sanitize-html VS DOMPurify

One thing to watch out for is that the content of each reply is HTML. To be safe (paranoid), I'm running the HTML through sanitize-html to make sure nobody can inject sketchy HTML into my site.

Don't forget to sanitize your HTML using https://github.com/apostrophecms/sanitize-html or upcoming feature: https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API because https://nimb.ws/leTXDt

Vue does not have as much support for Vue as there is for React. Examples are markdown-it, Remark.js, marked.js. But hopefully in the future, there should be more support, and after much research, I picked marked.js because it has the most stars and has zero vulnerability. Marked does not sanitize (meaning it does not secure HTML documents from attacks like cross-site scripting (XSS) ) marked output HTML as that feature is deprecated and has vulnerability but however, it supports the use of other libraries to secure output HTML such as DOMPurify (recommended), sanitize-html or insane.

If you're using an external view engine, or a javascript framework like react in addition to your ruby backend, you can rely on similar sanitization methods like the DOMPurify library.

You shouldn't roll your own for this. From what I've had to do web-wise, here's a few tools.

First, for the APIs, you need documentation: https://swagger.io/

From which you can generate JSON schemas and use those to validate in the browser and on the backend. https://www.npmjs.com/package/jsonschema

As well you should be writing a few more schemas for your application state and leverage the regex validation of your input components...

Speaking of which, you also need to sanitize out some potentially nasty input. https://www.npmjs.com/package/dompurify

Obviously this isn't everything and not perfect, but a lot of this tedium can be automated away if you have a few good examples of the happy path and some basic tests in place to prevent quick and dirty changes from poking holes in these layers.

Use DOMPUrify. That plus dangerouslySetInnerHTML and you're good to go.

element. Note that using dangerouslySetInnerHTML may leave your site vulnerable to XSS attacks. In order to mitigate this risk, we need to sanitize the HTML before we inject it. We'll use DOMPurify for that task. import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; class UserProfile extends Component { constructor (props) { super(props); } render () { const { userId, name, skills = [] } = this.props; return ( {name} ({userId}) Skills {skills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode To recap, our process is: Parse the skill description markdown to HTML Sanitize the HTML Inject the HTML into a element If we think through this process in the context of the component render cycle, we can see how it could have a negative effect on performance: Perform two potentially expensive tasks in series (markdown parsing and HTML sanitization) Perform those tasks in a loop, which is also executed in series Repeat every time the component renders We can't do much about the first and second issues — we have to parse the markdown, sanitize the resulting HTML and render it — but we can avoid the third issue. Why render if nothing has changed? Here is an updated version of the previous example that uses shouldComponentUpdate to block the component from rendering unless the userId prop has changed: import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; class UserProfile extends Component { constructor (props) { super(props); } shouldComponentUpdate (nextProps) { return nextProps.userId !== this.props.userId; } render () { const { userId, name, skills = [] } = this.props; return ( {name} ({userId}) Skills {skills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode We're comparing the userId prop because it's a simple equality comparison that will tell us when the user has changed. You might be tempted to try to perform a deep equality comparison of the skills array instead, but that will likely create a worse performance issue than the one we're trying to solve. shouldComponentUpdate is intended to be used for performance optimization but should be used carefully and sparingly. Blocking a component from rendering can cause bugs in descendant components that can be difficult to fix, and there are usually better ways to improve performance. Reducing the rendering workload In the previous example, we tried to mitigate a potential performance problem by blocking a component from rendering. That was the wrong solution to take because it didn't address the real problem. The real problem isn't that we're allowing the component to render when it doesn't have to, it's that we're doing too much work in the render cycle. Therefore, the correct solution is not to block rendering entirely, but to reduce the amount of work we do while rendering. Option 1: Store preprocessed data on state One way of reducing the workload is to run the expensive process only when inputs change and store the results on state. This is simple and doesn't interfere with the render cycle. It works equally well in both class and functional components. Class component The following example updates our previous examples to preprocess the user's skills and store them on state, instead of reading directly from props in the render cycle. The preprocessing logic has been moved into the processSkills function, which is called in two places: componentDidMount, where it will run before the initial render; and componentDidUpdate, where it will run when the value of the userId prop changes. If the component renders for any other reason, it will continue to use the preprocessed data from state at no additional cost. import React, { Component } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; class UserProfile extends Component { constructor (props) { super(props); this.state = { processedSkills: [], }; } componentDidMount () { this.setState({ processedSkills: processSkills(this.props.skills), }); } componentDidUpdate (prevProps) { if (this.props.userId !== prevProps.userId) { this.setState({ processedSkills: processSkills(this.props.skills), }); } } render () { const { userId, name } = this.props; const { processedSkills = [] } = this.state; return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } } Enter fullscreen mode Exit fullscreen mode Functional component (hooks) The functional component produces the same result as the class component, but is more concise. The useEffect hook calls processSkills with the skills array from props when the value of the userId prop changes. The resulting array is stored on state and used to render the skills list. import React, { useState, useEffect } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; const UserProfile = (props) => { const { userId, name, skills = [] } = this.props; const [ processedSkills, setProcessedSkills ] = useState([]); useEffect( () => setProcessedSkills(processSkills(skills)), [userId] ); return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } Enter fullscreen mode Exit fullscreen mode Option 2: Memoize preprocessed data Another option is to memoize (not memorize) the results of the process. Memoization is a form of in-memory caching. We're only going to discuss this in the context of functional components where we can use the useMemo hook provided by React, but you may be able to achieve similar results in a class component using a third-party helper. In this example, the useMemo hook is called on every render. On the initial render and any time the userId prop is updated, useMemo returns the result of calling processSkills with the skills array. If the userId prop hasn't changed since the last render, useMemo returns the previously cached result. import React, { useMemo } from 'react'; import marked from 'marked'; import * as DOMPurify from 'dompurify'; const processSkills = (skills = []) => { return skills.map((skill) => ({ ...skill, htmlDescription: DOMPurify.sanitize(marked.parse(skill.description)), })); }; const UserProfile = (props) => { const { userId, name, skills = [] } = this.props; const processedSkills = useMemo( () => processSkills(skills), [userId] ); return ( {name} ({userId}) Skills {processedSkills.map((skill) => ( {skill.name} ))} ); } Enter fullscreen mode Exit fullscreen mode Which option should I choose? If you're working with class components, I suggest preprocessing and storing data on state unless you think you have a strong use case for integrating a memoization helper (e.g. you need memoization throughout your app, not just in one or two places). In functional components, memoization offers the same benefit as preprocessing and storing the result on state without having to maintain state. However, it isn't guaranteed to be predictable. From the React docs: You may rely on useMemo as a performance optimization, not as a semantic guarantee. In the future, React may choose to “forget” some previously memoized values and recalculate them on next render, e.g. to free memory for offscreen components. Write your code so that it still works without useMemo — and then add it to optimize performance. Storing data on state may be a better choice if the predictability of your performance optimizations is critical to your application. In many, if not most cases it won't be critical, and memoization will likely be the cleanest and simplest way to improve render performance.

Coupled with DOMPurify [0], it helps much to simplify the messy JavaScript, HTML. Yin [1] has book on that.

[0]:https://github.com/cure53/DOMPurify

You need to install dompurify. DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML and SVG. This is the optional step.

I'm assuming JavaScript (or TypeScript) is the desired language here as you're using React. DOMPurify would work client-side and also with Nodejs if you have a JS backend that you use to to interact with Postgres (which would naturally be safer place to handle the sanitation compared to client-side). To be extra cautious, sanitising the user input both when writing and printing would be done

https://www.npmjs.com/package/dompurify or similar libraries can actually do the escaping themselves, but you will be able to set what tags you allow or what not to allow. The list of allowed tags needs to be similar to what you allow in the CKEditor. By using this library to sanitize the input, you will be able to actually use dangerouslySetHtml without issues

DOMPurify

DOMPurify [Apache 2.0] or [Mozilla 2.0] https://cure53.de/purify