
HTML and BODY tags are being removed regardless of `ALLOWED_TAGS` settings

Open secret-agent-B opened this issue 9 months ago • 0 comments

This issue proposes a [bug, feature] which...

Background & Context

I have a string that needs to be sanitized, but I want to allow HTML and BODY tags if they exist. I don't want them to be added automatically if they're not in the input string. I've also tried CUSTOM_ELEMENT_HANDLING, but it was still filtering out HTML and BODY tags.

Bug

HTML and BODY tags should be allowed if they're in ALLOWED_TAGS.

Input

    // test
    // Closing </span> corrected so the string matches the input shown below.
    const input = '<html><body><span>text</span></body></html>';
    const expected = '<html><body>text</body></html>';
    const actual = DOMPurify.sanitize(input, {
        ALLOWED_TAGS: ['html', 'body'],
        ALLOW_ARIA_ATTR: false,
        ADD_TAGS: ['html', 'body'],
        IN_PLACE: true
    });

<html><body><span>text</span></body></html>

Given output

text

Expected output

<html><body>text</body></html>

Feature

It should allow HTML and BODY tags if they're in ALLOWED_TAGS, or another setting to allow them would be nice too.

secret-agent-B, May 23 '24 17:05