Why does name="name" on an input field get purified?

cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:

https://cure53.de/purify

Other

13.34k stars 690 forks source link

Why does name="name" on an input field get purified? #952

Closed halfmoonui closed 2 months ago

halfmoonui commented 2 months ago

Bug

The issue is pretty self-explanatory. name="name" should not be purified, right?

Input

<input type="text" name="name">

Given output

<input type="text">

Expected output

<input type="text" name="name">

cure53 commented 2 months ago

With an input like this, we run into a clobbering issue as follows:

<form name="hello">
<input name="name">
</form>
<script>alert(document.forms[0].name)</script>

compared to...

<form name="hello">
<input name="foo">
</form>
<script>alert(document.forms[0].name)</script>

But, with the SANITIZE_NAMED_PROPS flag, you should be able to control this behavior.