jasonmit / ember-dompurify

A wrapper around DOMPurify.
MIT License

Critical security vulnerability #6

Open richwd opened 2 years ago

richwd commented 2 years ago

Hi, running npm audit gets me the following output:

dompurify  <=2.0.16
Severity: critical
Cross-Site Scripting in dompurify - https://github.com/advisories/GHSA-mjjq-c88q-qhr6
Cross-Site Scripting in dompurify - https://github.com/advisories/GHSA-chqj-j4fh-rw7m
Cross-site Scripting in dompurify - https://github.com/advisories/GHSA-63q7-h895-m982
No fix available
node_modules/dompurify
  ember-dompurify  *
  Depends on vulnerable versions of dompurify
  node_modules/ember-dompurify

Would it be possible for the maintainers to update ember-dompurify to the most recent version of dompurify (2.3.8)? Currently it is on 1.0.3. Thanks.

jray89 commented 1 year ago

Yes, please update. I'm trying to upgrade to Ember 4.0 and this dependency is giving me issues:

WARNING: [DEPRECATION] [DEPRECATION] Usage of the Ember Global is deprecated. You should import the Ember module or the specific API instead.

See https://deprecations.emberjs.com/v3.x/#toc_ember-global for details.

Usages of the Ember Global may be caused by an outdated ember-cli-babel dependency. The following steps may help:

* Upgrade the following addons to the latest version:
  * ember-purify

robclancy commented 1 year ago

I have removed this dependency with this helper. Thought I would share. I like DOMPurify but it is a pretty big dependency. I've used experimental Web APIs instead with a fallback to the striptags package.

import { helper } from '@ember/component/helper';
import { htmlSafe } from '@ember/template';
import { striptags } from 'striptags';

// Template helper: {{sanitize-html someUntrustedString}}
export default helper(function sanitizeHtml([ html ]) {
  // Prefer the browser's built-in Sanitizer API when it is present.
  if (window.Sanitizer) {
    const sanitizer = new window.Sanitizer();

    // TODO: The Sanitizer API is experimental. `sanitizeFor` is behind a flag as of writing,
    // and `setHTML` on a div is supported by all browsers as of writing, but this could change.
    if (typeof sanitizer.sanitizeFor === 'function') {
      return htmlSafe(sanitizer.sanitizeFor('div', html).innerHTML);
    } else {
      const div = document.createElement('div');
      div.setHTML(html, { sanitizer });

      return htmlSafe(div.innerHTML);
    }
  }

  // Fallback for browsers without the Sanitizer API: strip every tag rather than
  // sanitize, so only the text content survives.
  return htmlSafe(striptags(html));
});

EDIT: and I rely on dompurify way more than I thought so now just import it directly instead of doing this.
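As an added example (not code from the thread or from ember-dompurify), the following Node script scans an npm lockfile (lockfileVersion 2/3 "packages" map) for every installed copy of dompurify, reports which dependent nests each copy, and flags the ones inside the affected range quoted in the audit output above (<= 2.0.16). The lockfile is constructed for illustration; the version pin on ember-dompurify is taken from the issue text.

```javascript
// Upper bound of the affected range, as quoted in the npm audit output in this issue.
const AFFECTED_MAX = '2.0.16';

// Minimal major.minor.patch comparison; pre-release suffixes are ignored here.
function parseVersion(v) {
  return v.replace(/^[\^~]/, '').split('-')[0].split('.').map(Number);
}
function lte(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return true;
}

// One record per installed dompurify: its lockfile path, the dependent that
// pulled it in (nested copies live under that dependent's node_modules), and
// whether the version falls inside the affected range.
function findDompurifyCopies(lock, affectedMax = AFFECTED_MAX) {
  const suffix = 'node_modules/dompurify';
  const results = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix)) continue;
    const parent = path.slice(0, -suffix.length).replace(/\/$/, '');
    results.push({
      path,
      version: pkg.version,
      pulledInBy: parent === '' ? '(root package.json)' : parent.split('node_modules/').pop(),
      affected: lte(pkg.version, affectedMax),
    });
  }
  return results;
}

// Constructed lockfile: the app depends on ember-dompurify, which pins dompurify 1.0.3,
// while a newer dompurify also sits at the top level (so a fixed top-level copy
// does not remove the nested vulnerable one).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { 'ember-dompurify': '^1.0.0', dompurify: '^2.3.8' } },
    'node_modules/dompurify': { version: '2.3.8' },
    'node_modules/ember-dompurify': { version: '1.0.3', dependencies: { dompurify: '1.0.3' } },
    'node_modules/ember-dompurify/node_modules/dompurify': { version: '1.0.3' },
  },
};

for (const r of findDompurifyCopies(sampleLock)) {
  console.log(`${r.affected ? 'AFFECTED' : 'ok      '} dompurify@${r.version} at ${r.path} (via ${r.pulledInBy})`);
}
```

To run it against a real project, replace sampleLock with `JSON.parse(fs.readFileSync('package-lock.json'))`; lockfileVersion 1 files use a nested "dependencies" tree instead of the flat "packages" map and are not handled here.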