cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

fix(purify): Fix _isNode Function #845

Closed. ssi02014 closed this 1 year ago

ssi02014 commented 1 year ago

Summary

Hello 👋, @cure53

I determined that _isNode is a function that determines whether the given object argument is a DOM Node.

Can typeof Node result in object? In my tests, Node gets "function" as the result of the "typeof" operator.

console.log(typeof Node); // 'function'

I checked on Safari, Firefox, Edge, and Chrome and found that the result of typeof Node is function. (Of course, in Node.js, it is undefined.)

https://github.com/cure53/DOMPurify/commit/e7448403cd2602b0448b39a8715f52aba443153b
Looking at the previous commit history, I think the problem is code like typeof Node === 'object', which doesn't work properly.

We simply need to make sure that the result of "typeof Node" is 'function' and that the object is an instance of Node.

typeof Node === 'function' && object instanceof Node;

After fixing the code, the tests all passed. Please review this pull request to see if it's appropriate. 🙏

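The check proposed in this PR, as an added example that is not DOMPurify's own code: the Node constructor is passed in explicitly so the same function can be exercised in Node.js, where the global Node is undefined. FakeNode is a constructed stand-in for a DOM Node constructor, and legacyBranchTaken models only the typeof Node === 'object' condition mentioned above.

```javascript
// isNode: the PR's check. Node must exist as a constructor and the value must
// be a real instance of it; an object that merely looks like a node is rejected.
// NodeCtor stands for the global Node (an assumption: injected so it can be tested
// outside a browser).
function isNode(object, NodeCtor) {
  return typeof NodeCtor === 'function' && object instanceof NodeCtor;
}

// The pre-PR condition: in current browsers typeof Node is 'function', so a
// branch guarded by typeof Node === 'object' is never taken and instanceof is
// never reached.
function legacyBranchTaken(NodeCtor) {
  return typeof NodeCtor === 'object';
}

// Constructed stand-in for a DOM Node constructor (Node.js ships no DOM).
class FakeNode {
  constructor(nodeType, nodeName) {
    this.nodeType = nodeType;
    this.nodeName = nodeName;
  }
}

// A second constructor models a node from another realm (e.g. an iframe's
// document): instanceof is realm-specific, so such nodes fail the check.
class OtherRealmNode extends Object {}

function demo() {
  const real = new FakeNode(1, 'DIV');
  // Has node-like properties but was not created by the constructor.
  const lookalike = { nodeType: 1, nodeName: 'DIV' };
  return {
    realIsNode: isNode(real, FakeNode),                   // true
    lookalikeIsNode: isNode(lookalike, FakeNode),         // false
    otherRealmIsNode: isNode(new OtherRealmNode(), FakeNode), // false
    noDomIsNode: isNode(real, undefined),                 // false: no Node global
    legacyBranch: legacyBranchTaken(FakeNode),            // false: typeof is 'function'
  };
}
```

In a browser the realm caveat matters when sanitizing nodes adopted from another document; the check as written treats them as non-nodes rather than throwing.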

cure53 commented 1 year ago

Thanks again!

I believe the commits back then were mostly needed for MSIE. Since we are phasing out support for MSIE and only support it in the infrequently maintained 2.x branch, this change for main and 3.x should be fine 😅

ssi02014 commented 1 year ago

@cure53 Thanks for explaining the history!