cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Style tag is getting removed #851

Closed abdalla-rko closed 1 year ago

abdalla-rko commented 1 year ago

This issue proposes a bug which...

Background & Context

When sanitizing an HTML string using the sanitize method, if the HTML string starts with a style tag the style tag will be removed. However, if I add some text and then include a style tag it works as expected. Therefore, the issue seems to occur only when starting with a style tag.

Bug

When starting with a style tag, the style tag will be removed.

Input

<style> p{ color: blue; } </style> <p> hello world </p> <style> p{ color: red; } </style>

Given output

<p> hello world </p> <style> p{ color: red; } </style>

Notice that the first style tag is removed.

Expected output

<style> p{ color: blue; } </style> <p> hello world </p> <style> p{ color: red; } </style>

cure53 commented 1 year ago

Have you tried using DOMPurify.sanitize(dirty, {FORCE_BODY: true})?

abdalla-rko commented 1 year ago

Thanks, it works with this config.

marissa-halpert commented 1 year ago

Thank you so much @abdalla-rko! I just ran into that exact same bug that was reported by my customer. Your post and validation of the fix were helpful.

@cure53 Will this be fixed in the project or do you recommend we patch it on our side? For reference, we are using version 3.0.3. Thank you!

cure53 commented 1 year ago

@marissa-halpert No fix is expected as this is default browser behavior. If we fix this, things will fall apart :smile:
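
Added example, not part of the thread and not DOMPurify's code: a simplified JavaScript model of the "default browser behavior" referred to above. When markup is parsed as a full document, elements such as `<style>` that appear before any body-level content are placed in `<head>`, so they are missing when only the body's markup is read back. The function names, the `forceBody` option and the `<x-marker>` placeholder are assumptions made for this model, which also assumes that `FORCE_BODY` works by putting body-level content ahead of the input.

```javascript
// Added illustration: a simplified model of the parser rule, not DOMPurify's code.
// Elements the HTML parser places in <head> when they precede any body content.
const RAW_TEXT = new Set(['style', 'script', 'title']); // content is plain text
const VOID_HEAD = new Set(['meta', 'link', 'base']);    // no content, no end tag

// Split markup into comments, tags and text; a raw-text element is one token.
function tokenize(html) {
  const re = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][^\s\/>]*)[^>]*>|[^<]+|</g;
  const tokens = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    let raw = m[0];
    const name = m[2] ? m[2].toLowerCase() : '';
    let kind = 'body';
    if (raw.startsWith('<!--') || (!name && raw.trim() === '')) {
      kind = 'neutral'; // comments and whitespace never open <body>
    } else if (!m[1] && RAW_TEXT.has(name)) {
      const rest = html.slice(re.lastIndex);
      const close = new RegExp('</' + name + '\\s*>', 'i').exec(rest);
      const len = close ? close.index + close[0].length : rest.length;
      raw += rest.slice(0, len); // take the element through its end tag
      re.lastIndex += len;
      kind = 'head';
    } else if (!m[1] && VOID_HEAD.has(name)) {
      kind = 'head';
    }
    tokens.push({ raw, kind });
  }
  return tokens;
}

// Route tokens the way a full-document parse does until <body> is opened.
function parseDocument(html) {
  const doc = { head: '', body: '' };
  let inBody = false;
  for (const t of tokenize(html)) {
    if (t.kind === 'body') inBody = true; // first body-level token opens <body>
    if (inBody) doc.body += t.raw;
    else if (t.kind === 'head') doc.head += t.raw;
  }
  return doc;
}

// Model of reading the body's markup. MARKER is a hypothetical placeholder element
// standing in for what a force-body option prepends and strips again.
function bodyInnerHTML(dirty, { forceBody = false } = {}) {
  const MARKER = '<x-marker></x-marker>';
  const { body } = parseDocument(forceBody ? MARKER + dirty : dirty);
  return forceBody ? body.slice(MARKER.length) : body;
}
```

Run on the input from the report, `bodyInnerHTML` drops the leading `<style>` and keeps the trailing one, and with `forceBody: true` it returns the input unchanged.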