Endless loop of DOMParser.parseFromString when used with Trusted Types polyfill #1027

Closed
orazioedoardo opened this issue Nov 15, 2024 · 4 comments


@orazioedoardo

orazioedoardo commented Nov 15, 2024

Background & Context

When trying to use DOMPurify in conjunction with the trustedTypes polyfill, the HTML is not sanitized but rather seems to run into an endless loop as if DOMPurify does not set its "dompurify" policy. Not sure if it's a DOMPurify issue, or an issue with the polyfill, or if I'm using it wrong, sorry if this is the wrong place to ask.

Input

This is the sample JavaScript code, which I then bundle with webpack.

```javascript
import { trustedTypes, TrustedTypeConfig, TrustedTypesEnforcer } from "trusted-types";
import DOMPurify from "dompurify";

let trustedTypesObject;

if (window.trustedTypes && trustedTypes.createPolicy) {
    trustedTypesObject = window.trustedTypes;
} else {
    trustedTypesObject = trustedTypes;
    const config = new TrustedTypeConfig(false, true, ["default", "dompurify"], false);
    const enforcer = new TrustedTypesEnforcer(config);
    enforcer.install();
}

trustedTypesObject.createPolicy("default", {
    createHTML: (string, type) => {
        console.warn("Created a '" + type + "' object.");
        return DOMPurify.sanitize(string, { RETURN_TRUSTED_TYPE: false });
    },
});
```

Given output

Example output from Safari, caught in an endless loop of thousands of DOMParser.parseFromString sanitization instances. At some point it ends but I believe the browser is doing it. If I try it in Chrome, it never ends and hangs the tab.


Expected output

Expected a TrustedHTML object.

@cure53
Owner

cure53 commented Nov 15, 2024

Heya, thanks for filing - if this is our bug, we will happily be fixing it, but I think it's not.

In case the issue only appears with the poly-fill in place, then I think their code might need fixing, not ours.

@orazioedoardo
Author

Wow thanks for the quick reply. I will post an issue on https://github.com/w3c/trusted-types and see what they think about this.

@cure53
Owner

cure53 commented Nov 15, 2024

Cool, thanks :)

@orazioedoardo
Author

> In case the issue only appears with the poly-fill in place, then I think their code might need fixing, not ours.

Oh by the way, yes if I load the polyfill as explained here, DOMPurify works as expected.
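
A toy model of the loop reported in this thread, added here as an illustration; it is not code from DOMPurify, the polyfill, or either participant. It assumes the cause is that the sanitizer hands a plain string to an enforced sink, which routes it back to the default policy; `TrustedValue`, `makeEnv`, `makeSanitizer` and `run` are hypothetical names, and the depth cap exists only so the demonstration terminates.

```javascript
// Toy model, constructed for illustration; none of this is the polyfill's or DOMPurify's code.
class TrustedValue {               // stand-in for a TrustedHTML object
  constructor(html) { this.html = html; }
}

function makeEnv(maxDepth = 25) {
  const env = { defaultPolicy: null, sinkCalls: 0, depth: 0, maxDepth };

  // Enforced sink, standing in for DOMParser.parseFromString under enforcement:
  // a plain string is routed through the default policy, a TrustedValue is accepted as is.
  env.sink = (input) => {
    env.sinkCalls++;
    if (input instanceof TrustedValue) return input.html;
    if (++env.depth > env.maxDepth) throw new RangeError("default policy re-entered");
    try { return env.defaultPolicy(input); } finally { env.depth--; }
  };
  return env;
}

// Sanitizer stand-in: it parses its input through the sink, then applies a toy
// transformation (dropping <script> elements). `ownPolicy` models whether it wraps
// the input with its own named policy before touching the sink.
function makeSanitizer(env, ownPolicy) {
  return (dirty) => {
    const parsed = env.sink(ownPolicy ? new TrustedValue(dirty) : dirty);
    return parsed.replace(/<script[\s\S]*?<\/script>/gi, "");
  };
}

function run(ownPolicy) {
  const env = makeEnv();
  const sanitize = makeSanitizer(env, ownPolicy);
  env.defaultPolicy = (s) => sanitize(s);        // same shape as the issue's default policy
  try {
    const out = env.sink("<b>hi</b><script>x()</script>"); // constructed sample input
    return { ok: true, out, sinkCalls: env.sinkCalls };
  } catch (e) {
    return { ok: false, error: e.message, sinkCalls: env.sinkCalls };
  }
}

console.log(run(false)); // sanitizer passes strings: loop, cut off by the depth cap
console.log(run(true));  // sanitizer wraps with its own policy: terminates
```

In the model, the loop disappears only when the sanitizer's internal parse receives a trusted value, so the sink never consults the default policy for it.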
