
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It's written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Firefox and Chrome - as well as almost anything else usin

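<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>DOMPurify hook demo: URI scheme allow-list</title>
  <script src="../src/purify.js"></script>
</head>
<body>
  <!-- Our DIV to receive content -->
  <div id="sanitized"></div>

  <!-- Now let's sanitize that content -->
  <script>
    /* jshint globalstrict:true */
    /* global DOMPurify */
    'use strict';

    // Specify dirty HTML: a mix of href / action / xlink:href values whose
    // schemes are on the allow-list (marked SECURE / safe / green) and ones
    // that are not (INSECURE / unsafe / red). The pieces are concatenated
    // without separators, exactly as a backslash-continued literal would be.
    var dirty = [
      '<a href="foo:?a">INSECURE</a>',
      '<a href="ftp://abc.de?a"">SECURE</a>',
      '<a href="https://abc.de?a"">SECURE</a>',
      '<a href="?a"">SECURE</a>',
      '<svg><a href="ms-appx://some/app/test.html"><circle r=40 fill=red></a></svg>',
      '<svg><a href="http://benign.com/"><circle r=40 fill=green></a></svg>',
      '<svg><a href="#123"><circle r=40 fill=green></a></svg>',
      '<form action="?form"><input type="submit" value="safe"></form>',
      '<form action="bingweather:?lat=1&long=2"><input type="submit" value="unsafe"></form>',
      '<img src="404" width="200" height="200" usemap="#test"><map name="test"><area href="skype://123456?call" shape="rect" coords="0,0,200,200"></area></map>',
      '<img src="404" width="200" height="200" usemap="#test"><map name="test"><area href="http://test.com/" shape="rect" coords="0,0,200,200"></area></map>',
      '<math href="http://test.com/">SECURE</math>',
      '<math href="calculator:">INSECURE</math>',
      '<math><mi target="xxx" href="http://test.com/">SECURE</mi></math>',
      '<math><mi href="javascript:alert(1)">INSECURE</mi></math>',
      '<math><mi target="xxx" href="aim:1111111?call">INSECURE</mi></math>',
      '<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="https://test.com/"><circle r=40 fill=green></a></svg>',
      '<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="telnet:1.1.1.1"><circle r=40 fill=red></a></svg>',
      '<svg xmlns:xlink="http://www.w3.org/1999/xlink"><a xlink:href="?secure"><circle r=40 fill=green></a></svg>'
    ].join('');

    // allowed URI schemes
    var whitelist = ['http', 'https', 'ftp'];

    // Build a regex that matches a whole resolved `protocol` value such as
    // "https:". Only the case-insensitive flag is kept: `protocol` never
    // contains newlines (so 'm' was inert) and a stateful 'g' flag is a
    // liability once the pattern is used with test(), so it is dropped.
    var regex = RegExp('^(' + whitelist.join('|') + '):$', 'i');

    // Resolve the value of `attrName` on `node` the way the browser would
    // (an <a> element's href setter runs the URL parser, resolving relative
    // values against the document base) and remove the attribute unless the
    // resulting scheme is on the allow-list. This fails closed: an unparsable
    // value yields an empty or ":" protocol and is removed as well, whereas
    // the previous check let an empty `protocol` through untouched.
    // NOTE(review): relative values such as "?a" inherit the document's own
    // scheme, so opening this demo from a file: URL rejects them — serve it
    // over http(s) to see the intended output.
    function enforceScheme(node, attrName) {
      if (!node.hasAttribute(attrName)) {
        return;
      }
      var anchor = document.createElement('a');
      anchor.href = node.getAttribute(attrName);
      if (!regex.test(anchor.protocol)) {
        node.removeAttribute(attrName);
      }
    }

    // Add a hook to enforce the URI scheme allow-list on every attribute
    // that can carry a navigable URL: href, form action and SVG xlink:href.
    DOMPurify.addHook('afterSanitizeAttributes', function (node) {
      enforceScheme(node, 'href');
      enforceScheme(node, 'action');
      enforceScheme(node, 'xlink:href');
    });

    // Clean HTML string and write into our DIV
    var clean = DOMPurify.sanitize(dirty);
    document.getElementById('sanitized').innerHTML = clean;
  </script>
</body>
</html>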