fgnass / domino

Server-side DOM implementation based on Mozilla's dom.js
BSD 2-Clause "Simplified" License

DOMPurify support. #102

Open cscott opened 7 years ago

cscott commented 7 years ago

https://www.npmjs.com/package/dompurify should work under domino. It appears that outerHTML#set is one of the things needed. See: https://gerrit.wikimedia.org/r/363156

daniel-nagy commented 6 years ago

@cscott is setting the outerHTML property not supported? My server rendered Angular bundles are not working when I try to bind to the outerHTML property.

<svg [outerHTML]="mySvgIcon"></svg>

cscott commented 6 years ago

The setters for Document#outerHTML, Document#innerHTML, DocumentFragment#outerHTML, DocumentFragment#innerHTML, Element#outerHTML, and Element#innerHTML are all util.nyi (Not Yet Implemented) right now.

Probably not too hard to get that working, just a bit of tedious reading of the parsing spec to ensure contexts and templates are correct. HTMLElement#innerHTML has a working setter in htmlelts.js, so the other implementations should look very similar to that.

cscott commented 6 years ago

domino 2.1.0 works with DOMPurify. I just need to submit my patch upstream to DOMPurify.

thesocialdev commented 4 years ago

@cscott did it move forward? I'm trying to implement a sanitizer for the PCS service (mobile-html endpoint). The first choice I had was the sanitize-html package, but its minified size is prohibitive for our bundled size limit. DOMPurify is lightweight, but I'm worried that it's not reliable with domino, although it works in my code.

cscott commented 4 years ago

I'd like to talk some more about the desired use case and spec. MediaWiki has a very specific (and bespoke) sanitizer, and new attributes are added/removed from time to time (we just added one this week, for instance). Adding new incompatible sanitization mechanisms doesn't seem like necessarily the right way to proceed.

cscott commented 4 years ago

The necessary DOMPurify patches to support domino are at https://github.com/cscott/DOMPurify/tree/domino-support

thesocialdev commented 4 years ago

The specific use case is to sanitize the input from displaytitle and enforce allowed tags when inserting into the lead section using innerHtml [1].

TBH, I'm not sure if that's really necessary, since I think it's safeish content given that it's coming from the mwapi. In that sense, I lack knowledge regarding mwapi/displaytitle sanitization.

[1] https://github.com/wikimedia/mobileapps/blob/master/pagelib/src/transform/EditTransform.js#L120

giniedp commented 1 year ago

I'm stuck on this. Any progress in supporting DOMPurify?
Angular: 15, DOMPurify: 3.0.1, domino: 2.1.6

Client Side code works well, but server side (with domino) is sanitized to an empty string.

From what I can track down, it is the getElementsByTagName that does not return anything: https://github.com/cure53/DOMPurify/blob/bcb0f7f0a1b9ba902d060cb44985fc7f5a640a4b/src/purify.js#L864 https://github.com/fgnass/domino/blob/master/lib/Element.js#L270

DOMPurify sets the content via #innerHTML. https://github.com/cure53/DOMPurify/blob/bcb0f7f0a1b9ba902d060cb44985fc7f5a640a4b/src/purify.js#L845

yet the document readyState is always loading.
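The two technical observations in this thread (cscott's note that the innerHTML/outerHTML setters were `util.nyi` in older domino, and giniedp's finding that `getElementsByTagName` returns nothing so DOMPurify yields an empty string) share one lesson for anyone sanitizing server-side: probe the DOM implementation for the features the sanitizer relies on before trusting its output. The following is an added example, not code from the domino or DOMPurify projects. `probeSanitizerDom` and `guardedSanitizer` are hypothetical names; the two stub windows are constructed stand-ins for a working DOM and for the failure mode reported above, so the block runs without domino installed.

```javascript
'use strict';

// Probe a window/document for the DOM features a DOM-walking sanitizer such as
// DOMPurify depends on. Returns { ok, missing } instead of throwing so the
// caller decides how to fail. The probed features are the ones named in the
// thread: the innerHTML and outerHTML setters, getElementsByTagName, readyState.
function probeSanitizerDom(window) {
  const report = { ok: true, missing: [] };
  const fail = (what) => { report.ok = false; report.missing.push(what); };
  const document = window && window.document;

  if (!document || typeof document.createElement !== 'function') {
    fail('document.createElement');
    return report; // nothing else can be checked
  }

  // 1. Element#innerHTML setter must parse markup into real child nodes.
  const container = document.createElement('div');
  try {
    container.innerHTML = '<p>probe</p>';
  } catch (e) {
    fail('Element#innerHTML setter (' + e.message + ')');
  }
  if (!container.firstChild) fail('Element#innerHTML produced no children');

  // 2. getElementsByTagName('*') must enumerate what was just parsed; the thread
  //    traces DOMPurify's empty output under domino to this call returning nothing.
  const found = typeof container.getElementsByTagName === 'function'
    ? container.getElementsByTagName('*') : null;
  if (!found || found.length === 0) fail('Element#getElementsByTagName');

  // 3. Element#outerHTML setter must replace the node within its parent.
  const child = container.firstChild;
  if (child) {
    try {
      child.outerHTML = '<span>replaced</span>';
      if (!container.firstChild || container.firstChild === child) fail('Element#outerHTML setter');
    } catch (e) {
      fail('Element#outerHTML setter (' + e.message + ')');
    }
  }

  // 4. A document that never leaves 'loading' is recorded as a warning only.
  if (document.readyState === 'loading') report.warning = 'document.readyState is "loading"';

  return report;
}

// Refuse to construct a sanitizer on a DOM that fails the probe, so an
// incomplete server-side DOM cannot silently turn every page into an empty
// string. createSanitizer would be e.g. (w) => require('dompurify')(w).
function guardedSanitizer(window, createSanitizer) {
  const report = probeSanitizerDom(window);
  if (!report.ok) {
    throw new Error('DOM unsuitable for sanitizer: ' + report.missing.join(', '));
  }
  return createSanitizer(window);
}

// Constructed stub DOM (not domino) for demonstration. With brokenTagLookup the
// innerHTML setter populates children but getElementsByTagName finds nothing,
// mimicking the failure reported in the thread. The toy parser only creates one
// child per opening tag and the lookup only scans direct children.
function makeStubWindow({ brokenTagLookup = false } = {}) {
  function makeElement(tag) {
    const el = { tagName: tag.toUpperCase(), childNodes: [], parentNode: null };
    Object.defineProperty(el, 'firstChild', { get: () => el.childNodes[0] || null });
    Object.defineProperty(el, 'innerHTML', {
      set(html) {
        el.childNodes = [];
        for (const m of html.matchAll(/<([a-z]+)[^>]*>/g)) {
          const c = makeElement(m[1]);
          c.parentNode = el;
          el.childNodes.push(c);
        }
      },
    });
    Object.defineProperty(el, 'outerHTML', {
      set(html) {
        const parent = el.parentNode;
        if (!parent) return;
        const tmp = makeElement('div');
        tmp.innerHTML = html;
        const idx = parent.childNodes.indexOf(el);
        const fresh = tmp.childNodes.map((c) => { c.parentNode = parent; return c; });
        parent.childNodes.splice(idx, 1, ...fresh);
      },
    });
    el.getElementsByTagName = (name) => brokenTagLookup
      ? []
      : el.childNodes.filter((c) => name === '*' || c.tagName === name.toUpperCase());
    return el;
  }
  return { document: { readyState: 'complete', createElement: makeElement } };
}

// Run the probe against both stubs; returns the two reports for inspection.
function demo() {
  return {
    good: probeSanitizerDom(makeStubWindow()),
    broken: probeSanitizerDom(makeStubWindow({ brokenTagLookup: true })),
  };
}
```

Against the real library the same probe is run as `probeSanitizerDom(require('domino').createWindow(''))`, and DOMPurify's own `isSupported` flag is worth checking alongside it; the probe is stricter because it exercises the setters and the tag lookup on a parsed fragment rather than only checking that the methods exist.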