cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Endless loop of `DOMParser.parseFromString` when used with Trusted Types polyfill #1027

Closed orazioedoardo closed 2 hours ago

orazioedoardo commented 2 hours ago

Background & Context

When trying to use DOMPurify in conjunction with the trustedTypes polyfill, the HTML is not sanitized but rather seems to run into an endless loop as if DOMPurify does not set its "dompurify" policy. Not sure if it's a DOMPurify issue, or an issue with the polyfill, or if I'm using it wrong, sorry if this is the wrong place to ask.

Input

This is the sample JavaScript code which I then bundle with webpack.

```javascript
import { trustedTypes, TrustedTypeConfig, TrustedTypesEnforcer } from "trusted-types";
import DOMPurify from "dompurify";

let trustedTypesObject;

if (window.trustedTypes && trustedTypes.createPolicy) {
    // Native Trusted Types support: use the browser's object.
    trustedTypesObject = window.trustedTypes;
} else {
    // No native support: keep the polyfill's trustedTypes in a local variable
    // (window.trustedTypes is not assigned here) and turn on enforcement,
    // allowing only the "default" and "dompurify" policy names.
    trustedTypesObject = trustedTypes;
    const config = new TrustedTypeConfig(false, true, ["default", "dompurify"], false);
    const enforcer = new TrustedTypesEnforcer(config);
    enforcer.install();
}

// Default policy: any plain string reaching an enforced sink is passed through
// DOMPurify, which returns a string here (RETURN_TRUSTED_TYPE: false).
trustedTypesObject.createPolicy("default", {
    createHTML: (string, type) => {
        console.warn("Created a '" + type + "' object.");
        return DOMPurify.sanitize(string, { RETURN_TRUSTED_TYPE: false });
    },
});
```

Given output

Example output from Safari, caught in an endless loop of thousands of DOMParser.parseFromString sanitization instances. At some point it ends but I believe the browser is doing it. If I try it in Chrome, it never ends and hangs the tab.


Expected output

Expected a TrustedHTML object.
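The loop described in this report can be modelled without a browser. The following is an added example, not code from DOMPurify, the Trusted Types polyfill or the reporter: a small Node model of what happens when the `default` policy's `createHTML` calls a sanitizer that itself hands plain strings to a guarded `DOMParser.parseFromString`. The sink is re-entered, the default policy runs again, and so on. The enforcement logic, the `TrustedTypesModel` and `makeSanitizer` names, the depth limit standing in for "the tab hangs", and the toy tag stripping are all assumptions constructed for the model; the second scenario shows the cycle breaking once the sanitizer wraps its own payload through a policy of its own (the role DOMPurify's `dompurify` policy plays when it can see the trusted types object).

```javascript
// Added example (not DOMPurify's, the polyfill's or the reporter's code): a model
// of Trusted Types enforcement whose guarded sink routes plain strings through
// the "default" policy. Everything below is a simplified assumption of the real
// behaviour, kept only to show the recursion and what breaks it.

class TrustedHTML {
  constructor(value) {
    this.value = value;
    Object.freeze(this);
  }
  toString() {
    return this.value;
  }
}

class TrustedTypesModel {
  constructor(maxDepth = 50) {
    this.policies = new Map();
    this.depth = 0;           // current nesting of guarded-sink calls
    this.maxDepth = maxDepth; // stand-in for "the tab hangs"
  }

  // Mirrors the shape of trustedTypes.createPolicy: wraps rules.createHTML so
  // that whatever it returns comes back as a TrustedHTML instance.
  createPolicy(name, rules) {
    if (this.policies.has(name)) throw new Error(`policy "${name}" already exists`);
    const policy = {
      name,
      createHTML: (input, ...args) => new TrustedHTML(rules.createHTML(String(input), ...args)),
    };
    this.policies.set(name, policy);
    return policy;
  }

  // Guarded sink standing in for the enforcer's wrapped DOMParser.parseFromString:
  // TrustedHTML passes through; a plain string is routed to the default policy.
  parseFromString(input) {
    if (input instanceof TrustedHTML) return { parsed: input.value };
    const defaultPolicy = this.policies.get("default");
    if (!defaultPolicy) throw new TypeError("parseFromString requires TrustedHTML");
    if (++this.depth > this.maxDepth) {
      this.depth = 0;
      throw new RangeError("default policy recursed back into the guarded sink");
    }
    try {
      return this.parseFromString(defaultPolicy.createHTML(input, "DOMParser parseFromString"));
    } finally {
      this.depth = Math.max(0, this.depth - 1);
    }
  }
}

// Model sanitizer. Like DOMPurify it parses its input through DOMParser; with a
// policy of its own it wraps the payload first, otherwise it hands over a plain
// string. The <script> stripping is a constructed toy, not DOMPurify's algorithm.
function makeSanitizer(tt, ownPolicy) {
  return function sanitize(dirty) {
    const payload = ownPolicy ? ownPolicy.createHTML(dirty) : dirty;
    const doc = tt.parseFromString(payload);
    return doc.parsed.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, "");
  };
}

// Runs the reporter's setup against the model: a "default" policy that sanitizes,
// with or without the sanitizer having registered its own "dompurify" policy.
function runScenario(sanitizerHasOwnPolicy) {
  const tt = new TrustedTypesModel();
  const own = sanitizerHasOwnPolicy
    ? tt.createPolicy("dompurify", { createHTML: (s) => s })
    : null;
  const sanitize = makeSanitizer(tt, own);
  tt.createPolicy("default", { createHTML: (s) => sanitize(s) });
  const dirty = "<b>hi</b><script>alert(1)</script>"; // constructed sample input
  try {
    return { ok: true, html: tt.parseFromString(dirty).parsed };
  } catch (err) {
    return { ok: false, error: err.constructor.name };
  }
}

console.log("sanitizer without own policy:", runScenario(false));
console.log("sanitizer with own policy:   ", runScenario(true));
```

Without its own policy the sanitizer re-enters the guarded sink on every call and the model stops only because of the artificial depth limit; with its own policy the payload is already `TrustedHTML` when it reaches the sink, so the default policy runs once and returns the sanitized markup.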

cure53 commented 2 hours ago

Heya, thanks for filing - if this is our bug, we will happily be fixing it, but I think it's not.

In case the issue only appears with the poly-fill in place, then I think their code might need fixing, not ours.

orazioedoardo commented 2 hours ago

Wow thanks for the quick reply. I will post an issue on https://github.com/w3c/trusted-types and see what they think about this.

cure53 commented 2 hours ago

Cool, thanks :)

orazioedoardo commented 2 hours ago

> In case the issue only appears with the poly-fill in place, then I think their code might need fixing, not ours.

Oh by the way, yes if I load the polyfill as explained here, DOMPurify works as expected.