cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

[QUESTION] How to sanitize style tags and attributes #808

Closed JeremyBradshaw7 closed 1 year ago

JeremyBradshaw7 commented 1 year ago

I plan to allow style tags and attributes through, but I do want to strip out any security vulnerabilities from them, such as any `expression` or `javascript:` use, as discussed here.

How can that be achieved in DOMPurify?

cure53 commented 1 year ago

Why? Is MSIE6 part of your threat model? If so, DOMPurify won't work anyway, and for no other browser are those kinds of sanitizations actually needed.
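For anyone who still has a policy reason to reject the two legacy constructs named in the question (IE-only `expression()` and `javascript:` inside CSS), this is an added illustration of how DOMPurify's hook mechanism can post-process `style` attributes and `<style>` elements. It is not DOMPurify's own code and not part of this thread; only `addHook`, the `uponSanitizeAttribute` / `uponSanitizeElement` hook names and the `data.attrName`, `data.attrValue` and `data.tagName` fields are the real DOMPurify API. The normalisation, pattern list and helper names (`normaliseCss`, `containsLegacyCssVector`, `stripLegacyCssDeclarations`, `registerLegacyCssHooks`) are assumptions of this example, and it assumes your config already lets `style` through.

```javascript
// Added example: legacy-CSS check hooked into DOMPurify (not project code).
// The two vectors from the question, tested against a normalised declaration.
const LEGACY_CSS_PATTERNS = [
  /expression\s*\(/, // IE "dynamic properties", e.g. width: expression(...)
  /javascript\s*:/,  // javascript: URLs inside url(...) and similar
];

// Undo the tricks that split a token: CSS comments and backslash escapes
// ("exp/**/ression", "\65 xpression"), then lower-case for matching.
function normaliseCss(css) {
  return String(css)
    .replace(/\/\*[\s\S]*?\*\//g, '')
    .replace(/\\([0-9a-f]{1,6})\s?/gi, (_, hex) => {
      const cp = parseInt(hex, 16);
      return cp > 0x10ffff ? '\ufffd' : String.fromCodePoint(cp);
    })
    .replace(/\\([\s\S])/g, '$1')
    .toLowerCase();
}

function containsLegacyCssVector(css) {
  const normalised = normaliseCss(css);
  return LEGACY_CSS_PATTERNS.some((re) => re.test(normalised));
}

// Drop only the offending declarations of an inline style and keep the rest.
// Simplification (assumption): declarations are split on ';', so a ';' inside
// a quoted url(...) string would also split; acceptable for a style attribute.
function stripLegacyCssDeclarations(css) {
  return String(css)
    .split(';')
    .map((decl) => decl.trim())
    .filter((decl) => decl.length > 0 && !containsLegacyCssVector(decl))
    .join('; ');
}

// uponSanitizeAttribute hook: DOMPurify reads data.attrValue back after the
// hook returns, so rewriting it is enough to change what is kept.
function legacyCssAttributeHook(node, data) {
  if (data.attrName !== 'style') return;
  data.attrValue = stripLegacyCssDeclarations(data.attrValue);
}

// uponSanitizeElement hook: a whole stylesheet is not safely editable with
// the ';' splitter above, so a <style> that trips the check is blanked.
function legacyCssElementHook(node, data) {
  if (data.tagName !== 'style') return;
  if (containsLegacyCssVector(node.textContent)) node.textContent = '';
}

// Register both hooks on a DOMPurify instance (the one real API call here).
function registerLegacyCssHooks(purify) {
  purify.addHook('uponSanitizeAttribute', legacyCssAttributeHook);
  purify.addHook('uponSanitizeElement', legacyCssElementHook);
  return purify;
}

// Usage: in a browser (or with a DOMPurify instance created via jsdom) the
// hooks apply to every subsequent DOMPurify.sanitize() call.
if (typeof DOMPurify !== 'undefined') {
  registerLegacyCssHooks(DOMPurify);
}
```

The attribute hook edits declaration by declaration so ordinary CSS survives, while the element hook is deliberately conservative and blanks the stylesheet rather than attempting a partial rewrite; as the maintainer notes above, both only matter for a threat model that still includes MSIE6-era engines.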