See #761

feat: added ALLOW_SELF_CLOSE_IN_ATTR tag test: added test case
cure53 · Feb 7, 2023 · 5f766bc · 5f766bc
1 parent 90326ef
commit 5f766bc
Show file tree

Hide file tree

Showing 10 changed files with 47 additions and 9 deletions.
diff --git a/dist/purify.cjs.js b/dist/purify.cjs.js
diff --git a/dist/purify.cjs.js.map b/dist/purify.cjs.js.map
diff --git a/dist/purify.es.js b/dist/purify.es.js
diff --git a/dist/purify.es.js.map b/dist/purify.es.js.map
diff --git a/dist/purify.js b/dist/purify.js
diff --git a/dist/purify.js.map b/dist/purify.js.map
diff --git a/dist/purify.min.js b/dist/purify.min.js
diff --git a/dist/purify.min.js.map b/dist/purify.min.js.map
diff --git a/src/purify.js b/src/purify.js
@@ -239,6 +239,10 @@ function createDOMPurify(window = getGlobal()) {
   /* Decide if unknown protocols are okay */
   let ALLOW_UNKNOWN_PROTOCOLS = false;
 
+  /* Decide if self-closing tags in attributes are allowed.
+   * Usually removed due to a mXSS issue in jQuery 3.0 */
+  let ALLOW_SELF_CLOSE_IN_ATTR = true;
+
   /* Output should be safe for common template engines.
    * This means, DOMPurify removes data attributes, mustaches and ERB
    */
@@ -468,6 +472,7 @@ function createDOMPurify(window = getGlobal()) {
     ALLOW_ARIA_ATTR = cfg.ALLOW_ARIA_ATTR !== false; // Default true
     ALLOW_DATA_ATTR = cfg.ALLOW_DATA_ATTR !== false; // Default true
     ALLOW_UNKNOWN_PROTOCOLS = cfg.ALLOW_UNKNOWN_PROTOCOLS || false; // Default false
+    ALLOW_SELF_CLOSE_IN_ATTR = cfg.ALLOW_SELF_CLOSE_IN_ATTR !== false; // Default true
     SAFE_FOR_TEMPLATES = cfg.SAFE_FOR_TEMPLATES || false; // Default false
     WHOLE_DOCUMENT = cfg.WHOLE_DOCUMENT || false; // Default false
     RETURN_DOM = cfg.RETURN_DOM || false; // Default false
@@ -1241,7 +1246,7 @@ function createDOMPurify(window = getGlobal()) {
       }
 
       /* Work around a security issue in jQuery 3.0 */
-      if (regExpTest(/\/>/i, value)) {
+      if (!ALLOW_SELF_CLOSE_IN_ATTR && regExpTest(/\/>/i, value)) {
         _removeAttribute(name, currentNode);
         continue;
       }

diff --git a/test/test-suite.js b/test/test-suite.js
@@ -133,6 +133,21 @@
         );
       }
     );
+    QUnit.test('Config-Flag tests: ALLOW_SELF_CLOSE_IN_ATTR', function (assert) {
+      // ALLOW_SELF_CLOSE_IN_ATTR
+      assert.equal(
+        DOMPurify.sanitize('<a href="#" class="foo <br/>">abc</a>', {
+          ALLOW_SELF_CLOSE_IN_ATTR: false,
+        }),
+        '<a href="#">abc</a>'
+      );
+      assert.equal(
+        DOMPurify.sanitize('<a href="#" class="foo <br/>">abc</a>', {
+          ALLOW_SELF_CLOSE_IN_ATTR: true,
+        }),
+        '<a class="foo <br/>" href="#">abc</a>'
+      );
+    });
     QUnit.test('Config-Flag tests: ALLOW_DATA_ATTR', function (assert) {
       // ALLOW_DATA_ATTR
       assert.equal(