Questions tagged [dompurify]

DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML, and SVG. DOMPurify is written in JavaScript and works in all modern browsers (Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox, and Chrome - as well as almost anything else using Blink or WebKit). It doesn't break on MSIE6 or other legacy browsers. It either uses a fall-back or simply does nothing.

43 questions
36 votes, 2 answers

Is sanitizing JSON necessary?

I think it's a well-known best practice on the web to mistrust any input. The sentence "All input is evil." is probably the most cited quote with respect to input validation. Now, for HTML you can use tools such as DOMPurify to sanitize it. My…
Golo Roden
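The question above asks whether JSON needs the treatment HTML gets from DOMPurify. As an added example (not part of the question or its answers, and not DOMPurify code), this script shows why the answer turns on the sink rather than the format: the parsed value is inert data, an inline `<script>` sink needs JSON-specific escaping, and an HTML text sink needs HTML escaping, and neither of those is sanitization. `apiResponse` is a constructed sample and the function names are this example's own.

```javascript
// Added example, not from the question or from DOMPurify: JSON is a data
// format, so the question "sanitize the JSON?" becomes "encode for the sink
// it lands in". Parsing leaves a payload as an inert string; it only becomes
// dangerous at a sink, and each sink has its own encoding, not a sanitizer.

// Constructed sample API response carrying an XSS probe as plain data.
const apiResponse = JSON.stringify({
  name: '</script><script>alert(1)</script>',
  bio: 'line\u2028break & <b>bold</b>',
});

// Parsing is not a sink: the probe is just a string value, nothing runs.
function parseResponse(json) {
  return JSON.parse(json);
}

// Sink 1: JSON embedded in an inline <script> (server-rendered state).
// The HTML parser closes the script element at the first "</script" no
// matter what JS string it sits in, so the HTML-significant characters are
// written as JSON \uXXXX escapes, which JSON.parse and JS both understand.
// U+2028/U+2029 are escaped for engines that still treat them as line ends.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Sink 2: HTML text or attribute content. This is plain HTML escaping, the
// same thing a templating engine does by default. It is not a sanitizer:
// use DOMPurify only where the string is meant to be rendered as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Both sinks in one server-rendered page.
function renderPage(json) {
  const data = parseResponse(json);
  return [
    `<script>window.__STATE__ = ${jsonForInlineScript(data)};</script>`,
    `<h1>${escapeHtml(data.name)}</h1>`,
  ].join('\n');
}

console.log(renderPage(apiResponse));
```

The rendered page contains exactly one real `</script>`; the probe survives the round trip as data (`JSON.parse` of the escaped state returns the original strings) but never as markup.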
32 votes, 7 answers

Next.js DOMPurify.sanitize() shows TypeError: dompurify__WEBPACK_IMPORTED_MODULE_6___default.a.sanitize is not a function

I am using DOMPurify.sanitize() inside dangerouslySetInnerHTML={{}} to display innerHtml returned from the database. Initially I'm using getServerSideProps() with next-redux-wrapper for this page. I installed dompurify with: npm i -S…
forest
13 votes, 2 answers

How to install, import and use DOMPurify in frontend js file?

This is more of a "can you please confirm this is correct" type of question, as I think I resolved it in the process of writing the question but hopefully it will be of help to other people who are a bit hesitant when it comes to implementing…
user1063287
5 votes, 2 answers

How to allow an iframe tag in `dompurify` including all of its attributes

I want dompurify to allow iframe tags, so I added iframe as an exception (ADD_TAGS). But that removes some of its attributes. I want all attributes to be kept.
Henok Tesfaye
2 votes, 0 answers

How to use DOMpurify?

Also I tried to use a React Stack Snippet but that doesn't work. It's my first time, so I definitely need help. class App extends Component { state = { text: sampleText, }; handleChange = (e) => { const text = e.target.value; …
bob17
2 votes, 2 answers

How to use DOMPurify package with NuxtJS? Error: "default.a.sanitize is not a function"

I am trying to use the DOMPurify package in my NuxtJS app for parsing HTML into clean and safe strings for rendering in the UI. When rendering the page where the package is used, I get the following…
redshift
2 votes, 1 answer

Security implication of allowing attributes while sanitising HTML using DOMPurify

I am using DOMPurify to sanitize HTML to prevent XSS. const sanitizedHtml = DOMPurify.sanitize(htmlString); The problem is that by default DOMPurify doesn't honor attributes of HTML tags. In my case, I have an anchor element with a target attribute and…
vatsal mevada
2 votes, 1 answer

How to fix TrustedHTML assignment error with Angular [innerHTML]

(It seems that my problem is related to getting error `This document requires 'TrustedHTML' assignment` in chrome, but I'm using Angular v10 instead) Description: When I use the [innerHTML]="myVar" directive on an Angular 10 (or below) project, with…
Doubidou
1 vote, 0 answers

Not able to use DOMPurify.sanitize in angular application, when imported as an ES6 module

I'm trying to use dompurify in my angular application, in a service. I'm importing it as import * as DOMPurify from 'dompurify'; This works fine when run normally as a CSR application. But if I run it as SSR, I get export 'sanitize'…
1 vote, 1 answer

DOMPurify changing Mustache-Template-Structure

I am trying to sanitize a user-submitted template using DOMPurify. This template uses the mustache syntax to embed variables etc. The sanitizing itself works without issue, but Mustache sections are being moved to different parts within the…
1 vote, 1 answer

How to use DOMPurify on just one specific user input field?

I need to demonstrate an XSS attack and how to prevent it. I made a simple web app that asks the user for his first name and surname and prints "Welcome" together with his name and surname. Before using DOMPurify to prevent an XSS attack I was able to…
duje.je
1 vote, 0 answers

Isomorphic Dompurify.sanitize() not reading request body

I'm using https://www.npmjs.com/package/isomorphic-dompurify in the backend. When I pass the request object to the sanitize() method, it only keeps the headers and removes everything else, including the body. Is there any way to keep the request body?
mik32
1 vote, 1 answer

DOMPurify.sanitize doesn't allow the script tag even though I added FORCE_BODY: true and ADD_TAGS: ["script"]

Can anyone please tell me what I did wrong here? What should I do to allow the script tag? My HTML string data coming from the database will follow the same pattern as I showed here. const cleanHtmlString = DOMPurify.sanitize("
Tanmoy Sen
1 vote, 2 answers

How to load API data video url in react js

I have installed the dompurify react js library and loaded all the content as-is from the API, but the YouTube video URL from the API fails to load, even though it can be seen in the API. API: { "id": 5, "name": "shahiraja", "title": "text below as a natural lead-in to…
AMRIT SHAHI