DOMSanitizer is a client-side web application firewall (WAF) module written in JavaScript that protects against Cross-Site Scripting (XSS) attacks in a black-box model.
- Reducing the web application attack surface on the client side
- Detecting DOM-based XSS attacks
DOMSanitizer is intended for use in WAF solutions and, like any other WAF, it operates in a black-box model. If you are a web application developer and you control your application's data flows, then you should probably use DOMPurify instead.
DOMSanitizer is based on the following components: the DOMPurify sanitizer, for detecting dangerous HTML, MathML and SVG markup, and the Acorn parser, for heuristically finding code in data flows.
It can be used in all modern browsers in which DOMPurify and Acorn work: Safari, Opera (15+), Internet Explorer (10+), Edge, Firefox and Chrome.
A new JS parsing mode has been added in this fork; you can use it instead of the js context. See the examples below.
```javascript
// Sanitize `dirty` in one or more contexts; a value judged dangerous comes back as ''.
DOMSanitizer.sanitize(dirty, {contexts: ['js', 'dom']});

// Common sanitization (default contexts).
DOMSanitizer.sanitize('"};alert(1);//"')
// Returns ''

// Sanitization in the JavaScript context.
DOMSanitizer.sanitize('"};alert(1);//"', {contexts: ['js']})
// Returns ''

// Sanitization in the loose JavaScript context (the attack vector has syntax errors).
DOMSanitizer.sanitize(')},{0:prompt(1', {contexts: ['jsloose']})
// Returns ''

// Sanitization in the DOM context (custom DOMPurify mode).
DOMSanitizer.sanitize('<script>alert(1)</script>', {contexts: ['dom']})
// Returns ''

// Sanitization in the attribute context.
DOMSanitizer.sanitize(' " onmouseover=alert(1) "', {contexts: ['attr']})
// Returns ''
```
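The `js` and `jsloose` contexts in the examples above differ in how much broken syntax they tolerate. The following JavaScript is an added illustration, not DOMSanitizer's own code (which delegates this work to Acorn): it models a strict check, which only fires when the value closes the string literal it was embedded in and then carries a call, beside a loose check, which fires on any call-like fragment even when the value alone is not valid JavaScript. The quoted-literal embedding, the names `escapesStringLiteral`, `looksLikeCode` and `sanitizeJsContext`, and the regular expression are this example's own assumptions.

```javascript
// Added illustration, not DOMSanitizer's own code: a minimal model of the two
// JavaScript-context checks described in this README. "js" is strict (the value
// has to turn a string literal in the host script into code), "jsloose" is
// tolerant (code-looking fragments are flagged even when the value alone is not
// valid JS). DOMSanitizer does this with Acorn; the template, the delimiter
// handling and the regular expression below are this example's assumptions.

// Strict part: a value placed inside a quoted JS string literal can only become
// code if it terminates that literal. Walk the value honouring backslash escapes
// and report whether an unescaped closing quote appears.
function escapesStringLiteral(value, quote = '"') {
  for (let i = 0; i < value.length; i++) {
    const ch = value[i];
    if (ch === '\\') { i++; continue; }   // escaped character, never a terminator
    if (ch === quote) return true;        // literal closed: everything after is code
  }
  return false;
}

// Loose part: independent of any template, look for the shape every executing
// payload needs, an identifier or member chain followed by "(". Deliberately
// tolerant of broken syntax, so it also fires on ')},{0:prompt(1'.
const CALL_LIKE = /[A-Za-z_$][\w$]*(?:\s*\.\s*[A-Za-z_$][\w$]*)*\s*\(/;
function looksLikeCode(value) {
  return CALL_LIKE.test(value);
}

// Mirrors the contract shown in the README examples: return '' for a value
// judged dangerous in the chosen context, otherwise return the value unchanged.
function sanitizeJsContext(value, { loose = false, quote = '"' } = {}) {
  if (loose) {
    return looksLikeCode(value) ? '' : value;
  }
  // strict: the value must both break out of the literal and carry a call
  return escapesStringLiteral(value, quote) && looksLikeCode(value) ? '' : value;
}

// Constructed sample inputs (not taken from any real traffic)
const samples = [
  '"};alert(1);//"',        // classic break-out, flagged by both modes
  ')},{0:prompt(1',         // not valid JS on its own, only the loose mode fires
  "O'Reilly (1999)",        // benign, but the loose heuristic still fires on "Reilly ("
  'plain text, no code',    // benign in both modes
];
for (const s of samples) {
  console.log(JSON.stringify(s),
              'js:', JSON.stringify(sanitizeJsContext(s)),
              'jsloose:', JSON.stringify(sanitizeJsContext(s, { loose: true })));
}
```

The loose heuristic also fires on the benign `O'Reilly (1999)`; that noise is the price of tolerating broken syntax, which is why both modes exist. The strict check is only as good as its knowledge of the embedding context: the same value is harmless inside a double-quoted literal and a break-out inside a single-quoted one (`quote: "'"`). For real data flows a parser such as Acorn, as DOMSanitizer uses, is the right tool, since a regular expression cannot track nesting, comments or template literals.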
DOMSanitizer supports the following contexts:
- DOM
- ATTR
- URL
- CALLBACK
- JS
- JSLOOSE