Closed agonvuniqi closed 1 month ago
This issue proposes a [bug, feature] which...
Background & Context
onFocus is not properly handled
Bug
I can enter " onfocus="alert('=returnXSS')" and that will trigger the alert method on my field as soon as I focus in.
Input
" onfocus="alert('=returnXSS')"
Given output
" onfocus="alert('=returnXSS')"
Expected output
The expected output.
I already have the config set up: DOMPurify.setConfig({ FORBID_TAGS: ['script', 'iframe', 'img', 'a', 'div', 'input', 'object', 'embed', 'form', 'svg', 'math'], FORBID_ATTR: ['onerror', 'onload', 'onclick', 'onmouseover', 'onfocus', 'onblur', 'onchange', 'style', 'src', 'href'] });
Nah, that is not a bypass and 100% expected behavior - the sanitizer sanitizes HTML, not strings that might get concatenated into existing HTML.
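The point in the reply above, as an added example that is not part of the issue or of DOMPurify's own code: the reported string contains no markup, so an HTML sanitizer has nothing to strip, and the handler only appears once the application concatenates the string into an attribute. The helpers below (renderUnsafe, renderSafe, escapeAttr, attributeNames) are assumptions made for this illustration; DOMPurify is not called, so the snippet runs in plain Node.

```javascript
// Constructed input, identical to the string in the report.
const USER_INPUT = `" onfocus="alert('=returnXSS')"`;

// An HTML parser sees this string as a bare text node: there is no '<', so
// there is no element and no attribute for FORBID_TAGS / FORBID_ATTR to act on.
function containsMarkup(s) {
  return /<[a-zA-Z!\/?]/.test(s);
}

// Vulnerable pattern: the application concatenates the string into an attribute
// value after sanitizing it as HTML. The leading quote closes value="..." and
// the remainder becomes a new onfocus attribute on the input element.
function renderUnsafe(value) {
  return `<input type="text" value="${value}">`;
}

// Hardened pattern: escape for the attribute context the value is placed in,
// so a quote in the data can never terminate the attribute. Setting the value
// via the DOM property (el.value = ...) or sanitizing the complete fragment
// with DOMPurify are the other correct options.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderSafe(value) {
  return `<input type="text" value="${escapeAttr(value)}">`;
}

// Minimal attribute parser for a single start tag: returns the attribute names
// a browser would actually see (quoted and unquoted values, enough for this case).
function attributeNames(tag) {
  const names = [];
  const re = /\s+([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  const body = tag.slice(tag.indexOf(' ')); // drop the "<input" tag name
  let m;
  while ((m = re.exec(body)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Defender-side check: does the rendered tag carry any on* event handler?
function hasEventHandler(tag) {
  return attributeNames(tag).some((n) => n.startsWith('on'));
}
```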