Question: Why not `{ RETURN_DOM_FRAGMENT: true, RETURN_DOM_IMPORT: false }`?

[GrantGryczan]

The readme states there are XSS vulnerabilities when RETURN_DOM_FRAGMENT is true while RETURN_DOM_IMPORT is false. Out of curiosity, could you give any example(s) of this? And an explanation of why it occurs or why RETURN_DOM_IMPORT prevents it would be appreciated :)

[cure53]

Uuuh, the bypass was discussed privately with the Chrome team, so not sure how much I can tell about it :D

If I remember correctly, it had to do with declarative shadow DOM: https://web.dev/declarative-shadow-dom/
It offered a way to make elements become invisible if the wrong flags are used, iirc that is why we do that magic.

[GrantGryczan]

Huh, how is that possible if the shadowroot attribute is blacklisted?

[cure53]

Well, what is someone allow-lists it? That would mean instant XSS and no one would know, right?

[GrantGryczan]

But couldn't it be automatically disabled if shadowroot is not allowed? That would be a huge optimization considering how slow importNode can be on large node trees. If that's a valid optimization, I'd be happy to submit a PR for it if you'd prefer.

[GrantGryczan]

Just for the record, here's a profile of DOMPurify.sanitize in Chrome 94 when called on a very large node tree. And similar results arise when running the same profile server-side in a JSDOM environment.

The browser just freezes when running this repeatedly (e.g. if the user types quickly where DOMPurify must repeatedly sanitize a live-updating HTML preview, which is my use case), though it's worth noting DOMPurify is only ~30% of the synchronous blocking time in my case (which makes the percentages above out of that ~30%). The other 70% is React, the browser itself, and other unrelated processing.

(Profiles like these are why I started to look into this as well as #585.)

[cure53]

Hmmm, yeah, let's try that :) We will have a look at the PR and do some XSS tests - and if all is fine, this might be valid. Thanks!

[cure53]

closing this for inactivity