Issue with attribute sanitizer on input when name="name"

[srajagop]

Background & Context

We found this issue in one of the projects. Where if an input has an attribute like this name="name" or name="URL", the attribute is getting stripped away.

Bug

Input

<form>
       <label for="name">Test Name</label>
       <input id="name" maxlength="80" name="name" size="20" type="text" />
       <label for="URL">Test Url</label>
       <input id="url" maxlength="80" name="URL" size="20" type="text" />
</form>

Given output

<form>
       <label for="name">Test Name</label>
       <input type="text" size="20" maxlength="80">
       <label for="URL">Test Url</label>
       <input type="text" size="20" maxlength="80" id="url">
</form>

Expected output

<form>
       <label for="name">Test Name</label>
       <input id="name" maxlength="80" name="name" size="20" type="text" />
       <label for="URL">Test Url</label>
       <input id="url" maxlength="80" name="URL" size="20" type="text" />
</form>

Also note that id="name" is also getting stripped of

[cure53]

Heya, this is part of our DOM clobbering protection. You can disable it using this code:

var clean = DOMPurify.sanitize(dirty, {SANITIZE_DOM: false});

[srajagop]

Thank you for the quick response. Will there be any side effects because of this?

[cure53]

Basically, the library doesn't check for DOM Clobbering attacks any longer. Depending on our use case, this might or might not have side effects.

I would assume them to be marginal though - for most cases.

[srajagop]

Thank you very much. The config change is working properly. I will be closing this.