Closed JounQin closed 8 months ago
cure53
commented
8 months ago Nah, I don't agree. Clearing the content of unknown elements would severely affect harmless sanitization results. You can change the behavior via a hook and take care of that yourself, but we won't change anything in the core library, sorry.
JounQin
commented
8 months ago But this is how browser works?
cure53
commented
8 months ago Might be, but it would harm legitimate and harmless content - so we cannot empty it.
JounQin
commented
8 months ago @cure53 Then I don't quite understand this case:
Why harmless div is removed?
cure53
commented
8 months ago Because of the <frameset>, which causes the DIV (and almost everything else) to be removed:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/frameset
JounQin
commented
8 months ago I'm still confused, why div must be removed due to frameset?
cure53
commented
8 months ago Please read the link I sent you, it's all there :)
JounQin
commented
8 months ago @cure53
Sorry, but I did read, but I could just find Deprecated.
If you mean:
A frameset document has a
I think <body>${fragment} will make sure the output always inside body and harmless?
cure53
commented
8 months ago FRAMESET is a special tag has everything being removed that cannot be in there or around it, that includes a DIV.
JounQin
commented
8 months ago @cure53
I think
<body>${fragment}will make sure the output always inside body and harmless?
cure53
commented
8 months ago Yes, again, please inform yourself about HTML, about what the body tag does, what the frameset element does - once you know that, you will see it all makes sense.
Background & Context
https://github.com/cure53/DOMPurify/blob/main/test/fixtures/expect.mjs#L886
Bug
Input
Given output
Expected output
The expected output.
Feature
The
xsselement should be considered containing all its following instead of void element which is how browser works.