{"id":14191,"date":"2022-02-03T11:15:03","date_gmt":"2022-02-03T10:15:03","guid":{"rendered":"https:\/\/hesmid.nl\/test\/?p=14191"},"modified":"2022-02-03T20:07:29","modified_gmt":"2022-02-03T19:07:29","slug":"dompurify","status":"publish","type":"post","link":"https:\/\/hesmid.nl\/test\/dompurify\/","title":{"rendered":"DOMPurify"},"content":{"rendered":"\n<p><a href=\"https:\/\/github.com\/cure53\/DOMPurify\">https:\/\/github.com\/cure53\/DOMPurify<\/a><\/p>\n\n\n\n<p>also: interesting discussion about XSS attacks (confusing even DOMPurify at times):<\/p>\n\n\n\n<p><a href=\"https:\/\/news.ycombinator.com\/item?id=24703230\">https:\/\/news.ycombinator.com\/item?id=24703230<\/a><\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with string full of dirty HTML and it will return a string (unless configured otherwise) with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS attacks and other nastiness. It&#8217;s also damn bloody fast. We use the technologies the browser provides and turn them into an XSS filter. The faster your browser, the faster DOMPurify will be.<a href=\"https:\/\/github.com\/cure53\/DOMPurify#how-do-i-use-it\"><\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How do I use it?<\/h2>\n\n\n\n<p>It&#8217;s easy. Just include DOMPurify on your website.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/cure53\/DOMPurify#using-the-unminified-development-version\"><\/a><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Using the unminified development version<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;script type=\"text\/javascript\" src=\"src\/purify.js\"&gt;&lt;\/script&gt;<\/pre>\n\n\n\n<!--more-->\n\n\n\n<h3 class=\"wp-block-heading\"><a href=\"https:\/\/github.com\/cure53\/DOMPurify#using-the-minified-and-tested-production-version-source-map-available\"><\/a><\/h3>\n\n\n\n<h3 class=\"wp-block-heading\">Using the minified and tested production version (source-map available)<\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;script type=\"text\/javascript\" src=\"dist\/purify.min.js\"&gt;&lt;\/script&gt;<\/pre>\n\n\n\n<p>Afterwards you can sanitize strings by executing the following code:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">let clean = DOMPurify.sanitize(dirty);<\/pre>\n\n\n\n<p>The resulting HTML can be written into a DOM element using <code>innerHTML<\/code> or the DOM using <code>document.write()<\/code>. That is fully up to you. Note that by default, we permit HTML, SVG <strong>and<\/strong> MathML. If you only need HTML, which might be a very common use-case, you can easily set that up as well:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">let clean = DOMPurify.sanitize(dirty, { USE_PROFILES: { html: true } });<\/pre>\n\n\n\n<p><strong>Demo:<\/strong> <a href=\"https:\/\/cure53.de\/purify\">Play with DOMPurify<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Some purification samples please?<\/h2>\n\n\n\n<p>How does purified markup look like? Well, <a href=\"https:\/\/cure53.de\/purify\">the demo<\/a> shows it for a big bunch of nasty elements. But let&#8217;s also show some smaller examples!<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>DOMPurify.sanitize('&lt;img src=x onerror=alert(1)\/\/&gt;'); \/\/ becomes &lt;img src=\"x\"&gt;\nDOMPurify.sanitize('&lt;svg&gt;&lt;g\/onload=alert(2)\/\/&lt;p&gt;'); \/\/ becomes &lt;svg&gt;&lt;g&gt;&lt;\/g&gt;&lt;\/svg&gt;\nDOMPurify.sanitize('&lt;p&gt;abc&lt;iframe\/\/src=jAva&amp;Tab;script:alert(3)&gt;def&lt;\/p&gt;'); \/\/ becomes &lt;p&gt;abc&lt;\/p&gt;\nDOMPurify.sanitize('&lt;math&gt;&lt;mi\/\/xlink:href=\"data:x,&lt;script&gt;alert(4)&lt;\/script&gt;\"&gt;'); \/\/ becomes &lt;math&gt;&lt;mi&gt;&lt;\/mi&gt;&lt;\/math&gt;\nDOMPurify.sanitize('&lt;TABLE&gt;&lt;tr&gt;&lt;td&gt;HELLO&lt;\/tr&gt;&lt;\/TABL&gt;'); \/\/ becomes &lt;table&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;HELLO&lt;\/td&gt;&lt;\/tr&gt;&lt;\/tbody&gt;&lt;\/table&gt;\nDOMPurify.sanitize('&lt;UL&gt;&lt;li&gt;&lt;A HREF=\/\/google.com&gt;click&lt;\/UL&gt;'); \/\/ becomes &lt;ul&gt;&lt;li&gt;&lt;a href=\"\/\/google.com\"&gt;click&lt;\/a&gt;&lt;\/li&gt;&lt;\/ul&gt;<\/code><\/pre>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>https:\/\/github.com\/cure53\/DOMPurify also: interesting discussion about XSS attacks (confusing even DOMPurify at times): https:\/\/news.ycombinator.com\/item?id=24703230 DOMPurify sanitizes HTML and prevents XSS attacks. You can feed DOMPurify with string full of dirty HTML and it will return a string (unless configured otherwise) with clean HTML. DOMPurify will strip out everything that contains dangerous HTML and thereby prevent XSS [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[159,7],"tags":[690,311,689,688],"acf":[],"_links":{"self":[{"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/posts\/14191"}],"collection":[{"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/comments?post=14191"}],"version-history":[{"count":3,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/posts\/14191\/revisions"}],"predecessor-version":[{"id":14199,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/posts\/14191\/revisions\/14199"}],"wp:attachment":[{"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/media?parent=14191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/categories?post=14191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hesmid.nl\/test\/wp-json\/wp\/v2\/tags?post=14191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}