Cross-Site Scripting in dompurify
Moderate severity
GitHub Reviewed
Published Aug 28, 2020 to the GitHub Advisory Database • Updated Sep 13, 2023
Reviewed Aug 28, 2020
Description
Versions of dompurify prior to 2.0.3 are vulnerable to Cross-Site Scripting (XSS). The package has an XSS filter bypass due to Mutation XSS in both Chrome and Safari through a combination of <svg>/<math> elements and </p>/</br>. An example payload is: <svg></p><style><a id="</style><img src=1 onerror=alert(1)>">. This allows attackers to bypass the XSS protection and execute arbitrary JavaScript in a victim's browser.
Recommendation
Upgrade to version 2.0.3 or later. You may also disallow <svg> and <math> through dompurify configurations:
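An added example, not part of the advisory or the DOMPurify project: a dependency-free Node.js check that finds installed dompurify copies below 2.0.3 in a parsed package-lock.json, plus a helper that merges the svg/math restriction into an existing sanitizer config. Helper names and the sample lockfile are constructed; FORBID_TAGS is DOMPurify's option for dropping tags, and the merged object is meant to be passed as the second argument to DOMPurify.sanitize.

```javascript
// Added example: helper names and the sample lockfile are constructed.
const FIXED = [2, 0, 3]; // first patched dompurify release per the advisory

// True for any version below 2.0.3; pre-releases of 2.0.3 count as vulnerable.
function isVulnerable(version) {
  const [core, pre] = version.split('-');
  const parts = core.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return pre !== undefined;
}

// Collect every installed dompurify copy below the fixed version.
function findVulnerable(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith('node_modules/dompurify') && meta.version && isVulnerable(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, so transitive copies are walked too
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'dompurify' && meta.version && isVulnerable(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Interim mitigation: add svg and math to an existing config's FORBID_TAGS.
function withMitigation(config = {}) {
  const forbid = new Set([...(config.FORBID_TAGS || []), 'svg', 'math']);
  return { ...config, FORBID_TAGS: [...forbid] };
}

const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/dompurify': { version: '2.0.2' },
  'node_modules/editor/node_modules/dompurify': { version: '2.0.3' },
} };
console.log(findVulnerable(sampleLock), withMitigation({ FORBID_TAGS: ['style'] }));
```

In a real project, pass `JSON.parse` of the package-lock.json contents to `findVulnerable`; nested copies pulled in by other packages are reported with their install path.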