Closed Bengejd closed 2 weeks ago
In this case, it never gets removed by DOMPurify, but by the browser before sanitization happens. Hence, it never lands in .removed
:slightly_smiling_face:
Try this, then it shows: A<script>alert('XSS');</script> Some arbitrary text at the end doesn't matter
Background & Context
.removed
isn't reporting script tags as having been removed if they are the first tag encountered and the string ends with arbitrary characters. However, the content is correctly purified. So that's nice.Bug
Input
Leading script with text at the end (FAILS TO BE REPORTED):
Given output
removed: []
Expected output
removed: [{ element: script }]
While I know that
.removed
is just for funzies, this is a legitimate bug, unless there is a reason it is removed but not reported as having been removed.