cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Custom element attribute gets trimmed (end whitespace is deleted) #853

Closed JSnow11 closed 1 year ago

JSnow11 commented 1 year ago

This issue proposes a bug

Background & Context

When trying to pass an initial-value (string) attribute to a custom element, it gets trimmed: the whitespace at the end of it disappears.

Bug

Input

sanitizer("<qz-element initial-value='test ' ></qz-element>", {
  CUSTOM_ELEMENT_HANDLING: {
    tagNameCheck: /^/,
    attributeNameCheck: /^/,
    allowCustomizedBuiltInElements: true,
  },
})

Given output

<qz-element initial-value="test"></qz-element>

Expected output

<qz-element initial-value="test "></qz-element>

I tried

ADD_DATA_URI_TAGS: ["qz-element"],
ADD_URI_SAFE_ATTR: ["initial-value"],

Question

Is there any config to prevent this? I couldn't find any.

cure53 commented 1 year ago

Sadly no, no config option for this :)