Insecure Defaults Affecting dompurify Open this link in a new tab package, versions <0.3

Attack Complexity

Low

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

snyk-id

npm:dompurify:20140308
published

24 Apr 2017
disclosed

7 Mar 2014
credit

cure53

Report a new vulnerability Found a mistake?

Introduced: 7 Mar 2014

CWE-79 Open this link in a new tab

How to fix?

Upgrade dompurify to version 0.3 or higher.

Overview

dompurify is a DOM-only XSS sanitizer for HTML, MathML and SVG. Affected versions of the package are vulnerable to Cross-site Scripting (XSS) and DOM Clobbering due to Insecure Defaults. The default configuration allowed DOM Clobbering when used by a sanitized website. The default was changed to pevent such situations.

You can read more about Insecure Defaults on our blog.

References

GitHub Issue
GitHub Commit

Insecure Defaults Affecting dompurify Open this link in a new tab package, versions <0.3

Attack Complexity

snyk-id

published

disclosed

credit

Introduced: 7 Mar 2014

How to fix?

Overview

References