DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
Does DOMPurify handle escaping the closing </script> tag problem?
Background & Context
If an embedded script contains any occurrence of </script> (even within a JavaScript string, for instance), it will close the script tag. </script> needs to be escaped as <\/script>.
In my specific use case, I'm using dynamic data to build the content of a script tag (not JavaScript, though, but JSON-LD).
It is not clear to me if and how I can use DOMPurify to achieve this result without escaping or removing anything else from the string.
So I would like a way to provide the string:
hello <script>there</script>
and instead of getting (which is what I currently get, with the default configuration):
hello
I would like to get:
hello <script>there<\/script>
There are issues like casing, the possibility of adding spaces after </script, etc, that discourage me from trying to solve this with a custom regex, but I haven't found yet a library that clearly supports this specific use case.
In my specific case, this is closer to:
{
"@type": "Article",
"name": "Some dynamic data that could contain: </script><script>alert('xss')</script>"
}
that I would like to escape to:
{
"@type": "Article",
"name": "Some dynamic data that could contain: <\/script><script>alert('xss')<\/script>"
}
All of that would live inside a surrounding tag like (this tag itself is not dynamic, only the content within it):
<script type="application/ld+json">
</script>
Is this possible to achieve with DOMPurify and what would be the configuration required? If not possible, do you know a library that solves this?
Background & Context
If an embedded script contains any occurrence of
</script>
(even within a JavaScript string, for instance), it will close the script tag.</script>
needs to be escaped as<\/script>
.A few references:
In my specific use case, I'm using dynamic data to build the content of a script tag (not JavaScript, though, but JSON-LD).
It is not clear to me if and how I can use DOMPurify to achieve this result without escaping or removing anything else from the string.
So I would like a way to provide the string:
and instead of getting (which is what I currently get, with the default configuration):
I would like to get:
There are issues like casing, the possibility of adding spaces after
</script
, etc, that discourage me from trying to solve this with a custom regex, but I haven't found yet a library that clearly supports this specific use case.In my specific case, this is closer to:
that I would like to escape to:
All of that would live inside a surrounding tag like (this tag itself is not dynamic, only the content within it):
Is this possible to achieve with DOMPurify and what would be the configuration required? If not possible, do you know a library that solves this?
Thanks!