This week, a two year old vulnerability report resurfaced in the news: https://portswigger.net/daily-swig/aurelia-frameworks-default-html-sanitizer-opens-the-door-to-xss-attacks
I therefore decided to create a very simple Aurelia plugin for using DOMPurify as Aurelia’s sanitizer implementation: @appex/aurelia-dompurify - npm
Feedback is welcome.
An issue I had is that when using it as a plugin, having `config.singleton(HTMLSanitizer, DOMPurifySanitizer)` in the plugin's `index.ts` and using it as `aurelia.use.plugin(PLATFORM.moduleName('@appex/aurelia-dompurify'))`, the result is two DI resolvers for `HTMLSanitizer`, one returning `DOMPurifySanitizer` and the other the default version. Inspecting the container shows them seemingly having the same key, but the objects are evidently not identical. Does anybody have an idea why this is?
Edit: This issue was due to referencing the local source folder of the package in `package.json` for testing. Another issue remains, however: `aurelia.use.plugin(PLATFORM.moduleName('@appex/aurelia-dompurify'))` needs to be put before the call to `.standardConfiguration()`, otherwise the default implementation will be used. That is also the case if I add a `config.container.unregister(HTMLSanitizer)` in the plugin's `index.ts`. Is there any way of avoiding that?
Edit: Fixed in v0.4.0 with help from @MaximBalaganskiy
Edit: v0.5.0 allows specifying a custom DOMPurify configuration
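The pattern the post describes (a plugin whose `configure()` registers a DOMPurify-backed class under Aurelia's `HTMLSanitizer` key, with a callback for a custom DOMPurify configuration) is shown below as an added example; it is not the code of `@appex/aurelia-dompurify`. To keep it runnable without the framework, Aurelia's `HTMLSanitizer`, the `singleton`/`instance` methods of `FrameworkConfiguration` and a tiny resolving container are replaced by local stand-ins, and the `fakeDOMPurify` object is a constructed stub standing in for the real `dompurify` import. The option shape, the `DOMPURIFY_OPTIONS` token and the `RecordingConfiguration` class are assumptions made for this example.

```typescript
// Added example, not the package's own code. Stand-ins replace
// 'aurelia-templating-resources' (HTMLSanitizer) and 'dompurify' so it runs alone.

// Stand-in for Aurelia's HTMLSanitizer: same contract (sanitize(input) => string).
class HTMLSanitizer {
  sanitize(input: string): string {
    return input;
  }
}

// The only part of DOMPurify's API the adapter relies on.
interface PurifierLike {
  sanitize(dirty: string, config?: Record<string, unknown>): string;
}

// Subset of Aurelia's FrameworkConfiguration used by configure().
interface FrameworkConfigurationLike {
  singleton(key: unknown, fn: unknown): void;
  instance(key: unknown, value: unknown): void;
}

// Options the host app can tune through the plugin callback (assumed shape).
interface DOMPurifyPluginOptions {
  purifier: PurifierLike;             // the DOMPurify instance to delegate to
  config: Record<string, unknown>;    // forwarded verbatim as DOMPurify's config
}

// DI key for the options object (assumed token name).
const DOMPURIFY_OPTIONS = 'appex-dompurify:options';

// Constructed stub for the real DOMPurify: it only tags its output with the
// config it was given, so the delegation and the configuration can be checked.
const fakeDOMPurify: PurifierLike = {
  sanitize(dirty: string, config?: Record<string, unknown>): string {
    return `[purified:${JSON.stringify(config ?? {})}]${dirty}`;
  },
};

// Adapter registered under the HTMLSanitizer key: every call goes to DOMPurify
// with the configured options instead of to Aurelia's default sanitizer.
class DOMPurifySanitizer extends HTMLSanitizer {
  static inject = [DOMPURIFY_OPTIONS];
  constructor(private readonly options: DOMPurifyPluginOptions) {
    super();
  }
  sanitize(input: string): string {
    return this.options.purifier.sanitize(input, this.options.config);
  }
}

// Plugin entry point, the function Aurelia calls for aurelia.use.plugin(name, callback).
// The callback lets the host app set a custom DOMPurify configuration.
function configure(
  config: FrameworkConfigurationLike,
  callback?: (options: DOMPurifyPluginOptions) => void,
): void {
  const options: DOMPurifyPluginOptions = { purifier: fakeDOMPurify, config: {} };
  if (callback) {
    callback(options);
  }
  config.instance(DOMPURIFY_OPTIONS, options);
  // Bind the adapter to the HTMLSanitizer key so the sanitize value converter
  // resolves it (the host must register this plugin before .standardConfiguration()).
  config.singleton(HTMLSanitizer, DOMPurifySanitizer);
}

// Minimal stand-in for Aurelia's DI container: records registrations and
// resolves a key by constructing the registered class with its static inject
// dependencies looked up from the container.
class RecordingConfiguration implements FrameworkConfigurationLike {
  readonly singletons = new Map<unknown, any>();
  readonly instances = new Map<unknown, unknown>();
  singleton(key: unknown, fn: unknown): void {
    this.singletons.set(key, fn);
  }
  instance(key: unknown, value: unknown): void {
    this.instances.set(key, value);
  }
  get<T>(key: unknown): T {
    if (this.instances.has(key)) {
      return this.instances.get(key) as T;
    }
    const ctor = this.singletons.get(key);
    if (!ctor) {
      throw new Error(`no registration for ${String(key)}`);
    }
    const deps = (ctor.inject ?? []).map((k: unknown) => this.get(k));
    return new ctor(...deps) as T;
  }
}

// Wire the plugin into a fresh container, restrict DOMPurify to <b> and <i>,
// and resolve HTMLSanitizer the way Aurelia's sanitize converter would.
function demo(html: string): string {
  const cfg = new RecordingConfiguration();
  configure(cfg, (options) => {
    options.config = { ALLOWED_TAGS: ['b', 'i'] };
  });
  const sanitizer = cfg.get<HTMLSanitizer>(HTMLSanitizer);
  return sanitizer.sanitize(html);
}
```

In a real plugin the only change is to import `HTMLSanitizer` and `DOMPurify` instead of the stand-ins; in the host app's `main.ts`, the `.plugin(PLATFORM.moduleName('@appex/aurelia-dompurify'), callback)` call has to come before `.standardConfiguration()`, as the post says, or the default sanitizer registered by the standard configuration is the one that gets resolved.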