UNPKG

dompurify

Version:

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

github.com/cure53/DOMPurify

cure53/DOMPurify

167 lines (154 loc) 6.85 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
<!doctype html> <html> <head> <script src="../src/purify.js"></script> </head> <body> <!-- Our DIV to receive content --> <div id="sanitized"></div> <!-- Now let's sanitize that content --> <script> /* jshint globalstrict:true */ /* global DOMPurify */ 'use strict'; window.onload = function(){ // Specify dirty HTML var dirty = document.getElementById('payload').value; // We can allow all (default elements) but SVG var config = { FORBID_TAGS: ['svg'] // SVG is not yet supported. Too messy. }; // Specify CSS property whitelist var allowed_properties = [ 'color', 'background', 'border', 'padding', 'margin', 'font-family', 'content', 'padding' ]; // Specify if CSS functions are permitted var allow_css_functions = true; /** * Take CSS property-value pairs and validate against white-list, * then add the styles to an array of property-value pairs */ function validateStyles(output, styles) { // Validate regular CSS properties for (var prop in styles) { if (typeof styles[prop] === 'string') { if (styles[prop] && allowed_properties.indexOf(prop) > -1) { if (allow_css_functions || !/\w+\(/.test(styles[prop])) { output.push(prop + ':' + styles[prop] +';'); } } } } } /** * Take CSS rules and analyze them, create string wrapper to * apply them to the DOM later on. Note that only selector rules * are supported right now */ function addCSSRules(output, cssRules) { for (var index = cssRules.length-1; index >= 0; index--) { var rule = cssRules[index]; // check for rules with selector if (rule.type == 1 && rule.selectorText) { output.push(rule.selectorText + '{') if (rule.style) { validateStyles(output, rule.style) } output.push('}'); } } } // Add a hook to enforce CSS element sanitization DOMPurify.addHook('uponSanitizeElement', function(node, data) { if (data.tagName === 'style') { var output = []; addCSSRules(output, node.sheet.cssRules); node.textContent = output.join("\n"); } }); // Add a hook to enforce CSS attribute sanitization DOMPurify.addHook('afterSanitizeAttributes', function(node) { // Nasty hack to fix baseURI + CSS problems in Chrome if (!node.ownerDocument.baseURI) { var base = document.createElement('base'); base.href = document.baseURI; node.ownerDocument.head.appendChild(base); } // Check all style attribute values and validate them if (node.hasAttribute('style')) { var output = []; validateStyles(output, node.style); // re-add styles in case any are left if (output.length) { node.setAttribute('style', output.join("")); } else { node.removeAttribute('style'); } } }); // Clean HTML string and write into our DIV var clean = DOMPurify.sanitize(dirty, config); document.getElementById('sanitized').innerHTML = clean; } </script> <!-- Here we cage our payload in a TEXTAREA --> <textarea id="payload"> <a href="#" style="border:1ps solid blue;color:red;background:url(/images/test.gif)">ABC</a> <style> big { list-style: url(https://leaking.via/css-list-style); list-style-image: url(https://leaking.via/css-list-style-image); background: url(https://leaking.via/css-background); background-image: url(https://leaking.via/css-background-image); border-image: url(https://leaking.via/css-border-image); border-image-source: url(https://leaking.via/css-border-image-source); shape-outside: url(https://leaking.via/css-shape-outside); cursor: url(https://leaking.via/css-cursor), auto; color:red; } </style> <big>DEF</big> <svg> <style> circle { fill: green; mask: url(https://leaking.via/svg-css-mask#foo); filter: url(https://leaking.via/svg-css-filter#foo); clip-path: url(https://leaking.via/svg-css-clip-path#foo); } </style> <circle r="40"></circle> </svg> <style> @media all, not print and not monochrome, (min-width: 1px) { body { background: url(https://leaking.via/css-media-query); font-family: expression(alert('url()')); -webkit-animation: rotate-a-bit; -webkit-animation-duration: 1s; } } @font-face { font-family: leak; src: url(test.woff); } strong { font-family: leak; color:blue; background: url("/images/test.gif"); } strong:after { content: 'hola!'; } </style> <strong>GHI</strong> </textarea> </body> </html>