
I stumbled across a weird behavior of DOMPurify where data-* attributes get left when sanitizing with the default options, but get stripped out when using the SAFE_FOR_TEMPLATES option. Also, the whole text that contains a template gets stripped out instead of just the template part.

Are these bugs or features? What is the rationale for these?

```javascript
const dirty = '<span data-foo="bar"> Hello {{ World }} </span>';

console.log(
  DOMPurify.sanitize(dirty)
  // expected <span data-foo="bar"> Hello {{ World }} </span>
  // actual   <span data-foo="bar"> Hello {{ World }} </span>
);

console.log(
  DOMPurify.sanitize(dirty, { SAFE_FOR_TEMPLATES: true })
  // expected <span data-foo="bar"> Hello </span>
  // actual   <span>  </span>
);
```

```html
<script src="https://unpkg.com/dompurify@2.0.0/dist/purify.min.js"></script>
```
Nino Filiu
  • Note that in [the docs](https://github.com/cure53/DOMPurify#can-i-configure-dompurify) they say: "this mode is not recommended for production usage. // allowing template parsing in user-controlled HTML is not advised at all." – Roy J Sep 16 '19 at 13:01
  • @RoyJ yup I read that ;) But thanks! Did you stumble across some docs that explains in details what is the expected behavior and/or rationale behind the `SAFE_FOR_TEMPLATES` options? – Nino Filiu Sep 16 '19 at 13:04
  • I don't have a definite answer for you, but I note that Knockout uses `data-` attributes for its bindings, so maybe that's the rationale. – Roy J Sep 16 '19 at 13:14

0 Answers