How to keep !important for a css attribute?

cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

https://cure53.de/purify

Other

13.67k stars 698 forks source link

How to keep !important for a css attribute? #877

Closed nguyenap closed 10 months ago

nguyenap commented 10 months ago

I just have a question. In demos/hooks-sanitize-css-demo.html; i changed color with !important attr ;

<style>
                big {
                    list-style: url(https://leaking.via/css-list-style);
                    list-style-image: url(https://leaking.via/css-list-style-image);
                    background: url(https://leaking.via/css-background);
                    background-image: url(https://leaking.via/css-background-image);
                    border-image: url(https://leaking.via/css-border-image);
                    border-image-source: url(https://leaking.via/css-border-image-source);
                    shape-outside: url(https://leaking.via/css-shape-outside);
                    cursor: url(https://leaking.via/css-cursor), auto;
                    color:red !important;
                }
 </style>

I checked in the 'uponSanitizeElement ' hook event, but The !important has been removed the node value.

cure53 commented 10 months ago

Hmm, I think you need to use special magic for this:

https://stackoverflow.com/questions/13765266/how-can-one-set-a-css-property-with-the-important-flag-via-the-dom

cure53 commented 10 months ago

Closing this as likely not our bug.

nguyenap commented 10 months ago

Thank you for your reply, I'll look into it more but have no other ideas as this "!important" is being left out of the sanitize function and we can't determine which css attribute it goes with .

cure53 commented 10 months ago

Maybe it is possible that the browser removes it when processing the markup internally? At least from what I can see, we have no logic in DOMPurify that does anything with that directive.

I tested, and it looks like DOMPurify indeed leaves the important declaration untouched:

DOMPurify.sanitize('ABC<style>big {color:red !important;}</style><big>HELLO</big>')
//"ABC<style>big {color:red !important;}</style><big>HELLO</big>"

So, my guess is, the problem is caused by something else?

nguyenap commented 9 months ago

Thanks, I also looked at the source code of DOMPurify and didn't see any problems. So maybe it comes in functions that are handled in event hooks. I will test these functions again, and post back if there are any investigation results

cure53 commented 9 months ago

Aye, thanks :)