cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Add hook on element/attribute removal #881

Closed Deltaxel closed 9 months ago

Deltaxel commented 9 months ago

This issue proposes a feature which adds hooks for elements and attributes being removed.

Background & Context

We have a lot of customers adding content to our application. Some of the content being removed by DOM Purify should be kept. We're not always aware of every tag/attribute our customers are using. So we would like to add some telemetry to keep track of removed content and act quickly when an issue is detected.

This could also help identify potential malicious users.

Input

Given output

No handler called with

Expected output

Handler called with

Feature

I would add uponRemovedElement and uponRemovedAttribute hooks.

cure53 commented 9 months ago

Sounds great, this is a good idea - want to spin up a PR? Happy to review once done.

cure53 commented 9 months ago

@Deltaxel btw, before we start building anything, have you already looked at DOMPurify.removed? That should give you a comprehensive list of elements that have been removed and offer the telemetry you need.

cure53 commented 9 months ago

Also, please check the commit above, experimentally added hooks to removal methods.

Deltaxel commented 9 months ago

Hey, sorry for not replying sooner. I took a look at the PR and I have a slight concern. I had to debug the code before and noticed that attributes get removed first, then added back (not sure if for all of them or only in specific scenarios). Wouldn't this trigger your hook even though the attribute is not actually removed from the document in the end?

cure53 commented 9 months ago

Ah, you are right.

But, I still wonder - if it's just about telemetry, do we really need the hooks? DOMPurify.removed should give you all you need already.

cure53 commented 9 months ago

We're not always aware of every tag/attribute our customers are using. So we would like to add some telemetry to keep track of removed content and act quickly when an issue is detected.

I strongly believe that this can be done already, and quite easily, with the tools we already offer. Closing the ticket; please reopen if any other use cases arise.
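The telemetry approach suggested above, as an added example that is not part of this thread or of DOMPurify's code: DOMPurify resets its `removed` array at the start of every `sanitize()` call and pushes `{ element }` for dropped nodes and `{ attribute, from }` for dropped attributes, so the array has to be read immediately after the call it belongs to. The `sanitizeWithTelemetry`, `summarizeRemoved` and `sink` names, and the stand-in purifier and sample entries, are constructed for this example.

```javascript
// Summarise one sanitize() run from the DOMPurify.removed array: counts per
// removed tag and per "TAG.attr". Attribute values are deliberately not copied
// into the summary; telemetry should not re-ship customer payloads into logs.
function summarizeRemoved(removed) {
  const elements = {};
  const attributes = {};
  for (const entry of removed) {
    if (entry.element) {
      const tag = String(entry.element.nodeName).toUpperCase();
      elements[tag] = (elements[tag] || 0) + 1;
    } else if (entry.attribute) {
      const owner = entry.from ? String(entry.from.nodeName).toUpperCase() : '?';
      const key = `${owner}.${String(entry.attribute.name).toLowerCase()}`;
      attributes[key] = (attributes[key] || 0) + 1;
    }
  }
  return { elements, attributes, total: removed.length };
}

// Wrap a purifier with DOMPurify's sanitize()/removed contract: sanitize, then
// snapshot `removed` before any other sanitize() call resets it. `sink` is the
// telemetry callback (assumed name); it is only invoked when something was dropped.
function sanitizeWithTelemetry(purify, dirty, sink) {
  const clean = purify.sanitize(dirty);
  const summary = summarizeRemoved(purify.removed.slice());
  if (summary.total > 0) sink(summary);
  return clean;
}

// Constructed sample in the shape DOMPurify produces; plain objects stand in
// for DOM nodes so this runs without a browser or jsdom.
const SAMPLE_REMOVED = [
  { element: { nodeName: 'SCRIPT' } },
  { attribute: { name: 'onerror', value: 'x()' }, from: { nodeName: 'IMG' } },
  { attribute: { name: 'onclick', value: 'x()' }, from: { nodeName: 'DIV' } },
  { element: { nodeName: 'iframe' } },
  { element: { nodeName: 'SCRIPT' } },
];

// Constructed stand-in purifier (not DOMPurify) honouring the same contract:
// each sanitize() call replaces `removed` with that run's entries.
const fakePurify = {
  removed: [],
  sanitize(dirty) {
    this.removed = SAMPLE_REMOVED.slice();
    return dirty.replace(/<script>.*?<\/script>/gi, '');
  },
};
```

With the real library, pass `DOMPurify` itself as `purify`; the summary is what you would send to your telemetry backend per sanitize call.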

Deltaxel commented 9 months ago

You are right, DOMPurify.removed would be enough. I will give it a try. Thank you!

cure53 commented 9 months ago

Cool, thanks :) If that doesn't work, we can look into the extra hooks ofc.