Closed kakao-bishop-cho closed 6 months ago
Hey there, thanks for filing this. That is interesting; we hoped that markup nested so deeply would not really occur in real life, but we did not have MS Office on our radar :slightly_smiling_face:
Are you currently using the 3.x or the 2.x branch?
@cure53
That's a really quick response!!
I'm using version 3.0.9!
As a side note, we are currently testing whether we can remove the whole nesting counter logic again, as by now we have a more reliable defense against the mXSS attacks that were recently discovered...
We'll release 3.1.5 today, the issue should be fixed there :)
@cure53 Thank you!
We will proceed with the testing, and if there are any issues, we will report back.
Have a great day!
Background & Context
Hello,
We are using DOMPurify for HTML XSS filtering in our email service.
Our email service is designed to preserve user-generated content as much as possible, and avoid removing content unless there is a specific issue.
However, when users paste content from Word, it often has a deeply nested DOM structure.
Due to the MAX_NESTING_DEPTH setting, content with more than 255 levels of nesting is being removed.
We have been customizing this option to address the issue, but can you make it configurable through an input in the settings?
Bug
The MAX_NESTING_DEPTH option removes content
Input
Over 255 nested DOM elements
Given output
empty text
Expected output
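
Added example (not part of the original issue and not DOMPurify code): a pre-sanitization check that measures element nesting depth, so a service can log input deeper than the 255 levels quoted above instead of finding out from empty output. The names `maxElementDepth`, `nestingReport` and `buildNestedSample` are hypothetical, the sample tree is constructed, and the count is an assumption that may not match how DOMPurify counts depth internally.

```javascript
// Added example: all names here are hypothetical, none are DOMPurify APIs.
const NESTING_LIMIT = 255; // value quoted in the issue text

// Iterative walk (no recursion), so a very deep tree cannot overflow the call stack.
// Accepts any node exposing nodeType and childNodes: a browser DOM node or a look-alike.
function maxElementDepth(root) {
  let max = 0;
  const stack = [[root, 0]];
  while (stack.length > 0) {
    const [node, parentDepth] = stack.pop();
    // Only element nodes (nodeType 1) add a nesting level; text, comments
    // and fragment wrappers keep the depth of their parent.
    const depth = node.nodeType === 1 ? parentDepth + 1 : parentDepth;
    if (depth > max) max = depth;
    const children = node.childNodes || [];
    for (let i = 0; i < children.length; i++) {
      stack.push([children[i], depth]);
    }
  }
  return max;
}

// Summary a service could log before handing the markup to its sanitizer.
function nestingReport(root, limit = NESTING_LIMIT) {
  const depth = maxElementDepth(root);
  return { depth, limit, exceedsLimit: depth > limit };
}

// Constructed sample: `levels` nested elements around one text node,
// wrapped in a fragment-like root (nodeType 11).
function buildNestedSample(levels) {
  let node = { nodeType: 3, childNodes: [] };
  for (let i = 0; i < levels; i++) {
    node = { nodeType: 1, nodeName: 'SPAN', childNodes: [node] };
  }
  return { nodeType: 11, childNodes: [node] };
}

console.log(nestingReport(buildNestedSample(300))); // deeper than the limit
console.log(nestingReport(buildNestedSample(40)));  // within the limit
```

In a browser, the root can be the `body` of a document produced by `new DOMParser().parseFromString(html, 'text/html')`.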