DOMPurify sanitizing issue

Question

For tracking purposes, we're setting the following value for the "trackingfeature" attribute in our JSP file: vm.put("trackingFeature", "aem:pagepreview") However, on page load, we’re seeing a warning that DOMPurify is sanitizing the "trackingfeature" attribute—most likely due to the colon (:) in the value. Is there any way to fix this issue—either by allowing colons in this specific attribute or by excluding "trackingfeature" from being sanitized?

giuseppebaglio · Accepted Answer

You can configure DOMPurify to allow the trackingfeature attribute while retaining its sanitization for other attributes.

// Configure DOMPurify to allow the "trackingfeature" attribute with colons
DOMPurify.sanitize(dirtyHTML, {
    ADD_ATTR: ['trackingfeature'], // Explicitly allow the "trackingfeature" attribute
    ALLOW_UNKNOWN_PROTOCOLS: true  // Allow unknown protocols like "aem:"
});

This configuration ensures that the trackingfeature attribute is not stripped out during sanitization, and it allows colons in the attribute value by enabling ALLOW_UNKNOWN_PROTOCOLS. However, be cautious when enabling ALLOW_UNKNOWN_PROTOCOLS, as it could introduce security risks if misused.

Alternatively, you can use a hook to bypass sanitization for this specific attribute:

DOMPurify.addHook('uponSanitizeAttribute', function(node, data) {
  if (data.attrName === 'trackingfeature') {
    data.forceKeepAttr = true;
  }
});

This approach should ensures that the trackingfeature attribute is preserved exactly as it is, without being modified or removed by DOMPurify.

aanchal-sikka · Answer

@user96222 Did you find the suggestions helpful? Please let us know if you require more information. Otherwise, please mark the answer as correct for posterity. If you've discovered a solution yourself, we would appreciate it if you could share it with the community. Thank you!

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded