cure53
commented
1 month ago Nah, that is not a bypass and 100% expected behavior - the sanitizer sanitizes HTML, not strings that might get concatenated into existing HTML.
Closed agonvuniqi closed 1 month ago
cure53
commented
1 month ago Nah, that is not a bypass and 100% expected behavior - the sanitizer sanitizes HTML, not strings that might get concatenated into existing HTML.
Background & Context
onFocus is not properly handled
Bug
I can enter
" onfocus="alert('=returnXSS')"and that will trigger alert method on my field as soon as I focus in.Input
" onfocus="alert('=returnXSS')"Given output
" onfocus="alert('=returnXSS')"Expected output
The expected output.
I already have the config set up: DOMPurify.setConfig({ FORBID_TAGS: ['script', 'iframe', 'img', 'a', 'div', 'input', 'object', 'embed', 'form', 'svg', 'math'], FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'style', 'src', 'href'] });