Extra DOM Clobbering protection via SANITIZE_NAMED_PROPS config

[SoheilKhodayari]

Summary

This PR adds a new opt-in configuration option SANITIZE_NAMED_PROPS that offers full DOM Clobbering protection by complementing the already-existing SANITIZE_DOM config.

When enabled, it isolates the namespace of named properties (i.e., id and name attributes) and JavaScript variables by prefixing their value with a constant string (i.e., user-content-).

Background & Context

The current version of DOMPurify offers protection only from selected cases of DOM Clobbering attacks (against web applications). In particular, it does not mitigate cases that clobber JavaScript variables for which no reference exists in the DOM tree.

PoC Example:

let script = document.createElement('script');
let config = window.CONF || {href: 'malicious.js'}
script.src = config.href;
document.body.appendChild(script);

In this example, the variable CONF can be clobbered if an attacker injects the payload <a id=CONF href=malicious.js>, whose value is used as the src of a dynamically loaded script, which results in arbitrary client-side code execution.

A developer using DOMPurify would attempt to sanitize this markup before adding it to the DOM tree. However, DOMPurify currently does not isolate/remove id=CONF since it does not detect any DOM collisions for such a markup.

Tasks

• Prefix id and name attributes with a constant for namespace isolation.

Dependencies

N/A