cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

`>` as text node should not be escaped #887

Closed JounQin closed 8 months ago

JounQin commented 8 months ago

This issue proposes a bug/feature

Background & Context

`>` as a text node cannot be XSSed?

Bug

Input

<div>>xxx</div>

Given output

<div>&gt;xxx</div>

Expected output

<div>>xxx</div>

Feature

Don't escape unnecessary chars

cure53 commented 8 months ago

That is what the browser does, not us - hence we cannot and won't override this :)

JounQin commented 8 months ago

I'm using DOMParser, and it doesn't escape.

cure53 commented 8 months ago

Are you sure?

```js
new DOMParser().parseFromString('<div>></div>', 'text/html').body.outerHTML
// "<body><div>&gt;</div></body>"
```
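
The behaviour shown above is the browser's HTML fragment serialization, which DOMPurify returns as its string result. The following is an added example, not code from DOMPurify or from either participant, that models the serializer's escaping rules for text nodes and attribute values and shows that the escaping is lossless: the text node's data is still `>xxx`, only its serialized form changes. The tree shape (`{tag, attrs, children}`) and the function names are assumptions made for the example.

```javascript
// Added example (not DOMPurify's or the browser's code): a model of the escaping
// the HTML fragment serialization algorithm applies when a DOM is turned back into
// markup (what innerHTML / outerHTML return). DOMPurify returns that serialization,
// which is why a '>' in a text node comes back as '&gt;'.

// Text-node data: '&', U+00A0, '<' and '>' are escaped (spec "escaping a string",
// non-attribute mode). Nothing else is touched.
function escapeTextNode(data) {
  return data
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Attribute values (attribute mode): '&', U+00A0 and '"' are escaped; '<' and '>'
// are left alone, because they cannot terminate a double-quoted attribute.
function escapeAttributeValue(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// Minimal serializer over a constructed tree: a node is either a string (text node)
// or {tag, attrs, children}. Assumed shape for the example only.
function serialize(node) {
  if (typeof node === 'string') return escapeTextNode(node);
  const attrs = Object.entries(node.attrs || {})
    .map(([name, value]) => ` ${name}="${escapeAttributeValue(value)}"`)
    .join('');
  const inner = (node.children || []).map(serialize).join('');
  return `<${node.tag}${attrs}>${inner}</${node.tag}>`;
}

// Decoder for exactly the entities the serializer emits. A single regex pass is
// used on purpose: '&amp;gt;' must decode to '&gt;', not to '>'.
const ENTITIES = { amp: '&', lt: '<', gt: '>', quot: '"', nbsp: '\u00a0' };
function decodeEntities(markup) {
  return markup.replace(/&(amp|lt|gt|quot|nbsp);/g, (_, name) => ENTITIES[name]);
}

// True when serializing and re-parsing a text node's data gives the data back.
function textRoundTrips(data) {
  return decodeEntities(escapeTextNode(data)) === data;
}

// Constructed input matching the issue: <div>>xxx</div> parsed into a tree.
const issueTree = { tag: 'div', children: ['>xxx'] };
console.log(serialize(issueTree));                 // <div>&gt;xxx</div>
console.log(textRoundTrips('>xxx'));                // true
console.log(serialize({ tag: 'a', attrs: { title: 'a>b"c' }, children: ['x'] }));
```

If the serialized form matters for a downstream diff or snapshot, compare the DOM (DOMPurify can return nodes instead of a string via its `RETURN_DOM` / `RETURN_DOM_FRAGMENT` options) rather than the markup string; the text node's data is identical either way.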
JounQin commented 8 months ago

Interesting, sorry, it seems I misread the diff at https://github.com/un-ts/domiso/blob/test/dompurify_cases/test/__snapshots__/dompurify.spec.ts.snap