From 6e240ec508d26ec1c8075fb4d561ba13c89c2f32 Mon Sep 17 00:00:00 2001 From: Illia Kyselov Date: Thu, 25 Apr 2024 16:22:07 +0300 Subject: [PATCH] docs: correct hook name and remove misleading comment --- README.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index bd9da1252..7a131e843 100644 --- a/README.md +++ b/README.md @@ -73,7 +73,7 @@ After sanitizing your markup, you can also have a look at the property `DOMPurif DOMPurify technically also works server-side with Node.js. Our support strives to follow the [Node.js release cycle](https://nodejs.org/en/about/releases/). -Running DOMPurify on the server requires a DOM to be present, which is probably no surprise. Usually, [jsdom](https://github.com/jsdom/jsdom) is the tool of choice and we **strongly recommend** to use the latest version of _jsdom_. +Running DOMPurify on the server requires a DOM to be present, which is probably no surprise. Usually, [jsdom](https://github.com/jsdom/jsdom) is the tool of choice and we **strongly recommend** to use the latest version of _jsdom_. Why? Because older versions of _jsdom_ are known to be buggy in ways that result in XSS _even if_ DOMPurify does everything 100% correctly. There are **known attack vectors** in, e.g. _jsdom v19.0.0_ that are fixed in _jsdom v20.0.0_ - and we really recommend to keep _jsdom_ up to date because of that. @@ -369,11 +369,10 @@ _Example_: ```js DOMPurify.addHook( - 'beforeSanitizeElements', + 'uponSanitizeAttribute', function (currentNode, hookEvent, config) { - // Do something with the current node and return it - // You can also mutate hookEvent (i.e. set hookEvent.forceKeepAttr = true) - return currentNode; + // Do something with the current node + // You can also mutate hookEvent for current node (i.e. set hookEvent.forceKeepAttr = true) } ); ```
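Review bot: the first hunk (README.md @@ -73,7 +73,7 @@) removes and re-adds the "Running DOMPurify on the server requires a DOM to be present" paragraph with no visible wording difference, so it is a whitespace-only change (most likely trailing whitespace) that the commit message "correct hook name and remove misleading comment" does not mention. Either drop this hunk so the patch stays scoped to the documented fix, or add a line to the commit message noting the whitespace cleanup so reviewers do not have to diff the two lines character by character.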
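Review bot: in the second hunk (README.md @@ -369,11 +369,10 @@) the new comment "You can also mutate hookEvent for current node (i.e. set hookEvent.forceKeepAttr = true)" is the one place the example shows a security-relevant override, and it reads as if it applies to the node rather than to the single attribute the 'uponSanitizeAttribute' hook is invoked for. Suggest tightening it to "You can also mutate hookEvent for the current attribute (e.g. set hookEvent.forceKeepAttr = true to keep an attribute DOMPurify would otherwise remove)" so a reader copying the snippet understands that an unconditional forceKeepAttr = true bypasses attribute sanitization for every attribute, not just one. The switch from "i.e." to "e.g." also matters, since forceKeepAttr is one example of a mutation, not the definition of it. Dropping "return currentNode;" is consistent with the new comment, which no longer tells the reader to return the node.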