cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Question regarding DOMPurify ADD_TAGS is not allowing <script> tag #928

Closed yam4office closed 5 months ago

yam4office commented 5 months ago

Hi Team, For a particular use case I need to allow ',{ADD_TAGS:['script']},{FORCE_BODY: true})

DOMPurify.sanitize takes a single config object with all options, not multiple objects.

`DOMPurify.sanitize('<script>a</script>',{ADD_TAGS:['script'], FORCE_BODY: true})` should work instead.

cure53 commented 5 months ago

Correct @realansgar , thanks :sweat_smile:

yam4office commented 5 months ago

It gave the output as `\x3Cscript>a\x3C/script>`. Is that expected?

attached screenshot image

cure53 commented 5 months ago

Nope, this is what the result looks like:

```js
DOMPurify.sanitize('<script>a</script>',{ADD_TAGS:['script'], FORCE_BODY: true})
//  "<script>a</script>"
```

realansgar commented 5 months ago

`\x3c` is the hex encoded `<` character. So the string actually contains `<script>`, it is just displayed differently by the Chrome console.

Today I learned: The Chrome console does this deliberately and only in very specific instances to enable devs to copy-paste stuff from the console directly into an inline script in their HTML file without accidentally breaking out of it (or inserting a comment).
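As an added illustration of the point above (example code, not from the thread or from DOMPurify itself): the `\x3C` form and the raw `<` are the same JavaScript string value, and escaping `<` that way is exactly what you want when a string such as a sanitizer's output is embedded inside an inline `<script>`, because a raw `</script>` inside the literal would otherwise close the script element early. The function names and the sample string are my own.

```javascript
// Added example: "\x3C" versus "<" inside JS string literals, and why escaping
// matters when a string is placed inside an inline <script>. No DOM needed.

// Escape a value as a JS string literal that cannot terminate an enclosing
// <script> element. The HTML parser ends script data at "</script" (and gives
// "<!--" special treatment), so rewriting every "<" as "\x3C" is sufficient.
// The JS engine decodes "\x3C" back to "<", so the runtime value is unchanged.
function escapeForInlineScript(value) {
  return JSON.stringify(value).replace(/</g, '\\x3C');
}

// Emit an inline script that assigns `value` to window[name]. Only the final
// closing tag written by this function can end the element.
function inlineScriptAssignment(name, value) {
  return `<script>window.${name} = ${escapeForInlineScript(value)};</script>`;
}

// True if a script body (text between the tags) contains the sequence that
// would close the element early. Used here only as a check on the escaping.
function breaksOutOfScript(scriptBody) {
  return /<\/script/i.test(scriptBody);
}

// Decode a literal produced by escapeForInlineScript. JSON.stringify never
// emits "\x" escapes itself, so every "\x3C" is ours and maps back to "<";
// after that the text is plain JSON again.
function decodeLiteral(literal) {
  return JSON.parse(literal.replace(/\\x3C/g, '<'));
}

// Constructed sample: the string from the thread.
const sample = '<script>a</script>';
console.log('\x3Cscript>a\x3C/script>' === sample);      // true
console.log(escapeForInlineScript(sample));              // "\x3Cscript>a\x3C/script>"
console.log(inlineScriptAssignment('payload', sample));
```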