Closed ag0059985 closed 2 years ago
Heya, we only sanitize HTML, not anything that resembles HTML or might serve as HTML binding. So, this is the expected result.
Feed us actual HTML and it will work as intended; sanitization will take place :)
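To make the distinction in this reply concrete, here is an added example (not code from the issue or from the DOMPurify project). It scans a string the way an HTML tokenizer would, only ever opening a tag at `<` followed by a letter or `/`, and lists the `on*` event-handler attributes a parser would actually create. The reported string, which has backslashes where angle brackets would be, never opens a tag, so there is nothing for a sanitizer to strip; the angle-bracket version is an assumed reconstruction of the markup the reporter probably meant, constructed for this example, and in it the handlers appear as real attributes. The scanner is an illustration of what counts as markup, not a sanitizer.

```javascript
// Added example, not from the DOMPurify issue or project. Shows why a string
// that merely resembles HTML passes through unchanged: without a real tag
// start ('<' + letter), an HTML parser never creates elements or attributes.

// The string exactly as reported in the issue: backslashes, no angle brackets.
const REPORTED_STRING =
  'p\\ul onbeforecopy="alert(2)" contenteditabletest\\/ul\\br / ' +
  '\\video onmouseover=alert(document.cookie) tabindex=1 id=x\\/video\\input autofocus\\br /';

// Assumed reconstruction of the intended markup, constructed for this example.
const REAL_HTML =
  '<p><ul onbeforecopy="alert(2)" contenteditable>test</ul><br />' +
  '<video onmouseover=alert(document.cookie) tabindex=1 id=x></video>' +
  '<input autofocus><br />';

// Minimal tag/attribute scanner in the shape of the HTML tokenizer's tag-open
// state. Ignores comments, raw-text elements and entity decoding; it is here
// to show what a parser would turn into elements and attributes, nothing more.
function scanTags(html) {
  const tags = [];
  let i = 0;
  while (i < html.length) {
    // A tag only begins at '<' followed by an ASCII letter or '/'.
    if (html[i] !== '<' || !/[A-Za-z/]/.test(html[i + 1] || '')) { i++; continue; }
    i++;
    let name = '';
    if (html[i] === '/') { name = '/'; i++; } // closing tag marker
    while (i < html.length && !/[\s/>]/.test(html[i])) name += html[i++];
    const attrs = [];
    while (i < html.length && html[i] !== '>') {
      if (/[\s/]/.test(html[i])) { i++; continue; } // whitespace or self-closing slash
      let attr = '';
      while (i < html.length && !/[\s=/>]/.test(html[i])) attr += html[i++];
      let value = null;
      if (html[i] === '=') {
        i++;
        const q = html[i];
        if (q === '"' || q === "'") {           // quoted attribute value
          i++;
          value = '';
          while (i < html.length && html[i] !== q) value += html[i++];
          i++;                                   // closing quote
        } else {                                 // unquoted attribute value
          value = '';
          while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
        }
      }
      if (attr) attrs.push({ name: attr.toLowerCase(), value });
    }
    i++; // '>'
    tags.push({ name: name.toLowerCase(), attrs });
  }
  return tags;
}

// Event-handler attributes a parser would actually instantiate, as "tag.attr".
// These are what a sanitizer like DOMPurify removes from real HTML.
function findEventHandlers(html) {
  const found = [];
  for (const tag of scanTags(html)) {
    for (const a of tag.attrs) {
      if (a.name.startsWith('on')) found.push(`${tag.name}.${a.name}`);
    }
  }
  return found;
}

console.log('reported string:', findEventHandlers(REPORTED_STRING)); // nothing is markup
console.log('real HTML:', findEventHandlers(REAL_HTML));             // handlers to strip
```

The practical consequence: run the sanitizer on the HTML string that will actually be parsed into the DOM, after whatever step turns this intermediate representation back into `<`/`>` markup, rather than on the escaped form, where no parser (and therefore no sanitizer) sees any tags.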
Not sure if this is the right place, but if that string is not sanitised, does it represent a threat? And what should I use to prevent this?
### Background & Context
I am trying to use the DOMPurify.sanitize function on the string below, and this string is a binding of HTML.
"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\\/video\\input autofocus\br /"
### Bug
So when trying to use the DOMPurify.sanitize function on this string, I am getting the same string back, and as a result document.cookie is shown on the page in an alert dialog box.
### Input
"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\/video\input autofocus\br /"
### Given output
"p\ul onbeforecopy="alert(2)" contenteditabletest\/ul\br / \video onmouseover=alert(document.cookie) tabindex=1 id=x\/video\input autofocus\br /"
### Expected output
"p\ul tabindex=1 id=x\/video\input autofocus\br /"

### Feature
Please let me know if I am doing something wrong and this is the expected result.
Thanks