DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
We are currently looking at removing the images nodes that have a src that's matching the current origin.
Hooks like uponSanitizeAttribute seemed to be what we needed.
But hooks being global, we want to narrow its usage to one particular spot in our code base.
const currentOrigin = window.location.origin;
function uponSanitizeAttribute(node, data) {
if (node.nodeName === 'IMG' && data.attrName === 'src') {
if (new URL(data.attrValue)?.origin === currentOrigin) {
node.remove();
}
}
}
DOMPurify.addHook('uponSanitizeAttribute', uponSanitizeAttribute);
var cleaned = DOMPurify.sanitize(parsedHtml);
DOMPurify.removeHook('uponSanitizeAttribute', uponSanitizeAttribute);
return cleaned;
is there a way to achieve this without using hooks? but local sanitizing config?
Hmmm, not sure if this can be achieved without using hooks. Likely you have to add and remove the hook as your example shows. Do you have any ideas how to implement this more elegantly in our code-base?
We are currently looking at removing the images nodes that have a
src
that's matching the current origin.Hooks like
uponSanitizeAttribute
seemed to be what we needed. But hooks being global, we want to narrow its usage to one particular spot in our code base.is there a way to achieve this without using hooks? but local sanitizing config?