Skip to content

Instantly share code, notes, and snippets.

@LiveOverflow
Created April 7, 2019 10:35
Show Gist options
  • Save LiveOverflow/dd3d09d17c8fc0460c7e9a337b501331 to your computer and use it in GitHub Desktop.
Save LiveOverflow/dd3d09d17c8fc0460c7e9a337b501331 to your computer and use it in GitHub Desktop.
Fuzz innerHTML vs. DOMParser
<html>
<body>
<script>
const tags = ["a", "abbr", "address", "area", "article", "aside", "audio", "b", "base", "bdi", "bdo", "blockquote", "body", "br", "button", "canvas", "caption", "cite", "code", "col", "colgroup", "data", "datalist", "dd", "del", "details", "dfn", "dialog", "div", "dl", "dt", "em", "embed", "fieldset", "figcaption", "figure", "footer", "form", "h1", "h2", "h3", "h4", "h5", "h6", "head", "header", "hgroup", "hr", "html", "i", "iframe", "img", "input", "ins", "kbd", "keygen", "label", "legend", "li", "link", "main", "map", "mark", "math", "menu", "menuitem", "meta", "meter", "nav", "noscript", "object", "ol", "optgroup", "option", "output", "p", "param", "picture", "pre", "progress", "q", "rb", "rp", "rt", "rtc", "ruby", "s", "samp", "script", "section", "select", "slot", "small", "source", "span", "strong", "style", "sub", "summary", "sup", "svg", "table", "tbody", "td", "template", "textarea", "tfoot", "th", "thead", "time", "title", "tr", "track", "u", "ul", "var", "video", "wbr"]
const parser = new DOMParser();
function compare(html) {
doc = parser.parseFromString(html, "text/html");
htmlA = doc.documentElement.innerHTML;
document.documentElement.innerHTML = html;
htmlB = document.documentElement.innerHTML;
if(htmlA !== htmlB) {
console.log(html)
console.log(`DOMParser: ${htmlA}`)
console.log(`Document: ${htmlB}`)
console.log('---------------------')
}
}
// <tagA> aaa <tagB> bbb </tagC> ccc </tagA>
for(var tagA in tags) {
for(var tagB in tags) {
let fuzz = `<${tags[tagA]}> aaa <${tags[tagB]}> bbb </${tags[tagB]}> ccc </${tags[tagA]}>`;
compare(fuzz);
}
}
</script>
</body>
</html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment