ProseMirror / prosemirror

The ProseMirror WYSIWYM editor

Home Page:http://prosemirror.net/


How to use DOMPurify for HTML sanitization in an effective way

ys-oo opened this issue · comments

I'm working on a Notion alternative using React.js and this awesome package. So far I haven't succeeded in making a DOMPurify plugin that sanitizes the HTML before it's rendered into the DOM, especially when using markdown comments like [link](google.com), as this is a huge door for XSS attacks.

Thank you for making this awesome package, and I'd appreciate any help <3

I'm not sure I follow. Are the links or the comments an XSS vector? How?

yo

> I'm not sure I follow. Are the links or the comments an XSS vector? How?

I appreciate your response. The markdown links could be used to inject an XSS attack; I gave an example with a google.com link, but it could be javascript: instead...

I don't think markdown-it will parse javascript: links. Do you have a working proof-of-concept?
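The thread above stops at the question of whether a `javascript:` link can get through. Below is an added example (not code from ProseMirror, markdown-it or DOMPurify, and not posted by anyone in this thread) of the check a practitioner would put at the point where a link's `href` becomes a DOM attribute: a scheme allowlist applied to the parsed URL, plus a ProseMirror link mark spec whose `parseDOM` rule refuses to create a mark for an unsafe `href`. The names `safeHref`, `linkMarkSpec`, `ALLOWED_SCHEMES` and the base `https://example.invalid/` are hypothetical; the mark spec shape follows the link mark in prosemirror-schema-basic, and wiring it into a `Schema` is left to the application.

```javascript
// Added example, not ProseMirror/markdown-it/DOMPurify code. Names are
// hypothetical. Runs under Node (WHATWG URL is built in) or a browser.

// Schemes a link may carry. Everything else (javascript:, vbscript:, data:,
// file:, ...) is rejected: an allowlist, not a denylist of known-bad schemes.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:", "tel:"]);

// Relative links such as "google.com" or "/docs" resolve against this base so
// the parser assigns them the base's scheme. Hypothetical placeholder.
const RESOLVE_BASE = "https://example.invalid/";

// Returns an href that is safe to render, or null if the link must be dropped.
// Checking the *parsed* scheme matters: the WHATWG URL parser strips leading
// C0 controls/space, removes embedded tab/CR/LF and lower-cases the scheme,
// so " JAVASCRIPT:", "java\tscript:" and "JaVaScRiPt:" all normalize to
// "javascript:" and hit the allowlist, where a naive regex on the raw
// markdown text would miss them.
function safeHref(href) {
  if (typeof href !== "string") return null;
  let url;
  try {
    url = new URL(href, RESOLVE_BASE);
  } catch {
    return null; // unparseable (e.g. "http://["): drop rather than guess
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  // Relative links keep the author's form so "google.com" is not silently
  // rewritten to an absolute URL under the placeholder base.
  return url.href.startsWith(RESOLVE_BASE) ? href.trim() : url.href;
}

// A ProseMirror link mark spec that applies the check on the way in and out.
// In prosemirror-model a parse rule's getAttrs may return false to say "this
// rule does not match", so an <a> with an unsafe href is parsed as plain text
// instead of becoming a link mark.
const linkMarkSpec = {
  attrs: { href: {}, title: { default: null } },
  inclusive: false,
  parseDOM: [
    {
      tag: "a[href]",
      getAttrs(dom) {
        const href = safeHref(dom.getAttribute("href"));
        if (href === null) return false;
        return { href, title: dom.getAttribute("title") };
      },
    },
  ],
  toDOM(mark) {
    // Re-check on output too, so a mark created programmatically (e.g. by a
    // plugin or a pasted document) with a bad href never reaches the DOM.
    const href = safeHref(mark.attrs.href) ?? "#";
    return ["a", { href, title: mark.attrs.title, rel: "noopener noreferrer" }, 0];
  },
};

// Minimal stand-in for a DOM <a> element, constructed here for the demo.
function fakeAnchor(attrs) {
  return { getAttribute: (name) => (name in attrs ? attrs[name] : null) };
}

// Constructed sample inputs, the kind a markdown [text](href) could produce.
const SAMPLE_HREFS = [
  "https://prosemirror.net/",
  "google.com",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "vbscript:MsgBox(1)",
];

for (const href of SAMPLE_HREFS) {
  const ok = linkMarkSpec.parseDOM[0].getAttrs(fakeAnchor({ href }));
  console.log(JSON.stringify(href), "->", ok === false ? "rejected" : ok.href);
}
```

The check lives in the schema rather than in a separate sanitization pass so it also covers links that never went through markdown at all (pasted HTML, collaborative edits, plugin-created marks). DOMPurify on the final HTML remains a useful second layer, but it should not be the only place an `href` is inspected.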