Questions About `_isClobbered`

[GrantGryczan]

Out of curiosity, could you give an example/explanation of some input that makes this condition return true?

DOMPurify/src/purify.js

Lines 793 to 802 in dbf7a34

	if (
	typeof elm.nodeName !== 'string' ||
	typeof elm.textContent !== 'string' ||
	typeof elm.removeChild !== 'function' ||
	!(elm.attributes instanceof NamedNodeMap) ||
	typeof elm.removeAttribute !== 'function' ||
	typeof elm.setAttribute !== 'function' ||
	typeof elm.namespaceURI !== 'string' ||
	typeof elm.insertBefore !== 'function'
	) {

Also, why does this still run when the SANITIZE_DOM config option is false? I was under the impression that setting SANITIZE_DOM to false disables any clobbering-related checks. Is that not the purpose of SANITIZE_DOM? If not, what's the purpose?

Lastly, is it strictly necessary to get the value of elm.textContent in order to ensure it isn't clobbered? The textContent getter is really relatively slow. For large node trees, sanitization can be very noticeably slow just because of that one check (which I know because I profiled it).

[cure53]

Heya, here you can find several example for attacks that this code will mitigate:

https://github.com/cure53/DOMPurify/blob/main/test/fixtures/expect.js#L126

[GrantGryczan]

Ah, that makes sense. But then shouldn't this only be called on form elements? Since nodeName could be clobbered, you could check for form elements via elm instanceof HTMLFormElement. Again, the textContent getter is relatively really expensive, especially for deep node trees, so running it on as few elements as possible would be ideal.

[cure53]

Hmmm, that might work! Wanna send over a PR? We will run some tests against it and see if that works :D

[cure53]

closing this for inactivity