[fix #1467] Make sure target attribute is kept after DOMPurify sanitization #1468
Conversation
…fy sanitization
|
This pull request is being automatically deployed with Vercel (learn more). 🔍 Inspect: https://vercel.com/docsify-core/docsify-preview/BkCKuc1cvzzh5yoySjR62UL9jzFK |
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 70c84aa:
|
src/core/render/index.js
Outdated
| html = this.isRemoteUrl ? DOMPurify.sanitize(html) : html; | ||
| // add "target" attribute to DOMPurify white list to handle external links | ||
| html = this.isRemoteUrl | ||
| ? DOMPurify.sanitize(html, { ADD_ATTR: ['target'] }) |
There was a problem hiding this comment.
so this change will skip sanitizing the attributes ?
There was a problem hiding this comment.
No, this change will consider the target attribute as a valid one and will not remove it. But it does not prevent DOMPurify to sanitize the attribute content. For example, if the following code is present in the source
<a target="javascript:alert('XSS')" href="https://example.com">Test</a>it will be changed to
<a href="https://example.com">Test</a>because the value will be considered as unsafe.
There was a problem hiding this comment.
cool, Can you add test(s) for this, Otherwise looks good to me
There was a problem hiding this comment.
@Fab1en So if it sees target="_blank" then it will leave it in that case? Mind adding a small test case?
|
DOMPurify will likely be removed shortly. See #1490. |
Summary
What kind of change does this PR introduce? (check at least one)
If changing the UI of default theme, please provide the before/after screenshot:
Does this PR introduce a breaking change? (check one)
If yes, please describe the impact and migration path for existing applications:
The PR fulfills these requirements:
fix #xxx[,#xxx], where "xxx" is the issue number)You have tested in the following browsers: (Providing a detailed version will be better.)
If adding a new feature, the PR's description includes:
To avoid wasting your time, it's best to open a feature request issue first and wait for approval before working on it.