Closed
Description
I'm wanting to use html-react-parser to sanitize and parse HTML from my CMS. Does it effectively sanitize the input from XSS attacks? https://stackoverflow.com/questions/29044518/safe-alternative-to-dangerouslysetinnerhtml#answer-48261046 claims that it does. If so, I think it would be great to document / advertise this somewhere in the README. Thanks for your work on this.
Activity
remarkablemark commented on Mar 8, 2019
Great question @dave-stevens-net!
Unfortunately it doesn't. The reason is because I chose to make this library flexible rather than strict.
Although there is the replace option, checking against all possible attacks may be too much. I recommend instead using an XSS sanitizer with dangerouslySetInnerHTML.
dave-stevens-net commented on Mar 8, 2019
Good to know. Thanks for the quick response.
remarkablemark commented on Mar 8, 2019
You're very welcome. If this answers your question @dave-stevens-net, can the issue be closed?
remarkablemark commented on Mar 9, 2019
@dave-stevens-net I may have misspoken earlier about this library not being XSS safe.
I originally thought this library wasn't XSS-safe because dangerouslySetInnerHTML was relied on here. However, it seems that I'm unable to reproduce any XSS vulnerabilities. See my fiddle, which is based off of this example.
Let me know if you have any luck in reproducing XSS attacks.
harveydf commented on Mar 13, 2019
I managed to reproduce a simple XSS attack. There might be more.
Check my fiddle.
I found it in here https://www.in-secure.org/misc/xss/xss.html
dave-stevens-net commented on Mar 13, 2019
I ended up coding a Sanitize component using the sanitize-html package dependency.
Example usage:
remarkablemark commented on Mar 13, 2019
@harveydf Great find! Thanks for creating and sharing the fiddle.
I'll update the README.md to note that this library isn't XSS safe.
Linked commit: docs(readme): add FAQ section and note that library is not XSS safe
k1sul1 commented on Jul 9, 2019
I didn't want to use sanitize-html, because it's massive. I used dompurify instead, it's 10 times smaller, and doesn't remove CSS.
html('<iframe src=javascript:alert("xss")></iframe>')
remarkablemark commented on Jul 14, 2019
Thanks for sharing your approach using dompurify @k1sul1!
I created a Repl.it demo based on your example.
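To make concrete why the parser alone is not a sanitizer (the `replace` option discussed earlier and the `<iframe src=javascript:...>` payload above), here is an added example that is not part of the thread or of html-react-parser itself. It applies an allowlist policy to a domhandler-style node tree, the structure the parser produces faithfully, including the `javascript:` URL; the tree, the allowlists and the `safeUrl` helper are constructed for this example, and a real app should run DOMPurify or sanitize-html on the string before `parse()` as the thread recommends.

```javascript
// Allowlists are assumptions for this example; tune them per application.
const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'ul', 'li', 'img']);
const ALLOWED_ATTRS = { '*': new Set(['title']), a: new Set(['href']), img: new Set(['src', 'alt']) };
const URL_ATTRS = new Set(['href', 'src']);

// Scheme check: strip ASCII control/whitespace characters that browsers ignore
// inside a scheme (so "java\tscript:" is seen as "javascript:"), then require
// http(s)/mailto or a scheme-less (relative) URL. Conservative by design.
function safeUrl(value) {
  const cleaned = String(value).replace(/[\u0000-\u0020\u007f]/g, '').toLowerCase();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  if (!m) return true; // no scheme: relative URL
  return ['http', 'https', 'mailto'].includes(m[1]);
}

// Returns a sanitized copy of one node, or null if the node is dropped.
// Disallowed elements (script, iframe, ...) are dropped with their subtree.
function sanitizeNode(node) {
  if (node.type === 'text') return node;
  if (node.type !== 'tag' || !ALLOWED_TAGS.has(node.name)) return null;
  const attribs = {};
  for (const [k, v] of Object.entries(node.attribs || {})) {
    const key = k.toLowerCase();
    if (key.startsWith('on')) continue; // event handler attributes
    const perTag = ALLOWED_ATTRS[node.name] || new Set();
    if (!ALLOWED_ATTRS['*'].has(key) && !perTag.has(key)) continue;
    if (URL_ATTRS.has(key) && !safeUrl(v)) continue; // javascript:, data:, ...
    attribs[key] = v;
  }
  const children = (node.children || []).map(sanitizeNode).filter(Boolean);
  return { type: 'tag', name: node.name, attribs, children };
}

function sanitizeTree(nodes) {
  return nodes.map(sanitizeNode).filter(Boolean);
}

// Constructed sample tree, as a parser would produce for:
// <p onclick="x()">hi <a href=" javascript:alert(1)">link</a><iframe src="javascript:alert(1)"></iframe></p>
const SAMPLE = [{ type: 'tag', name: 'p', attribs: { onclick: 'x()' }, children: [
  { type: 'text', data: 'hi ' },
  { type: 'tag', name: 'a', attribs: { href: ' javascript:alert(1)' }, children: [{ type: 'text', data: 'link' }] },
  { type: 'tag', name: 'iframe', attribs: { src: 'javascript:alert(1)' }, children: [] },
] }];
```

Running `sanitizeTree(SAMPLE)` keeps the `<p>` and `<a>` with their text but drops `onclick`, the `javascript:` `href`, and the whole `<iframe>`.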