leizongmin / js-xss

Sanitize untrusted HTML (to prevent XSS) with a configuration specified by a Whitelist
http://jsxss.com

Event handler attributes not sanitized #212

Open skitterm opened 3 years ago

skitterm commented 3 years ago

When calling safeAttrValue, I've noticed it doesn't sanitize event handler attributes. This is problematic because untrusted data should not go in these attributes except for inside a quoted variable value (according to OWASP).

When I make this call, the event handler attribute value is not properly removed:

```js
const { safeAttrValue } = require('xss');

const value = safeAttrValue('div', 'onmouseover', 'alert(\"Hi\")');

// expected value is ''

// actual value is 'alert("Hi")'
```

Putting this value into an event handler attribute causes the code to be executed: https://jsfiddle.net/bca5yj6s/

I believe safeAttrValue() should disallow event handler attribute values entirely and return an empty string in each case.
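As an added example (not js-xss code and not part of the issue), here is the kind of name-based guard the report asks for: any attribute whose name is an HTML event handler (`on*`) is refused outright, and only other attributes are passed on to a caller-supplied sanitizer such as `xss.safeAttrValue`. The names `isEventHandlerAttr`, `makeStrictAttrSanitizer`, `escapeAttrValue` and `renderAttr` are assumptions for this example; `escapeAttrValue` is a minimal stand-in so the block runs without the library installed.

```javascript
// Added example, not js-xss code. Demonstrates refusing event-handler
// attribute values by attribute NAME rather than trying to clean the value,
// since per OWASP no untrusted data belongs in such an attribute at all.

// Every HTML event handler attribute is spelled "on" + letters
// (onclick, onmouseover, onerror, onload, ...). Matching case-insensitively
// and after trimming covers variants like "ONCLICK" or " onclick".
const EVENT_HANDLER_RE = /^on[a-z]+$/i;

function isEventHandlerAttr(name) {
  return EVENT_HANDLER_RE.test(String(name).trim());
}

// Minimal stand-in for a base attribute sanitizer (assumption): it only
// escapes characters that could terminate or alter an attribute value.
// In real use you would pass xss.safeAttrValue here instead.
function escapeAttrValue(tag, name, value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Wrap any base sanitizer so that event-handler attributes always yield ''.
function makeStrictAttrSanitizer(baseSafeAttrValue) {
  return function safeAttrValueStrict(tag, name, value, cssFilter) {
    if (isEventHandlerAttr(name)) {
      return ''; // nothing is safe inside onmouseover="..." and friends
    }
    return baseSafeAttrValue(tag, name, value, cssFilter);
  };
}

// Render a single attribute for output; an empty sanitized value means the
// attribute is dropped entirely rather than emitted as onmouseover="".
function renderAttr(safeAttr, tag, name, value) {
  const clean = safeAttr(tag, name, value);
  return clean === '' ? '' : ` ${name}="${clean}"`;
}

// Stand-alone demo on constructed input.
const strict = makeStrictAttrSanitizer(escapeAttrValue);
console.log(JSON.stringify(strict('div', 'onmouseover', 'alert("Hi")'))); // ""
console.log(`<a${renderAttr(strict, 'a', 'title', 'say "hi"')}>`);        // <a title="say &quot;hi&quot;">
console.log(`<div${renderAttr(strict, 'div', 'onmouseover', 'alert(1)')}>`); // <div>
```

Because the decision is made on the attribute name, it is independent of whatever the value contains, so no encoding or quoting trick in the value can reach the base sanitizer for these attributes.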