File: modules/ROOT/partials/security/sanitizing-html-input-and-protecting-against-xss-attacks-dom-parser-and-dom-purify.adoc
Lines changed: 4 additions & 4 deletions
@@ -5,18 +5,18 @@ Previously, before HTML content was passed to {productname} 5.x, it was parsed u
5
5
6
6
The `SaxParser` API was developed in the then-absence of alternatives.
7
7
8
-
When this API’s validate setting was enabled —`validate: true` — `SaxParser` removed elements and attributes that did not fit the declared schema.
8
+
When this API's validate setting was enabled —`validate: true` — `SaxParser` removed elements and attributes that did not fit the declared schema.
9
9
10
10
And, over its lifetime, `SaxParser` was extended. For example, as of {productname} 5.9, the `SaxParser` API marked attributes with certain names or IDs as unsafe, because some names or IDs can cause the host browser to overwrite existing properties or functions.
11
11
12
-
For {productname} 6.0, however, this basic parser was removed and replaced with two significantly more thorough alternatives:
12
+
Since {productname} 6.0, this basic parser was removed and replaced with two significantly more thorough alternatives:
13
13
14
14
. the https://developer.mozilla.org/en-US/docs/Web/API/DOMParser[native browser API], `DOMParser()`; and
15
15
. the Free and Open Source _https://github.com/cure53/DOMPurify[XSS sanitizer for HTML, MathML and SVG]_, DOMPurify.
16
16
17
-
NOTE: {productname} uses DOMPurify 2.x, which was current at the time version 6 was developed.
17
+
NOTE: {productname} uses DOMPurify 2.x up to {productname} 6.7.3. This was updated to DOMPurify 3.x in {productname} 6.8, which was current at the time {productname} {productmajorversion} was developed.
18
18
19
-
Before HTML (or XML) content is passed to {productname} 6.x, the `DOMParser` API parses the HTML (or XML) string into a https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model[DOM object]. As part of this process, `DOMParser` attempts to correct malformed HTML.
19
+
Before HTML (or XML) content is passed to {productname} {productmajorversion}, the `DOMParser` API parses the HTML (or XML) string into a https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model[DOM object]. As part of this process, `DOMParser` attempts to correct malformed HTML.
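Review bot: the rewritten NOTE on the DOMPurify version ("{productname} uses DOMPurify 2.x up to {productname} 6.7.3. This was updated to DOMPurify 3.x in {productname} 6.8, which was current at the time {productname} {productmajorversion} was developed.") leaves the mapping ambiguous: "which was current" can be read as referring to {productname} 6.8 rather than to DOMPurify 3.x, and readers come to this page precisely to learn which sanitizer major version a given release bundles. State the ranges explicitly, for example "{productname} 6.0 to 6.7.3 bundle DOMPurify 2.x; {productname} 6.8 and later bundle DOMPurify 3.x, the current major version when {productname} {productmajorversion} was developed." Two smaller points in the same hunk: "Since {productname} 6.0, this basic parser was removed" pairs a duration with a one-time event, so either "In {productname} 6.0, this basic parser was removed" or "Since {productname} 6.0, this basic parser has been replaced with" reads correctly; and the final sentence says `DOMParser` "attempts to correct malformed HTML" immediately after describing XML input as well, so if the XML path is handled differently it is worth saying so here rather than letting readers assume XML is repaired too.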