cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Removal of <textarea> `wrap` attribute #925

Closed ghost closed 5 months ago

ghost commented 5 months ago

Background & Context

It looks like DOMPurify is removing the wrap attribute on elements like <textarea>.

Bug

Is this intentional? I'm guessing it might be a side-effect of something else, but if it's intentional, could you share some info on the risks created by this attribute or others like it?

Input

<textarea
    rows = '1'
    cols = '20'
    wrap = 'soft'>
</textarea>

Given output

<textarea
    rows = '1'
    cols = '20'>
</textarea>

Expected output

<textarea
    rows = '1'
    cols = '20'
    wrap = 'soft'>
</textarea>

Feature

If this attribute is being removed not because of a direct risk, but as a side-effect of something else, could that behavior be reversed without much trouble?

cure53 commented 5 months ago

Hey there, thanks for raising this - as far as I can see, there is no security-related reason for removing the wrap attribute; we should safely be able to add it.

Wanna spin up a PR? :)

ghost commented 5 months ago

Thanks for the quick response! And also for the great library.

I'm not too familiar with its internal workings, but I did a quick review and I think (hope) the fix was just adding the wrap attribute to the html list in attrs.js? I opened a PR with that change, if that's hopefully all that was needed.
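As an added illustration, not code from the DOMPurify project or from either commenter: a small model of the attribute allowlist the fix touches, using a hypothetical subset of the attrs.js html list, showing why `wrap` was dropped, how a consumer could re-allow it with DOMPurify's real `ADD_ATTR` option until the fix shipped, and the result once `wrap` is on the list. The option names mirror DOMPurify's public config; the filtering logic and the tag parser are simplified for this example.

```javascript
// Added example, not DOMPurify's own code: a minimal model of an attribute
// allowlist sanitizer. DEFAULT_ALLOWED_ATTR is a hypothetical subset of the
// attrs.js html list as it was before the fix (no 'wrap'); FIXED_ALLOWED_ATTR
// models the list after the PR adds 'wrap'.
const DEFAULT_ALLOWED_ATTR = new Set(['rows', 'cols', 'name', 'placeholder']);
const FIXED_ALLOWED_ATTR = new Set([...DEFAULT_ALLOWED_ATTR, 'wrap']);

// Parse one element's start tag into { tag, attrs }. Constructed for this
// example; it only handles the quoted `name = 'value'` form used in the report.
function parseStartTag(markup) {
  const m = /^\s*<([a-zA-Z][\w-]*)([^>]*)>/.exec(markup);
  if (!m) throw new Error('no start tag found');
  const attrs = [];
  const attrRe = /([^\s=]+)\s*=\s*(?:'([^']*)'|"([^"]*)")/g;
  let a;
  while ((a = attrRe.exec(m[2])) !== null) {
    attrs.push([a[1].toLowerCase(), a[2] !== undefined ? a[2] : a[3]]);
  }
  return { tag: m[1].toLowerCase(), attrs };
}

// Keep an attribute only if it is on the allowlist or in ADD_ATTR, and not in
// FORBID_ATTR. ADD_ATTR / FORBID_ATTR are DOMPurify's real option names; the
// decision logic here is a simplification of the library's.
function sanitizeAttrs(markup, allowed, config = {}) {
  const { tag, attrs } = parseStartTag(markup);
  const add = new Set((config.ADD_ATTR || []).map((s) => s.toLowerCase()));
  const forbid = new Set((config.FORBID_ATTR || []).map((s) => s.toLowerCase()));
  const kept = attrs.filter(
    ([name]) => !forbid.has(name) && (allowed.has(name) || add.has(name))
  );
  const inner = kept
    .map(([n, v]) => `${n}="${v.replace(/"/g, '&quot;')}"`)
    .join(' ');
  return inner ? `<${tag} ${inner}>` : `<${tag}>`;
}

// The report's input, collapsed onto one line.
const INPUT = "<textarea rows = '1' cols = '20' wrap = 'soft'></textarea>";

// Returns the three outcomes: pre-fix drop, consumer-side workaround, post-fix.
function demo() {
  return {
    before: sanitizeAttrs(INPUT, DEFAULT_ALLOWED_ATTR),
    workaround: sanitizeAttrs(INPUT, DEFAULT_ALLOWED_ATTR, { ADD_ATTR: ['wrap'] }),
    after: sanitizeAttrs(INPUT, FIXED_ALLOWED_ATTR),
  };
}
```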

cure53 commented 5 months ago

This looks great, thank you :)