cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Use DOMPurify with `<!DOCTYPE NETSCAPE-Bookmark-file-1>` files? #863

Closed Jeff-411 closed 10 months ago

Jeff-411 commented 11 months ago

Total newbie asks...

I'm building an Express app ("Bookmarks Ripper") where users upload the files that browsers use to export/import bookmarks. The syntax of these `<!DOCTYPE NETSCAPE-Bookmark-file-1>` files is quite odd.

I'm using Multer to restrict the file type and size, but I'm wondering...

Could I use DOMPurify to sanitize these uploads, to reduce my chances of getting hit by malicious code?

cure53 commented 11 months ago

Interesting :D I'd say why not, do you have some example markup so we can have a closer look?

Jeff-411 commented 11 months ago

Sure. Here's the content of browser_export_file.html -- one of the test uploads I'm using for "Bookmarks Ripper" development.

The only change I've made to the standard export/import markup in the example below is to edit out the base64 strings.

```html
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><H3 ADD_DATE="1678057016" LAST_MODIFIED="1696348108" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3>
    <DL><p>
        <DT><H3 ADD_DATE="1696347783" LAST_MODIFIED="1696348291">Export me</H3>
        <DL><p>
            <DT><A HREF="https://www.akc.org/dog-breeds/poodle-standard/" ADD_DATE="1696347813" ICON="...">Poodle Dog Breed Information</A>
            <DT><H3 ADD_DATE="1696348152" LAST_MODIFIED="1696348244">Folder 1</H3>
            <DL><p>
                <DT><A HREF="https://en.wikipedia.org/wiki/Pickled_cucumber" ADD_DATE="1696348216" ICON="...">Pickled cucumber - Wikipedia</A>
                <DT><A HREF="https://en.wikipedia.org/wiki/Cattle" ADD_DATE="1696348244" ICON="...">Cattle - Wikipedia</A>
            </DL><p>
            <DT><H3 ADD_DATE="1696348287" LAST_MODIFIED="1697136137">Folder 2</H3>
            <DL><p>
                <DT><A HREF="https://en.wikipedia.org/wiki/Apple" ADD_DATE="1696348291" ICON="...">Apple - Wikipedia</A>
            </DL><p>
        </DL><p>
        <DT><H3 ADD_DATE="1696187838" LAST_MODIFIED="1697136146">test</H3>
        <DL><p>
            <DT><A HREF="https://en.wikipedia.org/wiki/Waltzing_Matilda" ADD_DATE="1697136137" ICON="...">Waltzing Matilda - Wikipedia</A>
        </DL><p>
    </DL><p>
</DL><p>
```
cure53 commented 11 months ago

Yup, if you allow-list the additional attributes, this should indeed work :)
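As an added example (not code from this thread or from the DOMPurify project), here is what "allow-list the additional attributes" looks like for a Node/Express upload handler: DOMPurify bound to a jsdom window, with the bookmark-format attributes allowed by name so DOMPurify's own value checks still apply. It assumes the `dompurify` and `jsdom` npm packages are installed; the attribute list, the function names and the trimmed sample export with hostile entries are constructed for the example.

```javascript
// Added example, not code from the DOMPurify project or from this issue thread.
// Assumes the npm packages `dompurify` and `jsdom` (server-side DOM) are installed.

// Attributes used by NETSCAPE-Bookmark-file-1 exports that DOMPurify does not allow
// by default. Allow-listing them by name keeps DOMPurify's value checks in force
// (a javascript: HREF is still removed). ICON is deliberately left out: it carries
// a data: URI favicon, which the default URI check rejects on <a>; opting it in via
// ADD_URI_SAFE_ATTR would skip value checks for that attribute entirely.
const BOOKMARK_ATTRS = ['add_date', 'last_modified', 'personal_toolbar_folder'];

function bookmarkConfig() {
  return {
    ALLOWED_TAGS: ['h1', 'h3', 'dl', 'dt', 'p', 'a'], // only the tags the format uses
    ALLOWED_ATTR: ['href', ...BOOKMARK_ATTRS],        // replaces the default list
    ALLOW_DATA_ATTR: false,                           // no data-* passthrough either
  };
}

let purify = null; // DOMPurify instance bound to a jsdom window, created on first use
function sanitizeBookmarkFile(html) {
  if (purify === null) {
    const { JSDOM } = require('jsdom');
    purify = require('dompurify')(new JSDOM('').window);
  }
  return purify.sanitize(html, bookmarkConfig());
}

// Constructed sample: a trimmed bookmark export with hostile entries added by hand,
// the kind of content an upload endpoint has to assume it will receive.
const SAMPLE_EXPORT = `<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file. -->
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<TITLE>Bookmarks</TITLE>
<H1>Bookmarks</H1>
<DL><p>
    <DT><H3 ADD_DATE="1678057016" PERSONAL_TOOLBAR_FOLDER="true">Bookmarks bar</H3>
    <DL><p>
        <DT><A HREF="https://en.wikipedia.org/wiki/Apple" ADD_DATE="1696348291" ICON="data:image/png;base64,AAAA">Apple - Wikipedia</A>
        <DT><A HREF="javascript:alert(document.domain)" ADD_DATE="1696348292">Hostile link</A>
        <DT><IMG SRC=x ONERROR="alert(1)"><SCRIPT>alert(2)</SCRIPT>
    </DL><p>
</DL><p>`;
```

Calling `sanitizeBookmarkFile(SAMPLE_EXPORT)` keeps the folder and link entries with their `href`, `add_date` and `personal_toolbar_folder` attributes and drops the comment, `META`, `TITLE`, `ICON`, the `javascript:` href, the `IMG` and the `SCRIPT`.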