
Draft: Disallow style attrs and tags in DOMPurify's default Configuration

Dheeraj Joshi requested to merge djadmin-dompurify-forbid-styles into master

What does this MR do and why?

DOMPurify allows style tags and attributes by default.

This MR adds a default configuration to DOMPurify that removes all the tags / attrs which can potentially mutate page styling. This is to add defense-in-depth and avoid issues like phishing attacks with the help of HTML Injection.

Some related discussions at #342988 (comment 705893457).

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Closes #343207 (closed)

Edited by Dheeraj Joshi
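As an added example (not code from this MR, GitLab or DOMPurify), a wrapper that pins the style-forbidding defaults so a caller's own sanitizer config cannot drop them. FORBID_TAGS and FORBID_ATTR are DOMPurify's real options; the function names and the injectable `purifier` parameter are this example's own.

```javascript
// Added example: force DOMPurify to strip <style> elements and style=""
// attributes regardless of the config a caller passes in.
// FORBID_TAGS / FORBID_ATTR are DOMPurify's own options; buildStyleForbiddingConfig,
// sanitizeWithoutStyles and `purifier` are names assumed for this example.

const STYLE_TAGS = ['style'];
const STYLE_ATTRS = ['style'];

// Case-insensitive union: DOMPurify compares tag and attribute names lower-cased,
// so 'STYLE' and 'style' must collapse to one entry.
function union(base, extra) {
  const seen = new Set();
  for (const name of [...(base || []), ...extra]) {
    seen.add(String(name).toLowerCase());
  }
  return [...seen];
}

// Merge a caller's DOMPurify config with the style-forbidding defaults.
// The caller's keys are preserved, but FORBID_TAGS / FORBID_ATTR are always
// extended with 'style'; inside DOMPurify a forbidden name is removed even if
// the caller also lists it under ADD_TAGS / ADD_ATTR.
function buildStyleForbiddingConfig(userConfig = {}) {
  return {
    ...userConfig,
    FORBID_TAGS: union(userConfig.FORBID_TAGS, STYLE_TAGS),
    FORBID_ATTR: union(userConfig.FORBID_ATTR, STYLE_ATTRS),
  };
}

// purifier is a DOMPurify instance: window.DOMPurify in a browser, or
// createDOMPurify(new JSDOM('').window) in Node. It is injected here so the
// merge logic can be exercised without a DOM.
function sanitizeWithoutStyles(purifier, dirty, userConfig = {}) {
  return purifier.sanitize(dirty, buildStyleForbiddingConfig(userConfig));
}
```

In an application, every call site goes through `sanitizeWithoutStyles` rather than `DOMPurify.sanitize`, so a per-call config such as `{ ADD_TAGS: ['style'] }` cannot reopen the styling surface.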
