name-overrides-builtin
Test if a given name might override a property of a DOM Node marked as [OverrideBuiltins], specifically HTMLDocument and HTMLFormElement. This package uses a list so that it works in JavaScript implementations that do not have a DOM and so that the behaviour is consistent between browser versions.
If an element qualifies as a named property because of its name or id attribute, the value of that attribute is used to set a property on HTMLDocument and HTMLFormElement instances. This property overrides any built-in property, such as createElement, firstChild, etc. For example:
Usage
var overridesBuiltin = ;
 === true;
 === false;
 === true;
 === false;
// returns ['ATTRIBUTE_NODE', 'CDATA_SECTION_NODE', ...
var list = overridesBuiltin;
var list = overridesBuiltin;
DOMPurify
DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG.
DOMPurify checks for named property clobbering by inspecting the browser it is running in. This is not adequate for some use cases. For example, if you are sanitizing only on the server side (e.g. node.js + jsdom) and sending that content to various browsers, properties or methods that are implemented in browsers but not in jsdom can still be overridden.
For such a use case, this library provides a convenient hook:
var window = defaultView;
var DOMPurify = window;
var overridesBuiltin = ;
// returns '<img id="webkitRequestFullScreen" src="cat.png">'
DOMPurify;
overridesBuiltin;
// returns '<img src="cat.png">'
DOMPurify;
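Why a check against the sanitizing environment misses names that a fixed list catches, shown as an added example that is not code from this package or from DOMPurify. The `serverDocument` object, the `BUILTIN_NAMES` list and all function names are constructed for illustration and do not reflect either library's API.

```javascript
// Constructed stand-in for a server-side document (e.g. from jsdom) that
// does not implement the vendor-prefixed method browsers may expose.
const serverDocument = { createElement() {}, firstChild: null, cookie: '' };

// Constructed, heavily abbreviated list of built-in property names gathered
// across browsers. A real list would be far longer.
const BUILTIN_NAMES = new Set([
  'createElement', 'firstChild', 'cookie', 'webkitRequestFullScreen',
]);

// Environment-based check: only knows what the sanitizing runtime implements.
function clobbersInEnvironment(doc, name) {
  return name in doc;
}

// List-based check: gives the same answer in every runtime, DOM or not.
function clobbersByList(name) {
  return BUILTIN_NAMES.has(name);
}

// Drop id/name attributes whose value would shadow a built-in property.
// `attrs` is an array of [attributeName, value] pairs for one element.
function stripClobberingAttrs(attrs, clobbers) {
  return attrs.filter(([attr, value]) =>
    !((attr === 'id' || attr === 'name') && clobbers(value)));
}

// Constructed input matching the <img> element used on this page.
const img = [['id', 'webkitRequestFullScreen'], ['src', 'cat.png']];

// The server runtime lacks the property, so the id is kept and reaches browsers.
const viaEnvironment = stripClobberingAttrs(
  img, (name) => clobbersInEnvironment(serverDocument, name));

// The list knows the name regardless of runtime, so the id is removed.
const viaList = stripClobberingAttrs(img, clobbersByList);

console.log('environment check keeps:', viaEnvironment);
console.log('list check keeps:', viaList);
```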