DOMFortify
This page runs the real fortify.js
the way a site would: a CSP turns Trusted Types on, the library claims the realm's default policy, and the
deliberately-vulnerable code below is sanitized by the browser - unchanged.
// Search the source for: THE VULNERABILITY
function renderInnerHTML(value) {
out.innerHTML = value; // raw XSS sink, no sanitizer call
}
// Search the source for: THE FIX
What landed in the DOM (after the library)
Live DOM (this document - DOMFortify protected)
The real top-level document. Enforcement is on and the library is installed, so every write here goes through the sanitizer first - the whole point.
Child frame - a separate realm, DOMFortify installed into it too
DOMFortify guards only the realm it loads in, so a bare child frame is unprotected. Under an enforcing parent (common on a hardened site) an unprotected frame makes document.write throw - it wants a trusted value and finds no policy. The fix is the per-realm rule itself: install DOMFortify in the frame too, which the demo does here - so the write is sanitized by the frame's own policy.
checking...
Run a sink to see how it's handled.
Run an HTML sink to inspect what was stripped.
no events yet