cure53 / DOMPurify

DOMPurify - a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify works with a secure default, but offers a lot of configurability and hooks. Demo:
https://cure53.de/purify

DOMPurify.removed isn't reporting inline scripts with arbitrary text afterwards #988

Closed Bengejd closed 2 weeks ago

Bengejd commented 2 weeks ago

This issue proposes a [bug] which...

Background & Context

.removed isn't reporting script tags as having been removed if they are the first tag encountered and the string ends with arbitrary characters. However, the content is correctly purified. So that's nice.

Bug

Input

Leading script with text at the end (FAILS TO BE REPORTED):

<script>alert('XSS');</script> Some arbitrary text at the end doesn't matter

Given output

removed: []

Expected output

removed: [{ element: script }]

While I know that .removed is just for funzies, this is a legitimate bug, unless there is a reason it is removed but not reported as having been removed.

cure53 commented 2 weeks ago

In this case, it never gets removed by DOMPurify, but by the browser before sanitization happens. Hence, it never lands in .removed :slightly_smiling_face:

Try this, then it shows: A<script>alert('XSS');</script> Some arbitrary text at the end doesn't matter
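The behaviour cure53 describes, as an added example (not part of this issue and not DOMPurify's code): a simplified model of the HTML5 parser's "before head" / "in head" / "after head" insertion modes that predicts which leading elements DOMParser files under `<head>` before `<body>` is opened. It assumes that DOMPurify sanitizes `document.body` only, so anything the parser diverts into `<head>` never reaches the sanitizer or `.removed`; the `parserDiverts` helper and the `<forced-body>` placeholder are constructed for illustration, while DOMPurify's documented `FORCE_BODY: true` option addresses the same case in the real library.

```javascript
// Added example, not DOMPurify's own code: a simplified model of the HTML5
// parser's head-related insertion modes. DOMPurify only walks document.body,
// so elements the parser puts in <head> are never seen, never "removed", and
// never listed in DOMPurify.removed. Model limits (assumptions): no handling of
// <html>/<head>/<body>/<template>/<noscript>; attributes are not interpreted.

// Start tags the parser keeps in <head> while no body content has been seen.
const HEAD_TAGS = new Set(['base', 'basefont', 'bgsound', 'link', 'meta',
  'title', 'noframes', 'style', 'script']);
// Head elements whose content is raw text up to the matching end tag.
const RAW_TEXT = new Set(['title', 'noframes', 'style', 'script']);

// Returns { head, bodyStart }: `head` lists leading tag names the parser would
// place in <head>; `bodyStart` is the offset of the first token that opens <body>.
function leadingHeadElements(html) {
  const head = [];
  let i = 0;
  while (i < html.length) {
    const rest = html.slice(i);
    const ws = /^[ \t\n\r\f]+/.exec(rest);          // whitespace is allowed between head elements
    if (ws) { i += ws[0].length; continue; }
    if (rest.startsWith('<!--')) {                   // comments are allowed too
      const end = html.indexOf('-->', i + 4);
      i = end === -1 ? html.length : end + 3;
      continue;
    }
    const tag = /^<([a-zA-Z][^\s/>]*)[^>]*>/.exec(rest);
    if (!tag || !HEAD_TAGS.has(tag[1].toLowerCase())) break; // text or a body tag: <body> opens here
    const name = tag[1].toLowerCase();
    head.push(name);
    i += tag[0].length;
    if (RAW_TEXT.has(name)) {
      // Raw text: skip to "</name" followed by whitespace, "/" or ">", then past the ">".
      const close = new RegExp('</' + name + '[ \\t\\n\\r\\f/>]', 'i').exec(html.slice(i));
      if (!close) return { head, bodyStart: html.length };
      const gt = html.indexOf('>', i + close.index + 2);
      i = gt === -1 ? html.length : gt + 1;
    }
  }
  return { head, bodyStart: i };
}

// Lists the leading elements the parser would divert to <head> for `dirty`, i.e.
// the ones DOMPurify.removed will be silent about. `withForceBody` mimics the
// effect of FORCE_BODY with a constructed placeholder element (not DOMPurify's
// internals): any body-level element in front of the input opens <body> first.
function parserDiverts(dirty, withForceBody = false) {
  return leadingHeadElements(withForceBody ? '<forced-body></forced-body>' + dirty : dirty).head;
}

const issueInput = "<script>alert('XSS');</script> Some arbitrary text at the end doesn't matter";
console.log(parserDiverts(issueInput));         // [ 'script' ]  -> never reaches DOMPurify
console.log(parserDiverts('A' + issueInput));   // []            -> script stays in body, gets reported
console.log(parserDiverts(issueInput, true));   // []            -> body forced open first
```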