
Improve HTML sanitization

Open G-Ambatte opened this issue 7 months ago • 4 comments

This PR resolves #3547, and resolves #3549. It also allows us to close #3507 as that PR will be obsolete once this is merged.

~~This PR changes the DOMPurify configuration to allow the target attribute in the output. It also adds the DOMPurify.addHook to allow all custom elements in the output, while still stripping potentially harmful attributes.~~

This PR is based on the `vue-html-secure` package, using a similar method to parse the HTML elements prior to injection to the browser. Currently, certain tags are completely forbidden (e.g. `<script>`), and some attributes (anything starting with `on`). Blacklisted tags are identified by simple string comparison, while attributes are passed through a series of test functions. Any tag that matches one in the `blacklistTags` array is removed, as is any attribute that causes a function in the `blacklistAttribs` array to return true.

Testing is achieved via the `jsdom` and `jsdom-global` packages, to allow implementation of HTML specifications outside of a browser.

G-Ambatte, Jun 29 '24 03:06
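The tag-blacklist plus attribute-predicate scheme described in the PR, written out as an added example in JavaScript. This is not homebrewery's code nor the `vue-html-secure` package's: only the array names `blacklistTags` and `blacklistAttribs` come from the description above; their contents, the `sanitizeHtml` and `sanitizeAttributes` functions and the small regex tokenizer are assumptions made for illustration. The PR tests against a real DOM via jsdom; the tokenizer here stands in for that so the example runs offline in plain Node.

```javascript
// Added example (not the project's own code): blacklist-style HTML
// sanitizer in the spirit of the PR description. Tag names are compared
// against blacklistTags by string; every attribute is run through each
// predicate in blacklistAttribs and dropped if any returns true.
// Array contents, helper names and the tokenizer are assumptions.

const blacklistTags = ['script', 'style', 'iframe', 'object', 'embed', 'link', 'meta', 'base'];

// Attribute predicates: return true to strip the attribute.
const blacklistAttribs = [
  // Inline event handlers (onclick, onerror, ...), case-insensitive.
  (name) => name.toLowerCase().startsWith('on'),
  // URL-bearing attributes whose value resolves to a script: or data: URL,
  // after removing whitespace/control characters used to disguise the scheme.
  (name, value) => {
    const urlAttrs = ['href', 'src', 'xlink:href', 'formaction', 'action'];
    if (!urlAttrs.includes(name.toLowerCase())) return false;
    const v = value.replace(/[\s\u0000-\u001f]/g, '').toLowerCase();
    return v.startsWith('javascript:') || v.startsWith('vbscript:') || v.startsWith('data:');
  },
  // srcdoc embeds a whole document inline.
  (name) => name.toLowerCase() === 'srcdoc',
];

// Elements whose body is raw text rather than markup: discard the body too.
const rawTextTags = new Set(['script', 'style']);

// Minimal tokenizer: start/end tags with optional quoted/unquoted attributes.
const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:\s+[^\s=\/<>"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>]+))?)*)\s*(\/?)>/g;
const ATTR_RE = /([^\s=\/<>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>]+)))?/g;

// Re-emit only the attributes that no predicate rejects, always double-quoted.
function sanitizeAttributes(attrString) {
  const kept = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const name = m[1];
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (blacklistAttribs.some((test) => test(name, value))) continue;
    kept.push(` ${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return kept.join('');
}

function sanitizeHtml(html) {
  let out = '';
  let last = 0;            // end of the last consumed token
  let skipUntil = null;    // raw-text tag whose body is currently being dropped
  for (const m of html.matchAll(TAG_RE)) {
    const [full, rawName, attrs, selfClose] = m;
    const name = rawName.toLowerCase();
    const isClose = full.startsWith('</');
    if (skipUntil) {
      // Inside <script>/<style>: ignore everything until the matching end tag.
      if (isClose && name === skipUntil) {
        skipUntil = null;
        last = m.index + full.length;
      }
      continue;
    }
    out += html.slice(last, m.index);   // text between tags passes through
    last = m.index + full.length;
    if (blacklistTags.includes(name)) {
      if (!isClose && !selfClose && rawTextTags.has(name)) skipUntil = name;
      continue;                          // drop the tag itself
    }
    out += isClose
      ? `</${name}>`
      : `<${name}${sanitizeAttributes(attrs)}${selfClose ? ' /' : ''}>`;
  }
  // An unterminated raw-text element swallows the rest of the input.
  return out + (skipUntil ? '' : html.slice(last));
}

module.exports = { sanitizeHtml, sanitizeAttributes, blacklistTags, blacklistAttribs };
```

Unknown and custom elements (`<my-widget>`) survive with their harmless attributes, which is the behaviour the PR wants, while `onclick`, `href="javascript:..."` and whole `<script>` bodies are removed. Two caveats a reviewer would keep in mind: a regex tokenizer is not an HTML parser (a real DOM, as the PR's jsdom tests use, handles malformed markup the way browsers do), and a blacklist only covers what its author anticipated, so an allowlist of permitted tags and attributes is the more robust default for user-supplied HTML.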