Closed sonikasharma1403 closed 1 year ago
That is expected behavior. Invalid HTML gets mangled by the browser/DOM before the sanitization kicks in. If you want to keep the style element no matter what, consider using the `FORCE_BODY` config option.
@cure53 - Tried the below HTML as well, which has a single-line comment, but the issue remains:
```html
<html lang="en">
<head>
<title>RRRR</title>
<style>
.red {
  color: red
}
.blue {
  color: blue
}
/* ENDS Mobile view media query to control image sizes for <599 px wide */
</style>
</head>
```
The concern here is that the `<` is added in a comment and hence should NOT be removed.
Ah, okay - I understand. We sadly have to do this because of an mXSS attack:
https://github.com/cure53/DOMPurify/blob/main/src/purify.js#L1003
Removing this behavior will cause mXSS bypasses.
@cure53
In the example above it's part of a comment. Correct me if I am wrong, but it won't cause an mXSS attack, right?
Can we have a flag to ignore the comments?
It will - and no, sorry.
Notice that it removes the style tag.
Now replace
`<!-- ENDS Mobile view media query to control image sizes for <599 px wide -->`
with
`<!-- ENDS Mobile view media query to control image sizes for 599 px wide -->`
Notice that we have only removed the `<` (less-than symbol), and now DOMPurify returns the style tag.
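
A pre-flight lint for the behaviour discussed in this thread, as an added example that is not part of the thread or of DOMPurify's code: it flags `<style>` text where `<` is directly followed by a character that can start a tag (as in `<599`) and rewrites such sequences inside CSS comments only. The tag-start pattern and the function names are assumptions made for this example; check the result against the DOMPurify version you run.

```javascript
// Added example, not DOMPurify code. Assumption: "<" directly followed by "/",
// "!" or a word character is what resembles a tag start (as in "<599").
const TAG_START = /<[\/\w!]/;
// Crude <style> extraction for linting only; this is not an HTML parser.
const STYLE_BLOCK = /(<style\b[^>]*>)([\s\S]*?)(<\/style\s*>)/gi;

// Report each line of <style> text that contains a tag-like "<".
// Line numbers count from the line holding the opening <style> tag.
function findTagLikeStyleText(html) {
  const findings = [];
  let block = 0;
  for (const match of html.matchAll(STYLE_BLOCK)) {
    block += 1;
    match[2].split('\n').forEach((line, i) => {
      const hit = TAG_START.exec(line);
      if (hit) {
        findings.push({ block, line: i + 1, column: hit.index + 1, text: line.trim() });
      }
    });
  }
  return findings;
}

// Insert a space after "<" inside CSS comments only, so the comment keeps its
// meaning but no longer resembles markup. Declarations are left untouched.
function defuseCssComments(html) {
  return html.replace(STYLE_BLOCK, (_whole, open, css, close) =>
    open + css.replace(/\/\*[\s\S]*?\*\//g,
      (comment) => comment.replace(/<(?=[\/\w!])/g, '< ')) + close);
}

// Constructed sample, shortened from the HTML posted in the thread.
const SAMPLE = [
  '<head>',
  '<style>',
  '.red { color: red }',
  '/* ENDS Mobile view media query to control image sizes for <599 px wide */',
  '</style>',
  '</head>',
].join('\n');

console.log(findTagLikeStyleText(SAMPLE));
console.log(findTagLikeStyleText(defuseCssComments(SAMPLE)));
```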