-
-
Notifications
You must be signed in to change notification settings - Fork 130
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Does html-react-parser strip out XSS? #94
Comments
Great question @dave-stevens-net! Unfortunately it doesn't. The reason is because I chose to make this library flexible rather than strict. Although there is the replace option, checking against all possible attacks may be too much. I recommend instead using an XSS sanitizer with dangerouslySetInnerHTML. |
Good to know. Thanks for the quick response. |
You're very welcome. If this answers your question @dave-stevens-net, can the issue be closed? |
@dave-stevens-net I may have misspoke earlier about this library not being XSS safe. I originally thought this library wasn't XSS-safe because However, it seems that I'm unable to reproduce any XSS vulnerabilities. See my fiddle, which is based off of this example. Let me know if you have any luck in reproducing XSS attacks. |
I managed to reproduce a simple XSS attack. There might be more. Check my fiddle. I found it in here https://www.in-secure.org/misc/xss/xss.html |
I ended up coding a Sanitize component using the sanitize-html package dependency.
Example usage:
|
@harveydf Great find! Thanks for creating and sharing the fiddle. I'll update the |
I didn't want to use sanitize-html, because it's massive. I used dompurify instead, it's 10 times smaller, and doesn't remove CSS.
|
Hey I know this is a pretty old comment but I just wanted to point out that this isn't actually an XSS issue since the JavaScript is running within the iframe. If you change the html to |
In the |
@alexgleason there are many other ways to do XSS without <a onmouseover="alert()">xss</a> Take a look at https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html |
Ahh... that makes sense. What I'm really trying to figure out is if this library is any worse than |
@alexgleason you should treat this library the same as |
Thank you for clarifying. A friend of mine got burned by this one earlier this year, so now I am extra paranoid:
Fortunately I can't reproduce the attack using this library. I just gave it a try. They were using a custom HTML parser that was vulnerable. This library seems to use the browser's DOMParser when it's availble. Therefore, I conclude it's no less secure than using |
I'm wanting to use html-react-parser to sanitize and parse HTML from my CMS. Does it effectively sanitize the input from XSS attacks? https://stackoverflow.com/questions/29044518/safe-alternative-to-dangerouslysetinnerhtml#answer-48261046 claims that it does. If so, I think it would be great to document / advertise this somewhere in the README. Thanks for your work on this.
The text was updated successfully, but these errors were encountered: