cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

name='lang' Attribute Removed During Sanitization #980

Closed nitiponth closed 1 week ago

nitiponth commented 1 week ago

When using DOMPurify to sanitize an HTML input element with a name attribute, the name attribute is being removed even when it is expected to be preserved.

Steps to Reproduce:

Use the following code to sanitize an input element:

import DOMPurify from 'dompurify'; // browser bundle or jsdom-backed build

const dirtyHTML = '<input type="hidden" name="lang" value="T">';
const cleanHTML = DOMPurify.sanitize(dirtyHTML, {
  ALLOWED_TAGS: ['input'],
  ALLOWED_ATTR: ['type', 'name', 'value']
});

console.log(cleanHTML);  // Expected output: <input type="hidden" name="lang" value="T">

Observe that the name attribute is removed in the sanitized output:

<input value="T" type="hidden">
cure53 commented 1 week ago

This is because DOMPurify thinks there might be a DOM clobbering attack :slightly_smiling_face:

You can control that behavior using the SANITIZE_DOM or the SANITIZE_NAMED_PROPS config option.
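An added example, not code from this issue or from DOMPurify itself: a Node-runnable model of how the SANITIZE_DOM and SANITIZE_NAMED_PROPS options decide what happens to an id/name value such as `lang`, applied to the reporter's input element. In a browser the collision test runs against the real `document` and a `<form>` element; the property lists here are a constructed subset (assumption), as are the helper names.

```javascript
// Constructed subset of properties that live on document / HTMLFormElement.
// An id or name equal to one of these can shadow the real property
// (DOM clobbering), which is why the default config refuses it.
const DOCUMENT_PROPS = new Set(['body', 'cookie', 'location', 'forms', 'domain', 'title', 'write']);
const FORM_PROPS = new Set(['lang', 'id', 'action', 'method', 'elements', 'submit', 'reset', 'target']);
const NAMED_PROPS_PREFIX = 'user-content-'; // DOMPurify's default prefix

// Model of the decision for one attribute (hypothetical helper).
// Order mirrors the sanitizer: rename first (if enabled), then test the
// resulting value for a collision (if SANITIZE_DOM is on).
function decideNamedAttribute(attrName, value, opts = {}) {
  const { SANITIZE_DOM = true, SANITIZE_NAMED_PROPS = false } = opts;
  const lcName = attrName.toLowerCase();
  if (lcName !== 'id' && lcName !== 'name') return { action: 'keep', value };

  let v = value;
  if (SANITIZE_NAMED_PROPS) v = NAMED_PROPS_PREFIX + v; // prefixed value no longer collides

  const collides = DOCUMENT_PROPS.has(v) || FORM_PROPS.has(v);
  if (SANITIZE_DOM && collides) return { action: 'remove', value: null };

  return { action: v === value ? 'keep' : 'rename', value: v };
}

// Apply the decision to every attribute of one element (hypothetical helper).
function sanitizeAttrs(attrs, opts = {}) {
  const out = {};
  for (const [name, value] of Object.entries(attrs)) {
    const d = decideNamedAttribute(name, value, opts);
    if (d.action !== 'remove') out[name] = d.value;
  }
  return out;
}

// Serialise back to the <input> tag shape used in the report.
function renderInput(attrs) {
  const body = Object.entries(attrs).map(([k, v]) => `${k}="${v}"`).join(' ');
  return `<input ${body}>`;
}

// The reporter's element, under the three configurations discussed above.
const inputAttrs = { type: 'hidden', name: 'lang', value: 'T' };
console.log(renderInput(sanitizeAttrs(inputAttrs)));                               // name dropped
console.log(renderInput(sanitizeAttrs(inputAttrs, { SANITIZE_NAMED_PROPS: true }))); // name prefixed
console.log(renderInput(sanitizeAttrs(inputAttrs, { SANITIZE_DOM: false })));       // name kept, check disabled
```

SANITIZE_NAMED_PROPS keeps the attribute while removing the clobbering risk; SANITIZE_DOM: false keeps the original value but also drops the protection for every other id/name in the input.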