cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

KEEP_CONTENT remove contents of all ALLOWED_TAGS #969

Closed Firioesa closed 1 month ago

Firioesa commented 1 month ago

Hi guys, thanks for creating this library. I've been using it for my projects and it works really well, except for the KEEP_CONTENT config. The documentation states:

// keep an element's content when the element is removed (default is true)
const clean = DOMPurify.sanitize(dirty, {KEEP_CONTENT: false});

I'd expect that KEEP_CONTENT only affects disallowed tags (because they will be removed). However, according to my test, if KEEP_CONTENT is false, all content within the allowed tags is removed, while the tags remain.

Example:

DOMPurify.sanitize("<b>tea</b>", {
    ALLOWED_TAGS: ["b"],
    KEEP_CONTENT: false
})

Output: <b></b>
Expected: <b>tea</b>

So, how do I keep all (tags and content) of the allowed tags while removing all other tags?

I'm using the latest version.

cure53 commented 1 month ago

Heya 🙂 I think this would do the trick, no?

DOMPurify.sanitize("<b>tea</b>", {
    ALLOWED_TAGS: ["b", '#text'],
    KEEP_CONTENT: false
})

Firioesa commented 1 month ago

@cure53 Oh it does solve my issue. Thanks!