clarifies this example and comment in the main documentation.
// keep an element's content when the element is removed (default is true, careful, minor XSS risks here)
var clean = DOMPurify.sanitize(dirty, {KEEP_CONTENT: false});
It's a little ambiguous here whether the "minor XSS risk" refers to "default is true" or to this specific example, where it's setting the value to false. I would assume that the default setting of true is where the minor XSS risk occurs, which is a little troubling because it sounds like the default settings for this library have a minor XSS risk, but doesn't that defeat the point? Do we need to set KEEP_CONTENT: false to avoid this minor XSS risk?
Can you perhaps clarify this and expand on what the risk is?
In the past, we had one case where an XSS was possible when KEEP_CONTENT was changed from true to false. We have meanwhile eliminated the root cause of this. But it might - as always - be that there are variations we don't know of yet.
So, while I am not aware of any case where this flag causes XSS, we feel better mentioning a tiny bit of residual risk here, just because we had a problem with that in the past.
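For readers unsure what the flag actually decides, here is an added stand-alone illustration of the keep-content semantics. It is not DOMPurify's code and does not reproduce the past bug the maintainer mentions; it is a minimal allowlist sanitizer built on Python's standard-library html.parser with a keep_content switch. ALLOWED_TAGS, ALLOWED_ATTRS, RAW_TEXT_TAGS, VOID_TAGS and the sample inputs are assumptions chosen for the demo.

```python
"""Illustration (not DOMPurify's code) of what "keep an element's content
when the element is removed" means in an allowlist sanitizer, and of the
one rule that makes either setting safe: text that survives the removal of
its parent must be re-emitted as escaped text, never as markup."""
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "a"}            # assumed allowlist for the demo
ALLOWED_ATTRS = {"a": {"href"}}                 # assumed attribute allowlist
# Elements whose body the HTML parser treats as raw text rather than as
# child markup. Their "content" is not safe to keep as text, so it is
# dropped regardless of keep_content.
RAW_TEXT_TAGS = {"script", "style"}
# Void elements never have a closing tag, so they must not be pushed on the
# stack of open removed elements.
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self, keep_content: bool):
        super().__init__(convert_charrefs=True)
        self.keep_content = keep_content
        self.out = []
        # Stack of (tag, content_dropped) for removed elements still open.
        self.removed = []

    @property
    def dropping(self) -> bool:
        return any(dropped for _, dropped in self.removed)

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            if self.dropping:
                return
            allowed = ALLOWED_ATTRS.get(tag, set())
            attr_s = "".join(
                f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs if k in allowed
            )
            self.out.append(f"<{tag}{attr_s}>")
            return
        # The element itself is always removed; keep_content only decides
        # whether what is inside it survives.
        drop = (not self.keep_content) or tag in RAW_TEXT_TAGS
        if tag not in VOID_TAGS:
            self.removed.append((tag, drop))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            if not self.dropping:
                self.out.append(f"</{tag}>")
            return
        # Close the innermost open removed element with this name, if any.
        for i in range(len(self.removed) - 1, -1, -1):
            if self.removed[i][0] == tag:
                del self.removed[i:]
                break

    def handle_data(self, data):
        # Kept content is emitted as text: escaping here is what stops text
        # that was inside a removed element from turning into markup.
        if not self.dropping:
            self.out.append(escape(data))


def sanitize(dirty: str, keep_content: bool = True) -> str:
    """keep_content=True mirrors KEEP_CONTENT's documented default."""
    parser = AllowlistSanitizer(keep_content)
    parser.feed(dirty)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample inputs for the demo.
    sample = "<p>Hello <blink>world</blink>!</p>"
    print(sanitize(sample, keep_content=True))    # <p>Hello world!</p>
    print(sanitize(sample, keep_content=False))   # <p>Hello !</p>
    print(sanitize("<p><style><img src=x onerror=alert(1)></style>ok</p>"))
```

With keep_content=True the text "world" survives the removal of its blink parent; with keep_content=False it goes with it. In both modes a removed style element's body is dropped, because the parser hands that body over as raw text and "keeping" it would mean deciding what it is in the new context. Any real sanitizer, DOMPurify included, has to make that same decision for every element it removes, which is why a flag that changes where removed content ends up deserves the cautious wording in the README.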
Thanks for the quick reply! So the vulnerability occurred with KEEP_CONTENT: false? If so, I would suggest you tweak the comment a little bit since it suggests the opposite.