Open Source Spotlight: DOMpurify with Mario Heiderich

Featured in this edition of Spotlight is Dr.-Ing. Mario Heiderich, creator of DOMPurify, an XSS sanitizer for HTML.

Dr.-Ing. Mario is a security researcher from Berlin, and leads the Cure53 company. He likes to pester peaceful attendees on various 5th-tier conferences with his hastily-assembled slide decks.

How would you ELI5 (explain like I’m 5) your project?

Websites are usually made out of HTML code, and sometimes, a website wants its users to contribute HTML that they can fully control. For example, blog comments, mails shown in the browser or Wiki page, or even copying a bit of text from a Word document into a rich text editor.

That user-contributed HTML can potentially contain risky elements that steal passwords or do comparably bad things. Website owners want to prevent that (of course), and to do so, can use our library.

We take a string of HTML, make sure everything that is commonly known as bad is removed and ensure only the good remains. This process is called sanitization, and we maintain a sanitizer library called DOMPurify.

Since not everyone agrees about what good and bad mean for security, we allow developers to configure what to remove and how. For us, by default, bad means XSS and DOM clobbering—two attacks that are not uncommon. We aim to prevent them with our library, no matter what.

What do you have in mind for the short-term and long-term future of DOMPurify?

As little as possible. Features are the worst, no?!

A sanitizer needs to be robust, reliable, fast—and last but not least—secure. We try to avoid complexity, implement as few new features as possible and aim to deliver stable sanitization results for both new and old-yet-still-present browsers.

So, our long-term road map contains exactly nothing whatsoever.

New features only get implemented if requested by users and evaluated as reasonable by us. The less we do in terms of feature additions, the more security and stability we can offer.

How do you plan out your work? What’s your style of preparation?

Most of the time, we wait and listen to the XSS community and the stream of things happening there.

If anyone finds a bypass or weakness in our library, we need fix it ASAP, even if that means weekend work or night shifts (it happened just a few weeks ago, in Autumn 2019).

Then, we need to run tests, make sure our fixes work as expected and squeeze out a release, announce it on the mailing list, tweet and get the word out.

Then, hopefully, developers update to the latest release, an advisory gets issued and after that, folks are safe from this bypass or weakness —and no one has their accounts stolen by XSS.

What kept you motivated to work over the years? What keeps your passion alive?

The idea that someone just has to do it, or else :)

The initial motivation was to create a tool that hasn't been created before and is better than available tools. Someone said on Twitter that a DOM-based sanitizer could not be created, so we said "hold my beer", and DOMPurify was born.

Over the subsequent months, the software matured and is now one of the most popular DOM-based sanitizers out there. NPM counts more than a million downloads per month, which is almost scary.

We believe that security checks cannot always be done on the server. How would the server know what crazy browser bugs are present in IE, Edge or Safari? And if it doesn't know, how will it deliver protection?

Traditionally, HTML sanitizers were run on the server (and often still are). This causes problems such as bypasses, crippled HTML and DoS. We solved many of these problems in DOMPurify—without adding new ones.

What is the one thing new developers need to learn?

Don't trust your users, don't trust the browser, don't trust anyone but yourself when it comes to security in development.

Don't see security as a word that means the same for everyone. Define what it means for you and your projects. Work on a threat model and hardening plan accordingly.

Then, at some point, security will become a valued partner during your development cycles, and not be a nuisance any longer—everyone wins.

How important is it for you to ensure quality? How do you ensure it?

Very, very important—for the reasons mentioned above.

We have a very comprehensive test suite. We make use of BrowserStack to cover all relevant browsers. We sign our commits—there is only one person and two computers who can in fact commit—nothing is accessible without 2FA and strong passphrases. We review every single commit and PR very carefully.

We know that if we ship a buggy version, many people will be prone to XSS attacks. More than some might imagine. We're talking hundreds of millions, according to calculations. So we need to keep a very close eye on the code and the attack-surface around it.

What do you think is the best way for developers to network? What social media networks do you frequent?

Personally, I try to avoid social media—having realized after several years of using it that, aside from feeding habits, addictions and FOMO, they have little to no use. They are not here for you, you are here for them.

From what I can see, the more interesting and valuable conversations happen in other venues anyway. Why waste time fighting someone's opinion on Twitter and getting upset about it in real-life?

How has being involved in open source changed your life?

Not much, if at all. My first open source project was PHPIDS, which is maintained by someone else. I started that project more than ten years ago.

Aside from increased coding sessions and night shifts, my life didn't change much with open source authorship.

Was there any technology you found hard to learn/understand at first?

Yes, regular expressions, PCRE style.

At first, they read like magic spells to me. Only after forcing myself to learn them and become fluent in writing and reading them, were the mysteries lifted. While it took me a good couple of weeks to master them, it really was worth every second spent. Knowing regular expressions is an extremely useful trait—in both software development and information security.

Check out DOMPurify on Github

We ❤️ open source. Fill out this form to get free, lifelong access to BrowserStack for your project's testing needs.

(Responses are edited for clarity).

Recommended reading