cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo: https://cure53.de/purify

Consider supporting happy-dom #876

Closed luxaritas closed 8 months ago

luxaritas commented 10 months ago

I've recently been using happy-dom with vitest instead of jsdom due to its focus on performance. It would be awesome if DOMPurify could also support happy-dom in NodeJS. Since this doesn't appear to have been brought up before, I'm curious if this would be of interest to the project, though I understand if there are scope/maintenance concerns.

I did some very basic checks with happy-dom on the current test suite, and while I get the impression the number of unique errors is fairly limited, it unfortunately doesn't seem completely trivial either. I would be happy to provide some assistance if it is of interest, though would probably need some guidance being a new contributor.

cure53 commented 10 months ago

Oh, nice - I did not have that on my radar :D

> It would be awesome if DOMPurify could also support happy-dom in NodeJS.

We are open to that.

> I would be happy to provide some assistance if it is of interest, though would probably need some guidance being a new contributor.

That would be great! We would likely need the test suite to be extended and update the GitHub actions, etc. - and maybe the existing tests already help identify possible sanitizer bypasses in Happy DOM they might want to address.

What would you say are next steps?

luxaritas commented 10 months ago

> What would you say are next steps?

Thinking I should open a PR that at least has the adjusted tests set up so that it's easy to review and discuss specific test failures - that way once we identify specific scenarios that fail, we can build up a list of items that need to be resolved.

cure53 commented 10 months ago

That sounds most excellent :D Thank you. Please do let us know if any help is needed.

cure53 commented 9 months ago

I am wondering, is happy-dom still maintained? No movement for two months it seems...

luxaritas commented 9 months ago

It was very active until 2 months ago. It appears the author is a single maintainer (which I didn't realize before) and has not been active; perhaps something has prevented them from being available recently.

cure53 commented 9 months ago

Aye, okay, no worries - I was just surprised when checking the repo :sweat_smile:

cure53 commented 8 months ago

Closing this for now, it seems that the ball is in happy-dom's corner and the project is inactive. Please reopen if anything changes.