Old iOS: getParentNode is not a function

[pager-itc]

On iOS 9 Safari DOMPurify.sanitize throws this error message (tested on iPhone 6S on BrowserStack, and physical iPad Mini 1 - iOS 9.3.5)

getParentNode is not a function. (In 'getParentNode(element)', 'getParentNode' is null)

On iOS 7 & 8 Safari (iPhone 5S & iPhone 6, BrowserStack)

null is not a function (evaluating 'getParentNode(element)')

Even in the most simple setup like below

<html>
<head>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/2.2.6/purify.js"></script>
  <script src="./index.js" defer></script>
</head>
<body>
  <div id="test"></div>
</body>
</html>

// index.js
const el = document.getElementById('test');
try {
  el.innerHTML = DOMPurify.sanitize('<div>Test</div>');
} catch (er) {
  el.innerText = er.message;
}

Transpiling with babel doesn't fix the issue.

The readme says that old browsers at the very least should do nothing. The isSupported property is true despite the error.

[cure53]

Ooof, you are right, while Safari 9 is not supported, we should not expose isSupported as true.

@securitum-mb do you have any idea how we can detect unsupported Safari?

[securityMB]

@cure53 My first thought is to check whether getParentNode is a function. If it doesn't, then the browser is not supported.

On the other hand (but unfortunately I don't have time to do it right now), maybe the clobbering protection as implemented was not the best idea. The implementation in Closure is slightly different and maybe a good place to start.

[cure53]

@pager-itc As far as I can see, this workaround should do.

  /**
   * Expose whether this browser supports running the full DOMPurify.
   */
  DOMPurify.isSupported =
    typeof getParentNode === 'function' &&
    implementation &&
    typeof implementation.createHTMLDocument !== 'undefined' &&
    documentMode !== 9;

It works as expected on our Safari 9 instance, canm you confirm that this does the trick for you and correctly sets isSupported?

[pager-itc]

Can confirm; with that workaround there is no error, dompurify just returns the original HTML string as it was provided for the old Safari browsers and sanitizes as normal in Chrome and Firefox on my desktop.

[cure53]

Cool, let me push that fix to main and see what the remaining test cases say.

[ghost]

Hey @cure53 @securityMB. Please check #514. It seems the issue of nullable getParentNode was fixed there. Please chekd the latest updates in the main branch if it works in your case

[cure53]

Aye, this one mostly addresses the faulty result for isSupported