Quesition about 'global'

[RobIsHere]

module.exports = global.DOMPurify = global.DOMPurify || resolveDOMPurify();

Just a thought about security: if anyone is able to install his do-nothing function somehow like

global.DOMPurify = (content, opts) => content

he could disable the sanitizing globally because his function would be returned by this package instead of Dompurify?

[kkomelin]

@RobIsHere excuse me, on "he" and "his", who are you talking about?

[RobIsHere]

The "he" and "his" reference back on the "anyone" and is a fictional person that tries to bypass the sanitizer.

If you don't share the opinion, close the issue. Just wanted to let you know. It's always valid to say if anyone can change global you probably have bigger problems.

I would not return the sanitizer from global, because it is too exposed IMHO. Caution is why we sanitize at all ;)

[kkomelin]

Got it @RobIsHere . "He" was just unusual for me because in the Western world, people rarely use it.

Anyway, you raised a good concern. Unfortunately, that is how some massively used crypto wallets connect with the SDKs, through the shared window.ethereum object, so what I want to say is it's a common practice, though I don't mean it's totally secure.