How to use DOMPurify in your Zimlet for XSS sanitizing

Cross-Site Scripting (XSS) attacks are a type of injection attack, in which malicious scripts are injected into otherwise benign and trusted websites. In case you are developing a Zimlet you should not trust any form of user input. If you integrate 3rd party services via your Zimlet, you probably also want to sanitize any data you receive from that 3rd party application.

Zimbra Modern UI includes DOMPurify that you can use in your Zimlet for your XSS sanitizing needs. Here is a basic example:

//Load components from Zimbra
import { createElement } from "preact";
import dompurify from 'dompurify';

//Create function by Zimbra convention
export default function Zimlet(context) {
    const { plugins } = context;
    const exports = {};

    exports.init = function init() {
        let clean = dompurify.sanitize('<b>hello there</b>');
        console.log(clean); //prints: <b>hello there</b>
        clean = dompurify.sanitize('<img src=x onerror=alert(1)//>');
        console.log(clean);//prints: <img src="x">

    return exports;

Further reading:

, ,

Comments are closed.

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures