cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Cannot prevent automatic conversion of phone numbers to <a links with tel: href #816

Closed myufa closed 1 year ago

myufa commented 1 year ago

This issue proposes a bug in dompurify ^2.3.3 on iOS 16

Background & Context

When using dompurify on iOS 16 (and potentially other iOS versions), strings of numbers and dashes formatted as seen below are converted to telephone links. This is not to be confused with any formatting Apple could be doing on these strings. The link is generated in the sanitize function.

This is causing item IDs for our product to be misrepresented in the UI as phone numbers.

This does not happen on desktop, that I have seen.

Bug

Input

sanitize("1234-567-891")

Given output

"<a href="tel:1234-567-891">1234-567-891</a>"

Expected output

"1234-567-891"
cure53 commented 1 year ago

Hah, interesting and seemingly a weird behavior of iOS and nothing we can fix. Unless you have any ideas?

myufa commented 1 year ago

> Hah, interesting and seemingly a weird behavior of iOS and nothing we can fix. Unless you have any ideas?

This is not just an iOS behavior; these strings do not get formatted into links outside of the sanitize function.

cure53 commented 1 year ago

Well, we don't have any code implementing that, that I can pretty much guarantee :smile: So, where does this come from?

cure53 commented 1 year ago

I also tried these snippets on iOS v16 using BrowserStack: https://jsfiddle.net/0rcaLfe4/ https://jsfiddle.net/0rcaLfe4/1

It does not reproduce for me.

iPhone 14 v16.4

OS: iOS, v16.4
Browser: Safari

Also, changing the version from (outdated) DOMPurify 2.3.3 to newer versions doesn't deliver any repro, can you produce a working test case per chance? Else I have nothing to work with.

cure53 commented 1 year ago

Closing this for now, no repro, no case - please reopen if needed.

Anderman commented 8 months ago

I see this behaviour also on the iPhone, and it is indeed dompurify that is adding this. That is because they use the virtual DOM of Safari, which is inserting the phone number.

I see where the confusion is coming from. DOMPurify uses a virtual DOM to sanitize HTML, but it doesn't inherently add links to numbers. It's designed to remove potentially harmful elements from HTML, not add new ones.

However, when DOMPurify parses and sanitizes the HTML, it uses the browser's HTML parsing engine, which in Safari on iOS includes automatic phone number detection. So, when the sanitized HTML is inserted back into the page, any phone numbers may appear as links, even though DOMPurify didn't explicitly add those links.

This is a feature of the browser, not DOMPurify. If you want to prevent this behavior, you can use the format-detection meta tag in your HTML:

<meta name="format-detection" content="telephone=no">

This will tell Safari not to automatically detect and link phone numbers.
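A regression check for the behaviour discussed in this thread, added here as an example and not code from the DOMPurify project: given the string passed to sanitize() and the string it returned, it lists every tel: anchor in the output whose link text was plain text in the input, i.e. a link the sanitizer pipeline (the browser's parser, per the explanation above) created rather than passed through. The sample strings are constructed from the report; findInjectedTelLinks and checkSanitizer are names of my own, and the sanitize function is supplied by the caller.

```javascript
// Matches an <a> element whose href is a tel: URI; group 1 is the number
// part of the href, group 2 the link text.
const TEL_ANCHOR =
  /<a\b[^>]*\bhref\s*=\s*["']?tel:([^"'\s>]*)["']?[^>]*>([\s\S]*?)<\/a>/gi;

// Returns the tel: anchors present in `output` that were not present in
// `input` but whose text was, i.e. links injected between input and output.
function findInjectedTelLinks(input, output) {
  // tel: hrefs that were already in the input are legitimate pass-through
  const inputTels = new Set();
  for (const m of input.matchAll(TEL_ANCHOR)) inputTels.add(m[1]);

  const injected = [];
  for (const m of output.matchAll(TEL_ANCHOR)) {
    const [, number, text] = m;
    if (!inputTels.has(number) && input.includes(text)) {
      injected.push({ href: 'tel:' + number, text });
    }
  }
  return injected;
}

// Runs `sanitize` (e.g. s => DOMPurify.sanitize(s) in a browser test page)
// on `input` and reports any tel: links that appeared only in the output.
function checkSanitizer(sanitize, input) {
  const output = sanitize(input);
  return { output, injected: findInjectedTelLinks(input, output) };
}

// Constructed samples mirroring the issue: the item ID the reporter passed
// in, and the output they observed on iOS.
const ITEM_ID = '1234-567-891';
const IOS_OUTPUT = '<a href="tel:1234-567-891">1234-567-891</a>';

// Stand-in sanitizers for running this file without a DOM: one that behaves
// like the desktop result (identity) and one that reproduces the iOS report.
const desktopLike = (s) => s;
const iosLike = () => IOS_OUTPUT;

console.log(checkSanitizer(desktopLike, ITEM_ID).injected.length); // 0
console.log(checkSanitizer(iosLike, ITEM_ID).injected.length);     // 1
```

In a Safari/iOS test page, pass the real DOMPurify.sanitize wrapper to checkSanitizer and fail the test when injected is non-empty; on the string level this is the repro the maintainer asked for.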