
DOMPurify versions from 3.1.7 upwards strip the contents of foreignObject tags in svg data passed in

Open matt-hoskins opened this issue 8 months ago • 2 comments

I have installed the node export server via npm: npm install highcharts-export-server -g

On my server that pulled in a version of dompurify that's later than 3.1.5 (3.2.4 in fact), and during conversions by the export server the sanitize call made to dompurify for svg data is stripping the contents of foreignObject tags (the foreignObject tag remains; it's just empty).

It seems that versions of dompurify from 3.1.7 onwards will not allow HTML within foreignObject unless you add an additional option which was, I think, introduced in 3.2.0.

This issue with 3.1.7 onwards was reported by a user of Mermaid diagrams against DOMPurify and the change in 3.2.0 to be able to specify that e.g. foreignObject allow "HTML integrations" seemed to come in response to the issue report: https://github.com/cure53/DOMPurify/issues/1002

So the additional sanitize option needed with 3.2.0 onwards is: HTML_INTEGRATION_POINTS: {'foreignobject': true}

If I modify sanitize.js in my local copy of node-export-server to add that additional option below the ADD_TAGS one then that resolves the problem.

I note that the package-lock.json file in MASTER in this node-export-server repository has dompurify 3.1.5 listed in it, but of course when installing via "npm install highcharts-export-server -g" that file is not included, and the package.json just specifies "^3.1.5" for dompurify, which, of course, is matched by versions 3.1.7 onwards (including 3.2.0 onwards).

matt-hoskins (Mar 31 '25 19:03)

Just to add some extra detail...

The changelog entry for DOMPurify 3.1.7 says: "Removed the foreignObject element from the list of HTML entry-points, thanks @masatokinugawa"

And it was this commit that removed it from the list of default entry-points: https://github.com/cure53/DOMPurify/commit/4a9ec1f2fd19848d359c7c73294b3adaaed1a9b0

This was the commit to 3.2.0 (which was the next version after 3.1.7) that added support for configurability of HTML entry-points (but isn't listed in the changelog and the README doesn't mention it in the examples): https://github.com/cure53/DOMPurify/commit/e4caa679715187b17e8af5cdb14ad02406621ac8

My own quick test shows that, as you'd hope, 3.2.x does sanitise the HTML within the foreignObject tag after adding the HTML_INTEGRATION_POINTS option to allow HTML within it.

matt-hoskins (Apr 01 '25 06:04)
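As an added example (not code from node-export-server or DOMPurify), the snippet below picks the sanitize() config from the installed DOMPurify version using the boundaries stated in the two comments above (3.1.7 dropped foreignObject from the default HTML integration points, 3.2.0 made them configurable), and shows why "^3.1.5" admits 3.2.4. The ADD_TAGS value and all function names are assumptions.

```javascript
// Added example, not code from node-export-server or DOMPurify. Version
// boundaries come from the issue: 3.1.7 removed foreignObject from the default
// HTML integration points; 3.2.0 added HTML_INTEGRATION_POINTS to restore it.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator result (-1, 0, 1); pre-release tags are ignored for brevity.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// True when a caret range such as "^3.1.5" admits `version`: same major
// (for major >= 1) and not below the floor. This is why a global npm install
// of a package declaring "^3.1.5" can pull in 3.2.4 despite the lockfile.
function caretMatches(range, version) {
  if (!range.startsWith('^')) throw new Error('only caret ranges are handled');
  const floor = range.slice(1);
  return parseVersion(version)[0] === parseVersion(floor)[0] &&
    compareVersions(version, floor) >= 0;
}

// Builds the DOMPurify config for SVG export. ADD_TAGS mirrors the option the
// issue says sanitize.js already has; its exact value here is an assumption.
function buildSanitizeConfig(dompurifyVersion) {
  const config = { ADD_TAGS: ['foreignObject'] };
  if (compareVersions(dompurifyVersion, '3.1.7') < 0) {
    // foreignObject is still a default HTML integration point: nothing to add.
    return { status: 'default-allows', config };
  }
  if (compareVersions(dompurifyVersion, '3.2.0') < 0) {
    // 3.1.7 - 3.1.x strip the contents and offer no option to restore them.
    return { status: 'unsupported', config };
  }
  // 3.2.0+: re-enable HTML parsing inside foreignObject; DOMPurify still
  // sanitizes the HTML it contains. Note the lowercase key DOMPurify expects.
  config.HTML_INTEGRATION_POINTS = { foreignobject: true };
  return { status: 'option-added', config };
}
```

For the 'unsupported' range the only remedy is to move to a different DOMPurify version, since no option can restore the content there.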

Hi @matt-hoskins,

Thanks for letting us know about this! I actually noticed it some time ago and will try to address it soon.

PaulDalek (Jun 02 '25 11:06)