abhaybhargav · February 16, 2020 03:21
diff --git a/dompurify-example.html b/dompurify-example.html
 <html>
    <head>
        <title>Output Escaping Demo</title>
        <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.0.8/purify.min.js"></script>
    </head>
    <body>
        <script>
            //Filter for Anchor HREF
            var dirtyHref = 'javascript:alert(1)';
            var link = document.createElement('a');
            link.setAttribute('href', dirtyHref);
            link.innerText = "Click me if you want to live!";
            var cleanLink = DOMPurify.sanitize(link, {IN_PLACE: true});
            console.log(cleanLink);
            document.body.appendChild(cleanLink);

            //Filter for onmousedown event
            var dirtyJS = 'alert(1)';
            var para = document.createElement('p');
            para.setAttribute('onmousedown', dirtyJS);
            para.innerText = "I am a paragraph. Click on me!";
            var cleanPara = DOMPurify.sanitize(para, {IN_PLACE: true});
            console.log(cleanPara);
            document.body.appendChild(cleanPara);
        </script>
    </body>
 </html>
	<html>
	<head>
	<title>Output Escaping Demo</title>
	<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.0.8/purify.min.js"></script>
	</head>
	<body>
	<script>
	//Filter for Anchor HREF
	var dirtyHref = 'javascript:alert(1)';
	var link = document.createElement('a');
	link.setAttribute('href', dirtyHref);
	link.innerText = "Click me if you want to live!";
	var cleanLink = DOMPurify.sanitize(link, {IN_PLACE: true});
	console.log(cleanLink);
	document.body.appendChild(cleanLink);

	//Filter for onmousedown event
	var dirtyJS = 'alert(1)';
	var para = document.createElement('p');
	para.setAttribute('onmousedown', dirtyJS);
	para.innerText = "I am a paragraph. Click on me!";
	var cleanPara = DOMPurify.sanitize(para, {IN_PLACE: true});
	console.log(cleanPara);
	document.body.appendChild(cleanPara);
	</script>
	</body>
	</html>
No results found