
How to safely sanitize HTML content before injection in jquery-pjax?

Open karthickvTR opened this issue 9 months ago • 1 comment

fire('pjax:beforeReplace', [container.contents, options], {
  state: pjax.state,
  previousState: previousState
})
context.html(container.contents)

The content is injected via context.html(), which can potentially introduce XSS vulnerabilities if the response contains unsafe HTML.

Is there a recommended or built-in way to sanitize the content before it's injected, or do we need to implement our own client-side sanitization (e.g., using DOMPurify) outside the library?

Also, are there any plans to include built-in sanitization or hooks for this in future releases?

karthickvTR avatar May 22 '25 08:05 karthickvTR

Take a look at pjax:beforeReplace event.

$(document).on('pjax:beforeReplace', function(evt, contents, options) {
   // you can update contents here
})

cuixiping avatar Aug 21 '25 03:08 cuixiping
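One way to do the sanitization inside that hook, as an added example (not code from jquery-pjax or from either commenter): it assumes jQuery, jquery-pjax and DOMPurify are already loaded in the page, and the DOMPurify option set and the helper names are this example's own choices, not anything the library defines.

```javascript
// Added example, not part of jquery-pjax or of the thread above.
// Assumes jQuery, jquery-pjax and DOMPurify (window.DOMPurify) are loaded.

// Policy for server-rendered fragments (this example's choice): plain HTML
// only (no SVG/MathML, which carry their own script-bearing elements), no
// <style>/<form>, no style attribute. DOMPurify already drops <script> and
// on* event-handler attributes by default.
var PJAX_SANITIZE_CONFIG = {
  USE_PROFILES: { html: true },
  FORBID_TAGS: ['style', 'form'],
  FORBID_ATTR: ['style']
};

// jquery-pjax passes the same jQuery collection to pjax:beforeReplace that it
// hands to context.html() immediately afterwards, and does not check the
// event's return value, so a handler cannot veto the replacement; it has to
// rewrite the collection in place. jQuery collections are array-likes, so the
// native splice/push work on them.
function replaceCollectionInPlace(collection, newNodes) {
  Array.prototype.splice.call(collection, 0, collection.length);
  Array.prototype.push.apply(collection, newNodes);
  return collection;
}

// Serialize the detached fragment, run it through DOMPurify, and re-parse the
// clean markup with jQuery.parseHTML (keepScripts=false, so nothing executes)
// into fresh detached nodes that replace the original ones.
function sanitizePjaxContents(contents, $, DOMPurify) {
  var dirty = $('<div>').append(contents).html();
  var clean = DOMPurify.sanitize(dirty, PJAX_SANITIZE_CONFIG);
  var cleanNodes = $.parseHTML(clean, document, false) || [];
  return replaceCollectionInPlace(contents, cleanNodes);
}

// Register the hook only in a browser where both libraries are present.
if (typeof jQuery !== 'undefined' && typeof DOMPurify !== 'undefined') {
  jQuery(document).on('pjax:beforeReplace', function (evt, contents, options) {
    sanitizePjaxContents(contents, jQuery, DOMPurify);
  });
}
```

Two caveats when relying on this hook. jquery-pjax pulls `script[src]` elements out of the fragment before this event fires and appends them to `document.head` after the replacement, so the hook does not see external scripts a response might add. And this is a client-side backstop only; output encoding on the server, which also covers the initial full-page render that pjax never touches, remains the primary control.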