Comments (13)
fhemberger
commented on July 24, 2024
If it's a breaking change, that means this should be a 1.0.0 release (semver-major). And the reason for it should be documented. What browsers could break by switching from document.implementation.createHTMLDocument to window.DOMParser?
from dompurify.
cure53
commented on July 24, 2024
It might be a breaking change but I hope it's not, hence my review request :) So far it looks like it's not - but I cannot judge that on my own.
from dompurify.
fhemberger
commented on July 24, 2024
If all the browser tests are green, it seems to work … I'm sorry, but at some point you lost me with all the DOM voodoo going on. I must admit, I'm not that much into that particular topic to be of much help here. (Especially after exclusively working on the server side the last 14+ months.) ;)
from dompurify.
cure53
commented on July 24, 2024
Aye, okay :) Are the code conventions all met? If so, I'd merge and prepare a release.
from dompurify.
mozfreddyb
commented on July 24, 2024
s/@freddyb/@mozfreddyb ;-)
from dompurify.
fhemberger
commented on July 24, 2024
LGTM
from dompurify.
cure53
commented on July 24, 2024
Thx. I am preparing the 0.6.7 release now.
from dompurify.
koto
commented on July 24, 2024
So, what was the bypass?
from dompurify.
cure53
commented on July 24, 2024
It was documented along with the release:
https://github.com/cure53/DOMPurify/releases/tag/0.6.7
<script>
// This is SAFE (but shouldn't be!)
document.body.innerHTML='<svg><p><style><img src="</style><img src=x onerror=alert(1)//">'
</script>
<script>
// This is UNSAFE
document.write('<svg><p><style><img src="</style><img src=x onerror=alert(1)//">')
</script>
from dompurify.
mozfreddyb
commented on July 24, 2024
I think it was mentioned in the release notes, here's the issue discussed in Bugzilla:
https://bugzilla.mozilla.org/show_bug.cgi?id=1205631
from dompurify.
cure53
commented on July 24, 2024
@mozfreddyb "discussed" :)
The issue is still existing, FF is still unreliable and delivers broken innerHTML.
DOMPurify patches around it successfully - but we had to change a lot for that.
from dompurify.
mozfreddyb
commented on July 24, 2024
Seems like a spec problem to me. shrugs
document.write was invented when HTML parsing wasn't properly defined.
You may have also gotten better results when supplying a doctype prior to your .write().
from dompurify.
cure53
commented on July 24, 2024
Nope, it's a Firefox problem :)
FF doesn't properly handle innerHTML in the SVG context. Even MSIE does it right :P
from dompurify.
Related Issues (20)
- Question about using DOMPurify for a tricky usecase. HOT 8
- Question regarding DOMPurify ADD_TAGS is not allowing <script> tag HOT 7
- n
- Title: Sanitization removes valid iframe attributes and changes attribute order HOT 8
- Fix for bug in demo hooks-sanitize-css-demo.html HOT 3
- Sanitization Issue: Comments Removed Despite ADD_TAGS Configuration HOT 8
- Sanitization Issue with DomPurify HOT 3
- New release v3.1.0 (not in releases) HOT 1
- How do I use the API provided by DomPurify to verify the SVG file is it risky? HOT 1
- Sanitize returns empty string when PARSER_MEDIA_TYPE: application/xhtml+xml and void tags HOT 4
- DOMPurify and Trusted Types - Clarification to Docs HOT 9
- when using bypasssecurityTrustHtml mthod to render template HOT 3
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method HOT 2
- Use lower case for bower package name HOT 1
- Uncertain how to handle 'non-standard' HTML HOT 3
- Need to block external calls, e.g. all HTTP requests HOT 7
- Why does name="name" on an input field get purified? HOT 1
- Exception when passing 0 or "" or null to Dompurify.Sanitize Method #947 HOT 3
- Latest versions of DOMPurify 2.5.x block custom SVG elements when they are set via ADD_TAGS config. HOT 6
- release 3.1.3 assets are the same as 3.1.2 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from dompurify.