Does html-react-parser strip out XSS? #94

Closed
@dave-stevens-net

Description

I'm wanting to use html-react-parser to sanitize and parse HTML from my CMS. Does it effectively sanitize the input from XSS attacks? https://stackoverflow.com/questions/29044518/safe-alternative-to-dangerouslysetinnerhtml#answer-48261046 claims that it does. If so, I think it would be great to document / advertise this somewhere in the README. Thanks for your work on this.

Activity

remarkablemark

remarkablemark commented on Mar 8, 2019

@remarkablemark
Owner

Great question @dave-stevens-net!

Unfortunately it doesn't. The reason is because I chose to make this library flexible rather than strict.

Although there is the replace option, checking against all possible attacks may be too much. I recommend instead using an XSS sanitizer with dangerouslySetInnerHTML.

dave-stevens-net

dave-stevens-net commented on Mar 8, 2019

@dave-stevens-net
Author

Good to know. Thanks for the quick response.

remarkablemark

remarkablemark commented on Mar 8, 2019

@remarkablemark
Owner

You're very welcome. If this answers your question @dave-stevens-net, can the issue be closed?

remarkablemark

remarkablemark commented on Mar 9, 2019

@remarkablemark
Owner

@dave-stevens-net I may have misspoken earlier about this library not being XSS safe.

I originally thought this library wasn't XSS-safe because dangerouslySetInnerHTML was relied on here.

However, it seems that I'm unable to reproduce any XSS vulnerabilities. See my fiddle, which is based off of this example.

Let me know if you have any luck in reproducing XSS attacks.

harveydf

harveydf commented on Mar 13, 2019

@harveydf

I managed to reproduce a simple XSS attack. There might be more.

Check my fiddle.

I found it in here https://www.in-secure.org/misc/xss/xss.html

dave-stevens-net

dave-stevens-net commented on Mar 13, 2019

@dave-stevens-net
Author

I ended up coding a Sanitize component using the sanitize-html package dependency.

import React from 'react'
import sanitizeHtml from 'sanitize-html'

// Run the CMS markup through sanitize-html's allow-list before handing it to
// dangerouslySetInnerHTML, so only the listed tags and attributes survive.
const Sanitize = ({ html }) => {
    const clean = sanitizeHtml(html, {
        allowedTags: sanitizeHtml.defaults.allowedTags.concat(['img', 'span']),
        allowedAttributes: {
           // ... (per-tag attribute allow-list)
        },
    })
    return (
        <span
            className="sanitized-html"
            dangerouslySetInnerHTML={{ __html: clean }}
        />
    )
}
export default Sanitize

Example usage:

<Sanitize html={data.wordpressPage.title} />

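What the allow-list step of a sanitizer such as sanitize-html or DOMPurify does to each parsed element before the markup ever reaches html-react-parser, as an added example that is not code from this issue or from either library; the tag and attribute lists, scheme list and function names are assumptions chosen for illustration.

```javascript
// Added example, not html-react-parser's, sanitize-html's or DOMPurify's code:
// the per-element attribute allow-list a sanitizer applies to the parsed tree
// before it is handed to parse(). It works on parsed, entity-decoded attribute
// values, so it must run after HTML parsing, never on raw markup.

// URL schemes a URL-bearing attribute may use; anything else (javascript:,
// data:, ...) is dropped. Scheme-less values (relative URLs) are kept.
const ALLOWED_SCHEMES = new Set(['http', 'https', 'mailto']);

// Attributes permitted on every allowed tag (assumed policy).
const GLOBAL_ATTRIBUTES = new Set(['class', 'id', 'title']);

// Allowed tags and their extra attributes. A Map avoids prototype lookups
// (a tag named "constructor" would match on a plain object literal).
const ALLOWED_ATTRIBUTES = new Map([
  ['a', new Set(['href', 'target', 'rel'])],
  ['img', new Set(['src', 'alt', 'width', 'height'])],
  ['p', new Set()],
  ['span', new Set()],
]);

// Attributes whose value is a URL and must pass the scheme check.
const URL_ATTRIBUTES = new Set(['href', 'src']);

// Normalise the way the browser's URL parser does before reading the scheme:
// drop ASCII tab/newline, strip leading control/space characters, compare
// the scheme case-insensitively.
function isSafeUrl(value) {
  const cleaned = String(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '');
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(cleaned);
  if (!m) return true; // no scheme: relative URL or fragment
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Return the attributes of `tag` that survive the policy, or null when the
// tag itself is not allowed and the whole element has to be removed.
function filterAttributes(tag, attrs) {
  const extra = ALLOWED_ATTRIBUTES.get(String(tag).toLowerCase());
  if (!extra) return null;
  const kept = {};
  for (const [rawName, value] of Object.entries(attrs)) {
    const name = rawName.toLowerCase();
    if (name.startsWith('on')) continue; // event-handler attributes
    if (!extra.has(name) && !GLOBAL_ATTRIBUTES.has(name)) continue;
    if (URL_ATTRIBUTES.has(name) && !isSafeUrl(value)) continue;
    kept[name] = value;
  }
  return kept;
}
```

A maintained sanitizer covers far more than this (CSS, SVG and MathML, namespace and mutation cases), which is why the thread recommends one over hand-rolled checks in a `replace` callback.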
remarkablemark

remarkablemark commented on Mar 13, 2019

@remarkablemark
Owner

@harveydf Great find! Thanks for creating and sharing the fiddle.

I'll update the README.md to note that this library isn't XSS safe.

added a commit that references this issue on Apr 5, 2019
e6cc762
k1sul1

k1sul1 commented on Jul 9, 2019

@k1sul1

I didn't want to use sanitize-html, because it's massive. I used dompurify instead, it's 10 times smaller, and doesn't remove CSS.

import parse, { domToReact } from 'html-react-parser'
import DOMPurify from 'dompurify'
import React from 'react'

// Hook for html-react-parser's replace option. Returning undefined keeps the
// node as parsed; domToReact is imported for custom replacements.
export function replaceNode() {}

// Sanitize with DOMPurify first, then parse the cleaned markup into React
// elements. Keys in opts override the defaults, including replace.
export default function html(html, opts = {}) {
  return parse(DOMPurify.sanitize(html), {
    replace: replaceNode,
    ...opts,
  })
}

// The javascript: URL is removed by the sanitizer before parse ever sees it.
html('<iframe src=javascript:alert("xss")></iframe>')

remarkablemark

remarkablemark commented on Jul 14, 2019

@remarkablemark
Owner

Thanks for sharing your approach using dompurify @k1sul1!

I created a Repl.it demo based on your example.
