Make DOMPurify work in Node.js #29
Comments
I'm currently trying to implement the NodeIterator myself.

Is there any news on this one?

Nope, sorry. Didn't have time during the last months to work on the NodeIterator. It's still on my list.
Sighs. Was wondering why I was getting this error.

```
/path/to/node_modules/dompurify/purify.js:405
if(typeof document.implementation.createHTMLDocument === 'undefined')
          ^
ReferenceError: document is not defined
```

... Please don't host DOMPurify on npm if it's not going to work on node.js env; it's not a package manager for libraries that conveniently support CommonJS.
npm is not a package manager exclusively for Node.js modules (please read about the npm 2.0 release).

Today, I've sent a PR to the jsdom project to include add You were right @cure53, dealing with DOM implementations is really a mess. ;)

Hmmm. Are you planning on adding jsdom as a dependency? Would it be possible to use cheerio as an alternative?

Cheerio is a jQuery-like HTML parser, not a DOM implementation (which we need, e.g. for createHTMLDocument, NodeFilter, NodeIterator, etc.).
@fhemberger Nice! Would that mean that we can make DOMPurify happen in combination with jsdom? Or do we need to start creating a feature table of missing APIs and work our way through them?

NodeFilter and NodeIterator are still missing in jsdom. NodeFilter is just a bunch of constants, NodeIterator is a tiny bit more complex. ;) Both should pass W3C's implementation tests as well. Then we should be able to use DOMPurify together with jsdom for Node.js.

I have a feeling this can be done without jsdom. DOMPurify caught my attention because of its performance characteristics, and jsdom may slow things down a lot.

Well, if you know of a different DOM implementation and you can get DOMPurify working with it, we'd happily accept a pull request. At the moment, jsdom is the only thing that comes to my mind …

@dashed I fully agree with @fhemberger, if there was a way to do it w/o jsdom: awesome :) Using DOMPurify with node.js opens many many new doors.

Would be really awesome to have it run in a full node.js env. Looking forward to seeing that happen! Good luck guys!

I'm already pushing updates to jsdom, I'll have a bit more time in December so I hope we can close this issue by the end of the year. ;)

+1 for this feature.
jsdom 5.1.0 supports NodeIterator: jsdom/jsdom#1092

Thanks, I read the announcement (but hadn't noticed the version has already been released).

jsdom 5.2.0 has many fixes to make dompurify work. Most html snippets can now be "purified" properly. There are still a few test cases failing though, which would require more work in jsdom. One example is that jsdom currently throws an exception if an attribute is set with an invalid name:

Above has been fixed. There are now 13 failing test cases.
Thanks @Joris-van-der-Wel for digging into this, looks like we're getting closer.

A quick question: I think we are close to the next release. Should we go ahead or wait for you guys? Not sure how far this ticket is in total, thus asking :)

No, don't wait for me. Just go ahead and release it. Node support would be a major version increment anyway.

As for releasing: the only thing I am not sure about yet are the 2 cases (87 and 173) that fail with svg content. I have not looked at those extensively. Perhaps all those need is an additional "expected" value in the test case itself. Here is the output of the test cases: https://joris-van-der-wel.github.io/DOMPurify-04d7218-on-jsdom-5.4.0.html and here is the script I used to generate this: https://joris-van-der-wel.github.io/DOMPurify-test-jsdom.js

So if none of those issues can cause a security issue, I would say, release it.

So will 0.6.4 support NodeJS?
It supports iojs. (nodejs will be supported in the near future because iojs and nodejs are merging). Try this:

```shell
npm install cure53/DOMPurify jsdom
```

```javascript
// jsdom 5.x API: jsdom() returns a document, its defaultView is the window
var document = require('jsdom').jsdom();
var dompurify = require('dompurify')(document.defaultView);
console.log(dompurify.sanitize(`
hell <script>alert("hi");</script>
<div onclick="alert(123);">
o
</div>
world
<img id="createElement">
`));
```
I'm so grateful for your help so we finally got this out. Thanks!

I haven't had the time for testing it, but can we close this issue now?

Well, enabling KEEP_CONTENT has no effect now. Beyond that, I can imagine wanting to add a test runner in DOMPurify for jsdom (also see #61). And the readme will need updating.

Updated the README just now: 6b0c682.
In case anyone else comes looking - to make current

```javascript
import { JSDOM } from 'jsdom'
import DOMPurify from 'dompurify'

// newer jsdom API: construct a JSDOM and hand its window to DOMPurify
const { window } = new JSDOM('<!DOCTYPE html>')
const domPurify = DOMPurify(window)
console.log(domPurify.sanitize(`
hell <script>alert("hi");</script>
<div onclick="alert(123);">
o
</div>
world
<img id="createElement">
`));
```
@CaptainN Thanks for your solution.
I just stumbled upon this problem. I found a lightweight alternative for a simple DOMPurify use-case that works in Node: https://github.com/leizongmin/js-xss

```javascript
import xss from 'xss';

export function sanitizeText(string) {
  // only include whitelisted tags, remove the others
  // js-xss expects whiteList as an object mapping each allowed tag to its allowed attributes
  return xss(string, { whiteList: { b: [], i: [], strong: [] }, stripIgnoreTag: true });
}
```

It has to be lightweight because I'm using it with server-side rendered React, which runs in Node first but then runs in the browser.
@EddyVinck There are a few xss-filtering solutions on NPM, you're free to use any of them. What led me to DOMPurify is this presentation, Building Secure React Applications by Philippe De Ryck. Since you're working with React, it may interest you too.

Well, seems like a port was created 2 months ago.
Regarding issue #26 and #27, I originally held back CommonJS-style exports and publishing on npm on purpose, as DOMPurify doesn't run in a pure Node.js environment (it does client-side with Browserify).

I'm still looking for a way to get it to work on Node.js as well. jsdom lacks DOM Level 2 Traversal methods like `createNodeIterator` at the moment, which DOMPurify uses internally.

What's currently missing:

- `document.implementation.createHTMLDocument` (polyfilled with `return jsdom('<html><body></body></html>');`)
- `document.createNodeIterator(root, whatToShow, filter, entityReferenceExpansion)`
- `NodeIterator.nextNode()` implementation
- `document.body.outerHTML`
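A minimal DOM Level 2 Traversal NodeIterator of the kind this issue (and the comment above about NodeFilter being "just a bunch of constants") says jsdom lacked, as an added example that is neither DOMPurify's nor jsdom's code. The node objects, the `el`/`text` helpers, `walk` and `hasEventHandler` are constructed stand-ins for illustration; it shows the `whatToShow` bitmask and the `acceptNode` filter that a sanitizer's element pass relies on.

```javascript
// Constructed stand-ins for DOM nodes (hypothetical; not jsdom's classes).
const NodeFilter = {
  FILTER_ACCEPT: 1, FILTER_REJECT: 2, FILTER_SKIP: 3,
  SHOW_ALL: 0xffffffff, SHOW_ELEMENT: 0x1, SHOW_TEXT: 0x4,
};
const ELEMENT_NODE = 1, TEXT_NODE = 3;
const el = (nodeName, attributes = {}, childNodes = []) => ({ nodeType: ELEMENT_NODE, nodeName, attributes, childNodes });
const text = (data) => ({ nodeType: TEXT_NODE, nodeName: '#text', data, attributes: {}, childNodes: [] });

// Minimal NodeIterator: pre-order walk from root, honouring whatToShow and filter.
function createNodeIterator(root, whatToShow = NodeFilter.SHOW_ALL, filter = null) {
  const pending = [root]; // nodes not yet visited; top of stack is next in document order
  function accepts(node) {
    // whatToShow is a bitmask: bit (nodeType - 1) selects that node type.
    if (((1 << (node.nodeType - 1)) & whatToShow) === 0) return false;
    if (filter === null) return true;
    const fn = typeof filter === 'function' ? filter : filter.acceptNode;
    // For a NodeIterator, FILTER_REJECT acts like FILTER_SKIP: children are still visited.
    return fn(node) === NodeFilter.FILTER_ACCEPT;
  }
  return {
    nextNode() {
      while (pending.length > 0) {
        const node = pending.pop();
        for (let i = node.childNodes.length - 1; i >= 0; i--) pending.push(node.childNodes[i]);
        if (accepts(node)) return node;
      }
      return null; // traversal exhausted
    },
  };
}

// Collect the nodeName of every node the iterator yields.
function walk(root, whatToShow, filter) {
  const it = createNodeIterator(root, whatToShow, filter);
  const names = [];
  for (let n = it.nextNode(); n !== null; n = it.nextNode()) names.push(n.nodeName);
  return names;
}

// Constructed sample tree modelled on the thread's test snippet.
const sample = el('BODY', {}, [
  text('hell '), el('SCRIPT', {}, [text('alert("hi");')]),
  el('DIV', { onclick: 'alert(123);' }, [text('o')]), text(' world'), el('IMG', { id: 'createElement' }),
]);
// Filter accepting only elements that carry an inline on* handler attribute.
const hasEventHandler = (n) => Object.keys(n.attributes).some((a) => /^on/i.test(a))
  ? NodeFilter.FILTER_ACCEPT : NodeFilter.FILTER_SKIP;
```

`walk(sample, NodeFilter.SHOW_ELEMENT, hasEventHandler)` yields only the DIV, which is the kind of node a sanitizer would then strip attributes from.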