

> So, I think it's a plain CSP error message that only appears to show on Chrome (and other browsers with the same engine) but doesn't show on Firefox, for example - as my testing showed.
>
> Googling this a bit seems to indicate that others have the same issue with Chrome being a bit overcritical here. Or Firefox not being critical enough, depending on the viewpoint 🙂
>
> I think this is not a DOMPurify issue or anything we can actually fix. You could fix it by relaxing the CSP for CSS maybe?

Hm, relaxing CSP would mean allowing all inline scripts. I just thought that DOMPurify would be able to handle this and strip everything away, but it appears that Chrome doesn't even like that. I guess I'll stick to "pre-"sanitizing it by removing the style tag myself...

Thanks

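The workaround the thread ends on, written out as an added example (this is not DOMPurify's own code and not code from either participant): strip `<style>` elements from the string before it reaches the parser, then run DOMPurify with `FORBID_TAGS`/`FORBID_ATTR` (both are real DOMPurify options), and expose the combination as a Trusted Types policy. The pre-strip is not the security boundary; DOMPurify still does the real sanitization, and the pre-strip exists only so that the raw CSS text never gets instantiated during parsing, which is what the thread reports Chrome's CSP complains about (whether it silences the report in your setup is the thread's claim, not something verified here). The policy name and the injected `sanitize` callback are assumptions for illustration; in a page you would pass `DOMPurify.sanitize`.

```javascript
// Added example, not DOMPurify's code and not from the issue thread.
// Assumptions: DOMPurify is loaded in the page (window.DOMPurify), the
// FORBID_TAGS / FORBID_ATTR options are used as DOMPurify documents them,
// and the policy name below is hypothetical.

// DOMPurify options that drop <style> elements and style="" attributes.
// This is the real sanitization step; the pre-strip below only keeps the
// raw <style> text from ever reaching the parser.
const PURIFY_CONFIG = {
  FORBID_TAGS: ['style'],
  FORBID_ATTR: ['style'],
};

// <style> is a raw-text element: everything up to the matching </style>
// end tag is CSS text, not markup, so the whole span can be cut out before
// the string is parsed. Matching is case-insensitive and tolerates
// attributes on both the start and the end tag. An unclosed <style>
// swallows the rest of the document in the HTML parser, so it is cut to
// the end of the string here as well.
function stripStyleElements(html) {
  const closed = /<style(?=[\s\/>])[^>]*>[\s\S]*?<\/style(?:[\s\/][^>]*)?>/gi;
  const unclosed = /<style(?=[\s\/>])[\s\S]*$/i;
  return String(html).replace(closed, '').replace(unclosed, '');
}

// Builds the sanitizer callback: pre-strip first, then the injected
// sanitizer (DOMPurify.sanitize in a page). Injecting it lets the
// composition be exercised without a DOM.
function makeCreateHTML(sanitize) {
  return (input) => sanitize(stripStyleElements(input), PURIFY_CONFIG);
}

// Registers the callback as a Trusted Types policy when the browser
// supports Trusted Types; otherwise returns a plain object with the same
// createHTML shape so calling code does not need to branch.
function createSanitizingPolicy(sanitize, name = 'dompurify-no-style') {
  const createHTML = makeCreateHTML(sanitize);
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, { createHTML });
  }
  return { createHTML };
}

// Browser usage (assumes DOMPurify is loaded as a global):
//   const policy = createSanitizingPolicy((s, cfg) => DOMPurify.sanitize(s, cfg));
//   element.innerHTML = policy.createHTML(untrustedMarkup);
```

Because DOMPurify still runs with `FORBID_TAGS: ['style']` after the pre-strip, a `<style>` that slips past the regex (an odd tokenizer edge case, say) is removed anyway; the only thing such a miss can cost you is the CSP console report the thread is about, not the sanitization result.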
