cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

DOMPurify deleting H1, H2, P, and other tags #836

Closed Antonio225t closed 1 year ago

Antonio225t commented 1 year ago

Hello, just an information regarding h1, h2, etc. tags, is there a way to keep them but still removing the risk of people "hacking" in the website with <img src="" onerror="(code)"> exploits and so on?

I'm trying to make a user able to convert MarkDown into HTML, and I would like if the user could use HTML in their documents without changing CSS or running scripts (with "running script" I mean ANY JavaScript code). Can I do this with DOMPurify, to keep the p, h1, etc. tags but blocking them from running scripts or changing CSS?

Thanks in advance 👍.

Antonio225t commented 1 year ago

Alright, about the h1, h2, etc. problem it was my fault. I was using a node element that was <h1>Hello, World</h1> and was sanitizing the .innerHTML (which is just Hello, World! without the tags). So, now I used .outerHTML and it works very great. Sorry about this silly mistake 😅.
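As an added example, not from the issue or the DOMPurify project, here is a browser page that combines both points above: a DOMPurify config that keeps the heading and paragraph tags the question asks about while dropping inline CSS and event handlers, and the outerHTML versus innerHTML distinction from the follow-up. It assumes purify.min.js from DOMPurify's dist folder is served beside the page; the user-supplied HTML is constructed for the demo.

```html
<!doctype html>
<meta charset="utf-8">
<!-- Assumption: purify.min.js (DOMPurify dist build) is served next to this page -->
<script src="purify.min.js"></script>
<h1 id="demo">Hello, World</h1>
<pre id="out"></pre>
<script>
  // Allow document structure only. Explicit ALLOWED_* lists replace DOMPurify's
  // defaults; FORBID_* stays as a safety net if the allow lists are widened later.
  // style/class/id are forbidden so user content cannot restyle or hook the page's CSS.
  const MARKDOWN_HTML_CONFIG = {
    ALLOWED_TAGS: ['h1', 'h2', 'h3', 'p', 'ul', 'ol', 'li', 'a', 'em', 'strong',
                   'code', 'pre', 'blockquote', 'img', 'br'],
    ALLOWED_ATTR: ['href', 'src', 'alt', 'title'],
    FORBID_TAGS: ['style', 'script'],
    FORBID_ATTR: ['style', 'class', 'id'],
  };

  function sanitizeUserHtml(html) {
    return DOMPurify.sanitize(html, MARKDOWN_HTML_CONFIG);
  }

  const lines = [];
  const el = document.getElementById('demo');
  // The pitfall from the follow-up comment: innerHTML is only the text between the
  // tags, so the <h1> was never handed to the sanitizer. outerHTML includes the element.
  lines.push('innerHTML in : ' + el.innerHTML);
  lines.push('outerHTML in : ' + el.outerHTML);
  lines.push('outerHTML out: ' + sanitizeUserHtml(el.outerHTML));

  // Constructed user-supplied HTML (as a Markdown converter might emit it) carrying
  // the payloads the question worries about: inline CSS, on* handlers, a script tag.
  const userHtml = [
    '<h2 style="color:red" onclick="alert(1)">Title</h2>',
    '<p class="admin">Text <img src="" onerror="alert(1)" alt="pic"></p>',
    '<script>alert(1)<\/script>',
  ].join('');
  lines.push('user in : ' + userHtml);
  // The headings, paragraph and img survive; style, class and on* attributes and
  // the script element do not.
  lines.push('user out: ' + sanitizeUserHtml(userHtml));

  document.getElementById('out').textContent = lines.join('\n');
</script>
```

Open the page in a browser and compare the "in" and "out" lines; the sanitized output is what should be assigned to the DOM, never the raw user string.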