DOMPurify fails on sanitization of Trusted Types sink attributes #660
Comments
If I understand the issue correctly, we'd have to pass a policy object using an empty/noop policy, no?
So, my thinking is, we wanna wrap it like this, correct?

```js
if (namespaceURI) {
  currentNode.setAttributeNS(namespaceURI, name, value);
} else {
  /* Fallback to setAttribute() for browser-unrecognized namespaces e.g. "x-schema". */
  value = trustedTypesPolicy
    ? trustedTypesPolicy.createScriptURL(value)
    : value;
  currentNode.setAttribute(name, value);
}
```

But we also want to only do this for
So, like this, no?

```js
if (lcTag === 'script' && lcName === 'src') {
  value = trustedTypesPolicy
    ? trustedTypesPolicy.createScriptURL(value)
    : value;
}
currentNode.setAttribute(name, value);
```
cc @tosmolka :)
@cure53, I wanted to suggest using TrustedTypePolicyFactory.getAttributeType() but I was having some issues with Chromium implementation. I filed https://bugs.chromium.org/p/chromium/issues/detail?id=1305293 to get more eyes on the issue I was having. If possible, I'd like to avoid hard-coding the mapping between attributes and expected Trusted Types within the lib such as DOMPurify.
Gotcha, then let's wait until we have more clarity here. And I fully agree.
Closing for inactivity, happy to reopen when needed / actionable.
Background & Context
DOMPurify does not (by design) validate script URLs and we want to perform our own validation using hooks. It turns out DOMPurify calls setAttribute for all allowed attributes, and this causes a Trusted Types sink violation:
DOMPurify/src/purify.js, line 1196 at 5c28248
Bug
Input
Given output
DOMPurify fails with the following exception, and the GLightbox gallery in the iframe is not functional.
Expected output
DOMPurify sanitizes dirty HTML without throwing an exception, and the GLightbox gallery in the iframe is functional.
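The mechanism behind the report and the fix sketched in the comments (wrap a script src with createScriptURL before setAttribute, and prefer TrustedTypePolicyFactory.getAttributeType() over a hard-coded attribute table), as an added example that is not DOMPurify's or the commenters' code. Under a `require-trusted-types-for 'script'` CSP the browser throws when a plain string reaches a sink attribute such as script[src], so the example decides per attribute whether a Trusted Type is needed and runs the value through a policy that does the script-URL validation the issue wants to own. The function names, the host allowlist and the policy rules are constructed for the example; in Node there is no `trustedTypes` global, so the spec-derived fallback table and the plain rules object are used and the policy returns strings rather than Trusted* objects.

```javascript
// Added example (not DOMPurify's or the commenters' code): pick the Trusted
// Types wrapper an attribute value needs before it is handed to setAttribute(),
// and run the value through a policy that performs the script-URL validation
// the issue wants to do itself. attributeType, wrapForSink, makePolicy,
// setAttributeSafely, policyRules and ALLOWED_SCRIPT_HOSTS are constructed names.

const HTML_NS = 'http://www.w3.org/1999/xhtml';

// Maps a Trusted Type name to the policy method that produces it.
const CREATE_FOR = {
  TrustedHTML: 'createHTML',
  TrustedScript: 'createScript',
  TrustedScriptURL: 'createScriptURL',
};

// Fallback for environments without trustedTypes.getAttributeType() (Node,
// browsers without Trusted Types). It follows the spec's sink table:
// on* handlers -> TrustedScript, script[src] -> TrustedScriptURL,
// iframe[srcdoc] -> TrustedHTML; every other attribute is not a sink.
function fallbackAttributeType(tagName, attrName) {
  const tag = tagName.toLowerCase();
  const attr = attrName.toLowerCase();
  if (attr.startsWith('on')) return 'TrustedScript';
  if (tag === 'script' && attr === 'src') return 'TrustedScriptURL';
  if (tag === 'iframe' && attr === 'srcdoc') return 'TrustedHTML';
  return null;
}

// Prefer the browser's own answer (TrustedTypePolicyFactory.getAttributeType),
// which is what the discussion suggests instead of hard-coding the mapping.
function attributeType(tagName, attrName, elementNs = HTML_NS) {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.getAttributeType === 'function') {
    return tt.getAttributeType(tagName, attrName, elementNs, null);
  }
  return fallbackAttributeType(tagName, attrName);
}

// Constructed policy rules: script URLs must be https and on an allowlisted
// host, srcdoc HTML is passed through (a real policy would sanitize it here),
// and inline event-handler code is always rejected.
const ALLOWED_SCRIPT_HOSTS = new Set(['cdn.example.test']);
const policyRules = {
  createScriptURL(url) {
    const parsed = new URL(url, 'https://app.example.test/');
    if (parsed.protocol !== 'https:' || !ALLOWED_SCRIPT_HOSTS.has(parsed.host)) {
      throw new TypeError(`script URL rejected by policy: ${url}`);
    }
    return parsed.href;
  },
  createHTML(html) {
    return html;
  },
  createScript() {
    throw new TypeError('inline script is not allowed by policy');
  },
};

// In a browser with Trusted Types this creates a real policy whose methods
// return Trusted* objects; elsewhere the plain rules object stands in so the
// example still runs and the methods return strings.
function makePolicy(rules, name = 'example-sanitizer') {
  const tt = globalThis.trustedTypes;
  if (tt && typeof tt.createPolicy === 'function') {
    return tt.createPolicy(name, rules);
  }
  return rules;
}

// Wrap only values bound for a Trusted Types sink; plain attributes such as
// img[src] are returned unchanged, which is what keeps setAttribute() from
// throwing under a require-trusted-types-for 'script' CSP.
function wrapForSink(policy, tagName, attrName, value) {
  const type = attributeType(tagName, attrName);
  if (type === null || !policy) return value;
  return policy[CREATE_FOR[type]](value);
}

// The call a sanitizer's attribute loop would make instead of a bare setAttribute().
function setAttributeSafely(policy, element, attrName, value) {
  element.setAttribute(attrName, wrapForSink(policy, element.tagName, attrName, value));
}
```

A rejected script URL surfaces as a TypeError from the policy rather than as a sink violation from the browser, so the validation failure is reported by the code that owns the allowlist; a sanitizer that wanted to drop the attribute instead of throwing would catch that error and skip the setAttribute call.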