JSanity strips out text-decoration on Chrome 57+ and Firefox 36+
After those versions, the browsers switched text-decoration to be a shorthand for:

• text-decoration-line
• text-decoration-style
• text-decoration-color
• text-decoration-thickness

The sanitizer works by reading the computed values, so it sees these new properties, doesn't recognize them, and sets them to null.
Depending on the browser, this affects the shorthand property text-decoration differently, but in effect, it removes the property.

See also: https://developer.mozilla.org/en-US/docs/Web/CSS/text-decoration

"list" attribute of "input" is not whitelisted - ref: https://www.w3schools.com/tags/att_input_list.asp
This is not a "dangerous" attribute type.

Here is the vector:

<form name="body" onmouseover="alert(1)" style="height:800px"><fieldset name="attributes"><form></form><form name="parentNode"><img id="attributes"></form></fieldset></form>

some more vectors can be seen here: http://www.thespanner.co.uk/2012/06/05/jslr/

The above payload was by @cgvwzq – Pepe Vila to bypass JSLR (Gareth Heyes' old toy)

There is no way how to opt-out an attribute from sanitation. Ideally there should be a way like

attributeCallout(elementName, attributeName, attributeValue)

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

Hi all,

it appears that jSanity can be bypassed using multiple techniques. We have not yet sorted out which ones - but the bypassed reproduce cleanly when using the DOMPurify test cases.

Steps to reproduce:

• Visit jSanity demo: http://jsanity.azurewebsites.net/jsanity-demo-pretty.htm
• Copy HTML from DOMPurify test-cases: https://cure53.de/purify
• Paste into jSanity demo-textarea, then click "Sanitize!"
• Watch multiple alerts pop up

Strangely, we don't see any errors on the console, so we are not sure yet what causes the problem. Please let us know if this description is sufficient for you or if we should have a closer look together.

Additional Info:

• The issue appears to only reproduce on Firefox
• The issue might be caused by this line: https://github.com/Microsoft/JSanity/blob/master/jsanity-0.2.js#L870
• The assumed core problem is described here: https://github.com/cure53/DOMPurify/releases/tag/0.6.7

I realize that picture is not in HTML5 but rather was proposed after it was finished, but it is implemented in many browsers, it is on a standards track, and it is as harmless as the img and source elements it's based around.

I also wonder what you think about allowing a couple old and nonstandard but still harmless elements: blink and marquee (even though I am aware that no modern browser even supports blink anymore).

Breaking out two issues from Koto (second comment in issue #5) to track separately:

var in Object will let through prototype properties:

<constructor desc="element name bypass, harmless" constructor="same here">
<b style="constructor: url(//do-stuff.harmless-now)">a</b>

HTML comments should not be let through, otherwise mXSS via e.g. document.createComment('--><script>alert(1)</script>')

Another bypass was spotted based on the mutations caused by the default jSanity behavior exposed on the demo. Affected browsers are MSIE <= 11 when running in older document modes.

Example Input:

<p style="font-family:'\22\3b\62\65havior:url(/callback.json?cb=<scriptlet>...</scriptlet>)\3b'">123

Resulting Output:

<span><p style='font-family: "";behavior:url(/callback.json?cb=<scriptlet>...</scriptlet>);";'>123</p></span>

This attack can be carried out, in case the attacker has control over another same-domain resource that would be served as JSON, image, XML or anything else that wouldn't render as a document.

Example Attack:
http://innerht.ml/challenges/kcal.pw/puzzle5.php/?name=%3Cmeta%20http-equiv=x-ua-compatible%20content=ie=5%20{}*{behavior:url%28%27http://innerht.ml/challenges/kcal.pw/styles.php?data=%253CSCRIPTLET%253E%2520%253CIMPLEMENTS%2520Type%253D%2522Behavior%2522%253E%253C%252FIMPLEMENTS%253E%2520%253CSCRIPT%2520Language%253D%2522javascript%2522%253Ealert%25281%2529%253C%252FSCRIPT%253E%2520%253C%252FSCRIPTLET%253E%27%29}

Note that DOMPurify protects itself against these kinds of attacks by falling back to use toStaticHTML in dangerous document modes. It might be recommendable for jSanity to do this as well:

https://github.com/cure53/DOMPurify/blob/master/src/purify.js#L632