dave/coolify
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

fix(sanitization): enhance DOMPurify hook to remove Alpine.js directives for improved XSS protection

Browse Source 
- Added logic to remove Alpine.js directives (x-*, @*, :*) from sanitized nodes to prevent potential XSS vulnerabilities.
- Maintained existing link sanitization to ensure safe handling of anchor elements.
This commit is contained in:
Andras Bacsai
2025-08-19 18:54:16 +02:00
parent 46440f2f8a
commit d832abaa35
1 changed files with 20 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
resources/views/layouts/base.blade.php
View File

@@ -90,6 +90,26 @@
// One-time hook registration (idempotent pattern) // One-time hook registration (idempotent pattern)
if (!window.__dpLinkHook) { if (!window.__dpLinkHook) {
DOMPurify.addHook('afterSanitizeAttributes', node => { DOMPurify.addHook('afterSanitizeAttributes', node => {
// Remove Alpine.js directives to prevent XSS
if (node.hasAttributes && node.hasAttributes()) {
const attrs = Array.from(node.attributes);
attrs.forEach(attr => {
// Remove x-* attributes (Alpine directives)
if (attr.name.startsWith('x-')) {
node.removeAttribute(attr.name);
}
// Remove @* attributes (Alpine event shorthand)
if (attr.name.startsWith('@')) {
node.removeAttribute(attr.name);
}
// Remove :* attributes (Alpine binding shorthand)
if (attr.name.startsWith(':')) {
node.removeAttribute(attr.name);
}
});
}
// Existing link sanitization
if (node.nodeName === 'A' && node.hasAttribute('href')) { if (node.nodeName === 'A' && node.hasAttribute('href')) {
const href = node.getAttribute('href') || ''; const href = node.getAttribute('href') || '';
if (!URL_RE.test(href)) node.removeAttribute('href'); if (!URL_RE.test(href)) node.removeAttribute('href');