
DOMPurify versions from 3.1.7 upwards strip the contents of foreignObject tags in svg data passed in #647


Open
matt-hoskins opened this issue Mar 31, 2025 · 1 comment

Comments

@matt-hoskins

matt-hoskins commented Mar 31, 2025

I have installed the node export server via npm:
npm install highcharts-export-server -g

On my server that pulled in a version of dompurify that's later than 3.1.5 (3.2.4 in fact) and during conversions by the export server the sanitize call made to dompurify for svg data is stripping the contents of foreignObject tags (the foreignObject tag remains, it's just empty).

It seems that versions of dompurify from 3.1.7 onwards will not allow HTML within foreignObject unless you add an additional option which was, I think, introduced in 3.2.0.

This issue with 3.1.7 onwards was reported by a user of Mermaid diagrams against DOMPurify and the change in 3.2.0 to be able to specify that e.g. foreignObject allow "HTML integrations" seemed to come in response to the issue report:
cure53/DOMPurify#1002

So the additional sanitize option needed with 3.2.0 onwards is:
HTML_INTEGRATION_POINTS: {'foreignobject': true}

If I modify sanitize.js in my local copy of node-export-server to add that additional option below the ADD_TAGS one then that resolves the problem.

I note that the package-lock.json file in MASTER in this node-export-server repository has dompurify 3.1.5 listed in it, but of course when installing via "npm install highcharts-export-server -g" that file is not included and the package.json just specifies "^3.1.5" for dompurify which, of course, versions 3.1.7 onwards (including 3.2.0 onwards) match.

@matt-hoskins
Author

Just to add some extra detail...

The changelog entry for DOMPurify 3.1.7 says:
"Removed the foreignObject element from the list of HTML entry-points, thanks @masatokinugawa"

And it was this commit that removed it from the list of default entry-points:
cure53/DOMPurify@4a9ec1f

This was the commit to 3.2.0 (which was the next version after 3.1.7) that added support for configurability of HTML entry-points (but isn't listed in the changelog and the README doesn't mention it in the examples):
cure53/DOMPurify@e4caa67

My own quick test shows that, as you'd hope, 3.2.x does sanitise the HTML within the foreignObject tag after adding the HTML_INTEGRATION_POINTS option to allow HTML within it.

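The following is an added worked example for the two comments above; it is not code from this issue, from node-export-server's sanitize.js, or from DOMPurify itself. It reproduces the reported behaviour end to end in Node: with `ADD_TAGS: ['foreignObject']` alone, DOMPurify 3.1.7+ keeps the `<foreignObject>` element but drops its HTML children; with `HTML_INTEGRATION_POINTS: {'foreignobject': true}` added (DOMPurify 3.2.0+), the children are kept and are still sanitised, so an injected `<script>` and an `onerror` handler do not survive. It needs `npm install dompurify jsdom` (jsdom supplies the DOM that DOMPurify requires in Node). The SVG input is constructed for this example, and the helper names `buildConfig`, `supportsIntegrationPoints`, `depsAvailable`, `sanitizeSvg` and `inspect` are this example's own, not library APIs; the only DOMPurify options used are `ADD_TAGS`, `HTML_INTEGRATION_POINTS` and the `version` property.

```javascript
'use strict';

// Added example for this issue; not code from node-export-server or DOMPurify.
// Needs: npm install dompurify jsdom (assumes dompurify >= 3.2.0 for the
// HTML_INTEGRATION_POINTS option). The function names below are this
// example's own, not library APIs.

// Constructed sample input: an SVG of the kind the export server sanitises,
// whose <foreignObject> holds a legitimate HTML label together with two
// injected payloads that must not survive sanitisation.
const SAMPLE_SVG = `<svg xmlns="http://www.w3.org/2000/svg" width="200" height="100">
  <foreignObject x="0" y="0" width="200" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml" style="color:#333">
      <b>Revenue</b> <span>(USD)</span>
      <img src="x" onerror="alert(1)">
      <script>alert(document.domain)</script>
    </div>
  </foreignObject>
</svg>`;

// Build the config handed to DOMPurify.sanitize(). ADD_TAGS mirrors what the
// export server already passes (foreignObject is not in DOMPurify's default
// allow-list); HTML_INTEGRATION_POINTS is the option from the issue. Keys
// are lowercase element names, as in the reporter's working config.
function buildConfig(allowHtmlInForeignObject) {
  const config = { ADD_TAGS: ['foreignObject'] };
  if (allowHtmlInForeignObject) {
    config.HTML_INTEGRATION_POINTS = { foreignobject: true };
  }
  return config;
}

// "^3.1.5" resolves to 3.1.7+, where foreignObject is no longer a default
// integration point, and the option that restores it only exists from 3.2.0.
// Use this to refuse to run against a DOMPurify that would silently ignore it.
function supportsIntegrationPoints(version) {
  const [major, minor] = String(version).split('.').map(Number);
  return major > 3 || (major === 3 && minor >= 2);
}

// True when both npm dependencies can be resolved from this script.
function depsAvailable() {
  try {
    require.resolve('dompurify');
    require.resolve('jsdom');
    return true;
  } catch (e) {
    return false;
  }
}

// Sanitise in Node, with jsdom supplying the DOM DOMPurify needs. Returns the
// sanitised markup plus the DOMPurify version npm actually installed.
function sanitizeSvg(svg, allowHtmlInForeignObject) {
  const { JSDOM } = require('jsdom');
  const createDOMPurify = require('dompurify');
  const purify = createDOMPurify(new JSDOM('').window);
  return {
    version: purify.version,
    output: purify.sanitize(svg, buildConfig(allowHtmlInForeignObject)),
  };
}

// Summarise what happened to the interesting parts of the input.
function inspect(output) {
  return {
    keepsForeignObject: /<foreignObject/i.test(output),
    keepsLabel: output.includes('<b>Revenue</b>'),
    hasScript: /<script/i.test(output),
    hasOnerror: /onerror=/i.test(output),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  if (!depsAvailable()) {
    console.error('run: npm install dompurify jsdom');
    process.exit(1);
  }
  for (const allow of [false, true]) {
    const { version, output } = sanitizeSvg(SAMPLE_SVG, allow);
    console.log(`DOMPurify ${version}, HTML_INTEGRATION_POINTS set: ${allow}`);
    console.log(output);
    console.log(inspect(output));
  }
}

if (typeof module !== 'undefined') {
  module.exports = { SAMPLE_SVG, buildConfig, supportsIntegrationPoints, depsAvailable, sanitizeSvg, inspect };
}
```

Run it with `node example.js`: the first pass shows the empty `<foreignObject>` described in the issue, the second shows the label retained while `<script>` and `onerror` are gone. The `supportsIntegrationPoints` check is there because the `^3.1.5` range in package.json can also resolve to 3.1.7, 3.1.8 or similar, where the option does not exist and is ignored rather than rejected.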