From d832abaa351ce78919501913b59dbb8a62875526 Mon Sep 17 00:00:00 2001
From: Andras Bacsai <5845193+andrasbacsai@users.noreply.github.com>
Date: Tue, 19 Aug 2025 18:54:16 +0200
Subject: [PATCH] fix(sanitization): enhance DOMPurify hook to remove Alpine.js directives for improved XSS protection
- Added logic to remove Alpine.js directives (x-*, @*, :*) from sanitized nodes to prevent potential XSS vulnerabilities.
- Maintained existing link sanitization to ensure safe handling of anchor elements.
---
 resources/views/layouts/base.blade.php | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/resources/views/layouts/base.blade.php b/resources/views/layouts/base.blade.php
index 2e1ba57e2..ebb134324 100644
--- a/resources/views/layouts/base.blade.php
+++ b/resources/views/layouts/base.blade.php
@@ -90,6 +90,26 @@
 // One-time hook registration (idempotent pattern)
 if (!window.__dpLinkHook) {
 DOMPurify.addHook('afterSanitizeAttributes', node => {
+ // Remove Alpine.js directives to prevent XSS
+ if (node.hasAttributes && node.hasAttributes()) {
+ const attrs = Array.from(node.attributes);
+ attrs.forEach(attr => {
+ // Remove x-* attributes (Alpine directives)
+ if (attr.name.startsWith('x-')) {
+ node.removeAttribute(attr.name);
+ }
+ // Remove @* attributes (Alpine event shorthand)
+ if (attr.name.startsWith('@')) {
+ node.removeAttribute(attr.name);
+ }
+ // Remove :* attributes (Alpine binding shorthand)
+ if (attr.name.startsWith(':')) {
+ node.removeAttribute(attr.name);
+ }
+ });
+ }
+
+ // Existing link sanitization
 if (node.nodeName === 'A' && node.hasAttribute('href')) {
 const href = node.getAttribute('href') || '';
 if (!URL_RE.test(href)) node.removeAttribute('href');
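Review bot: The three `startsWith` branches inside the `attrs.forEach` callback do the same thing and would read better as one predicate hoisted next to `URL_RE`, e.g. `const ALPINE_ATTR_RE = /^(x-|@|:)/;` and then `Array.from(node.attributes).filter(a => ALPINE_ATTR_RE.test(a.name)).forEach(a => node.removeAttribute(a.name));`. The prefix comparison is case-sensitive; for HTML input the parser lowercases attribute names so this holds, but if this sanitizer is ever run with an XML parser media type the names keep their case, so comparing `attr.name.toLowerCase()` would be the more conservative choice — worth confirming against the DOMPurify configuration used on this page. The guard is still named `__dpLinkHook` although the hook now strips Alpine directives too; a short comment such as `// Hook strips Alpine.js directives (x-*, @*, :*) and unsafe hrefs` on the registration line would keep that intent visible. The `addHook` callback and the `if (!window.__dpLinkHook)` block both continue past the end of the hunk.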