Security implication of allowing attributes while sanitising HTML using DOMPurify

Question

I am using DOMPurify to sanitize HTML to prevent XSS.

const sanitizedHtml = DOMPurify.sanitize(htmlString);

The the problem is by default DOMPurify doesn't honor attributes of HTML tags. In my case, I have an anchor element with target attribute and that sanitized HTML removes the target attribute.

From the documentation I found that the following code fix this issue:

const sanitizedHtml = DOMPurify.sanitize(htmlString, { ADD_ATTR: ['target'] });

However, my question is that if DOMPurify is removing all the attributes then there has to be some reason behind that. So if I allow some specific attribute as mentioned above, am I opening up any security risk (of XSS attack)?

score 2 · Answer 1 · answered Jun 14 '21 at 15:26

While this might be a bit late, I'm currently doing some research on the topic myself. Maybe it will help someone in the future.

Simply allowing the attribute target can open you up to security issues as stated here.

An issue for allowing target=_blank does exist, but it was closed, as the author did not see it as a feature they would like to implement.

It seems like it is recommended to use hooks (samples can be found in the link) to achieve this functionality.

Security implication of allowing attributes while sanitising HTML using DOMPurify

1 Answers1