Why the error alert still displayed event the HTML elements are sanitized?

Question

Why the error alert still displayed event the HTML elements are sanitized?

239 Views Asked by venki At 07 February 2023 at 09:03

The below are my use case scenario.

Collect the user input.(the input must be HTML sting element)
Form the HTML element with some style.
After creating the HTML element, need to sanitize it and append it into the target DOM element.
The DOM element rendered the sanitized element. but the error alert stil displayed.

The user input is

<img src="http://url.to.file.which/not.exist" onerror="alert(document.cookie);">

This always shows the alert.

Can someone help me to resolve this?

function createEle() {
  const wrapElement = document.createElement('div');
  wrapElement.innerHTML = document.getElementById("html-input").value;
  const html = showSanitizedHTML(wrapElement);
  console.log(html.outerHTML)
  document.getElementById("sanitized-html").innerHTML = html.innerHTML;
}

function showSanitizedHTML(value) {
  const sanitizedHTML = DOMPurify.sanitize(value.outerHTML);
  const tempWrapElement = document.createElement('div');
  tempWrapElement.innerHTML = sanitizedHTML;
  return tempWrapElement.firstElementChild;
}

<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<textarea id="html-input"></textarea>
<button onclick="createEle()">Show Sanitized HTML</button>
<div id="sanitized-html"></div>

Original Q&A

There are 3 best solutions below

**Quentin** · Answer 1 · 2023-02-07T09:15:10.010000

This is the sequence of events:

You read the raw user input
You inject the raw user input into the DOM (wrapElement.innerHTML =)
You read the normalised user input back from the DOM
You pass the normalised user input though DOMPurify.sanitize
You inject the sanitized user input into the DOM

The alert fires due to step 2.

**mplungjan** · Answer 2 · 2023-02-07T09:16:38.643000

The script content executes on this statement

wrapElement.innerHTML = document.getElementById("html-input").value;

So here is how to fix it

function createEle() {
  const wrapElement = document.createElement('div');
  wrapElement.innerHTML =  DOMPurify.sanitize(document.getElementById("html-input").value);
  console.log(wrapElement.outerHTML)
  document.getElementById("sanitized-html").innerHTML = wrapElement.innerHTML;
}

<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<textarea id="html-input"></textarea>
<button onclick="createEle()">Show Sanitized HTML</button>
<div id="sanitized-html"></div>

or shorter, assuming you want to keep using the wrapper:

document.getElementById("sanitized-html").innerHTML = wrapElement.innerHTML;

**T.J. Crowder** · Answer 3 · 2023-02-07T09:17:03.473000

Because you're using unsanitized HTML here:

const wrapElement = document.createElement('div');
wrapElement.innerHTML = document.getElementById("html-input").value;

Don't jump through those hoops, just pass the text directly to DOMPurify:

function createEle() {
    const element = showSanitizedHTML(document.getElementById("html-input").value);
    // Your `showSanitizedHTML` is returning an **element**, not HTML,
    // so you wouldn't use `innerHTML` to put it in the DOM.
    const output = document.getElementById("sanitized-html");
    output.innerHTML = "";
    output.appendChild(element);
}

function showSanitizedHTML(html) {
    const sanitizedHTML = DOMPurify.sanitize(html);
    // Not sure what the purpose of this wrapper element is, but since
    // it only uses sanitized HTML, I left it in place.
    const tempWrapElement = document.createElement("div");
    tempWrapElement.innerHTML = sanitizedHTML;
    return tempWrapElement.firstElementChild;
}

<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<textarea id="html-input"></textarea>
<button onclick="createEle()">Show Sanitized HTML</button>
<div id="sanitized-html"></div>

Or more simply:

function createEle() {
    const html = showSanitizedHTML(document.getElementById("html-input").value);
    document.getElementById("sanitized-html").innerHTML = html;
}

function showSanitizedHTML(html) {
    const sanitizedHTML = DOMPurify.sanitize(html);
    return sanitizedHTML;
}

<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<textarea id="html-input"></textarea>
<button onclick="createEle()">Show Sanitized HTML</button>
<div id="sanitized-html"></div>

Or even more simply:

function createEle() {
    document.getElementById("sanitized-html").innerHTML = DOMPurify.sanitize(
        document.getElementById("html-input").value
    );
}

<script src="https://cdn.jsdelivr.net/npm/[email protected]/dist/purify.min.js"></script>
<textarea id="html-input"></textarea>
<button onclick="createEle()">Show Sanitized HTML</button>
<div id="sanitized-html"></div>

Why the error alert still displayed event the HTML elements are sanitized?

There are 3 best solutions below

Related Questions in JAVASCRIPT

Related Questions in HTML

Related Questions in HTML-SANITIZING

Trending Questions

Popular # Hahtags

Popular Questions