
DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

TypeError thrown by clone when configuration contains null values #897

Closed bob-difronzo closed 8 months ago

bob-difronzo commented 8 months ago

Background & Context

When upgrading from 3.0.6 to 3.0.7, a TypeError is getting thrown when calling sanitize if the configuration object contains any null values. The issue appears to be this line in the clone utility since typeof null === 'object'. For now we have replaced null with undefined.

Bug

Input

DOMPurify.sanitize(anyString, {
  CUSTOM_ELEMENT_HANDLING: {
    tagNameCheck: null
  }
});

Given output

Uncaught TypeError: Cannot read properties of null (reading 'constructor')

Expected output

Expected no error to be thrown.
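The failure mode and its fix, as an added illustration (not DOMPurify's own source): `cloneWith` is a simplified stand-in for the recursive clone utility the report points at, and the two predicates show why `typeof null === 'object'` lets a null config value reach `.constructor`.

```javascript
// Deep-clone a config object into a prototype-less object; `isPlainObject`
// decides which values are recursed into. Stand-in for the clone utility
// described in the issue, not the library's code.
function cloneWith(isPlainObject, object) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(object)) {
    if (Array.isArray(value)) {
      out[key] = value.slice();
    } else if (isPlainObject(value)) {
      out[key] = cloneWith(isPlainObject, value);
    } else {
      out[key] = value; // primitives, null, functions, RegExps, ...
    }
  }
  return out;
}

// Buggy predicate: typeof null === 'object', so a null value falls through to
// `v.constructor` and throws TypeError (Cannot read properties of null).
const isPlainObjectBuggy = (v) =>
  typeof v === 'object' && v.constructor === Object;

// Fixed predicate: rule out null before touching `.constructor`.
const isPlainObjectFixed = (v) =>
  v !== null && typeof v === 'object' && v.constructor === Object;

const cloneBuggy = (object) => cloneWith(isPlainObjectBuggy, object);
const cloneFixed = (object) => cloneWith(isPlainObjectFixed, object);

// Returns true when cloning `config` with `cloneFn` throws a TypeError.
function throwsTypeError(cloneFn, config) {
  try {
    cloneFn(config);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample mirroring the issue's reproduction: a nested null value.
const sampleConfig = {
  CUSTOM_ELEMENT_HANDLING: { tagNameCheck: null },
  ALLOWED_TAGS: ['b', 'i'],
};

console.log('buggy throws:', throwsTypeError(cloneBuggy, sampleConfig));
console.log('fixed throws:', throwsTypeError(cloneFixed, sampleConfig));
```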

cure53 commented 8 months ago

Thanks for spotting this and thanks for sending over a PR. The PR looks great and got merged :smile: