- Bug
- Resolution: Fixed
- Blocker
- 10.0.0, 10.0.1, 10.0.1.1
- Security Level: Jean
2024-10-11 - Reopened: additional cases of DOMPurify failing with partial content (see comment)
2024-10-09 - Reopened: additional cases of DOMPurify failing with partial content:
https://zkfiddle.org/sample/342cc7c/2-domSanitze-errors-due-to-partial-html
Open the fiddle and search for the string:
onClick
current result:
All of the samples above allow an onClick="..." string to escape from a DOM attribute and register another attribute, such as a JS listener or others, which can be used as an XSS vector.
Expected result
Attributes are not escapable
Debug information
The core of the issue is that the DOMPurify library only works with full HTML elements.
A full element is either a full node or an implicit text node.
A series of attributes without an opening tag causes the DOMPurify library to incorrectly "fix" the single / double quotes, and as a result creates potential XSS scenarios.
DOMPurify is used in more locations than the ones reported in the current sample, and may still cause issues there.
Even if this sample string doesn't trigger the issue, since DOMPurify fails to correctly escape the attribute content in the scenario above, it is reasonable to expect that a well-crafted malicious string could be created for other cases with the same results.
2024-10-08 - Reopened: updated fiddle with reproducing case
https://zkfiddle.org/sample/1r8ig9m/2-dompurify-partial-html-updated
current result:
Using \" inside a style value transforms the " into a ' character instead of encoding it to &quot;.
If the string is delimited by single quotes, this allows the value to end the current single-quote delimited string and start another CSS rule.
Expected result
Style value cannot use \" to break out of a rule and create new unintended rules
Steps to Reproduce
Run fiddle
https://zkfiddle.org/sample/1r8ig9m/1-dompurify-partial-html
Current Result
The attribute cleanup fails for the 2nd row, causing tooltipText to spill into the DOM content.
Expected Result
Attribute content doesn't spill into the DOM content.
Debug Information
Caused by DOMPurify.sanitize incorrectly adding a closing double quote inside an existing attribute.
This happens on partial HTML content passed to DOMPurify.sanitize.
It doesn't happen on fully formed DOM element content.
Run in JS console as test samples:
DOMPurify.sanitize("<div id= title='<a href>'></div>")
> `<div href="" id="title='<a">'></div>`
The href word inside title is removed when it sits inside a fully formed outer div element.
DOMPurify.sanitize("<div id= title='<a foo>'></div>")
> `<div id="title='<a">'></div>`
The foo word inside title is removed when it sits inside a fully formed outer div element.
DOMPurify.sanitize("id= title='<a href>'")
> `id= title='<a href="">'</a>`
Attribute content is broken: href receives double quotes and the attribute breaks out into DOM content.
DOMPurify.sanitize("id= title='<a foo>'")
> "id= title='<a>'</a>"
Attribute content is broken, but it doesn't escape into DOM content.
Workaround
    <script><![CDATA[
    zk.afterLoad('zk', function() {
        var xzUtl = {};
        zk.override(zUtl, xzUtl, {
            // Extend the original encoder so '<' is also entity-encoded and
            // attribute content can never reopen a tag once it reaches the DOM
            encodeXMLAttribute : function() {
                var result = xzUtl.encodeXMLAttribute.apply(this, arguments);
                return result.replaceAll('<', '&lt;');
            }
        }); //zk.override
    }); //zk.afterLoad
    ]]></script>
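Added example, not code from this tracker entry, from ZK or from DOMPurify: a standalone attribute-value encoder of the kind the workaround above patches in, with a check that the reported sample shapes (partial markup in an attribute, a quote-breaking onClick, the \" style case) stay inside a single attribute once encoded. The function names and the constructed sample strings are assumptions of the example.

```javascript
// Added example, not code from the ZK tracker entry or from DOMPurify.
// An attribute value has to be entity-encoded, not HTML-sanitized: a
// fragment sanitizer parses "id= title='<a href>'" as markup and rewrites
// its quotes, while an encoder keeps every delimiter inert.
const ATTR_ESCAPES = { '&': '&amp;', '"': '&quot;', "'": '&#39;', '<': '&lt;', '>': '&gt;' };

// Encode the five characters that can end an attribute value, start a new
// attribute, or open a tag if the value ever reaches a text context.
function encodeAttributeValue(value) {
  return String(value).replace(/[&"'<>]/g, (ch) => ATTR_ESCAPES[ch]);
}

// Render a tag whose attribute values come from untrusted input.
// Attribute names are trusted here but still restricted to a safe pattern.
function renderElement(tag, attrs) {
  const parts = Object.entries(attrs).map(([name, value]) => {
    if (!/^[A-Za-z][A-Za-z0-9-]*$/.test(name)) throw new Error(`bad attribute name: ${name}`);
    return `${name}="${encodeAttributeValue(value)}"`;
  });
  return `<${tag} ${parts.join(' ')}></${tag}>`;
}

// Count name="..." pairs in a rendered start tag. For a tag built from
// encoded values this equals the number of attributes we set; a value
// that escaped its quotes would add a pair (e.g. an onClick listener).
function countAttributes(markup) {
  const startTag = markup.slice(0, markup.indexOf('>') + 1);
  return (startTag.match(/\s[A-Za-z][A-Za-z0-9-]*="[^"]*"/g) || []).length;
}

// Constructed inputs modelled on the shapes reported above (no payloads).
const SAMPLES = {
  partialMarkup: "id= title='<a href>'",   // the console sample
  quoteBreak: 'x" onClick="marker',        // would add a second attribute
  styleEscape: 'color:red\\" ; marker',    // the \" style case
};

// Render each sample as a title attribute and report how many attributes
// the resulting start tag actually carries (expected: exactly one).
function demo() {
  const out = {};
  for (const [label, value] of Object.entries(SAMPLES)) {
    const html = renderElement('div', { title: value });
    out[label] = { html, attributes: countAttributes(html) };
  }
  return out;
}

console.log(demo());
```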