Ags

Reputation: 95

DOMPurify for XSS

I am trying to fix the cross-site scripting (XSS) with DOMPurify. The vulnerability found is in the URL as below: https://stage-xyzmysite.com/login/?rUrl=javascript:alert('hi'). I am trying to do a simple POC where it will try to eliminate the javascript alert part. I tried with DOMPurify.sanitize(<the url here>). I am expecting to see the javascript part getting removed but it is not happening. If I enclose the alert with tag in the URL then it is getting eliminated. Is there any other special config I should be using?

Upvotes: 0

Views: 8782

Answers (1)

tirithen

Reputation: 3527

DOMPurify cleans your HTML; it has to be HTML for there to be any risk of anyone clicking the link. If you just print it like text there is no risk of a user clicking on the link and getting injected.

Here is an article about XSS in HTML with examples on how to use DOMPurify, in case it helps you: https://writingjavascript.com/keep-your-html-output-secure-and-clean-from-xss-javascript-injection

Upvotes: -1
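Added example (not part of the question or the answer above): since DOMPurify works on HTML markup, a bare `rUrl` value can instead be checked as a URL before it is used as a redirect target or `href`. The function names and the choice of `/` as fallback are assumptions of this sketch; the origin is the one from the question.

```javascript
// Added example: validate the rUrl parameter as a URL instead of as HTML.
// APP_ORIGIN is taken from the question; FALLBACK_PATH is an assumption.
const APP_ORIGIN = "https://stage-xyzmysite.com";
const FALLBACK_PATH = "/";

// Returns an absolute same-origin http(s) URL, or the fallback URL.
function safeRedirectTarget(rUrl, appOrigin = APP_ORIGIN) {
  const fallback = new URL(FALLBACK_PATH, appOrigin).href;
  if (typeof rUrl !== "string" || rUrl.length === 0) return fallback;

  // URL parsers silently drop tab/CR/LF and treat "\" like "/" for http(s).
  // Reject such input outright rather than reason about the normalised form.
  if (/[\u0000-\u001f\u007f\\]/.test(rUrl)) return fallback;

  let target;
  try {
    // Relative values ("/account") resolve against our own origin.
    target = new URL(rUrl, appOrigin);
  } catch {
    return fallback;
  }

  // Scheme allowlist: this is what stops javascript:, data:, vbscript: etc.
  if (target.protocol !== "https:" && target.protocol !== "http:") return fallback;

  // Same-origin check: stops "//other.example/x" and absolute foreign URLs.
  if (target.origin !== new URL(appOrigin).origin) return fallback;

  // Return the parsed, absolute form so the caller never re-parses raw input.
  return target.href;
}

// Convenience wrapper: pull rUrl out of a full page URL and validate it.
function redirectTargetFromLocation(href) {
  return safeRedirectTarget(new URL(href).searchParams.get("rUrl"));
}
```

In the browser the result would be passed to `location.assign()` or set as an `href`; the raw query-string value is never used directly.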
