vatsal mevada

Reputation: 5636

Security implication of allowing attributes while sanitising HTML using DOMPurify

I am using DOMPurify to sanitize HTML to prevent XSS.

const sanitizedHtml = DOMPurify.sanitize(htmlString);

The problem is by default DOMPurify doesn't honor attributes of HTML tags. In my case, I have an anchor element with a target attribute, and the sanitized HTML removes the target attribute.

From the documentation I found that the following code fixes this issue:

const sanitizedHtml = DOMPurify.sanitize(htmlString, { ADD_ATTR: ['target'] });

However, my question is that if DOMPurify is removing all the attributes then there has to be some reason behind that. So if I allow some specific attribute as mentioned above, am I opening up any security risk (of XSS attack)?

Upvotes: 2

Views: 2608

Answers (1)

Philipp Pirrung

Reputation: 21

While this might be a bit late, I'm currently doing some research on the topic myself. Maybe it will help someone in the future.

Simply allowing the attribute target can open you up to security issues as stated here.

An issue for allowing target=_blank does exist, but it was closed, as the author did not see it as a feature they would like to implement.

It seems like it is recommended to use hooks (samples can be found in the link) to achieve this functionality.

Upvotes: 2
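The hook approach the answer points to, written out as an added example (not code from the question, the answer, or the DOMPurify project): rather than allow-listing target and trusting whatever value arrives, an afterSanitizeAttributes hook keeps only _blank/_self, forces rel=noopener noreferrer on new-tab links, and strips target from non-link elements. It assumes DOMPurify is loaded (browser or jsdom); the fakeElement helper is a constructed stand-in so the attribute logic runs without a DOM.

```javascript
// Added example, not code from the question, the answer or DOMPurify itself.
// Assumes DOMPurify is loaded; hardenTarget also runs against the constructed
// fakeElement below so the logic can be checked without a real DOM.

const SAFE_TARGETS = new Set(['_blank', '_self']);

// Normalise target/rel on one element; returns {target, rel} as left on the node.
function hardenTarget(node) {
  if (!node.hasAttribute('target')) {
    return { target: null, rel: node.getAttribute('rel') };
  }
  const tag = String(node.tagName).toUpperCase();
  if (tag !== 'A' && tag !== 'AREA') {
    // target is only meaningful on links; drop it from <form>, <base>, etc.
    node.removeAttribute('target');
    return { target: null, rel: node.getAttribute('rel') };
  }
  let target = node.getAttribute('target');
  if (!SAFE_TARGETS.has(target)) {
    // a named target can steer navigation into another frame; force a new tab
    target = '_blank';
    node.setAttribute('target', target);
  }
  if (target === '_blank') {
    // without rel=noopener the opened page can reach window.opener (tabnabbing)
    const rel = new Set((node.getAttribute('rel') || '').split(/\s+/).filter(Boolean));
    rel.add('noopener'); rel.add('noreferrer');
    node.setAttribute('rel', [...rel].join(' '));
  }
  return { target, rel: node.getAttribute('rel') };
}

// Register the hook once and return a sanitize function that allows target
// through ADD_ATTR (as in the question) so the hook gets to see it.
function makeSanitizer(purifier) {
  purifier.addHook('afterSanitizeAttributes', hardenTarget);
  return (html) => purifier.sanitize(html, { ADD_ATTR: ['target'] });
}

// Constructed stand-in for a DOM element (only the methods hardenTarget uses).
function fakeElement(tagName, attrs) {
  const map = new Map(Object.entries(attrs));
  return { tagName, hasAttribute: (k) => map.has(k),
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    setAttribute: (k, v) => { map.set(k, v); },
    removeAttribute: (k) => { map.delete(k); } };
}
```

In a page that loads DOMPurify, `const sanitize = makeSanitizer(DOMPurify);` then `sanitize(htmlString)` replaces the plain `DOMPurify.sanitize(htmlString, { ADD_ATTR: ['target'] })` call from the question.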
