<html>
<head>
<script src="../src/purify.js"></script>
</head>
<body>
<!-- Our DIV to receive content -->
<div id="sanitized"></div>
<!-- Now let's sanitize that content -->
<script>
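/* jshint globalstrict:true */
/* global DOMPurify */
;
// Base URL every rewritten link is routed through. The original target is
// appended as one percent-encoded blob directly after the "?", i.e. the
// whole query string is the encoded URL (no parameter name).
var proxy = 'https://my.proxy.service/?';

// Attributes that carry a navigable URL and are therefore routed via the
// proxy: form submissions (action), HTML/MathML links (href) and SVG links
// (xlink:href, matched by its qualified name). Any other URL-bearing
// attribute DOMPurify may keep (img src, for instance -- TODO confirm
// against DOMPurify's allow-list) is deliberately left alone: this hook
// proxies *links*, nothing else.
var proxiedAttributes = ['action', 'href', 'xlink:href'];

// Specify dirty HTML: every link, form and image-map target points at an
// untrusted host. Built from one segment per element so the resulting
// string is exactly the concatenation of the segments (no newlines).
var dirty = [
  '<a href="http://evil.com/">CLICK</a>',
  '<a href="http://evil.com/" target="jajaja">CLICK</a>',
  '<svg><a xlink:href="http://evil.com/"><circle r=40></a></svg>',
  '<svg><a xlink:href="http://evil.com/" href="http://evil.com/"><circle r=40></a></svg>',
  '<form action="http://evil.com/"><input type="submit"></form>',
  '<map name="test"><area href="http://evil.com/" shape="rect" coords="0,0,200,200"></area></map>',
  '<math href="http://evil.com/">CLICKME</math>'
].join('');

// Rewrite a single URL attribute of `node` so it points at the proxy.
//
// Security note: this runs in an afterSanitizeAttributes hook, so presumably
// DOMPurify's own attribute/URI checks have already happened and whatever we
// write here is kept verbatim. That is why the proxy base is a fixed literal
// and the original value is always passed through encodeURIComponent(): the
// sanitized output can never contain a raw attacker-controlled URL, and the
// original value cannot inject extra query parameters into the proxy URL.
function proxyAttribute(node, name) {
  // Check for the *attribute*, not a same-named DOM property. The original
  // `'action' in node` test was true for every <form> element, so a form
  // without an explicit action ended up with action="<proxy>null" because
  // getAttribute() returned null. A form without an action attribute now
  // submits to the document URL as usual -- NOTE(review): if every form
  // should be forced through the proxy regardless, handle <form> explicitly.
  if (!node.hasAttribute(name)) {
    return;
  }
  node.setAttribute(name, proxy + encodeURIComponent(node.getAttribute(name)));
}

// Add a hook to make all links point to the proxy. The hook is invoked by
// DOMPurify with each element after its attributes have been sanitized.
DOMPurify.addHook('afterSanitizeAttributes', function (node) {
  proxiedAttributes.forEach(function (name) {
    proxyAttribute(node, name);
  });
});

// Clean HTML string and write into our DIV. Only DOMPurify's output is ever
// assigned to innerHTML; `dirty` itself is never inserted into the page.
var clean = DOMPurify.sanitize(dirty);
document.getElementById('sanitized').innerHTML = clean;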
</script>
</body>
</html>