Closed yfools closed 7 months ago
As per documentation... :slightly_smiling_face:
After sanitizing your markup, you can also have a look at the property DOMPurify.removed and find out what elements and attributes were thrown out. Please do not use this property for making any security critical decisions. This is just a little helper for curious minds.
https://github.com/cure53/DOMPurify?tab=readme-ov-file#okay-makes-sense-lets-move-on
We try to put all removed elements in there, including the risky ones - but there is no strong guarantee that nothing in this array means the SVG was safe.
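Added example, not part of the thread and not DOMPurify's own code: a helper that tallies the entries of `DOMPurify.removed` for diagnostic logging only, in line with the documentation quoted above. The entry shapes (`{ element }` and `{ attribute, from }`) are an assumption about what the array holds, and `summarizeRemoved` and the sample data are hypothetical and constructed.

```javascript
// Tally what a sanitize() call threw out, for logs and debugging only.
// Assumed entry shapes: { element: Node } for a dropped node and
// { attribute: Attr | null, from: Node } for a dropped attribute.
// The result is a description, never a verdict: an empty summary does
// not mean the input was safe, so always use the sanitized output.
function summarizeRemoved(removed) {
  const summary = { elements: {}, attributes: {}, unknown: 0 };
  const bump = (bucket, key) => { bucket[key] = (bucket[key] || 0) + 1; };
  const nameOf = (node) =>
    String((node && node.nodeName) || '#unknown').toLowerCase();

  for (const entry of removed || []) {
    if (entry && typeof entry === 'object' && entry.element) {
      bump(summary.elements, nameOf(entry.element));
    } else if (entry && typeof entry === 'object' && 'attribute' in entry) {
      // The attribute may be null if it could not be read back.
      const attr = entry.attribute
        ? String(entry.attribute.name).toLowerCase()
        : '#unreadable';
      bump(summary.attributes, nameOf(entry.from) + '@' + attr);
    } else {
      // Unexpected shape: count it instead of guessing what it was.
      summary.unknown += 1;
    }
  }
  return summary;
}

// Constructed sample standing in for DOMPurify.removed after a call
// (plain objects, so this runs without a DOM or the library).
const sampleRemoved = [
  { element: { nodeName: 'SCRIPT' } },
  { element: { nodeName: 'script' } },
  { attribute: { name: 'onload' }, from: { nodeName: 'svg' } },
  { attribute: null, from: { nodeName: 'svg' } },
  'not-an-entry',
];

console.log(JSON.stringify(summarizeRemoved(sampleRemoved), null, 2));
```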
I observed that DOMPurify provides some hooks and a Removed, but I don't know which elements are put in Removed because of security risks and which are just formatted.