Skip to content

Commit

Permalink
Added clobber-checks against potential bypasses
Browse files Browse the repository at this point in the history
Withdraw elements whose name / id collide with the ones DOMPurify uses
  • Loading branch information
filedescriptor committed Feb 17, 2015
1 parent 9691bd3 commit 16e431f
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions purify.js
Original file line number Diff line number Diff line change
Expand Up @@ -384,6 +384,12 @@
currentNode.removeAttribute(currentNode.attributes[attr].name);

if (!tmp instanceof Attr) { continue; }

/* Protect DOMPurify itself against clobbering attack */
if ((tmp.name === 'id' || tmp.name === 'name')
&& (tmp.value === 'implementation' || tmp.value === 'createNodeIterator')) {
clobbering = true;
}

if(SANITIZE_DOM) {
if(tmp.name === 'id'
Expand Down

0 comments on commit 16e431f

Please sign in to comment.