Merge pull request #11 from ericcornelissen/patch-1
Update "Namespace Isolation" pattern description
SoheilKhodayari authored Nov 7, 2024
2 parents dd747e8 + d36b9af commit a754155
Showing 1 changed file with 2 additions and 3 deletions.
5 changes: 2 additions & 3 deletions domc_wiki/indicators/patterns.md
Expand Up @@ -49,7 +49,6 @@ Properties of `document` can always be overwritten by DOM Clobbering, even immed

### Namespace Isolation

While robust sanitizers may remove [named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties), an alternative solution is to separate the namespace of variables defined by JavaScript code and named properties in user-generated markups. For example, the markdown to HTML converter of source code version control applications often prefix `id` and `name` attribute values of user-generated markup with a specific string. Motivated by this solution, one can monitor runtime changes in the DOM tree via the [MutationObserver API](https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver), and prefix named properties of all dynamically inserted markups before adding them to the tree, which patches all aforementioned vulnerable patterns.


While robust sanitizers may remove [named properties](https://webidl.spec.whatwg.org/#dfn-support-named-properties), an alternative solution is to separate the namespace of variables defined by JavaScript code and named properties in user-generated markups. For example, the markdown to HTML converter of source code version control applications often prefix `id` and `name` attribute values of user-generated markup with a specific string. If you use [DOMPurify](https://cure53.de/purify) you can use the [`SANITIZE_NAMED_PROPS`](https://github.com/cure53/DOMPurify/pull/710) option to automatically namespace `id`s and `name`s.

Alternatively, one can monitor runtime changes in the DOM tree via the [MutationObserver API](https://developer.mozilla.org/en-US/docs/Web/API/MutationObserver), and prefix named properties of all dynamically inserted markups before adding them to the tree like [@weizman/shield](https://weizmangal.com/shield/) does. This provides some protections provided you can ensure it is run first, but you need to be careful when dynamically inserting HTML because it can temporarily cause clobbering. Also, some newer `<iframe>`-based clobbering techniques might be able to sidestep it.
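
Review bot: In the added "Alternatively, ..." paragraph, the phrase "prefix named properties of all dynamically inserted markups before adding them to the tree" is carried over from the removed text but contradicts the caveat that follows it, which says dynamically inserted HTML "can temporarily cause clobbering". If the prefixing happens in reaction to an observed change, the markup is already in the tree for a short window, so I would reword to something like "prefix named properties of dynamically inserted markup as soon as it is added to the tree" and say explicitly that code reading a clobberable name during that window is still exposed. Two smaller points in the same paragraph: the claim about newer `<iframe>`-based clobbering techniques has no link while the other claims in this section do, so a reference would let readers check which techniques are meant; and "provides some protections provided" repeats itself, where "offers some protection as long as it runs first" reads better. In the DOMPurify sentence, the `SANITIZE_NAMED_PROPS` link points at a pull request rather than the option's documentation, and the sentence does not say what prefix is applied to `id` and `name` values.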
