/DOMSanitizer

The DOMSanitizer fork with loose parsing technology.

Primary LanguageJavaScript

DOMSanitizer

DOMSanitizer is a client-side web application firewall (WAF) module written in JavaScript and protecting against Cross-Site Scripting (XSS) attacks in black-box model.

Security Goals

  • Reducing web application attacks surface on a client-side
  • DOM-based XSS attacks detection

Description

DOMSanitizer is intended for use in WAF solutions and as any other WAF it operates in a black-box model. If you are web application developer and you control application's data flows, then you probaly should use DOMPurify.

DOMSanitizer is based on the following components:

DOMSanitizer uses DOMPurify sanitizer for detection dangerous HTML, MathML and SVG markup and Acorn parser for heuristic finding code in data flows. It can be used in all modern browsers where DOMPurify and Acorn must work: Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome.

UPDATE

The new JS parsing mode has been added in this fork. You can use this instead of js-context. See example below.

API

DOMSanitizer.sanitize(dirty, {contexts: ['js', 'dom']});

Examples

// Common sanitization.
DOMSanitizer.sanitize('"};alert(1);//"')
// Returns ''


// Sanitization is a JavaScript-context.
DOMSanitizer.sanitize('"};alert(1);//"', {contexts: ['js']})
// Returns ''

// Sanitization is a JavaScript-context. (The attack vector has syntax errors)
DOMSanitizer.sanitize(')},{0:prompt(1', {contexts: ['jsloose']})
// Returns ''

// Sanitization is a DOM-context (custom DOMPurify-mode).
DOMSanitizer.sanitize('<script>alert(1)</script>', {contexts: ['dom']})
// Returns ''

// Sanitization is a attribute-based context.
DOMSanitizer.sanitize(' " onmouseover=alert(1) "', {contexts: ['attr']})
// Returns ''

Contexts

DOMSanitizer supports the following contexts: DOM, ATTR, URL, CALLBACK, JS, JSLOOSE.

Contributors

References

  1. Waf.js: How to Protect Web Applications using JavaScript.