mozilla / sanitizer-polyfill

rewrite constructor arguments, call DOMPurify, profit
https://mozilla.github.io/sanitizer-polyfill/demo/
Mozilla Public License 2.0

Validate custom elements in configuration #33

Open 0xedward opened 2 years ago

0xedward commented 2 years ago

When the user sets allowCustomElements to true in the sanitizer configuration, we want to allowlist all custom elements.

When allowCustomElements === false, we want to remove all custom elements from allowElements.

When allowCustomElements === true, we want to check that all elements in allowElements are part of https://wicg.github.io/sanitizer-api/#baseline-elements and keep all custom elements in allowElements. We can construct a regex from https://html.spec.whatwg.org/multipage/custom-elements.html#valid-custom-element-name to determine if an element is a custom element.

For example:

config = { "allowElements" : ["a", "script"], "allowCustomElements" : true}

_normalizeConfig(config) // should throw an error because script is not a custom element and is not in DEFAULT_ALLOWED_ELEMENTS

safeConfig = { "allowElements" : ["a", "mycustomelement"], "allowCustomElements" : true}

_normalizeConfig(safeConfig) // should return a config with ["a", "mycustomelement"] for allowElements
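
A sketch of the check described in the comment above, as an added example that is not the polyfill's code: `checkAllowElements`, the small `BASELINE` set and the ASCII-only name regex are assumptions, as is rejecting unknown built-in names when allowCustomElements is false (the issue only states that case for true). The sample names are constructed, and the custom ones carry the hyphen that the valid-custom-element-name rule requires.

```javascript
// Hypothetical stand-in for the spec's baseline element list (not the real list).
const BASELINE = new Set(["a", "b", "div", "p", "span"]);

// Hyphenated names the HTML spec reserves; they are never custom elements.
const RESERVED = new Set([
  "annotation-xml", "color-profile", "font-face", "font-face-src",
  "font-face-uri", "font-face-format", "font-face-name", "missing-glyph",
]);

// Assumption: ASCII-only simplification of valid-custom-element-name.
// Lowercase letter first, at least one hyphen, no uppercase letters.
const CUSTOM_NAME = /^[a-z][-.0-9_a-z]*-[-.0-9_a-z]*$/;

function isCustomElementName(name) {
  return CUSTOM_NAME.test(name) && !RESERVED.has(name);
}

// Hypothetical helper, not the polyfill's _normalizeConfig.
function checkAllowElements(config) {
  const allowCustom = config.allowCustomElements === true;
  const kept = [];
  for (const name of config.allowElements ?? []) {
    if (typeof name !== "string") {
      throw new TypeError("allowElements entries must be strings");
    }
    if (isCustomElementName(name)) {
      // Custom elements survive only when explicitly enabled.
      if (allowCustom) kept.push(name);
    } else if (BASELINE.has(name)) {
      kept.push(name);
    } else {
      // Neither baseline nor custom (e.g. "script"): reject the whole config
      // instead of silently passing the name through to the sanitizer.
      throw new Error(`element not allowed: ${name}`);
    }
  }
  return { ...config, allowElements: kept };
}
```

Throwing on an unknown name, instead of dropping it, surfaces a misconfigured allowlist at construction time.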

thernstig commented 1 year ago

@0xedward does this mean that this polyfill does not work at all now if using Custom Elements? So this issue needs to be implemented before it can be used in projects using Custom Elements?

0xedward commented 1 year ago

Hey @thernstig, it's been a while since I worked on this, so my memory might be a bit faulty. The polyfill basically converts the configuration dictionary in the HTML Sanitizer API spec to the equivalent configuration for DOMPurify, then uses DOMPurify to sanitize the input. The polyfill should work if your input has custom elements as long as DOMPurify can handle custom elements without them being specified in its config.

Here are some code pointers for what I mentioned:
https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L18-L20
https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L130-L161

mozfreddyb commented 1 year ago

> So this issue needs to be implemented before it can be used in projects using Custom Elements?

FWIW, I would not recommend using this polyfill in any kind of production setup. The Sanitizer API is still under heavy development and we're changing quite a few things (e.g., the config syntax in https://github.com/WICG/sanitizer-api/issues/181).