Merge pull request #557 from 0xedward/expose-FORBID_CONTENTS

Expose `FORBID_CONTENTS` to allow users to specify which elements DOMPurify should remove from the input with its children
cure53 · Aug 10, 2021 · ded85d9 · ded85d9
2 parents d494912 + 56c29b1
commit ded85d9
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 1 deletion.
diff --git a/src/purify.js b/src/purify.js
@@ -263,7 +263,8 @@ function createDOMPurify(window = getGlobal()) {
   let USE_PROFILES = {};
 
   /* Tags to ignore content of when KEEP_CONTENT is true */
-  const FORBID_CONTENTS = addToSet({}, [
+  let FORBID_CONTENTS = null;
+  const DEFAULT_FORBID_CONTENTS = addToSet({}, [
     'annotation-xml',
     'audio',
     'colgroup',
@@ -372,6 +373,10 @@ function createDOMPurify(window = getGlobal()) {
       'ADD_DATA_URI_TAGS' in cfg
         ? addToSet(clone(DEFAULT_DATA_URI_TAGS), cfg.ADD_DATA_URI_TAGS)
         : DEFAULT_DATA_URI_TAGS;
+    FORBID_CONTENTS =
+      'FORBID_CONTENTS' in cfg
+        ? addToSet({}, cfg.FORBID_CONTENTS)
+        : DEFAULT_FORBID_CONTENTS;
     FORBID_TAGS = 'FORBID_TAGS' in cfg ? addToSet({}, cfg.FORBID_TAGS) : {};
     FORBID_ATTR = 'FORBID_ATTR' in cfg ? addToSet({}, cfg.FORBID_ATTR) : {};
     USE_PROFILES = 'USE_PROFILES' in cfg ? cfg.USE_PROFILES : false;
@@ -447,6 +452,14 @@ function createDOMPurify(window = getGlobal()) {
       addToSet(URI_SAFE_ATTRIBUTES, cfg.ADD_URI_SAFE_ATTR);
     }
 
+    if (cfg.FORBID_CONTENTS) {
+      if (FORBID_CONTENTS === DEFAULT_FORBID_CONTENTS) {
+        FORBID_CONTENTS = clone(FORBID_CONTENTS);
+      }
+
+      addToSet(FORBID_CONTENTS, cfg.FORBID_CONTENTS);
+    }
+
     /* Add #text in case KEEP_CONTENT is set to true */
     if (KEEP_CONTENT) {
       ALLOWED_TAGS['#text'] = true;

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -161,6 +161,19 @@ module.exports = function (DOMPurify, window, tests, xssTests) {
       '<my-component my-attr="foo">abc</my-component>'
     );
   });
+  QUnit.test(
+    'Config-Flag tests: FORBID_CONTENTS + FORBID_TAGS',
+    function (assert) {
+      // FORBID_CONTENTS + FORBID_TAGS
+      assert.equal(
+        DOMPurify.sanitize(
+          '<div><b>preserve me</b></div><p><b>no not preserve me</b></p>',
+          { FORBID_CONTENTS: ['p'], FORBID_TAGS: ['div', 'p'] }
+        ),
+        '<b>preserve me</b>'
+      );
+    }
+  );
   QUnit.test('Config-Flag tests: SAFE_FOR_JQUERY (now inactive, secure by default)', function (assert) {
     assert.equal(
       DOMPurify.sanitize('<a>123</a><option><style><img src=x onerror=alert(1)>'),