cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Differences in Browser Behavior (Chrome vs. Firefox) #830

Closed JoeColmado closed 1 year ago

JoeColmado commented 1 year ago

While using your plugin, I noticed a discrepancy between different browsers. I was able to replicate different behavior between Chrome and Firefox (Version: 114.0). When an HTML tag has the attribute type="hidden", Firefox removes line breaks. Chrome doesn't.

Console snippet to reproduce:

    foo = '<input value="foo\nbar">'
    window.DOMPurify.sanitize(foo)
    foo = '<input value="foo\nbar" type="hidden">'
    window.DOMPurify.sanitize(foo);

Is this a bug, or is there a configuration to trigger the same behavior between the browsers?

cure53 commented 1 year ago

Interesting :D Likely something that the browser does and we don't have any direct control over.

JoeColmado commented 1 year ago

Can you provide a workaround?

cure53 commented 1 year ago

No, this would be way outside our documented goals and threat model: https://github.com/cure53/DOMPurify/wiki/Security-Goals-&-Threat-Model

You can probably fix that with a hook, if it's of high impact to your specific use case.
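
One way to apply the hook suggestion above, as an added example that is not code from either commenter or from the DOMPurify project: an `afterSanitizeAttributes` hook that strips line breaks from hidden-input values, so every browser returns what the report describes for Firefox. The function name and the fake-element helper are hypothetical, and it assumes that dropping CR/LF from these values is acceptable for your data.

```javascript
// Hook body: normalise the value of <input type="hidden"> by removing CR/LF,
// matching the result the issue reports for Firefox.
function stripLineBreaksFromHiddenInput(node) {
  // Only element nodes named INPUT are of interest; ignore everything else.
  if (!node || node.nodeName !== 'INPUT' || typeof node.getAttribute !== 'function') {
    return node;
  }
  const type = (node.getAttribute('type') || '').toLowerCase();
  if (type !== 'hidden' || !node.hasAttribute('value')) {
    return node;
  }
  const value = node.getAttribute('value');
  const normalized = value.replace(/[\r\n]/g, '');
  if (normalized !== value) {
    node.setAttribute('value', normalized);
  }
  return node;
}

// Register the hook only where DOMPurify is actually loaded (a browser page).
if (typeof DOMPurify !== 'undefined') {
  DOMPurify.addHook('afterSanitizeAttributes', stripLineBreaksFromHiddenInput);
}

// Constructed stand-in for a DOM element, so the hook can be exercised offline.
function makeFakeInput(attrs) {
  const store = Object.assign({}, attrs);
  return {
    nodeName: 'INPUT',
    hasAttribute: (name) => Object.prototype.hasOwnProperty.call(store, name),
    getAttribute: (name) => (name in store ? store[name] : null),
    setAttribute: (name, val) => { store[name] = String(val); },
  };
}

// Runs the hook over the two inputs from the report (constructed equivalents).
function demo() {
  const plain = stripLineBreaksFromHiddenInput(makeFakeInput({ value: 'foo\nbar' }));
  const hidden = stripLineBreaksFromHiddenInput(
    makeFakeInput({ value: 'foo\r\nbar', type: 'HIDDEN' })
  );
  return { plain: plain.getAttribute('value'), hidden: hidden.getAttribute('value') };
}
```

The hook runs after DOMPurify has finished its own attribute checks, so it only rewrites a value that has already been accepted and does not widen what the sanitizer allows.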