xlink:href filtering (particularly in <use>) #233
Comments
Hmmm, I think blocking only cross-origin I would recommend working with a hook that checks if the Would that work for you?
I think this might do, no?

    <!doctype html>
    <html>
    <head>
      <script src="../purify.js"></script>
    </head>
    <body>
      <!-- Now let's sanitize that content -->
      <script>
        'use strict';
        // Drop any element whose xlink:href is not a same-document fragment reference
        DOMPurify.addHook('afterSanitizeAttributes', function(node){
          if(node.hasAttribute('xlink:href') && !node.getAttribute('xlink:href').match(/^#/)){
            node.remove();
          }
        });
        // Clean HTML string and write into our DIV
        var clean = DOMPurify.sanitize("<svg>\
          <use xlink:href='#foo' />\
          <use xlink:href='//evil' />\
        </svg>", {ADD_TAGS: ['use']});
        console.dir(clean);
      </script>
    </body>
    </html>
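An added example, not code from this thread or from DOMPurify itself, that generalises the hook above: it checks both the legacy `xlink:href` and the plain `href` that SVG 2 allows on `<use>`, treats only same-document fragment references as safe, and ignores other elements. The function names (`isSameDocumentRef`, `makeUseHrefHook`, `fakeNode`, `runSamples`) and the minimal stand-in node object are my own, constructed so the hook can be exercised outside a browser; in a page it would be registered with `DOMPurify.addHook('afterSanitizeAttributes', makeUseHrefHook())`.

```javascript
'use strict';
// Accept only same-document fragment references such as "#foo": whitespace is
// trimmed, a bare "#" and anything with a scheme, host or path is rejected.
function isSameDocumentRef(value) {
  if (typeof value !== 'string') return false;
  const v = value.trim();
  return v.length > 1 && v[0] === '#';
}

// Check the legacy xlink:href and the plain href that SVG 2 allows on <use>.
const HREF_ATTRS = ['xlink:href', 'href'];
// Hook for DOMPurify.addHook('afterSanitizeAttributes', hook): acts only on
// <use> elements and removes any whose reference is not a same-document
// fragment. Needs standard DOM nodeName/hasAttribute/getAttribute/remove.
function makeUseHrefHook() {
  return function (node) {
    if (String(node.nodeName).toLowerCase() !== 'use') return;
    for (const attr of HREF_ATTRS) {
      if (node.hasAttribute(attr) && !isSameDocumentRef(node.getAttribute(attr))) {
        node.remove();
        return;
      }
    }
  };
}

// Constructed stand-in for a DOM element so the hook can run without a browser.
function fakeNode(nodeName, attrs) {
  return {
    nodeName,
    removed: false,
    hasAttribute(name) { return Object.prototype.hasOwnProperty.call(attrs, name); },
    getAttribute(name) { return attrs[name]; },
    remove() { this.removed = true; },
  };
}

// Run the hook over constructed samples; returns which ones were removed.
function runSamples() {
  const hook = makeUseHrefHook();
  const samples = {
    local: fakeNode('use', { 'xlink:href': '#foo' }),
    padded: fakeNode('use', { href: ' #bar ' }),
    remote: fakeNode('use', { 'xlink:href': '//evil' }),
    remoteHref: fakeNode('use', { href: 'https://example.invalid/icons.svg#icon' }),
    notUse: fakeNode('path', { 'xlink:href': '//evil' }),
  };
  Object.values(samples).forEach(hook);
  return Object.fromEntries(Object.entries(samples).map(([k, n]) => [k, n.removed]));
}
```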
That looks good to me, thanks! I'm still pretty unfamiliar with XSS, so I wasn't sure if it was possible to sneak some JavaScript in after the
Glad there is a workaround for this! :) Is there a reason why this is not done by default, though? Performance related? Thank you for your time.
When filtering SVGs, DOMPurify seems to be over-eager in eliminating certain tags - I noticed it in one of my SVG <use> tags being removed. Specifically, I defined a path in an SVG file and then referred to it using a <use> tag later in the document:

but after being sanitized, the <mask> became:

with the <use> tag removed, and the SVG image was thus missing that element when it was loaded.

In my understanding, it should be safe to have internal references in xlink:href paths like I had above, so long as other scripts in the file are sanitized. Is there any way to improve the sanitizer to only block dangerous (e.g. cross-origin) hrefs inside <use> tags?