DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
I tried to implement this example: https://github.com/cure53/DOMPurify/blob/main/demos/hooks-sanitize-css-demo.html but got my styles removed, as there seems to be a small bug in the validateStyles function (see comments in the code below).
```js
// validateStyles as called from the demo's uponSanitizeAttribute hook;
// allowed_properties and allow_css_functions are defined elsewhere in the demo.
function validateStyles(output, styles) {
  Object.keys(styles).forEach(prop => { // prop is the index, not the CSS style property
    const value = styles[prop]; // value is the CSS style property
    if (value && typeof value === 'string') {
      const normalizedProp = prop.replace(/([A-Z])/g, '-$1').toLowerCase();
      if (allowed_properties.includes(normalizedProp) && (allow_css_functions || !/\w+\(/.test(value))) {
        output.push(`${normalizedProp}:${value};`);
      }
    }
  });
}
```
The function below gave me the correct result:
```js
// Corrected version: the numeric key is used to read the property name, and the
// property name is then used to read the value (allowed_properties as in the demo).
function validateStyles(output, styles) {
  Object.keys(styles).forEach(function(index) {
    if (styles.hasOwnProperty(index)) {
      let normalizedKey = styles[index].replace(/([A-Z])/g, '-$1').toLowerCase();
      if (allowed_properties.includes(normalizedKey)) {
        let value = styles[normalizedKey];
        output.push(`${normalizedKey}:${value};`);
      }
    }
  });
}
```
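As an added example (not code from the DOMPurify demo or from the issue author), the validator below handles both ways a style object can enumerate its entries: a browser CSSStyleDeclaration exposes numeric indexes that hold property names and named keys that hold values, while a plain object holds values directly. It also keeps the `allow_css_functions` check that the corrected function above drops, so values containing a call such as `url(...)` are still rejected unless the policy allows them. The `allowed_properties` list, the `makeStyleDeclaration` stand-in for the browser object, and the sample declarations are constructed for this example so it runs in Node.

```javascript
// Policy values are assumptions for this example; the demo defines its own.
const allowed_properties = ['color', 'background-color', 'font-family', 'font-size'];
const allow_css_functions = false;

// camelCase (fontFamily) -> dashed (font-family); dashed names pass through unchanged.
function normalizeProp(prop) {
  return prop.replace(/([A-Z])/g, '-$1').toLowerCase();
}

// Read a value the way the browser API does when it can (getPropertyValue),
// otherwise by named access, trying the dashed name first and the raw key second.
function readValue(styles, rawProp, normalizedProp) {
  if (typeof styles.getPropertyValue === 'function') {
    return styles.getPropertyValue(normalizedProp);
  }
  return styles[normalizedProp] !== undefined ? styles[normalizedProp] : styles[rawProp];
}

// Allow-list validator that works for CSSStyleDeclaration-like objects and plain objects.
function validateStyles(output, styles) {
  Object.keys(styles).forEach(function (key) {
    // Numeric keys are positions: the entry is the property NAME, not a value.
    const rawProp = /^\d+$/.test(key) ? styles[key] : key;
    if (typeof rawProp !== 'string') return;
    const normalizedProp = normalizeProp(rawProp);
    if (!allowed_properties.includes(normalizedProp)) return;
    const value = readValue(styles, rawProp, normalizedProp);
    if (!value || typeof value !== 'string') return;
    // Reject values carrying a function call (url(), calc(), var(), ...) unless permitted.
    if (!allow_css_functions && /[\w-]+\s*\(/.test(value)) return;
    const decl = `${normalizedProp}:${value};`;
    // A browser object lists both the index and the name for one entry; emit it once.
    if (!output.includes(decl)) output.push(decl);
  });
  return output;
}

// Constructed stand-in for CSSStyleDeclaration: numeric keys hold dashed property
// names, named keys hold values, and length/getPropertyValue are non-enumerable
// so Object.keys() lists only the entries, as it does in a browser.
function makeStyleDeclaration(decls) {
  const styles = {};
  const byName = {};
  Object.keys(decls).forEach((prop, i) => {
    const name = normalizeProp(prop);
    byName[name] = decls[prop];
    styles[i] = name;
    styles[name] = decls[prop];
  });
  Object.defineProperty(styles, 'length', { value: Object.keys(byName).length });
  Object.defineProperty(styles, 'getPropertyValue', {
    value: (p) => (byName[p] !== undefined ? byName[p] : ''),
  });
  return styles;
}

// Sample input constructed for the example: two allowed plain values, one property
// outside the allow-list, and one allowed property whose value is a function call.
function demo() {
  const styles = makeStyleDeclaration({
    color: 'red',
    'background-image': 'url(//example.invalid/x.png)',
    fontFamily: 'Arial',
    'font-size': 'calc(1em + 2px)',
  });
  return validateStyles([], styles).join('');
}

console.log(demo());
```

With `allow_css_functions` left at `false`, the function-call regex also rejects legitimate values such as `rgb(255, 0, 0)` or `calc(...)`; a policy that needs those should allow-list specific function names rather than flip the flag for every property.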