cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

How to keep (sub) strong tags included in a deleted (unwanted) span tag? #1012

Closed fabGutin closed 3 weeks ago

fabGutin commented 4 weeks ago

Hello and thank you for this library that I use to clean up html code copied from google docs

I would like to remove the span tags from the copied text but keep the text inside the tags as well as any strong tags included in the deleted span tags.

I manage to remove the span tags while keeping the text inside the tags but any strong tags are also removed.

Example

DOMPurify.sanitize(
  '<p><span style="background-color:transparent;color:#000000;"><strong>Some strong text</strong></span></p>',
  { ALLOWED_TAGS: ['p', 'strong'] }
);

Output

<p>Some strong text</p>

Expected output

<p><strong>Some strong text</strong></p>

I also tried with this kind of hook

DOMPurify.addHook("afterSanitizeAttributes", function (node, data, config) {
  // replace every <span> that is still present with its text content
  if (node.nodeName === "SPAN") {
    node.replaceWith(node.textContent ?? "");
  }
});

But the output is the same, <strong> tags inside <span> are also deleted.

Can you please tell me how to keep (sub) <strong> tags after “sanitize”?

Many thanks
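The two behaviours the post contrasts can be shown without a browser. The block below is an added illustration, not DOMPurify's code and not a sanitizer: it is a toy tokenizer that models only what survives when a disallowed tag is unwrapped (its own markup dropped, its children kept) versus when an element is replaced by its `textContent`, which collapses the whole subtree, `<strong>` included, into plain text. The function names `unwrapDisallowed` and `flattenToText` are assumptions, and the sample input is the markup from the post.

```javascript
// Added example (not from DOMPurify): a toy model of "drop the tag, keep its
// content" versus "replace the element with its textContent". It only
// tokenizes well-formed markup and does not touch attributes; do not use it
// as a sanitizer.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;

// Split markup into tag tokens ({ raw, name, closing }) and text strings.
function tokenize(html) {
  const tokens = [];
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    if (m.index > last) tokens.push(html.slice(last, m.index));
    tokens.push({ raw: m[0], name: m[1].toLowerCase(), closing: m[0].startsWith('</') });
    last = m.index + m[0].length;
  }
  if (last < html.length) tokens.push(html.slice(last));
  return tokens;
}

// Model of a tag allow-list with "keep content" semantics: a tag that is not
// allowed is unwrapped, i.e. its own markup is dropped while its children are
// still processed, so a nested allowed <strong> survives.
function unwrapDisallowed(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  let out = '';
  for (const tok of tokenize(html)) {
    if (typeof tok === 'string') { out += tok; continue; }
    if (allowed.has(tok.name)) out += tok.raw;
  }
  return out;
}

// Model of `node.replaceWith(node.textContent)` applied to every element with
// the given name: everything inside that element, tags included, collapses to
// its text, so a nested <strong> disappears.
function flattenToText(html, tagName) {
  const target = tagName.toLowerCase();
  let depth = 0; // > 0 while inside a <target> element
  let out = '';
  for (const tok of tokenize(html)) {
    if (typeof tok === 'string') { out += tok; continue; }
    if (tok.name === target) { depth += tok.closing ? -1 : 1; continue; }
    if (depth === 0) out += tok.raw;
  }
  return out;
}

// Constructed sample: the markup from the post.
const SAMPLE =
  '<p><span style="background-color:transparent;color:#000000;"><strong>Some strong text</strong></span></p>';

console.log(unwrapDisallowed(SAMPLE, ['p', 'strong'])); // <p><strong>Some strong text</strong></p>
console.log(flattenToText(SAMPLE, 'span'));             // <p>Some strong text</p>
```

The first call reproduces the output the post expects from an allow-list of `p` and `strong`; the second reproduces the `<p>Some strong text</p>` the post observed, which is exactly what any step that swaps a `<span>` for its `textContent` produces.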

fabGutin commented 3 weeks ago

Sorry the problem was not from DOMPurify. I am posting my own answer to this issue.

In fact I use the DOMPurify library in addition to ckeditor 5 (https://ckeditor.com/ckeditor-5/). So, what I should have done before: I tested my DOMPurify code outside the ckeditor context and realized by doing this that my DOMPurify code worked as expected.

So I then investigated to understand what was happening by continuing testing in ckeditor context.

In fact I had left the “font” plugin active in the ckeditor configuration and because of that ckeditor was constantly adding this unwanted <span> tag after DOMPurify sanitization, which is what was disturbing me.

<span style="background-color:transparent;color:#000000;"></span>

This post helped me identify and fix my problem: https://github.com/ckeditor/ckeditor5/issues/6492

After removing the font plugin from the ckeditor configuration everything works as expected.

So I close this issue as DOMPurify works perfectly for my needs.

Thanks again for developing this very useful library.