- From: Cure53 <notifications@github.com>
- Date: Thu, 22 Oct 2020 08:59:10 -0700
- To: whatwg/dom <dom@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 22 October 2020 15:59:22 UTC
> > This also affects non-JS-based server-side sanitizers. There is no DOM on the server side, though node programs sometimes emulate it. My concern is that if there is an HTML response that contains a user-controlled `<template>` tag (which might be the case for existing sanitizers that pass through `<template>`s due to their inertness), now this results in an XSS.
>
> Right, I agree that this might be a concern. But again, I would be really surprised if many sanitizer libraries just ignored entire subtrees of any kind. That is just asking for a bypass. I just tried [js-xss](https://jsxss.com/en/try.html) and it doesn't even allow un-escaped `<template>`, let alone the sub-tree. I couldn't find an online tester for sanitize-html.

The problem is that they might have a safe default. But then people allow-list `<template>` with no harm in mind, unaware of the issue, and then they get XSS. This is why we, for DOMPurify, chose a different approach and have an extremely permissive allow-list by default, so we catch bypasses as early as possible - rather than hiding them behind a restrictive default.

View it on GitHub: https://github.com/whatwg/dom/issues/831#issuecomment-714592448
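An added toy illustration of the subtree point made above (example code, not from DOMPurify, js-xss, sanitize-html or the commenter): a tag-level allow-list filter over a simplified tag stream, run once with the "pass `<template>` contents through untouched" policy and once applying the allow-list at every depth. The regex tokenizer, allow-list and sample input are constructed for the demonstration and are not a real HTML parser.

```javascript
// Toy allow-list sanitizer (constructed example, not a real HTML parser).
// Contrasts two policies for <template>: copying its subtree verbatim
// (the behaviour the thread warns about) versus sanitizing it like any subtree.
const ALLOWED = new Set(["b", "i", "p", "template"]);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;

function escapeText(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Returns the filtered markup. With skipTemplateSubtree=true, everything
// between <template> and </template> is emitted as-is; otherwise the
// allow-list (and text escaping) is applied at every depth.
function sanitize(html, { skipTemplateSubtree }) {
  let out = "";
  let last = 0;
  let templateDepth = 0;
  for (const m of html.matchAll(TAG_RE)) {
    const [tag, slash, rawName] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + tag.length;
    if (skipTemplateSubtree && templateDepth > 0) {
      // Pass-through mode inside a template: nothing is filtered here.
      out += text + tag;
      if (name === "template") templateDepth += slash ? -1 : 1;
      continue;
    }
    out += escapeText(text);
    if (!ALLOWED.has(name)) continue;   // drop disallowed tag, keep its text
    out += `<${slash}${name}>`;         // attributes dropped for brevity
    if (name === "template") templateDepth += slash ? -1 : 1;
  }
  return out + escapeText(html.slice(last));
}

// Constructed input: a script element nested inside an allow-listed template.
const SAMPLE = "<p>hi</p><template><script>untrusted()</script></template>";

console.log(sanitize(SAMPLE, { skipTemplateSubtree: true }));  // script survives
console.log(sanitize(SAMPLE, { skipTemplateSubtree: false })); // script removed
```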