cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

Sanitization Issue with DomPurify #933

Closed tommy888883 closed 3 months ago

tommy888883 commented 3 months ago

Working with DOMPurify on a Next.js project, should the sanitization remove malicious HTML code? I ask this because when testing I was trying to get the code `< funny >` to show up (but with no space); after sanitizing, however, the text in between is removed. What I did find, and this is where my question comes in, is that if you add a space after the `<` then you get `< funny>`, and the text in that seems to not be removed. Is this expected behavior?

cure53 commented 3 months ago

Yup, this is expected behavior.

tommy888883 commented 3 months ago

Maybe I'm not understanding this well. Why would that extra space make any difference in it being allowed versus not allowed by the sanitization? It seems like that extra space wouldn't affect whether or not a malicious piece of HTML code could be injected, right? Just curious why it would get stripped with no spaces, but with one space within the tag the HTML would not be stripped. Thanks for the response, by the way!

cure53 commented 3 months ago

No space, the browser thinks it's a tag. Add the space, and the browser thinks it's text/CDATA. That explains the differing behavior.
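The rule the maintainer is describing is the HTML tokenizer's "tag open state": after a `<`, an ASCII letter starts a tag name and `/` starts an end tag, but any other character (a space included) means the `<` was ordinary text. The block below is an added illustration, not DOMPurify's own code; it implements just enough of that tokenizer rule to reproduce the split seen in this issue, plus a toy allowlist sanitizer that, like DOMPurify's defaults, drops elements it does not know (`funny`, `script`) while keeping their text and re-escaping all text on output. The allowlist, the function names and the inputs are assumptions made for the example.

```javascript
// Added example (not DOMPurify code): a minimal HTML tokenizer that follows the
// spec's "tag open state", plus a toy allowlist sanitizer built on top of it.

function isAsciiAlpha(ch) {
  return /^[A-Za-z]$/.test(ch);
}

// Turn markup into {type: "text"|"startTag"|"endTag"} tokens.
// Only the tag-open rule matters here; attributes are ignored and
// "<!...>" / "<?...>" are skipped as comments, as a browser would drop them.
function tokenize(html) {
  const tokens = [];
  let text = "";
  let i = 0;
  const flushText = () => {
    if (text) {
      tokens.push({ type: "text", data: text });
      text = "";
    }
  };

  while (i < html.length) {
    const ch = html[i];
    if (ch === "<") {
      const next = html[i + 1];
      const isEnd = next === "/";
      const nameStart = isEnd ? i + 2 : i + 1;

      if (isAsciiAlpha(html[nameStart] ?? "")) {
        // "<" + ASCII letter (or "</" + letter): this really is a tag.
        const close = html.indexOf(">", nameStart);
        const raw = close === -1 ? html.slice(nameStart) : html.slice(nameStart, close);
        const name = raw.split(/[\s/]/)[0].toLowerCase();
        flushText();
        tokens.push({ type: isEnd ? "endTag" : "startTag", name });
        i = close === -1 ? html.length : close + 1;
        continue;
      }
      if (next === "!" || next === "?") {
        // markup declaration / bogus comment: consumed and dropped.
        const close = html.indexOf(">", i);
        flushText();
        i = close === -1 ? html.length : close + 1;
        continue;
      }
      // Spec "anything else": the "<" is emitted as a character token and the
      // following character (here a space) is reprocessed as plain text.
      text += "<";
      i += 1;
      continue;
    }
    text += ch;
    i += 1;
  }
  flushText();
  return tokens;
}

// Toy sanitizer: an assumed allowlist, unknown elements dropped but their text
// kept (DOMPurify's KEEP_CONTENT default), and text escaped on the way out so
// it can never turn back into markup.
const ALLOWED = new Set(["b", "i", "p", "a"]);

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitize(html) {
  let out = "";
  for (const t of tokenize(html)) {
    if (t.type === "text") {
      out += escapeText(t.data);
    } else if (ALLOWED.has(t.name)) {
      out += t.type === "startTag" ? `<${t.name}>` : `</${t.name}>`;
    }
    // any other tag token is dropped entirely
  }
  return out;
}

// Constructed inputs matching the two cases from the issue.
console.log(JSON.stringify(tokenize("<funny>")));   // one startTag token
console.log(JSON.stringify(tokenize("< funny>")));  // one text token
console.log(JSON.stringify(sanitize("<funny>")));   // tag dropped
console.log(JSON.stringify(sanitize("< funny>")));  // escaped text survives
```

Because `<` followed by whitespace can never open a tag under this rule, `< funny>` is inert text in every HTML parser, which is why passing it through unchanged is not a bypass: the sanitizer only has to escape it on output. DOMPurify gets the same split for free because it is DOM-only, parsing the input with the browser's own parser rather than a regex; running `DOMPurify.sanitize('<funny>')` and `DOMPurify.sanitize('< funny>')` in a browser console shows the first input reduced to an empty string (the unknown element is removed) and the second kept as escaped text.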