cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Fix for bug in demo hooks-sanitize-css-demo.html #931

Closed koosvanderkolk closed 6 months ago

koosvanderkolk commented 6 months ago

I tried to implement this example: https://github.com/cure53/DOMPurify/blob/main/demos/hooks-sanitize-css-demo.html

but got my styles removed, as there seems to be a small bug in the validateStyles function (see the comments in the code below):

function validateStyles(output, styles) {
  Object.keys(styles).forEach(prop => {  // prop is the index, not the CSS style property
    const value = styles[prop]; // value is the CSS style property
    if (value && typeof value === 'string') {
      const normalizedProp = prop.replace(/([A-Z])/g, '-$1').toLowerCase();
      if (allowed_properties.includes(normalizedProp) && (allow_css_functions || !/\w+\(/.test(value))) {
        output.push(`${normalizedProp}:${value};`);
      }
    }
  });
}

The function below gave me the correct result:

function validateStyles(output, styles) {
  Object.keys(styles).forEach(function(index) { // keys of a CSSStyleDeclaration are numeric indices
    if (styles.hasOwnProperty(index)) {
      let normalizedKey = styles[index].replace(/([A-Z])/g, '-$1').toLowerCase(); // styles[index] is the property name
      if (allowed_properties.includes(normalizedKey)) {
        let value = styles[normalizedKey]; // look the value up by property name
        output.push(`${normalizedKey}:${value};`);
      }
    }
  });
}
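
Added example, not code from the DOMPurify repo or from either commenter: the demo's original loop and a corrected one run side by side on a stand-in for CSSStyleDeclaration, so the bug can be reproduced outside a browser. Assumptions: allowed_properties and allow_css_functions stand in for the demo's config variables, makeStyleDeclaration models only the indexed names, length and getPropertyValue of the real object, and the corrected version keeps the demo's CSS-function guard, which the posted fix omits.

```javascript
const allowed_properties = ['color', 'background-color', 'font-size'];
const allow_css_functions = false;

// Stand-in for element.style: enumerable numeric indices map to property
// names; length and getPropertyValue are non-enumerable (they live on the
// prototype of the real object), so Object.keys() only yields "0", "1", ...
function makeStyleDeclaration(decls) {
  const style = {};
  const names = Object.keys(decls);
  names.forEach((name, i) => { style[i] = name; });
  Object.defineProperty(style, 'length', { value: names.length });
  Object.defineProperty(style, 'getPropertyValue', { value: (name) => decls[name] || '' });
  return style;
}

// Original demo logic: `prop` is "0", "1", ... so normalizedProp never matches
// an allowed property name and every declaration is silently dropped.
function validateStylesOriginal(output, styles) {
  Object.keys(styles).forEach((prop) => {
    const value = styles[prop];
    if (value && typeof value === 'string') {
      const normalizedProp = prop.replace(/([A-Z])/g, '-$1').toLowerCase();
      if (allowed_properties.includes(normalizedProp) && (allow_css_functions || !/\w+\(/.test(value))) {
        output.push(`${normalizedProp}:${value};`);
      }
    }
  });
}

// Corrected: walk the indices, read the (already dashed) property name, look
// the value up by name, and keep rejecting values that call CSS functions
// such as url() unless allow_css_functions is set.
function validateStylesFixed(output, styles) {
  for (let i = 0; i < styles.length; i++) {
    const name = styles[i];
    const value = styles.getPropertyValue(name);
    if (!value || !allowed_properties.includes(name)) continue;
    if (!allow_css_functions && /\w+\(/.test(value)) continue;
    output.push(`${name}:${value};`);
  }
}

// Constructed sample: two allowed plain values, one allowed property carrying
// a CSS function, and one property that is not on the allow list.
const sampleStyle = makeStyleDeclaration({
  color: 'red', 'background-color': 'url(x.png)', 'font-size': '12px', position: 'fixed',
});

function runBoth(styles) {
  const original = [], fixed = [];
  validateStylesOriginal(original, styles);
  validateStylesFixed(fixed, styles);
  return { original, fixed }; // original: [], fixed: ['color:red;', 'font-size:12px;']
}
```
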

cure53 commented 6 months ago

Oh, nice, thanks - wanna spin up a PR? :slightly_smiling_face:

cure53 commented 6 months ago

All sorted, thanks again :)

koosvanderkolk commented 6 months ago

Great thanks!