DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
Description:
I've encountered an issue with DOMPurify's sanitization process where valid attributes on iframe elements are being removed, and the order of attributes in the output is being changed. This behavior is unexpected and may lead to unintended changes in the rendered HTML. I believe this issue needs to be addressed to ensure that DOMPurify accurately preserves valid attributes and maintains the order of attributes as specified in the input HTML.
Steps to Reproduce:
Provide a sample HTML input containing an iframe element with valid attributes such as src, width, height, frameborder, allow, and allowfullscreen.
Apply DOMPurify's sanitization process to the input HTML.
Compare the output HTML with the input HTML to identify any missing attributes or changes in attribute order.
Expected Behavior:
DOMPurify should preserve all valid attributes on iframe elements and maintain the order of attributes as specified in the input HTML.
Actual Behavior:
Attributes such as frameborder, allow, and allowfullscreen are being removed from the output HTML, and the order of attributes is being changed.
Additional Information:
Version of DOMPurify used: [Insert Version Number]
Sample Input HTML:html
Output HTML after sanitization (incorrect):html
This issue affects [insert specific use case or application where DOMPurify is being used].
Proposed Solution:
Investigate the sanitization process to identify why valid attributes are being removed and the order of attributes is being changed. Implement changes to ensure that all valid attributes are preserved, and the order of attributes is maintained in the output HTML.
Impact:
This issue may impact applications that rely on DOMPurify for HTML sanitization, potentially causing unexpected rendering behavior or security vulnerabilities due to missing or altered attributes.
Priority:
[High] - Depending on the severity and impact of the issue.
Description: I've encountered an issue with DOMPurify's sanitization process where valid attributes on iframe elements are being removed, and the order of attributes in the output is being changed. This behavior is unexpected and may lead to unintended changes in the rendered HTML. I believe this issue needs to be addressed to ensure that DOMPurify accurately preserves valid attributes and maintains the order of attributes as specified in the input HTML.
Steps to Reproduce:
Provide a sample HTML input containing an iframe element with valid attributes such as src, width, height, frameborder, allow, and allowfullscreen. Apply DOMPurify's sanitization process to the input HTML. Compare the output HTML with the input HTML to identify any missing attributes or changes in attribute order. Expected Behavior: DOMPurify should preserve all valid attributes on iframe elements and maintain the order of attributes as specified in the input HTML.
Actual Behavior: Attributes such as frameborder, allow, and allowfullscreen are being removed from the output HTML, and the order of attributes is being changed.
Additional Information:
Version of DOMPurify used: [Insert Version Number] Sample Input HTML:html
Output HTML after sanitization (incorrect):html
This issue affects [insert specific use case or application where DOMPurify is being used]. Proposed Solution: Investigate the sanitization process to identify why valid attributes are being removed and the order of attributes is being changed. Implement changes to ensure that all valid attributes are preserved, and the order of attributes is maintained in the output HTML.
Impact: This issue may impact applications that rely on DOMPurify for HTML sanitization, potentially causing unexpected rendering behavior or security vulnerabilities due to missing or altered attributes.
Priority: [High] - Depending on the severity and impact of the issue.