cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Not able to sanitize dirty string #714

Closed ag0059985 closed 2 years ago

ag0059985 commented 2 years ago

This issue proposes a [bug, feature] which...

Background & Context

I am trying to use the dompurify.sanitize function on the string below, and this string is a binding of HTML.

"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\\/video\\input autofocus\br /"

Bug

So when trying to use the DOMPurify.sanitize function on this string, I am getting the same string back, and as a result document.cookie is shown on the page in an alert dialog box.

Input

"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\/video\input autofocus\br /"

Given output

"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\/video\input autofocus\br /"

Expected output

"p\ul tabindex=1 id=x\/video\input autofocus\br /"

Feature

Please let me know if I am doing something wrong, and this is an expected result.

Thanks

cure53 commented 2 years ago

Heya, we only sanitize HTML, not anything that resembles HTML or might serve as HTML binding. So, this is the expected result.

Feed us actual HTML and it will work as intended; sanitization will take place :)

kamiranoff commented 1 year ago

Not sure if this is the right place but if that string is not sanitised, does it represent a threat? And what should I use to prevent this?
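To make the distinction in cure53's reply concrete, and to show the rendering rule behind the question above, here is an added example that is not from the issue thread or from the DOMPurify project. It assumes `purify.min.js` from the DOMPurify distribution is served next to the page; the variable names and the `out` element are chosen here.

```html
<!-- Added example, not part of the issue thread or of DOMPurify itself.
     Assumes purify.min.js from the DOMPurify distribution sits next to this file. -->
<!DOCTYPE html>
<meta charset="utf-8">
<div id="out"></div>
<script src="purify.min.js"></script>
<script>
  // A string shaped like the one in the report: backslashes, no angle brackets.
  // The HTML parser sees only a text node here, so there is nothing to strip
  // and sanitize() hands the string back unchanged (the "Given output" above).
  const notMarkup = 'p\\ul onbeforecopy="alert(2)" contenteditabletest\\/ul\\br /';
  console.log(DOMPurify.sanitize(notMarkup) === notMarkup); // true

  // The same fragment written as real HTML: now the parser builds a <ul>
  // element carrying an event-handler attribute and an unknown attribute,
  // and DOMPurify drops both, keeping the element and its text.
  const markup = '<ul onbeforecopy="alert(2)" contenteditabletest>item</ul>';
  console.log(DOMPurify.sanitize(markup)); // <ul>item</ul>

  // Rendering rule for the first case: a value that is text is inserted as
  // text. textContent never parses markup, so the string stays inert even if
  // it contains characters that would form tags once turned into HTML.
  document.getElementById('out').textContent = notMarkup;

  // Only a value meant to be HTML goes through innerHTML, and only after
  // it has been sanitized as HTML.
  const container = document.createElement('div');
  container.innerHTML = DOMPurify.sanitize(markup);
  document.body.appendChild(container);
</script>
```

The threat in the report therefore depends on how the string is later rendered, not on DOMPurify: text assigned via textContent cannot become an element, while anything assigned via innerHTML must first be sanitized in its actual HTML form.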