I am using HTML5 templates for my UI, before I read the template and cache it, whenever required, I clone the template content and then render. So now, using DOMPurify, I would like to sanitize the template, but when I try to do this, DOMPurify does not return any content. It looks like DOMPurify is using DOMParser to parse the HTML string, which eventually adds the template to the head, and for sanitizing the content (text) DOMPurify only considers the body tag, which cannot contain any template, and nothing is returned. If we use WHOLE_DOCUMENT, we can get the template, but this should be supported even without the WHOLE_DOCUMENT flag. Can you please add support for parsing a standalone template?
Heya, I reviewed the issue - and it's the same problem as with, for example, style elements and other nodes that the browser automatically places in the header.
If DOMPurify starts working around that, we put ourselves into a very risky position. Likely, different browsers will do different things and we have to build code around that - which we don't want.
The way you already proposed looks best to me:
```js
// Specify dirty template
var dirty = '<template><script><\/script><b></b></template>';

// Clean template and return DOM fragment
var clean = DOMPurify.sanitize(dirty, {WHOLE_DOCUMENT: true, RETURN_DOM_FRAGMENT: true});

console.log(clean.querySelector('template'));
console.log(clean.querySelector('template').innerHTML);
```
So, this is a wontfix from our side - but I hope the proposed solution helps.
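A debugging aid for the empty-result case discussed in this thread, added here as an example and not part of DOMPurify or of either poster's code: it reports when an input string starts with an element that the HTML parser places in `<head>`, which is the case where a body-only sanitize returns nothing for it. The function names are hypothetical, the tag list is taken from the HTML parsing algorithm's "in head" insertion mode, and the check is a string heuristic for diagnostics only, not a sanitization step.

```javascript
// Elements the HTML parser inserts into <head> when they appear before any
// body content ("in head" insertion mode of the HTML parsing algorithm).
const HEAD_BOUND = new Set([
  'base', 'basefont', 'bgsound', 'link', 'meta', 'noframes',
  'noscript', 'script', 'style', 'template', 'title',
]);

// Hypothetical helper: returns the lower-cased name of the first element if
// the parser would move it to <head>, otherwise null.
function leadingHeadElement(html) {
  // Leading whitespace and comments do not start the body, so skip them.
  const rest = String(html).replace(/^(?:\s|<!--[\s\S]*?-->)+/, '');
  // Anything other than a start tag here (text, an unterminated comment)
  // means body content comes first, or the input is not a plain fragment.
  const m = /^<([a-zA-Z][a-zA-Z0-9]*)/.exec(rest);
  if (!m) return null;
  const name = m[1].toLowerCase();
  return HEAD_BOUND.has(name) ? name : null;
}

// Hypothetical helper: a message to log next to an unexpectedly empty
// sanitize result, or null when head placement is not the explanation.
function headPlacementWarning(html) {
  const name = leadingHeadElement(html);
  if (name === null) return null;
  return 'input starts with <' + name + '>, which the parser places in ' +
    '<head>; a body-only sanitize drops it, so pass WHOLE_DOCUMENT: true';
}

// Constructed sample inputs.
console.log(headPlacementWarning('<template><b></b></template>'));
console.log(headPlacementWarning('<b>x</b><template></template>')); // null
```

Once body content has started, a later `<template>` stays in the body, which is why the second sample produces no warning.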