sanitizer-polyfill icon indicating copy to clipboard operation
sanitizer-polyfill copied to clipboard

Published 20 hours ago verified publisher icon mozilla

Validate custom elements in configuration

Open 0xedward opened this issue 4 years ago • 3 comments

When the user specifies set allowCustomElements to true in sanitizer configuration, we want to allow list all custom elements.

When allowCustomElements === false, we want to remove all custom elements from allowElements.

When allowCustomElements === true, we want to check all elements in allowElements are part of https://wicg.github.io/sanitizer-api/#baseline-elements and keep all custom elements in allowElements. We can construct a regex from https://html.spec.whatwg.org/multipage/custom-elements.html#valid-custom-element-name to determine if an element is a custom element

For example:

config = { "allowElements" : ["a", "script"], "allowCustomElements" : true}

_normalizeConfig(config) // should throw an error because script is not a custom element and is not in DEFAULT_ALLOWED_ELEMENTS

safeConfig = { "allowElements" : ["a", "mycustomelement"], "allowCustomElements" : true}

_normalizeConfig(config) // should return a config with ["a", "mycustomelement"] for allowElements

0xedward avatar Aug 14 '21 22:08 0xedward

@0xedward does this mean that this polyfill does not work at all now if using Custom Elements? So this issue needs to be implemented before it can be used in projects using Custom Elements?

thernstig avatar Jan 30 '23 12:01 thernstig

Hey @thernstig, it's been a while since I worked on this, so my memory might be a bit faulty. The polyfill basically converts the configuration dictionary in the HTML Sanitizer API spec to the equivalent configuration for DOMPurify, then uses DOMPurify to sanitize the input. The polyfill should work if your input has custom elements as long as DOMPurify can handle custom elements without them being specified in its config.

Here's some code pointers for what I mentioned: https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L18-L20 https://github.com/mozilla/sanitizer-polyfill/blob/319b7a46d4f81fa0d6e483a622454855a9d5f228/src/sanitizer.js#L130-L161

0xedward avatar Feb 01 '23 06:02 0xedward

So this issue needs to be implemented before it can be used in projects using Custom Elements?

FWIW, I would not recommend using this polyfill in any kind of production setup. The Sanitizer API is still under heavy development and we're changing quite a few things (e.g., the config syntax in https://github.com/WICG/sanitizer-api/issues/181)

mozfreddyb avatar Feb 06 '23 08:02 mozfreddyb