cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Outlook VML statements become commented #819

Closed markb-trustifi closed 1 year ago

markb-trustifi commented 1 year ago

Background & Context

Commented Outlook VML statements remain as is. Uncommented Outlook VML statements become commented.

dompurify: 3.0.1 jsdom: 22.1

Bug

Input

<!--[if gte vml 1]>
<v:shape id="Picture_x0020_2074" o:spid="_x0000_s1516" type="#_x0000_t75" style='position:absolute;margin-left:85.5pt;margin-top:0;width:322.5pt;height:0;z-index:252065792;visibility:visible;mso-wrap-style:square;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text;mso-width-percent:0;mso-height-percent:0;mso-width-relative:page;mso-height-relative:page'>
  <v:imagedata src="cid:image001.png@01D9A2AD.BD237600" o:title="~AUT0002" />
</v:shape>
<![endif]-->
<![if !vml]>
<span style="mso-ignore:vglayout;position:absolute;z-index:252065792;margin-left:371px;margin-top:154px;width:645px;height:1px">
  <img width="430" height="1" style="width:4.4791in;height:.0069in" src="cid:image068.jpg@01D9A2AD.C8D53C40" v:shapes="Picture_x0020_2074">
</span>
<![endif]>
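
const jsdom = require('jsdom');
const dompurify = require('dompurify');

// `html` holds the Outlook markup shown above
let cfg = {
   WHOLE_DOCUMENT: true,
   ADD_TAGS: ['#comment'],   // keep comment nodes instead of dropping them
   FORBID_TAGS: ['noscript']
};
const virtualConsole = new jsdom.VirtualConsole();
const windowShim = new jsdom.JSDOM('', {resources: "usable", virtualConsole: virtualConsole}).window;
const DOMPurify = dompurify(windowShim);
const stripedHtml = DOMPurify.sanitize(html, cfg);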

Given output

<!--[if gte vml 1]>
<v:shape id="Picture_x0020_2074" o:spid="_x0000_s1516" type="#_x0000_t75" style='position:absolute;margin-left:85.5pt;margin-top:0;width:322.5pt;height:0;z-index:252065792;visibility:visible;mso-wrap-style:square;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text;mso-width-percent:0;mso-height-percent:0;mso-width-relative:page;mso-height-relative:page'>
  <v:imagedata src="cid:image001.png@01D9A2AD.BD237600" o:title="~AUT0002" />
</v:shape>
<![endif]-->
<!--[if !vml]-->
<span style="mso-ignore:vglayout;position:absolute;z-index:252065792;margin-left:371px;margin-top:154px;width:645px;height:1px">
<img src="cid:6e7d3681a84b7f1bbf21103b297ed1a0" style="width:4.4791in;height:.0069in" height="1" width="430">
</span>
<!--[endif]-->

Expected output

Everything should remain unchanged

cure53 commented 1 year ago

There is sadly no easy way to fix this behavior. The weird Outlook VML statements are non-standard HTML and naturally will be removed. Maybe you can write a hook to better control this behavior - but no changes in the core library are expected to handle this.
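Why the uncommented statements change, as an added example (not code from DOMPurify, jsdom or parse5): the HTML parsing rules treat any `<!` that does not open `<!--` or a DOCTYPE as a "bogus comment" running to the next `>`, and the DOM serializes it back as a normal comment. The function name `findBogusComments` and the sample markup are constructed here; raw-text elements, attribute values and SVG/MathML CDATA sections are not modeled.

```javascript
// Added example: predict which "<!" constructs an HTML5 parser will turn into
// comments, so a caller can see what will be rewritten before sanitizing.
// Simplified model of the tokenizer; see the assumptions in the lead-in.
function findBogusComments(html) {
  const rewrites = [];
  let i = 0;
  while ((i = html.indexOf('<!', i)) !== -1) {
    if (html.startsWith('<!--', i)) {
      // Real comment: everything up to "-->" is comment data, so a nested
      // "<![endif]" inside it is untouched. Searching from i + 2 also covers
      // the abruptly closed forms "<!-->" and "<!--->".
      const end = html.indexOf('-->', i + 2);
      i = end === -1 ? html.length : end + 3;
    } else if (/^<!doctype/i.test(html.slice(i, i + 9))) {
      const end = html.indexOf('>', i);
      i = end === -1 ? html.length : end + 1;
    } else {
      // Anything else after "<!" is a bogus comment: its data is the text
      // between "<!" and the next ">" (or end of input).
      const end = html.indexOf('>', i);
      const stop = end === -1 ? html.length : end;
      rewrites.push({
        original: html.slice(i, end === -1 ? stop : stop + 1),
        serialized: `<!--${html.slice(i + 2, stop)}-->`,
      });
      i = stop + 1;
    }
  }
  return rewrites;
}

// Constructed sample with the same structure as the input in this issue:
// a downlevel-hidden block (a real comment) and a downlevel-revealed block.
const sample = [
  '<!--[if gte vml 1]><v:shape id="s1"></v:shape><![endif]-->',
  '<![if !vml]>',
  '<span><img src="cid:example" width="430" height="1"></span>',
  '<![endif]>',
].join('\n');

for (const r of findBogusComments(sample)) {
  console.log(`${r.original}  ->  ${r.serialized}`);
}
```

The downlevel-hidden block is reported as unchanged because it is already a well-formed comment; only the two downlevel-revealed markers are listed.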

cure53 commented 1 year ago

Closing this now as this is not a bug we can fix and not much we can do here.

markb-trustifi commented 1 year ago

FYI, there is a related ticket https://github.com/inikulin/parse5/issues/963