Improper Initialization
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Improper Initialization in the DOMPurify.setConfig() API when an uponSanitizeAttribute hook is registered that mutates data.allowedAttributes. The set handed to the hook is the one the configuration initialised for the instance, not a per-call copy, so content crafted so that such a hook adds an attribute changes the attribute allowlist persistently, and that attribute is then permitted in every subsequent sanitization call on the instance.
How to fix Improper Initialization? Upgrade org.webjars.npm:dompurify to version 3.4.11 or higher.

Protection Mechanism Failure
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Protection Mechanism Failure through the clearConfig() function, which leaves a previously supplied TRUSTED_TYPES_POLICY in effect. On a reused instance, a policy supplied earlier by a less-trusted integration or by an attacker is still used to mint the TrustedHTML value returned once RETURN_TRUSTED_TYPE: true is set, so output that policy vouches for is accepted by a Trusted Types sink and arbitrary scripts execute.
Note:
This is only exploitable if a DOMPurify instance is reused across trust boundaries and a less-trusted integration or attacker has previously set an unsafe Trusted Types policy. Giving each trust boundary its own instance (the DOMPurify(window) factory creates one) avoids sharing the policy at all.
How to fix Protection Mechanism Failure? Upgrade org.webjars.npm:dompurify to version 3.4.9 or higher.

Cross-site Scripting (XSS)
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the SAFE_FOR_TEMPLATES option. The template-expression scrub is applied to each text node separately, so an expression whose delimiters are split across adjacent text nodes inside <template> content is never matched; once the nodes are rendered together the expression is whole again. If a downstream template engine evaluates <template>.content, this allows execution of arbitrary code or exfiltration of sensitive data.
Note:
This is only exploitable if both SAFE_FOR_TEMPLATES: true and one of RETURN_DOM: true, RETURN_DOM_FRAGMENT: true or IN_PLACE: true are explicitly set, and the application processes <template>.content with a template engine.
How to fix Cross-site Scripting (XSS)? Upgrade org.webjars.npm:dompurify to version 3.4.8 or higher.
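The split-delimiter trick described above, as an added example that is not part of this listing or of DOMPurify: a pure-JavaScript model (runs in Node, no DOM) of a per-text-node scrub versus a scrub over normalised text. The mustache/ERB patterns have the shape of the expressions DOMPurify removes under SAFE_FOR_TEMPLATES, but their exact text, the payloads and the helper names are assumptions made for the example.

```javascript
// Added example, not DOMPurify's code: why a template-expression scrub that
// runs one text node at a time misses an expression whose delimiters are
// split across siblings, and how normalising the text nodes first closes it.
// The two patterns have the form of the mustache/ERB expressions DOMPurify
// removes under SAFE_FOR_TEMPLATES; their exact text is an assumption here,
// the point is per-node versus merged scrubbing.
const MUSTACHE_EXPR = /\{\{[\w\W]*|[\w\W]*\}\}/gm;
const ERB_EXPR = /<%[\w\W]*|[\w\W]*%>/gm;

// One scrub pass over a single string (what a per-text-node pass sees).
function scrubText(text) {
  return text.replace(MUSTACHE_EXPR, ' ').replace(ERB_EXPR, ' ');
}

// Vulnerable shape: every text node is scrubbed in isolation, then a
// template engine reads the rendered <template>.content, where the siblings
// read as one contiguous string.
function scrubPerNode(textNodes) {
  return textNodes.map(scrubText).join('');
}

// Fixed shape: merge adjacent text nodes first (Node.prototype.normalize()
// does this on a real subtree), so the scrub sees the reassembled delimiters.
function scrubNormalized(textNodes) {
  return scrubText(textNodes.join(''));
}

// Would a mustache or ERB engine still find something to evaluate?
function containsTemplateExpr(text) {
  return /\{\{[\w\W]*?\}\}|<%[\w\W]*?%>/.test(text);
}

// Constructed payloads. The split one puts each delimiter brace in its own
// text node so that no single node contains "{{" or "}}".
const SPLIT_PAYLOAD = ['{', '{constructor.constructor("alert(1)")()}', '}'];
const INTACT_PAYLOAD = ['{{constructor.constructor("alert(1)")()}}'];

function demo() {
  return {
    perNodeSplit: scrubPerNode(SPLIT_PAYLOAD),       // expression reassembled
    normalizedSplit: scrubNormalized(SPLIT_PAYLOAD), // expression gone
    perNodeIntact: scrubPerNode(INTACT_PAYLOAD),     // per-node scrub suffices
  };
}

for (const [name, out] of Object.entries(demo())) {
  console.log(name, JSON.stringify(out), containsTemplateExpr(out) ? 'UNSAFE' : 'scrubbed');
}
```

The per-node pass leaves `{{constructor.constructor("alert(1)")()}}` intact because each node on its own never contains a double brace; the same scrub over the joined text removes it. In a real DOM the equivalent of `textNodes.join('')` is calling `normalize()` on the subtree before the scrub, or scrubbing the concatenated text of each run of adjacent text nodes.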

Prototype Pollution
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to what this listing classifies as Prototype Pollution, in practice a DOM clobbering condition, in IN_PLACE mode when the root element passed to the sanitizer is a <form> carrying event handler attributes and has a descendant whose name attribute matches one of the property names _isClobbered checks. Named form controls shadow same-named properties and methods on the form object, so the root's attribute-level processing no longer behaves as expected. An attacker who can shape such a DOM structure and get it passed to the sanitizer in IN_PLACE mode can keep malicious attributes, such as event handlers or JavaScript URIs, on the root element, and execute arbitrary JavaScript or bypass attribute-level defenses when the sanitized node is reinserted into the live document.
Note:
This is only exploitable if the sanitizer is used in IN_PLACE mode on a detached root element that is an HTMLFormElement with a clobber-named child.
How to fix Prototype Pollution? Upgrade org.webjars.npm:dompurify to version 3.4.6 or higher.

Trust Boundary Violation
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Trust Boundary Violation in the sanitize function when it is given DOM nodes from a different same-origin realm (for example another window or iframe document), because its instanceof checks are bound to the realm the instance was created in. Nodes from a foreign realm fail those checks and skip the handling they gate, so an attacker who can supply such nodes can get executable content retained in form attributes, template content and attached shadow roots.
How to fix Trust Boundary Violation? Upgrade org.webjars.npm:dompurify to version 3.4.6 or higher.

Trust Boundary Violation
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Trust Boundary Violation because the data.allowedTags and data.allowedAttributes objects handed to hooks are the global default sets themselves rather than copies. A hook that adds to them alters the defaults for every later sanitization call that does not pass its own ALLOWED_TAGS or ALLOWED_ATTR, so an attacker can inject payloads that exploit the polluted configuration and bypass sanitization with the tags or attributes the hook was tricked into adding.
Note:
This is only exploitable if a hook is registered that mutates data.allowedTags or data.allowedAttributes, and later sanitization occurs without explicitly setting restrictive configuration arrays.
How to fix Trust Boundary Violation? Upgrade org.webjars.npm:dompurify to version 3.4.7 or higher.
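To make the shared-set hazard in the two hook entries concrete (this one and the Improper Initialization entry at the top of the listing), here is an added example that is not DOMPurify's code: a small attribute filter whose hooks receive data named after DOMPurify's uponSanitizeAttribute hook fields (attrName, attrValue, keepAttr, forceKeepAttr, allowedAttributes). The filter itself, the my-widget tag, the attribute sets and the run() helper are assumptions made for the example; the library's fix is the library's own, not this code.

```javascript
// Added example, not DOMPurify's code: a small attribute filter that models
// what goes wrong when a hook edits the allow-list it is handed and that
// list is the instance's default set rather than a per-call copy. The hook
// data fields (attrName, attrValue, keepAttr, forceKeepAttr, allowedAttributes)
// are named after DOMPurify's uponSanitizeAttribute hook data; everything
// else (the filter, the tag names, the attribute sets) is a stand-in.
const DEFAULT_ALLOWED_ATTR = ['href', 'title', 'class', 'alt'];
const EVENT_HANDLER = /^on[a-z]/i; // assumed: what the scoped hook refuses

function makeSanitizer({ copyAllowList }) {
  // The instance-wide default, the analogue of the module-level set.
  const defaults = new Set(DEFAULT_ALLOWED_ATTR);
  const hooks = [];
  return {
    addHook(fn) { hooks.push(fn); },
    defaultsAllow(name) { return defaults.has(name); },
    // tagName and attrs ({ name: value }) stand in for one element.
    sanitizeAttrs(tagName, attrs) {
      // Vulnerable shape hands hooks the default set itself; the fixed shape
      // hands them a copy that dies with this call.
      const allowed = copyAllowList ? new Set(defaults) : defaults;
      const out = {};
      for (const [name, value] of Object.entries(attrs)) {
        const data = {
          attrName: name, attrValue: value,
          keepAttr: allowed.has(name), forceKeepAttr: false,
          allowedAttributes: allowed,
        };
        for (const hook of hooks) hook(tagName, data);
        if (data.forceKeepAttr || (data.keepAttr && allowed.has(name))) {
          out[name] = data.attrValue;
        }
      }
      return out;
    },
  };
}

// Wrong: "my-widget may carry any attribute", done by growing the list the
// hook was handed. Meant as per-element, but the mutation outlives the call.
function mutatingHook(tagName, data) {
  if (tagName === 'my-widget') {
    data.allowedAttributes.add(data.attrName);
    data.keepAttr = true;
  }
}

// Right: decide per attribute with forceKeepAttr, never touch the list, and
// still refuse event handlers on the trusted element.
function scopedHook(tagName, data) {
  if (tagName === 'my-widget' && !EVENT_HANDLER.test(data.attrName)) {
    data.forceKeepAttr = true;
  }
}

// Two calls on one instance: constructed attacker input on the "trusted"
// element first, then an unrelated <a> later. Reports whether onclick leaked
// into the later call and whether the instance defaults were changed.
function run(copyAllowList, hook) {
  const s = makeSanitizer({ copyAllowList });
  s.addHook(hook);
  const first = s.sanitizeAttrs('my-widget', { onclick: 'alert(1)', 'x-size': 'lg' });
  const later = s.sanitizeAttrs('a', { href: '/', onclick: 'alert(2)' });
  return { first, later, defaultsPolluted: s.defaultsAllow('onclick') };
}

console.log('shared set + mutating hook:', run(false, mutatingHook));
console.log('per-call copy + mutating hook:', run(true, mutatingHook));
console.log('per-call copy + scoped hook:', run(true, scopedHook));
```

With the shared set, the later `<a>` keeps its onclick even though no hook fired for it: the first call grew the defaults. The per-call copy stops that leak but still keeps onclick on my-widget within the first call, because the hook asked for it; only the scoped hook, which decides per attribute and never edits the list, is safe in both shapes.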

Cross-site Scripting (XSS)
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IN_PLACE mode when attacker-controlled live DOM nodes are sanitized. A node whose nodeName property has been overridden on the instance (for example with Object.defineProperty) reports an allowed tag name while remaining a script element, so the element is retained and its script executes in the context of the application once the node is inserted into the document.
How to fix Cross-site Scripting (XSS)? Upgrade org.webjars.npm:dompurify to version 3.4.8 or higher.
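The two IN_PLACE conditions (the clobbered <form> root from the Prototype Pollution entry above and the spoofed nodeName here), as an added example that is not DOMPurify's code: a Node-runnable model with a stand-in Element class that emulates how a form's named controls shadow its methods and how an own nodeName property hides the prototype getter. The Element/FormElement classes, the allowed tag list and both sanitizer functions are constructed for the example; reading the tag through the prototype getter is offered as one defence, not as a claim about how the library does it.

```javascript
// Added example, not DOMPurify's code: a Node-side model of two IN_PLACE
// conditions. In a browser, a <form> exposes its named controls as own
// properties (form.removeAttribute becomes the <input name="removeAttribute">,
// not the method), and an own "nodeName" property can be defined on any live
// node to hide the prototype getter. Both make duck-typed checks on the node
// lie. Element/FormElement, the clobbering emulation and the allowed tag list
// are constructed stand-ins for the DOM; the two sanitizers model a vulnerable
// and a hardened in-place pass, not the library's code.
class Element {
  constructor(nodeName, attrs = {}) {
    this._nodeName = nodeName;
    this._attrs = { ...attrs };
    this.children = [];
  }
  get nodeName() { return this._nodeName; }
  get textContent() { return ''; }
  hasAttribute(n) { return Object.prototype.hasOwnProperty.call(this._attrs, n); }
  getAttributeNames() { return Object.keys(this._attrs); }
  removeAttribute(n) { delete this._attrs[n]; }
  removeChild(c) { this.children = this.children.filter((x) => x !== c); return c; }
  appendChild(c) {
    this.children.push(c);
    // Emulates HTMLFormElement named-control lookup: a control's name shadows
    // the same-named method or getter on the form object itself.
    if (this instanceof FormElement && c._attrs.name) {
      Object.defineProperty(this, c._attrs.name, { value: c, configurable: true });
    }
    return c;
  }
}
class FormElement extends Element {
  constructor(attrs) { super('FORM', attrs); }
}

const ALLOWED_TAGS = new Set(['DIV', 'FORM', 'INPUT', 'A']); // assumed list

// The shape of a clobbering check: a form whose DOM surface no longer has
// the expected types cannot be reasoned about, so it must be rejected.
function isClobbered(el) {
  return el instanceof FormElement && (
    typeof el.nodeName !== 'string' ||
    typeof el.textContent !== 'string' ||
    typeof el.removeChild !== 'function' ||
    typeof el.removeAttribute !== 'function' ||
    typeof el.getAttributeNames !== 'function'
  );
}

// Read nodeName through the prototype getter so an own property on the
// instance cannot misreport the tag.
const realNodeName = Object.getOwnPropertyDescriptor(Element.prototype, 'nodeName').get;

function stripHandlers(el) {
  for (const n of el.getAttributeNames()) if (/^on/i.test(n)) el.removeAttribute(n);
}

// Vulnerable model: believes el.nodeName as reported and, when a DOM call
// fails on the root, swallows the error and still reports the root as kept.
// Returns true if the root is retained, false if it is dropped.
function sanitizeInPlaceVulnerable(root) {
  if (!ALLOWED_TAGS.has(root.nodeName)) return false;
  try { stripHandlers(root); } catch (e) { /* clobbered method: nothing stripped */ }
  return true;
}

// Hardened model: reject a clobbered root outright and classify the tag via
// the prototype getter.
function sanitizeInPlaceFixed(root) {
  if (isClobbered(root)) return false;
  if (!ALLOWED_TAGS.has(realNodeName.call(root))) return false;
  stripHandlers(root);
  return true;
}

// Constructed cases: a form clobbered through <input name="removeAttribute">,
// an ordinary form, and a <script> with an own nodeName of "DIV".
function demo() {
  const clobbered = new FormElement({ onclick: 'alert(1)', action: '/' });
  clobbered.appendChild(new Element('INPUT', { name: 'removeAttribute' }));
  const clean = new FormElement({ onclick: 'alert(3)', action: '/' });
  clean.appendChild(new Element('INPUT', { name: 'user' }));
  const spoofed = new Element('SCRIPT');
  Object.defineProperty(spoofed, 'nodeName', { value: 'DIV' });
  const vulnForm = sanitizeInPlaceVulnerable(clobbered);
  const vulnFormKeepsOnclick = clobbered.hasAttribute('onclick');
  const fixedCleanForm = sanitizeInPlaceFixed(clean);
  return {
    clobberedDetected: isClobbered(clobbered),
    vulnForm, vulnFormKeepsOnclick,
    fixedForm: sanitizeInPlaceFixed(clobbered),
    fixedCleanForm, cleanKeepsOnclick: clean.hasAttribute('onclick'),
    vulnScript: sanitizeInPlaceVulnerable(spoofed),
    fixedScript: sanitizeInPlaceFixed(spoofed),
  };
}

console.log(demo());
```

On the clobbered form the vulnerable pass calls `root.removeAttribute`, which is now the input element, so the call throws, the error is swallowed and onclick survives; the hardened pass sees the wrong type first and drops the root. For the script, the own `nodeName` fools the vulnerable pass, while reading the prototype getter still yields SCRIPT.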

Cross-site Scripting (XSS)
org.webjars.npm:dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in IN_PLACE mode when a <template> element contains an element with an attached shadow DOM. The sanitizer does not descend into that shadow root, so malicious content placed there is left untouched and executes in the user's context when the template is cloned and inserted into the page.
How to fix Cross-site Scripting (XSS)? Upgrade org.webjars.npm:dompurify to version 3.4.7 or higher.