cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

JSON value messed up while using DOMPurify #822

Closed AnjuDevkota closed 1 year ago

AnjuDevkota commented 1 year ago

I have input like test. It is a JSON value, but I am getting test after sanitization. That means I am getting double quotes on href by using DOMPurify, and the problem is I need to pass this value in JSON, so it becomes " test", which causes badly formatted JSON. Here is my code:

const sanitizedHtml = DOMPurify.sanitize(modifiedHtml, { ADD_TAGS: allowedTagsWithUnderscore });


cure53 commented 1 year ago

DOMPurify will always "heal" HTML which means it also fixes quotes and changes them to double-quotes. You need to employ proper escaping and handle the output correctly, not our bug :)
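To illustrate the maintainer's point, here is an added example (not code from the DOMPurify project or from anyone in this thread). DOMPurify needs a DOM, so it is not called here; the sanitized string is constructed to match the behaviour described above, with the attribute re-serialised in double quotes, and the example shows why concatenating it into JSON breaks while encoding it with `JSON.stringify` does not.

```javascript
// Constructed stand-in for DOMPurify.sanitize() output: the sanitizer
// re-serialises the DOM, so an attribute written as href='...' comes
// back as href="..." (this is the "healing" the maintainer refers to).
const SANITIZED = '<a href="https://example.com">test</a>';

// What the reporter did, in effect: splice the HTML into a JSON document
// by string concatenation. The double quotes inside the attribute close
// the JSON string early, so the document is malformed.
function naiveJsonEmbed(html) {
  return '{"content": "' + html + '"}';
}

// Correct handling: let the JSON encoder escape the value. Every " in the
// HTML becomes \" and the document stays well-formed no matter which
// quote style the sanitizer emitted.
function safeJsonEmbed(html) {
  return JSON.stringify({ content: html });
}

// Returns the parsed object, or null when the text is not valid JSON.
function tryParse(json) {
  try {
    return JSON.parse(json);
  } catch (_) {
    return null;
  }
}

// Compare both approaches on the sanitized markup.
function demo() {
  const broken = naiveJsonEmbed(SANITIZED);
  const fixed = safeJsonEmbed(SANITIZED);
  const parsed = tryParse(fixed);
  return {
    naiveIsValid: tryParse(broken) !== null,          // false
    safeIsValid: parsed !== null,                     // true
    roundTrip: parsed !== null && parsed.content === SANITIZED, // true
  };
}
```

The same rule applies on the way out: the consumer decodes the JSON first and only then hands the HTML to the browser.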

cure53 commented 1 year ago

Closing this for now as there is nothing to fix