Do I need to use DOMPurify library to sanitize my Strapi data?

Hi, I have a Blog-post content type in Strapi and one of the fields is of the JSON data type.

I am feeding this JSON to a script tag on the frontend using the dangerouslySetInnerHTML attribute.

I have read online that the dangerouslySetInnerHTML attribute makes the website vulnerable to XSS attacks. So, I need to sanitize the HTML first and then feed it to the script tag. Probably, I can use the DOMPurify library to sanitize the data.

My question is: do I need to sanitize the data if all the content is being written either by myself or by my trusted authors who have access to Strapi?

Blog visitors are not allowed to post any type of content or comments.

P.S: I am using NextJS on the frontend.

Why don’t you add that JSON to the window object? And then in your script access it with window.your_json
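An added example, not code from this thread: with JSON written into a script tag, the risk is not HTML inside the values (what DOMPurify handles) but a string value that ends the script element early, so the JSON has to be escaped for a script context before the window-object approach above is safe. The names `sampleJson`, `safeJsonForScript`, `safeScriptBody` and the sample data are assumptions for this illustration.

```javascript
// Constructed sample of what a Strapi JSON field might hold, including a
// value that would close the <script> element early if embedded verbatim.
const sampleJson = {
  title: 'Hello',
  body: 'text </script><b>bold</b> more',
  line: 'ends with a line separator\u2028here',
};

// Characters that must not appear raw inside a <script> body: < > & (they can
// form </script> or comment sequences) and U+2028/U+2029, which JavaScript
// treats as line terminators although JSON does not.
const ESCAPES = {
  '<': '\\u003c',
  '>': '\\u003e',
  '&': '\\u0026',
  '\u2028': '\\u2028',
  '\u2029': '\\u2029',
};

// JSON.stringify output stays valid JavaScript (and valid JSON) after these
// characters are replaced with \uXXXX escapes; the parsed value is unchanged.
function safeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Naive form: what `window.postData = ${JSON.stringify(data)}` passed to
// dangerouslySetInnerHTML would emit.
function naiveScriptBody(value) {
  return `window.postData = ${JSON.stringify(value)};`;
}

// Hardened form for the "put it on window" approach, e.g. in Next.js:
// <script dangerouslySetInnerHTML={{ __html: safeScriptBody(data) }} />
function safeScriptBody(value) {
  return `window.postData = ${safeJsonForScript(value)};`;
}

// An HTML parser ends the script element at the first "</script" it sees,
// regardless of JavaScript string quoting, so this is the check that matters.
function containsScriptBreakout(scriptBody) {
  return /<\/script/i.test(scriptBody);
}

// Round trip: the escaped text parses back to the same data.
function roundTrips(value) {
  return JSON.stringify(JSON.parse(safeJsonForScript(value))) === JSON.stringify(value);
}
```

The same escaping is needed whether the data is assigned to `window` or read some other way; trusting the authors reduces the likelihood but not the mechanism, since any value containing `</script>` (for example a pasted code snippet in a post) triggers it.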

Hi sunnyson, thanks for your response.

To be honest, I didn’t know about this method earlier.

I will look further into it.

And when I have a working solution ready, I will post it here in this thread to help future readers.