org.webjars.npm:dompurify 3.3.3

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:dompurify package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) leading to cross-site scripting, via custom elements. When `CUSTOM_ELEMENT_HANDLING` is not enabled, and an attacker has already polluted the prototype of objects supplied to `DOMPurify.sanitize()`, the `tagNameCheck` and `attributeNameCheck` regex values allow arbitrary custom elements including event handlers to bypass sanitization. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:dompurify` to version 3.4.0 or higher.	[3.0.1,3.4.0)
L Cross-site Scripting (XSS) org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via templates injected to a site in `RETURN_DOM` mode. The `SAFE_FOR_TEMPLATES` sanitization can be bypassed, which then allows scripts to be executed if the template is evaluated by a framework such as Vue 2. An application is only vulnerable if it has `SAFE_FOR_TEMPLATES: true`, and `RETURN_DOM: true` or `RETURN_DOM_FRAGMENT: true` set. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:dompurify` to version 3.4.0 or higher.	[1.0.10,3.4.0)
M Operator Precedence Logic Error org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to `ADD_TAGS` over `FORBID_TAGS` in `_sanitizeElements()`. In an application where `ADD_TAGS` is used as a function (via `EXTRA_ELEMENT_HANDLING.tagCheck`) and `FORBID_TAGS` is in use, an attacker can cause forbidden tags to be allowed. How to fix Operator Precedence Logic Error? Upgrade `org.webjars.npm:dompurify` to version 3.4.0 or higher.	[,3.4.0)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) leading to cross-site scripting, via custom elements. When CUSTOM_ELEMENT_HANDLING is not enabled, and an attacker has already polluted the prototype of objects supplied to DOMPurify.sanitize(), the tagNameCheck and attributeNameCheck regex values allow arbitrary custom elements including event handlers to bypass sanitization.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:dompurify to version 3.4.0 or higher.

[3.0.1,3.4.0)

Cross-site Scripting (XSS)

org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via templates injected to a site in RETURN_DOM mode. The SAFE_FOR_TEMPLATES sanitization can be bypassed, which then allows scripts to be executed if the template is evaluated by a framework such as Vue 2. An application is only vulnerable if it has SAFE_FOR_TEMPLATES: true, and RETURN_DOM: true or RETURN_DOM_FRAGMENT: true set.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:dompurify to version 3.4.0 or higher.

[1.0.10,3.4.0)

Operator Precedence Logic Error

org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.

Affected versions of this package are vulnerable to Operator Precedence Logic Error in the form of short-circuit evaluation that gives precedence to ADD_TAGS over FORBID_TAGS in _sanitizeElements(). In an application where ADD_TAGS is used as a function (via EXTRA_ELEMENT_HANDLING.tagCheck) and FORBID_TAGS is in use, an attacker can cause forbidden tags to be allowed.

How to fix Operator Precedence Logic Error?

Upgrade org.webjars.npm:dompurify to version 3.4.0 or higher.

[,3.4.0)

org.webjars.npm:dompurify@3.3.3

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically