Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: 🎸 sanitize HTML in createElement #2806

Merged
merged 1 commit into from
Jul 9, 2020

Conversation

AdamGold
Copy link
Contributor

@AdamGold AdamGold commented Jul 9, 2020

Decided to go with https://github.com/cure53/DOMPurify for a few reasons:

  1. Newest version does not contain any known vulnerabilities: https://snyk.io/vuln/npm:dompurify
  2. Easy to use
  3. They offer a bug bounty program
  4. Worked really well on the payloads that I've tried:
		const doc = new jsPDF();
		window.html2canvas = html2canvas;
		const html = `
<p id='test'>a</p>
	<img src=x onerror=eval("document.getElementById('test').innerHTML=window.location") />
<img src=x onerror=alert('XSS');>
<img src=x onerror=alert('XSS')//
<img src=x onerror=alert(String.fromCharCode(88,83,83));>
<img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
<img src=x:alert(alt) onerror=eval(src) alt=xss>
"><img src=x onerror=alert('XSS');>
"><img src=x onerror=alert(String.fromCharCode(88,83,83));>
<svgonload=alert(1)>
<svg/onload=alert('XSS')>
<svg onload=alert(1)//
<svg/onload=alert(String.fromCharCode(88,83,83))>
<svg id=alert(1) onload=eval(id)>
"><svg/onload=alert(String.fromCharCode(88,83,83))>
"><svg/onload=alert(/XSS/)
<sCrIpt>alert(1)</ScRipt>
	`;
	doc.html(html, {
	callback: function (doc) {
	}
	});

Closes #2795

@AdamGold
Copy link
Contributor Author

AdamGold commented Jul 9, 2020

@HackbrettXXX Please verify that everything works as I have tested this locally by changing the dist code, but haven't installed it via npm locally.

@HackbrettXXX
Copy link
Collaborator

Looks good. Thank you very much for the help. I'll notify you as soon as the new release is out.

@HackbrettXXX HackbrettXXX merged commit d6271db into parallax:master Jul 9, 2020
pmstss added a commit to pmstss/jsPDF that referenced this pull request Jul 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

XSS vulnerability in html method
2 participants