New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Chrome 77: sanitize() returns TrustedHTML-Object instead of string #361
Comments
Hi @Uzlopak !
|
Hey all, thanks for the report. This is intended behavior however when working with Trusted Types. See here: https://github.com/cure53/DOMPurify#what-about-dompurify-and-trusted-types @koto Maybe we should update the docs, is this on by default now? |
@cure53 https://github.com/DefinitelyTyped/DefinitelyTyped/blob/master/types/dompurify/index.d.ts |
I am still a bit confused about what has changed in Chrome 77? Did they change something related to the trusted API? Does anybody have a link to the changelog in Chrome so that we can see, why this was changed? |
This is something @koto is likely going to be able to answer |
This change in API is risky. I fear a bunch of apps are now experiencing issues with this. |
This is why it crashed on Chrome 77. It's an experimental API and it's been here from chrome 73 - 76 ( but needs users to manually enable it ). But from Chrome 77, it's Enabled by default.
see : MDN trusted-types |
The README file has been updated to reflect the changes in Chrome's behavior/config. Hope that clarifies things a bit. |
Thank you guys! |
Trusted Types should not be enabled by default on Chrome 77. We're investigating what happened in https://bugs.chromium.org/p/chromium/issues/detail?id=1002685 |
That said you should really not alter the sanitize function output, Trusted Types only makes it clear. The API will ship in one of future releases, there will be a proper Intent To Ship, so there's still time to update the code. |
In May i saw #316
IMHO it's a broken versioning and we're left with:
What do you think? |
activating TrustedHTML by parameter instead of Feature detection would be a solution but you would need to release a new major as it is a breaking change. But that would fix it perfectly. |
Regardless of the Trusted Types angle, I think the change DOMPurify might want is for the value returned from This can be achieved by e.g. returning an object with a If needed this behavior could be turned off with Now - this is a breaking change. So the plan might be to:
|
DOMPurify is not a Sheriff that controls what people do with the sanitized result. It's a sanitizer library that sanitizes - and it does so really well. What people do with the result afterwards is their choice. Even if they do the seemingly wrong thing according to this or the other philosophy. So, the immutability thing, while sounding right when being looked at from a certain angle, is not what we will do. @koto I fully see your point and support it - when looking at things from a pentester's angle. But I don't like it looking at things from a developer's angle. :)
I like this idea much more. It gives people a choice. This means we would go 2.0.0 correct? Not a versioning expert, hence asking :D @Uzlopak |
Yes, according to semver you would increase the version to 2.0.0 because there could already people using TrustedHTML feature because you already documented it as the expected behaviour (and thus make their use of your product not wrong) and you would break the expected behaviour. |
Cool, thanks :) So what would have to be done is:
Anything I have forgotten? |
Just for clarification, because i dont know what RETURN_TRUSTED_TYPE means: Two more possible points:
|
Yes |
I like that. |
I like that as well. Re: breakages for existing code bases, this will likely not happen again, as we're renaming |
@koto should we incorporate that change into the new code as well? i.e. test for both once the flag has been set to true? I am working on it as we speak, hence asking. I don't want the library to run after Chrome with a bucket in its hand - so maybe better do it now than later :D |
I'd say only check for |
Gotcha, makes it hard to write tests though. |
@koto Let me actually push the changes with After that, I would wait for your go to make the second change and use |
@koto Changes are in, now waiting for the BrowserStack results - also running Chrome 77 on BS now. |
Okay, we should be good. CI is complaining but for different reasons :) |
Can you provide the PR so that we can have a look over it, please :)? |
All relevant commits are linked in this ticket, see above. |
I think we might also need a bugfix release that removes the TT as a return value from 1.x.x? Since this was the one that introduced a breaking change. I don't see branches in your repo, would that be a manual code change & release? |
No need for that, we will not start maintain different branches or bug-fix releases because of this rather small issue. I would go as far as to close this issue for now. As far as I can see, the tests are green, the offending feature has been placed behind a flag and the library behaves again as expected. |
This version is tagged as major due to a breaking change in the API. This upgrade is forced by an unexpected change in Chrome 77 [0] (see implications for DOMPurify in [1]). Even if this is not supposed to impact Tuleap, it can be hard to troubleshoot in production since this is caused by a specific version of one browser. It is best to upgrade now to avoid the potential pain. [0] https://bugs.chromium.org/p/chromium/issues/detail?id=1002685 [1] cure53/DOMPurify#361 Change-Id: Ibc852c866d23824964ee8c0299ffb8457bf07b1b
In our usecase Chrome77 breaks our code. The sanitize method returns TrustedHTML instead of a string. We fixed it by adding a .toString() to the result of sanitize().
Bug
Input
console.log(dompurify.sanitize("a"))
Given output
TrustedHTML-Object;
Expected output
"a"
The text was updated successfully, but these errors were encountered: